Posts Tagged ‘Ghostery’

Are privacy add-ons effective? Surprising results from our testing

November 17, 2010

There’s no shortage of browser add-ons for consumers who want to block tracking by data and marketing companies. However, based on our testing, there is a wide variation in the actual effectiveness of these tools.

Methodology

We separately tested four different Firefox add-ons, AdBlock Plus, Better Advertising’s Ghostery, Abine and our own TrackerBlock, by running them on a clean test machine at full blocking. In each case, after visiting all webpages linked from the top page of Google News, we looked at the browser cookie file to see which tracking companies from our Index had been able to write unique cookies on the machine. This sequence was also repeated without any add-on enabled.

We estimated effectiveness based on the number of unique tracking-company cookies allowed by each tool, relative to the number of such cookies present with no add-on installed. We assumed that any unique cookie could be used for tracking and should be counted, because companies do not specify which cookies are used for tracking purposes. We did not test versions of these add-ons for Internet Explorer, Chrome or other browsers.

Results

Here are the results:

Observations

  • No add-on provided perfect blocking.
  • Many people view AdBlock Plus as not only a streamlining tool, but also a privacy tool. It’s not clear that it delivers fully on that expectation.
  • Ghostery’s approach of disabling “web bugs” versus cookie interactions appears to provide incomplete coverage. The companies slipping through included widely installed networks like DoubleClick, Right Media and Audience Science, perhaps compounding the privacy exposure.
  • Abine’s combination of opt-out cookie retention and selective domain blocking appears to provide the least effective results when it comes to cookie blocking.

More detail on methodology and the raw cookie output is available here. Due to the dynamic nature of ad delivery, we expect results to vary from test to test and across a different set of pages and sites. However, in repeat testing, we observed consistency as to those tracking companies able to avoid blocking by each add-on.

Ghostery’s team reported results of their own run of this test, indicating a maximum of 19 cookies making it through, out of 232 in their own database. This may reflect a difference in the classification of tracking domains, among other factors.

We invite comment on this methodology and are happy to assist anyone who wants to repeat the test on their own machine. Please send any suggestions for other ways to measure effectiveness (we’re also looking at cookie reading, not just writing).


Dear IAB: Don’t fear the opt-out

July 21, 2010

The new ad-targeting privacy bill offered by Rep. Bobby Rush is notable because, as reported by Mediapost, it reflects greater confidence in self-regulation. But before you start looking for common ground, consider this disturbing quote:

[IAB Executive] Zaneis questioned whether it made sense to enshrine into law a universal opt-out, such as the one offered through the Network Advertising Initiative. “The FTC hasn’t said that a universal opt-out is necessary,” Zaneis says. “It’s nice to have things like an NAI opt-out, but fundamentally flawed to say that you have to have a universal opt-out.”

It’s hard to conceive of a credible consumer privacy experience that does not include the ability to opt-out of targeting by all companies in a few clicks, as opposed to requiring consumers to chase down individual opt-outs from hundreds of companies. Reputable targeting companies already provide a universal opt-out, and we provide an even more universal opt-out at PrivacyChoice. Making it a requirement is a reasonable price to pay for the self-regulatory freedom otherwise offered by the Rush bill, including immunity from a private right of action.

Maybe Mr. Zaneis is just positioning for the coming negotiation. Or perhaps the fear is that the FTC will require a more effective and durable form of opt-out, perhaps based on Flash cookies or preference setting that is better integrated with browser tools. Maybe Better Advertising would provide the ability to download Ghostery — which can completely block tracking for ads — on every enhanced notice page.  Hmmm.

Here’s my (unsolicited) advice for the IAB: Don’t fear the opt-out. We have enough experience with opt-outs to know that only a very small percentage of users avail themselves of it, but far more consumers (and advertisers) will take assurance from truly easy and effective consumer choices. But this means sincerely embracing a great consumer privacy experience for targeted ads. A great experience involves durable preference setting in just a few clicks, it’s that simple. The good news for the industry is that, in the long run, enhanced notice and choice will and should become a platform for deeper engagement with consumers.

The universal opt-out is table stakes. Far more interesting topics are what companies will need to show consumers about their own profiles, and what kind of back-end oversight is needed to ensure that those profiles are only used as promised. The sooner this debate gets around to those questions, the quicker self-regulation will be a reality.

Credibility Gap: What does Ghostery really see?

March 4, 2010

The popular Firefox add-on, Ghostery, was recently acquired by Better Advertising, which is building a vast system to monitor compliance with new privacy rules for online behavioral advertising. I continue to get questions that indicate confusion about how Ghostery works. Because Better Advertising has portrayed Ghostery as a way to “see 99% of behavioral targeting,” it’s important to understand what Ghostery really sees.

When Ghostery is operating in the browser, it looks for known segments of Javascript that have been mapped in a database to particular companies, including ad targeting companies.

However, unlike our own add-on, TrackerWatcher, Ghostery does not look at actual browser interactions with ad-company servers. As a result, it completely misses non-Javascript tracking methods. Pixel-based tracking, a mainstay of behavioral tracking, may be missed by Ghostery if it is not enabled via Javascript. Because one company’s Javascript can serve another company’s tracking pixel, Ghostery may report the presence of the first company but ignore the second one entirely.

To see a demonstration of this problem, try Ghostery on the master opt-out page at the Network Advertising Initiative. This page includes image files (pixel-equivalents) served by dozens companies engaged in behavioral targeting. Several of these companies (ironically) even write new cookies the minute you hit that page. But because Ghostery is only looking for Javascript, and not actual server interactions, it only reports two advertising companies as present on that page.

This is not to say that Ghostery isn’t a useful tool — it is, and we link to it on PrivacyChoice. The problem is that Ghostery in its current form is being oversold both as a privacy protection tool for consumers and a compliance tool for the industry. In fact, Ghostery needs to be fundamentally re-engineered to be a truly effective tool to detect online tracking.

In the mean time, Better Advertising would be well served to clarify the presentation on Ghostery’s site to make it clearer to consumers what Ghostery really does (and doesn’t do). Credibility is too important to the self-regulatory initiative to be anything less than completely clear.

Note: Please be sure to read Better Advertising’s comment to this post, which includes an update on the product roadmap for Ghostery.