Berkeley Law Releases Its First Web Privacy Census
New submitter DeeEff writes "The first report in the University of California, Berkeley Law School's quarterly Web Privacy Census was released on Tuesday, and it shows that popular Web sites are far more aggressive in their consumer tracking practices than most people suspect, and that consumers are trapped in an escalating privacy crisis with limited control over their personal information. Most interestingly noted in the article is that twice the amount of sites are using HTML5 storage as opposed to last year, while Flash Cookies are dying down, as we should expect. It also appears that third-party tracking seems to dominate most sites, such as from Google, Facebook, and other large players."
The rest are details. (Score:4, Insightful)
-- Bill Hicks
Not as simple as "use Tor!" (Score:5, Interesting)
We are talking about companies that have teams of hackers and computer scientists who are paid to find ways to break technical measures of protecting privacy. Substantial effort is needed to fight back, and most people are not willing to do the sorts of things that would be needed to protect their privacy. Disabling Flash, Silverlight, Java, and Javascript? Disabling cookies? These things make using the web very difficult these days, and as if that were not enough, there are malicious Tor exits that look for passwords and credit card data -- leaving users dependent on the very websites that are violating their privacy to protect it (by enabling TLS).
So unless someone has figured out a way to compel everyone to stop installing every trendy plugin, to give up on trendy Javascript-heavy websites, and to demand TLS from every website they connect to, we need to put some legal restrictions on data collection in places. Yes, I know, the big bad government interfering with business, but let's put it this way: do you want the big bad government to have access to vast logs of user activity (which is the next step after the corporations collect it -- the government either asks politely, demands it, or covertly acquires it)?
Which leaves us at the heart of the problem: the only organization in our society with the power needed to stop this has an interest in promoting it.
Re: (Score:2, Interesting)
These things make using the web very difficult these days
Do they really though? People keep saying that, but I've never seen it. I don't enable ANY of that shit by default. I whitelist a few sites like yahoo or my local bank, and that's it. Everything seems quite fine honestly, and much, much, much less annoying. When I look at the web on other people's computers who don't do that, it just looks entirely unusable. There's shit popping up over things you're trying to read, shit moving all around the screen to distract you, ... it's unusable.
I think it's exact
Re: (Score:2)
Using Opera browser I have disabled Flash, Silverlight, Java, and Javascript. But left cookies active (to login). It makes webpages load about 400% faster and doesn't really break anything, except video sites, but that's an easy fix (just click the play button).
As for regulation of user data, and limiting its use, just make it part of the corporate license. If companies don't like it they can give up the license and be free to do whatever (of course google, facebook, and the rest won't do that).
Oh and the
Re: (Score:1)
Re:put some legal restrictions on data collection (Score:2)
To get the snark comment out of the way, it's no longer 99-0 against the Tin Foil Hats. They're starting to collect a few victories. So for the Obligatory Tin Foil Hat comment, "the powers that be have no reason to stop their delicious lunch on consumer data."
Okay, with that out of the way, my suggestion is that if you get a big enough pissed-off-big-pocket on our side, get personal data classified as Copyrighted Data. Then when these companies go to share it with their buddies, all those $375,000 copyright
Re:not willing to do the sorts of things (Score:2)
Yeah, I'm starting to enter this group. I'm midline - I run a modified variant of Firefox with AdBlock, Ghostery, Do Not Track, the Collusion plugin, and Private Browsing Mode with history set to zero. And that's about all the energy I have for this stuff.
If all that is not enough, (and it's not), that's the point of the article.
Ghostery. Right away. (Score:4, Interesting)
Installing ghostery is the first thing I do now when I install a browser. You'll find that you can't interact with a lot of sites, or write comments on them if their tracking software is off, which gives you a good list of sites to stay away from.
Re: (Score:2)
Re: (Score:1)
I use ghostery too, but keep in mind browser uniqueness. Test here: https://panopticlick.eff.org
My results:
Your browser fingerprint appears to be unique among the 2,262,812 tested so far.
So despite ghostery, ad-block plus, and custom hosts file (winhelp2002.mvps.org/hosts.htm) google, facebook, linkedin et al can all still track me between home, work and on the move once I use their services.
