Do Not Track Plus: A tool to protect your online privacy

If you're concerned about privacy online, but find anti-tracking software difficult to understand, there's an app for that. Michael Kassner checks out DNT+.

I use online-privacy tools. Or at least try to. Most of the time, I'm not sure what to block or what to allow. For example, I tweet so should I add a rule to my privacy app allowing:

platform.twitter.com/widgets.js

I don't use Google Analytics; is it best to block this:

google-analytics.com/ga.js

Now for the irony. If, like me, you're not sure what to do, the only way to find out is to go online -- which means risking your privacy.

What's the answer?

I have to be honest -- there isn't a good answer yet. I do know there are a lot of people working hard to find one. I've been fortunate to have several of them help with my articles about online privacy and Do Not Track. Dr. Aleecia McDonald is one such expert. Currently, Aleecia is co-chair of the W3C Tracking Protection Working Group (TPWG) -- the committee deciding how to maintain privacy on the Internet.

I mentioned TPWG because people behind a new online-privacy tool that I've been researching are involved in the process. In fact, one of the company co-founders was at the recent TPWG meeting in Brussels. It's not every day a business invests time and money to help with standards.

Enough back story

I'd like to introduce you to Abine, Inc and co-founders Rob Shavell, Andrew Sudbury, and Eugene Kuznetsov -- all MIT engineers. These are the guys invested in TPWG and aware of people like me -- those "trying to" figure out online-privacy tools.

Do Not Track Plus (DNT+), the online-privacy tool I mentioned, is their answer. Here's what they say it can do.

Before running tests on DNT+, I decided to contact Abine. Rob Shavell and Bill Kerrigan -- CEO of Abine -- hopped on the conference call and answered the following questions.

Kassner: For the uninitiated, would you explain what DNT+ is?

Kerrigan: DNT+ is a free web-browser tool that uncovers invisible online tracking and targeted advertising, stopping consumers from being followed online. If you pay attention to the DNT+ icon sitting in the upper right corner of the web browser, you'll notice a number. That's how many trackers are associated with that particular website.

By clicking on the DNT+ icon, users can see details of the companies and technologies attempting to track them, as well as an all-time count of blocked tracking attempts.

Kassner: Let's check it out. I went to a website and clicked on the DNT+ icon. The following window opened.

Would you describe what we are looking at?

Kerrigan: The DNT+ privacy window provides detail about the tracking companies and technologies associated with the website you visited. We divide the information into three categories:
  • Social buttons: Links to websites that focus on building social relationships (like Facebook, Twitter, and LinkedIn) and help members easily share content, interests, and activities with their contacts. With social buttons, social networks are able to track your activity across the Internet.
  • Advertising networks: Businesses purposed to share information across different sites. They collect data, display advertising, and place cookies as a paid service. Typically, customers are those interested in displaying targeted-marketing content on many different websites.
  • Tracking companies: There are firms that provide website owners with tools to analyze and monitor visitors to their sites. These analytics networks collect data on how long you stayed on a site, what you clicked on, where you were before, and where you went after your visit.

Finally, the number you're seeing on the bottom of the window is the all-time tracking total. It represents blocked tracking attempts.

Kassner: I'd like to go back to social buttons for a second. Are you saying DNT+ blocks social-button requests because they are involved in tracking?

Shavell: Yes. When your computer is asked to make requests for a social button -- for instance, when Facebook "Like" buttons are included on a website with XFBML or an iframe -- we block the request from being made. In its place, we put a marker that looks just like a regular button into the same spot on the page so you know a social button is supposed to be there.

If you click on the social button placeholder, we know you want to share, so we then load the social buttons into the page and activate the button you clicked. You'll have to click again to share in case your click was an accident.

Kassner: What specific features are incorporated in DNT+?

Kerrigan: It's best to discuss the features in terms of web-browser activity:
  • Web browser start-up: DNT+ sets opt-out cookies. Opt-out cookies are non-unique, non-personally-identifiable cookies that inform advertisers not to deliver targeted advertisements.
  • While browsing: DNT+ examines each request your browser receives. If DNT+ determines it's a tracking request (like a 1-pixel image or tracking JavaScript), the request is denied, and no connection is established between the web browser and the remote web server. DNT+ blocks tracking requests from third-party domains, as well as first-party requests for known tracking code.
  • While browsing: DNT+ sends the Do Not Track header -- a new standard of requesting that companies don't track you online -- to every web server. However, there isn't an agreed-upon meaning for what companies need to do when they see this header. That's why we also block requests we think are occurring to track you.
  • Web browser shutting down: Upon closing, DNT+ will remove all set opt-out cookies.

All of the above takes place locally on the client computer. Abine is only aware of two things:

  • IP addresses of devices downloading DNT+ are counted to keep track of how many copies of DNT+ exist.
  • Abine servers see when client software asks for tracking-information updates.

And we, being very privacy-conscious, will not collect personally-identifiable information.

Kassner: There are several well-known privacy tools already on the market. What distinguishes DNT+?

Kerrigan: There are several products available for people with acumen in tracking companies. We designed DNT+ to be simple to use. In addition, DNT+ has some unique characteristics:
  • Blocks tracking, but still enables voluntary use of social buttons.
  • Available on Internet Explorer, Firefox, Safari, and Chrome.
  • Actively blocks tracking requests from ever being made and selectively sends the Do Not Track HTTP header, rather than wholesale broadcasting.

Kassner: The press release mentions that DNT+ is the first of a collection of privacy tools; what other tools can we expect?

Kerrigan: We are working on other privacy services, like our "in beta" Privacy Suite, which will have premium upgradeable features. Our business model is to develop free products like DNT+ and premium products for individuals desiring greater control of their online privacy.

Final thoughts

People debate whether privacy on the Internet is even possible or not. Whether it's achievable or not, I think we can agree -- privacy is important.
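
The "while browsing" blocking and the social-button placeholder described in the interview can be modelled in a few lines. This is an added example, not Abine's code: the rule list is constructed from the two scripts named at the top of the article, the two-label `site()` comparison is a simplification of first-/third-party detection, and attaching `DNT: 1` to each request that is allowed out is an assumption about how the header is sent.

```javascript
// Added illustration, not Abine's implementation.
// RULES is constructed from the two scripts the article mentions; a real
// blocker ships a far larger list and updates it from the vendor.
const RULES = [
  { host: "platform.twitter.com", path: "/widgets.js", category: "social" },
  { host: "google-analytics.com", path: "/ga.js", category: "tracking" },
];

// Assumption/simplification: the "site" is the last two DNS labels.
// Production code needs the Public Suffix List (example.co.uk breaks this).
function site(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Return the rule matching this request, or null. A rule host also matches
// its subdomains, so www.google-analytics.com/ga.js is caught.
function matchRule(url) {
  const host = url.hostname.toLowerCase();
  return (
    RULES.find(
      (r) =>
        (host === r.host || host.endsWith("." + r.host)) &&
        url.pathname === r.path
    ) || null
  );
}

// Decide what happens to one sub-resource request made while rendering
// pageUrl. userClickedPlaceholder models the opt-in click on the stand-in
// button that replaces a blocked social widget.
function decide(pageUrl, requestUrl, userClickedPlaceholder = false) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const thirdParty = site(page.hostname) !== site(req.hostname);
  const rule = matchRule(req);

  // Not known tracking code: let it through, carrying the DNT header.
  if (!rule) {
    return { action: "allow", thirdParty, headers: { DNT: "1" } };
  }
  // Social widgets are withheld until the user asks for them.
  if (rule.category === "social") {
    return userClickedPlaceholder
      ? { action: "allow", thirdParty, headers: { DNT: "1" } }
      : { action: "placeholder", thirdParty, category: rule.category };
  }
  // Known tracking code is blocked whether it is third- or first-party:
  // the request is never sent, so no connection reaches the remote server.
  return { action: "block", thirdParty, category: rule.category };
}

// The number shown on the toolbar icon: requests on this page that were
// not allowed to leave the browser.
function countTrackers(pageUrl, requestUrls) {
  return requestUrls.filter((u) => decide(pageUrl, u).action !== "allow")
    .length;
}

// Constructed sample page load.
const SAMPLE_PAGE = "https://news.example/story";
const SAMPLE_REQUESTS = [
  "https://news.example/app.js",
  "https://cdn.example.net/lib.js",
  "https://www.google-analytics.com/ga.js",
  "https://platform.twitter.com/widgets.js",
];
console.log(countTrackers(SAMPLE_PAGE, SAMPLE_REQUESTS)); // 2
```

Note that an unknown third-party script (`cdn.example.net` above) is allowed: a list-driven blocker only stops what its list knows about, which is why the DNT header is still sent with everything else.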


54 comments
ivan1j

After installing this on my computer and trying it out for a few days, I recommended it to my boss. He asked me, "You are freely installing this on the computer, how do I know that the company that is offering this (and because it's free) isn't using it for getting information from my computer, they must have the source code protected so others don't copy their program. They make you think they are giving you something great, but they could be getting my bank account info and everything else, and you freely put it in my computer. Today most everything is about money and you can't trust most companies." I felt a little stupid not knowing how to answer this. Any feedback?

tommy

I like my privacy as well as the next person, but while I feel protection of passwords, accounting details and personal information that is specific to me is of paramount importance, do I care if Amazon knows what I like to look at and targets me with advertising while I'm on their site? Nope. Advertising - as in my PC starts offering me random advertising because my O/S is loaded with spy-ware - is obviously undesirable. A mechanism that loads my machine with virus that will damage my reputation, my data, or use my PC resources for someone else's nefarious ends is something I want to avoid for sure. Having spy-ware that's creating security holes in my system with back door entry opportunities as provided by any number of free-ware browser tool bars and the like? That kind of intrusion I don't want. Having the world at large knowing that I dig science fiction, that I'm probably in the market for a new camera at the moment, or that I've a passion for remote control helicopters? Why should that bother me?

spacepioneer

This is a hot topic and will lead to chaos. Too many sites like Excite, Iwon, etc., count on cookies to gather information to sell, trade, or both to ensure their livelihood, just like many businesses used to do and some still do in the real world by having people gather information from phone books mostly and pay them $.50 per person usually. Sites like Excite block your access if you don't accept their cookies and java scripts. Some or most browsers now offer Private Browsing. Firefox also offers other tools and Add-ons to help with ad blocking and better privacy. I personally now also use a Keystroke Scrambler. This issue will be a bitter battle and those who don't support our need for privacy will try to use the Government to help them by passing laws and regulations to favor them and their privacy pirating. And it will get ugly.

Michael Kassner

I am running several tools at the same time. I would not replace NoScript with DNT+, but augment it.

joetron2030

I'm a big fan of NoScript for Firefox. Do you know if DNT+ would replace something like NoScript as well or would it be something one would use in tandem?

ETG296

Thank you Michael for a great article, a topic that I constantly remain very interested in. My question is this: Did you happen to ask about anonymizer tools and sites, with regards to making one's attempts to remain "clean" or a good way to double up with and such? Thanks in advance. Best regards, Eric

JCitizen

Especially since they are "so concerned" about our privacy?

bboyd

Most sites don't want you to control your privacy. They make money off ads and selling private information. Why would I want you to use my "Free" service if you block the tracking LSO that lets me get paid for your traffic? This process is measure/countermeasure: as people use more privacy tools, more interference and obfuscation will be used by the site operators to circumvent it. If I was running a site I'd start to give adblock and noscript the run around by proxy routing external elements through a ssl. On a side note I prefer still the white list format. If a website is broken by not allowing offsite scripts, I don't need to use it. The solution is out there but it only lasts for a generation. And internet generations are fast and furious.

Michael Kassner

Interesting results. I'm seeing the same results on TR. I don't have the problem with the comments. I will pass that information along.

Craig_B

I installed DNT+ on IE9 and did a quick check of sites that I normally visit. I found the range of tracking going from 0 - 24 with most being around 3 - 5. I noticed if I refreshed a page sometimes the count would go up much more. As I type this the number shows as 12 on this page. I find this product quite interesting, I'll do some additional testing and see how it goes. Update: I could not see the other posts or post this response with DNT+ turned on. I tried unblocking just CNET however that didn't seem to work. I turned off DNT+, refreshed and now I can see and post here.

Michael Kassner

For the most part it involves trust; unless you are willing to do some digging. DNT+ is not open source, but you could ask the company for the source code. If they oblige, you could see if there were any quirks. A second and more accurate option would be to set up a packet sniffer and see what kind of traffic the software is sending home. To be honest, the question from your boss applies to any software. You could ask the same question of any software he or she has installed.

NickNielsen

But I laughed long and loud at the story in the article. That said, it's really a natural extension of all the data collection. If analysts can isolate purchases to a shopper, they can pretty much follow that person's life, even if it's by proxy. The ultimate goal is to reduce inventory expense by having the items you need today delivered last night. If you haven't sent them your shopping list, THAT is creepy...

tommy

I've had a good read at the info offered on your link http://randomwalker.info/ Michael, and the piece about Target knowing that the daughter was pregnant before her father was pretty funny, if a little creepy. Personal takes on an embarrassing moment aside however, I can see the point raised that blending together a number of different data sources - micro-data as Arvind and Vitaly put it - offers the opportunity for trend analysis to identify supposedly private aspects of your personal life. I will readily concede now that having this sort of information in the wrong hands would be worrying. Idiot marketing managers aside, I can't think of any outside of the blatantly illegal, but I can see it is a concern. Thanks to you guys for coming up with the examples and information here. I'm sure you'll be glad to hear that you have changed my stance on this topic as a result. I do now see this as more of an issue than I had originally thought. I don't think you'll like my conclusions though. I'll explain....

tommy

Nope not a length thing. :o( Yes it is! :O) Hmmm. Maybe not. I can't seem to post long links. Never mind :o)

tommy

Just tried to post my response, but they're not coming up :o( Maybe it's a Length thing. I'll break it up.

Michael Kassner

I agree with Craig, and here are a few more reasons. Amazon, to the best of my knowledge, is only dealing with your information at their site. The other ad networks are tracking you throughout your Internet travels. Also, what happens if someone else uses your computer and thereafter you get ads you really don't want to?

Craig_B

The issue for me is that you don't have any way to know who is doing what. When you go to a site do you know what they track? What they do with the data? Who it is shared with? If sites would tell you these things in simple terms you can make an informed decision. What if your auto insurance company found that people who like science fiction and remote control helicopters are more of a risk and should be charged a higher premium? That type of thing is already happening by companies looking at data. I'm not really paranoid, I just want full disclosure so I can make informed decisions.

JCitizen

just the cookies I suspect. However, I'm sure I'm wrong because it takes a pretty good trick to allow social buttons and do that at the same time. I'm pretty sure I read that this extension works well with many others like No Script. If you have to give script permission on a page to use the content, DNT+ will still block the tracking. This is how I understood the CNET article.

Michael Kassner

If you look at their website they have one app called DeleteMe and they are soon releasing an app called PrivacySuite. Have you had experience with this company, J?

Craig_B

All sites should have an easy to find, read and understand policy about what they do. Really this should be something like go to a site press F12 (or some standard key, click, etc.) that brought up a standard form (like a food label) on what they do and what they are doing with your data.

Made up Example:
Site: www.techrepublic.com
About: Articles, Blogs and Community covering Technology
Membership: Free - requires registration
Tracking: Use several companies that track you to serve up targeted ads, this may also gather location data. Link to companies used.
Opt In/Out: Opt Out

If all sites had something along these lines then as a user of the site you can easily see if the cost to you (tracking, privacy, etc.) is worth the benefit of accessing the site. You can make an informed decision. Right now most sites if they have a policy it's lost in a sea of other documents, written in legalese and changed without real notification. This makes some people automatically distrust sites, even "free" ones, so they start trying to hide information from the site using DNT+ or other tools and we get into the tit for tat process you mention. (Note: Funny how TR blocked one of my words, I guess I should have used mammary gland for tat as it allows that)

Michael Kassner

DNT+ uses the same white lists, and updates automatically. That might be an advantage.

JCitizen

upon trying to comment. I turned it off long enough to enter my comment, then turned it on again. It is still pretty cool! I really thank Michael for pointing this out, I've been avoiding these things up and till now. (edited) I'm using Chrome.

ivan1j

It's becoming a scary world. I personally think it's a great program, and having it reviewed and in conversation on this site (TechRepublic) gives me more trust in it.

JCitizen

would be that they are simply taking the information that the other "competitors" would have been selling and using it for their own gain. I'm not saying this is actually happening; but as Michael suggested, they will eventually gain trust. AdAware is owned by Double Click, but I trust them anyway, because I need their network performance. I figure that at least Lavasoft is a more legitimate company, put under more scrutiny that way. I would love to get rid of it, but I can't get to many of my research sites without it; I've been trying to get rid of it, ever since 2007 or so, when they were bought out.

HAL 9000

Start with Windows and Office. They both call home to Mommy so often that I've given up trying to secure any system that they run on. Col

tommy

In the example of the pregnant daughter, the holder of all of the information used was Target. They make Full Disclosure with regards what they do with the data in no uncertain terms. I'm a little surprised that the Target marketing department thought that sending that email was a good idea. That's a very silly bit of marketing, which embarrassed all those concerned. We're still talking about advertising, though. It's hardly the end of the world. On the idea that Full Disclosure will resolve the issue at hand then, I've not changed my mind I'm afraid. Let's assume that everyone is disclosing exactly what they're up to. It won't make a jot of difference to the vast majority of people using the sites in question, or to the extent that this sort of data collation and trend analysis is being performed. Full Disclosure is no answer.

tommy

We get bombarded with advertising all the time. Look at the amount of crap on this site ;o) Thing is that without it, we probably wouldn't be having this discussion here, so it's a necessary evil me thinks. Even on the other sites you mention that are more active outside of a given arena, I'm afraid I still can't see the problem. So there's a company out there that's got a cookie on my machine that's logged my browser as looking at whole gamut of different sites, and has decided that RC heli's are my thing. Result, there's a whole bunch of sites that are now pushing heli' adverts at me. I'm still not bothered, and I would still rather see these than Mills and Boon novels. Now the next guy comes along and he's seeing more than his fair share of heli' adverts and he would rather be reading Mills and Boon novels (takes all sorts), where's the privacy problem? If anyone could figure out that me as an individual is looking at a lot of osteopathy adverts and was able to deduce that I (Mr T) had back-ache then that would be a breach of privacy, but if it means that mr anonymous sitting at this terminal gets advertising for cheap med's, then I still can't see the problem I'm afraid.

tommy

I see where you're coming from with that argument, but I don't think it's valid. There are plenty of criteria that are used for judging risk that's for sure. Let's assume for a minute that such minutiae are being examined, then it could equally be argued that it could be shown that IT guys with a passion for RC helicopters are far less of a risk than IT guys who race boats, let's say. In which case I'm quids in! Don't get me started on the madness that is being acted out in Europe at the moment where insurance companies are no longer allowed to put risk based assessments on gender. Another topic that one ;o) If someone knows that I (Tommy, who lives at &&&&^%$??, has just bought a book X with credit card number Y) then that's a huge issue of security. As long as there's nothing personal being stored (i.e. nothing that can be directly attributed to me as an individual) then I'm still unconvinced that there's any problem. On the contrary, targeted advertising helps me. If I'm looking at a site that knows that I'm into Sci-Fi and then acts on it, then I'm more likely to get something pushed at me that I like, and not get bombarded with Mills and Boon novels. Again I would draw the distinction between spyware, which is actively trying to glean information about me as an individual, and simple advertising trending. Full disclosure? Amazon give a very verbose description of what their services provide, what data they expose and what use the tracking cookies are used for. How many people have ever read it from start to finish? Having read it, are you now in a position to make a more informed decision? Can't argue with you on the theory, but it's not, I believe, a practical argument against companies tracking usage as long as they're doing it ethically: i.e. no personal data. You've not convinced me I'm afraid Craig.
Private information I want private, but someone tracking my spending habits (Tesco knows that an anonymous me likes apples better than pears) is no more a breach of my privacy than someone else looking at stock figures from fruit sales at the close of play.

JCitizen

I've tested it, and I think it is unbeatable! As far as content goes; I turn all this stuff off when I'm on my favorite sites, so the site owners can make a living. This is what makes utilities like Adblock Plus, No Script, and DNT+ so handy, is that they are easy to turn off for those sites, and they remember the URL automatically, so you don't have to fuss with it from then on.

Michael Kassner

I'm no expert, but the examples I offered are related to JavaScript and if I understand correctly DNT+ is blocking them.

JCitizen

that is why I was asking. Motivation is everything. Some companies like this keep the information for themselves and sell it exclusively. I did not read their privacy statement. Those two utilities do sound familiar.

Michael Kassner

I am not sure what the answer is. It's a brave new world, to be sure.

JCitizen

that block or encrypt all my passwords/personal information, and Rapport blocks any browser manipulation, or session riding to the SSL target; so I'm not worried about spyware gaining access to such. Rapport, Keyscrambler, LastPass. These work even in an infected environment and the first two are at the kernel level, so malware manipulation has been impossible so far. This is evident in my honey pot tests. Also Emsisoft's Anti-malware has been the most effective malware killer I've tested to date. It is strictly behavior based and needs no signature files to do its job; although they include the old A-Squared anti-malware scanning engine, just for good measure; and also so you can safely remove any malicious files or registry left overs.

ivan1j

That's true as long as the information is not bank account or password information. As Michael said above, "it involves trust". Let's just hope none of these companies are like Enron.

ivan1j

I've already used your quote multiple times.

JCitizen

is that even when you have legitimate data being gathered legitimately; what is stopping the criminals on your PC from using that same data to profile you for attack? It is nearly impossible now to find the new types of malware on PCs. So damage control is all you can do. Spybot Search and Destroy is the only cookie blocker I know of that works without constant user inputs; so if a client is too lazy for AdBlock Plus, NoScript, or DNT+, I send them to safernetworking to download SS&D - that way, all they have to do is update and immunize. It is definitely better than nothing.

tommy

Thanks for your input, sir. Lots of people on the site, not just this one I hasten to add, just like to slag off an idea or one post and they're gone. I've really enjoyed the discussion about the topic, so many thanks for your thoughts.

Michael Kassner

The Target piece was meant to show what data-mining algorithms are capable of. My goal for this article was to show the potential problem and possible solutions. I'm more concerned about raising awareness than anything. That way everyone can make an informed decision, like you have done. I wanted to mention that I enjoyed and appreciated your insight into this issue.

tommy

The conclusion I've drawn from the information offered here with regards the tools being discussed has changed though. I am now a lot more paranoid about this than I was before - thanks guys - but my conclusion is this: Putting anti-virus software on my machine will actively stop virus infection. Having a good firewall in place to stop random people on the Internet from getting access to my PC is just plain common sense. Putting widgets like this on your computer and expecting them to protect your privacy is simple delusion, however. We are all offering information about ourselves every time we click on something. We're actively giving away information every time we buy something, every time we subscribe to something, every time we get an e-mail and click on the 'show pictures' button, log on to Facebook, make a tweet etc. etc. ARG! Being concerned about online privacy is a good thing. To help protect yourself you need to be aware of the issue, that's the first step. Thanks to you guys I'm a lot more aware of it now than I was a couple of days ago. However, while the installation of 'privacy' widgets on your computer would seem, and I now agree on reflection, to make perfect sense I would offer that, as demonstrated by the pregnant daughter example, it is a complete waste of effort. Every single jot of information used to find out that she was pregnant wasn't gleaned through the dark passage of cookie driven, nefarious and mysterious data collection. She gave them all the data they needed of her own volition. The question I'm asking myself now is not "am I paranoid?", it's "am I paranoid enough?".

JCitizen

I posted that on Facebook, so my friends would wake up and smell the coffee. They give away far too much to FB, in my opinion. It is a wonder I haven't been thrown off, for not revealing my data. I hear running incognito on FB is against their policy. I say tuff shit! They can throw me off if they want - my boss made me join, I don't need it.

tommy

Good discussion ;o) I'll have a look at the material you've linked to. I can see that, if I wanted to, then what you're suggesting is possible. Just as a private detective could run through the contents of a dustbin and come up with lots of information, a company could if they chose to, rifle through all of the sites that were visited by an individual and draw up a detailed profile on that person. I quite agree with you that protection against this needs to be in place to ensure an individual's privacy in this respect, but unless you're breaking the law with regards the Data Protection Act (UK) - I'm sure there will be a US equivalent - and the profile thus gained is directly linked to me (Mr T as an individual) then I can't see the harm in a company having a profile of what it is that I like looking at. I'll have a read of the info that Arvind and Vitaly offer in your link and post later.

Michael Kassner

My last try would be to mention that there is the concern about what the people do with the information once they have it. I've read that the ad networks are reselling information to anyone who wants it. I have no proof, but that would be a bit unnerving. The reason I say that is from my writing about how gathering bits and pieces of supposedly harmless data from several sources eventually leads to someone knowing a great deal about you. If you are interested my friend, Dr. Arvind Narayanan has done a bunch of research on this: http://randomwalker.info/

JCitizen

They scrape data for the insurance companies to target people individually for rate hikes. This has been in the news. Whether you use Facebook or not, that doesn't mean they won't spread this everywhere on the web.