Looking At Who's Looking At You: Users Lack Necessary Tools To See Who's Tracking Them Online
The next time you spend an hour Googling that weird rash on your arm, keep in mind that hundreds of bugs are watching too -- and that you may never know who knows what you've been doing or what they might do with that knowledge.
The recent revelation that iPhones were storing the precise location data of their owners has led to serious concern from users who had no idea it was happening.
"We don't have the kinds of tools that we would like to have to figure out who is tracking us and what they're collecting," said Peter Eckersley, senior staff technologist at the Electronic Frontier Foundation. "We're working with ad hoc methods."
Advertisers, data brokers and related companies use online bugs to follow users from site to site, collecting browsing information in order to deliver more targeted advertising. They use tools like cookies (identifying text stored in a user's browser), as well as more sophisticated trackers.
But consumers don't have the right to collect information about who is snooping on their web activity, or what those snoops are doing with the information.
"Most people are unaware of the majority of tracking that's taking place online," said Rainey Reitman, activism director at EFF. "As you wander around the Internet, you gather more and more tracking bugs."
The tech tools that let consumers get a handle on who is following them are limited. But a handful of tools can reveal at least some of the trackers who piggy-back on web travels.
Many kinds of common bugs can be easily detected using programs like Ghostery, a browser plug-in that reveals which companies are following users, and lets them disable those companies’ tracking bugs. Ghostery works for Mozilla, Chrome, Firefox and Internet Explorer, as does the privacy suite offered by Abine. Privacy Choice lets users see what Google, Yahoo and others have collected about them. BlueKai and Exelate, data collectors themselves, offer preferences on their own sites that let consumers opt out of certain categories of targeted ads.
Yet even though sites like these can show the third parties that receive notice when you browse, they can't show you the vast data economy built on this initial data collection. Collected browsing information can be sold to any number of groups, including data traders and ad agencies
None of these methods can compile a full log of all the bugs that may be following a user at any given time. For example, one kind of cookie -- known as a “flash cookie” or “local shared object” -- is stored separately from browser settings in a different directory. Such cookies can be exploited by website owners to reinstate tracking files even after they've been deleted from the browser's history.
Five class-action lawsuits have been filed against companies that use flash cookies on the sly, but their use is not illegal in the United States.
In January 2011, Adobe implemented a plan to help consumers find and delete these cookies, working with Mozilla and Google to develop a new browser API that lets users clear flash cookies the way they can delete ordinary browser cookies.
"It's an arms race," said Rainey of the growth of these tracking technologies. "Ad companies are coming up with increasingly technical means of tracking people, and the average consumer is struggling to find a way to block that tracking."
To stretch the limits of tracking software -- and prove it could be done -- hacker Sammy Kamkar developed an un-deletable cookie called the “evercookie.” The bug stores itself in eight different places, making use of flash cookies to resurrect other, deleted cookies. In response, a plug-in called nevercookie was then developed to fight evercookies. Whether or not Kamkar meant for the evercookie to be used, it demonstrates the sophistication of the technology available to a determined data collector.
But even evercookies are less insidious than a new form of undetectable web tracking known as fingerprinting. Fingerprinting does not rely on cookies to track users. Instead, it detects the unique settings of a particular computer -- stored fonts, installed software, screen resolution and more -- in order to distinguish it from others.
"You can't identify fingerprint collection systems -- they're entirely invisible," said Reitman. "Rather than putting a device like a web bug or a cookie on your computer, they're just looking at your computer when it comes to them and analyzing it."
EFF developed a research project called Panopticlick to measure the power of fingerprint collection. They found that among their sample group, 83.6 percent of browsers were instantly identifiable as unique. Even after researchers altered their fingerprints by changing settings, they were still identifiable 99 percent of the time.
Smartphone users have another device to worry about when it comes to protecting their personal information. The huge popularity of third-party apps and the availability of geo-locational data, alongside personal data like contacts, emails and text messages, present a different kind of privacy problem.
Though apps are supposed to ask permissions before accessing users’ data, there's no way to know if they are complying with those standards.
"There is no way to see which apps are spying," said Eckersley. "You'd have to reverse engineer what they're doing and watch their network traffic. You would need not only a Ph.D. and high level of expertise, but you'd need to spend a large amount of time doing it for each app."
Consumers recently learned the iPhone was storing precise locational data for up to a year in an unencrypted file, which Apple then used to optimize certain features, like maps. But Apple isn't the only company that has access to such data. Cellphone companies also receive such information regularly, as do any apps that need a location to provide their services.
In 2009, blogger Christopher Sogohian found that Sprint Nextel had provided law enforcement agencies with customer location data over 8 million times between September 2008 and October 2009. Customers had had no idea they were under surveillance.
And most had no legal right to know they were being watched. A California privacy law, Shine the Light, requires companies to disclose what personal information they've shared with third parties, and which parties they've shared it with, but consumers in other states do not have the same prerogative.
"There is no baseline consumer privacy law," said Erica Newland, policy analyst at the Center for Democracy and Technology. "A very small subsection of the population could block close to all forms of tracking, [but] the average consumer is not going to win this battle."