The only alternative I can think of is a browser appliance (virtual machine), for each major service.
Re: (Score:2)
The other alternative is a temporary instance of a VM in a cloud service. Use and toss much like a mobile phone.
Re: (Score:1)
I got:
"Within our dataset of several million visitors, only one in 5,312 browsers have the same fingerprint as yours."
I have javascript turned off, meaning it could not request most of the data it did. It's scary to me that so few people DO have javascript disabled by default. It's one of the biggest security risks AND privacy risks. Turning it off is a huge win, and something that should probably be configured that way out of the box on consumer browsers, since people don't often know enough to disable
Re: (Score:3)
The only alternative I can think of is a browser appliance (virtual machine), for each major service.
I've been thinking along those lines too. What I would like to see is an extension for firefox that spoofs and/or configures all of that stuff based on the URL in the current tab.
For example, if the URL includes facebook.com you get one profile and if you are browsing google.com you get another. The profile would include things like:
unique browser-agent
unique cookies (of all sorts)
unique bogus X-Forwarded-For http header
unique adblock exception list
unique set of accepted content-types
etc - basically every
Re: (Score:3)
Installing ghostery is the first thing I do now when I install a browser. You'll find that you can't interact with a lot of sites, or write comments on them if their tracking software is off, which gives you a good list of sites to stay away from.
I've been using ghostery for what feels like forever and I have run across less than 5 sites that would not function without turning ghostery off.
I can't say for the commenting part though because practically no website allows anonymous comments any more and I refuse to create an account just for a one-off comment and won't even go near facebook for regular use, much less as a global-login.
Re: UseNet or why Ad Peoples Suck So Very Much (Score:1)
I can't say for the commenting part though because practically no website allows anonymous comments any more
Nod nod nod. I think this was something lost when people moved off usenet and onto a million little fiefdoms. On usenet you could easily have one or multiple pseudonym identities, no one controlled the discussions, you didn't have to sign up for shit, and the reader software was much better than on any web forum I've EVER seen. I mean literally 100% of web forums I've seen in my entire life suck compared to the functionality of the better usenet clients.
I'm all for the forward march of technology, but not when it replaces good things with pure suck.
The problem is that all the advertising spam since those nutso lawyers spammed UseNet is why we have all the authenticated logins.
Half the denial of posting is to handle advertisers trying to push whatever crap they have in their bag.
The other half is wacko nutjobs yelling at people in uppercase.
Re: (Score:2)
Usenet is way better than the bad old days that followed the green card lawyers.
It has been mostly forgotten by their type, having moved on to crapping all over the web, and the single to noise ratio on usenet discussions has improved.
Re: (Score:1)
So there are more singles?
Cool.
Are they actual women or people like me who used to post as women for a joke?
Re: (Score:2)
I went searching for Ghostery to install on Opera, and ran across this. Agree or disagree?
AdBlock, NoScript & Ghostery – The Trifecta Of Evil [Opinion]
http://www.makeuseof.com/tag/adblock-noscript-ghostery-trifecta-evil-opinion/ [makeuseof.com]
"Matt has already written an extensive article on why AdBlock plugin is destroying the Internet..... So when you use NoScript, you're breaking the Internet. Not only do you drag webpages 10 years into the past, but you prevent essential modern page components fro
Re: (Score:2)
Complete misinformation by someone with a vested interest in abusing your privacy. Disregard entirely.
Ghostery's true background (Score:1)
Do Not Install The Proprietary Ghostery FF Addon!
Ghostery's true background (Score:3, Interesting)
"Seems like a lot of people are praising Ghostery, which leads me to believe that you haven't heard the backstory.
Evidon, which makes Ghostery, is an advertising company. They were originally named Better Advertising, Inc., but changed their name for obvious PR reasons. Despite the name change, let's be clear on one thing: their goal still is building better advertising, not protecting consumer privacy. Evidon
I miss the good old days... (Score:2)
Remember the good old days when we complained about those nasty banner ads that would compile lists of what sites in their network you'd visit? When privacy meant not using your real name online? Such simple and naive times...
Re: (Score:2)
Re: (Score:2)
Face it, the internet was never intended to provide privacy. Any attempt to do so is a bolt-on that will have problems.
