Jonathan Mayer and I have a new piece in Slate about how the NSA piggybacks on the web tracking activities of advertisers and other services. Essentially, the trackers tag computers and smartphones with unique tracking IDs that are attached to web requests, and the NSA uses those tracking IDs to follow users. I wrote last week about how tracking companies can protect their users by switching to HTTPS, the standard encrypted web protocol.
Unless and until the trackers turn on HTTPS, it’s down to us as users to protect ourselves from NSA tracking. The one and only way to do this is to prevent the sending of tracking IDs by your browser or phone. Let’s talk about how to do that.
Ideally there would be an industry opt-out that let you opt out of tracking IDs. But this does not exist. Existing industry opt-outs limit the use of tracking information, for example forbidding use for ad targeting, but they don’t prevent sites from using tracking IDs. Some companies respond to opt-out by stopping the use of tracking IDs. Others respond to an opt-out request by giving you a tracking cookie—for example, Yahoo, which says it uses the unique tracking cookie to link you to your opted-out status.
Do Not Track is not your solution either, at least not as it is currently defined. Again, the draft Do Not Track standard controls uses of tracking information but it does not rule out the creation of unique tracking IDs that are sent in the clear with every request to the tracking site.
Browser-based controls on third-party cookies will do some good. For example, Apple’s Safari browser puts some limits on third-party cookies, which will reduce the amount of tracking you encounter. Similar functionality exists in prerelease versions of Firefox, but this feature seems to be snagged in Mozilla bureaucracy and is not currently moving toward deployment.
Another approach is to clear your browser cookies and profile, or to use anonymous browsing mode. Again, this does some good, but it’s awkward to do these things on an everyday basis, and anyway you can still be tracked within a session—between clearing events if you’re clearing cookies, or within an anonymous browsing session. And of course there are types of tracking IDs that survive these measures.
At the moment the only surefire way to stop a site from using tracking IDs is to avoid interacting with that site altogether. Some browsers have tools to block access to unwanted sites. But most users who want to block tracking sites will use an ad blocker. Studies show that ad blockers are the single most effective tool for avoiding tracking IDs.
This is unfortunate, because ads are not the problem—at least, not directly. But because ads are so often associated with tracking IDs, blocking ads has the side-effect of blocking tracking IDs very effectively. The problem is that wholesale blocking of ads will eliminate privacy-friendly ads too. It would be better to have a blocking facility that blocked tracking IDs while welcoming privacy-friendly ads.
But of course it would be better yet to have ad companies take a step by protect our privacy by refraining from sending unique tracking IDs on non-HTTPS connections.