First off, I needed to know what domain and from what sites the AP cookies are set. It turns out that the service relies on the hNews microformat, and a quick Google search brought me to The Aspen Times. If you have a look at the source for Aspen News, you'll see some content loaded from analytics.apnewsregistry.com and apnewsregistry.com. Since "analytics" seemed to be the most likely tracking source, I made two simple HTTP requests to the URL referenced in a news story, one with the DNT header and one without.
    $ nc analytics.apnewsregistry.com 80
    GET http://analytics.apnewsregistry.com/[snip] HTTP/1.1
    Host: analytics.apnewsregistry.com
    HTTP/1.0 303 See Other
    Set-Cookie: ASP.NET_SessionId=lwymgdbt4u5go3e55al1uxwc; path=/; HttpOnly
    [snip]
With DNT:
    $ nc analytics.apnewsregistry.com 80
    GET http://analytics.apnewsregistry.com/[snip] HTTP/1.1
    Host: analytics.apnewsregistry.com
    DNT: 1
    HTTP/1.0 303 See Other
    Set-Cookie: ASP.NET_SessionId=vy1r33ambeja03fev4e1ognw; path=/; HttpOnly
    [snip]
In both cases, you can see a unique session cookie being set. That didn't seem right. So I set up a brand new Firefox 4 profile, visited Aspen News, then checked the cookies. Without DNT I saw the following cookies related to apnewsregistry:
I then set the DNT option under Preferences -> Advanced -> General -> "Tell websites I do not want to be tracked", and saw the following cookies get set:
This tells me that it's not the analytics host but the other one, apnewsregistry.com, whose behaviour is affected by the DNT header.
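To make the nc comparison above repeatable, here is an added Python example (mine, not code from the post or from AP): it builds the two requests, extracts the Set-Cookie headers from each raw response, and classifies every cookie by how the server treats it once DNT: 1 is present. The responses embedded in it are constructed to mirror the captures above, and the host and path given to build_request are placeholders.

```python
# Constructed responses shaped like the nc captures in the post (not real traffic).
RESPONSE_NO_DNT = (
    "HTTP/1.0 303 See Other\r\n"
    "Set-Cookie: ASP.NET_SessionId=lwymgdbt4u5go3e55al1uxwc; path=/; HttpOnly\r\n"
    "Set-Cookie: region=us; path=/\r\n\r\n"
)
RESPONSE_DNT = (
    "HTTP/1.0 303 See Other\r\n"
    "Set-Cookie: ASP.NET_SessionId=vy1r33ambeja03fev4e1ognw; path=/; HttpOnly\r\n"
    "Set-Cookie: region=us; path=/\r\n\r\n"
)

def build_request(host: str, path: str, dnt: bool) -> bytes:
    """Minimal HTTP/1.1 GET, optionally carrying DNT: 1, as typed into nc."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    if dnt:
        lines.append("DNT: 1")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def parse_set_cookies(raw_response: str) -> dict[str, str]:
    """Map cookie name -> value for every Set-Cookie header in the response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            pair = value.strip().split(";", 1)[0]  # drop path/HttpOnly attributes
            cname, _, cval = pair.partition("=")
            cookies[cname.strip()] = cval.strip()
    return cookies

def dnt_cookie_report(without_dnt: str, with_dnt: str) -> dict[str, str]:
    """Classify each cookie once DNT: 1 is sent: 'suppressed' (withheld with DNT),
    'identifier' (set either way, value differs per fresh request: a per-client
    token is still being dropped), 'constant' (same value either way, not unique
    on its own) or 'new_with_dnt' (only appears once DNT is sent)."""
    before, after = parse_set_cookies(without_dnt), parse_set_cookies(with_dnt)
    report = {}
    for name in sorted(before.keys() | after.keys()):
        if name not in after:
            report[name] = "suppressed"
        elif name not in before:
            report[name] = "new_with_dnt"
        else:
            report[name] = "identifier" if before[name] != after[name] else "constant"
    return report

if __name__ == "__main__":
    print(dnt_cookie_report(RESPONSE_NO_DNT, RESPONSE_DNT))
```

Against the constructed responses the session cookie is reported as an identifier that survives DNT, which is exactly the finding above; a server that honours the header would show it as suppressed.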
Does this mean the AP News Registry conforms to the intention of Do Not Track? The answer is that we have no idea. They're still dropping a unique identifier, even with DNT set. Even if they weren't dropping any, the combination of other browser attributes could still prove unique enough to identify the client. In the end, someone would need to perform a code review of their server-side code to make sure the unique identifiers aren't being used for tracking.
This is important, because that's the primary intention of DNT. To quote Harlan Yu when asked about this issue:
Of course, Do Not Track needs a regulatory framework with effective enforcement mechanisms. This is the ongoing policy debate in Washington, whether Congress should give the FTC authority to define and enforce DNT regulations and what these regulations look like.
But enforcement is going to be very hard if situations like the above are allowed to persist. For DNT to be a meaningful label, one that can meaningfully be "breached", it needs to result in no cookies or other unique identifiers being set on the client side, plus an independent audit of the tracker's server-side code.
In short, I'm not saying DNT is useless, just that, implemented the way AP News has done it, it amounts to an unverifiable promise. In the end, it is my belief that we need to rely on technical means *first* for provable privacy, and let ideas like DNT provide a *secondary* legislative mechanism.
In the meantime, DomCorp will be offering free "DNT audits", just send me all your codez and passwords :)