Re:I miss the good old days... Privacy vs Net (Score:2)
Actually, the net works very well for privacy. If you have secure websites with encryption and specific usernames and logins and don't tell anyone about it, it works quite well.
The problem arises when they want to make THAT public.
It's my Internet. It wasn't made for you non-techies. You were an afterthought.
Re: (Score:2, Interesting)
When privacy meant not using your real name online?
If you go back even further, everyone was using their real names online. In the 1970's and the first part of the 80's on (then) arpanet, the standard was to use your real name, and be "fingerable" to discover even more data about you such as your phone number and such. (I know, because I remember those times). But there weren't entire organizations hell bent on logging everything you did, so in that sense, it was far more private even if your data could be discovered by anyone. It was not yet an "evil"
Re: (Score:2)
Damn September. [wikipedia.org]
The long-term problem with the clueless hordes of newbie sheep wasn't merely that they bleat incessantly, stick their clunky hooves into everything, and crap on the carpets... it's the fact that unshepherded sheep attract predators by the pack. So that's what we have now... an internet of sheep, lured and corralled by wolves with good herding skills.
Or, if you insist on your metaphors unmixed, the range was wide open before they came. And now there are barbed wire fences and loud flashy town
Re: (Score:1)
The worst offenders (Score:2)
The worst offenders are the ones that drive me to noscript and adblock plus. The more these fruitcakes at sites like Gawker Media^1 insist on throwing more crud at me, the more I will further fortify my position and flush all ads and tracking.
And now, if the world was ending, and the only way to save myself was to get a lottery ticket from Gawker Media for the next space ship leaving Earth, I wouldn't, on principle.
--
BMO
1. Gawker Media is: gawker gizmodo kotaku jezebel deadspin lifehacker jalopnik io9
Re: (Score:2)
Kinda like going outside unarmed will get you robbed and killed, unless we make that illegal and enforce the law -- which doesn't completely stop it, but kinda helps. But let's drop that rape culture "blaming the victim" shit, yeah?
Also, there's no way to not "leak", say, your IP address. So much for "you don't HAVE to accept those cookies, run those scripts, leak your user-agent, or any
Re: (Score:1)
To whom? To the site you connect to via proxy? The proxy? To your ISP?
Since packets have to reach you, *someone* has your IP address. If you run your own proxy, guess what, you're either fucked or scum that uses the computers of others without consent. If you use someone else's proxy, guess what, you're either very lucky or also fucked, because you think you have privacy but actually don't.
See how that works? When you control it, you're doing it. That prox
Re: (Score:2)
Good point about chaining, but still... that's like asking me whether I'd rather like hepatitis or AIDS!
Of course I would prefer hepatitis, but ideally, I would prefer ice cream to both. And by that I mean legislation that a.) actually addresses the issue and b.) actually gets enforced. I know that's asking a lot, it's utterly naive seeing how everybody is in bed with everybody; but the thing is, as long as a good chunk of the people who are technically literate think it doesn't affect them, because they
Re: (Score:2)
The actual problem being discussed is people who use the web being tracked. Not people who browse through a gazillion proxies being able to evade that, provided the following is true:
Not that you have any way to check, do you. What does "no known history" mean? That if they sold da
NoScript (Score:3)
Re: (Score:2)
This is because Google owns doubleclick, which happens to be one of the worst offenders, if you RTFA.
Though honestly, it's not just them. They do happen to be one of the highest tracking companies, but that's not really news in itself. The interesting part of the article are the other players.
Invading privacy through third party scripts and services seems to be the norm, I'm afraid.
What the eff .... (Score:1)
I'm convinced that tracking, data collection and data sharing, among various other obviously unethical privacy violations by hundreds or more large companies on the web is a major concern and
Re: (Score:2)
Let me try to explain:
If Microsoft implements Do-Not-Track as default in IE, then the majority of users will never notice the setting and then leave it on. This means, most ad companies will start losing revenue, and fast. This is a problem for most ad companies. So, since Do-Not-Track is just a flag that says "I don't want you to track me," it can't actually prevent companies from tracking you online (since it doesn't have any technical blocking or filtering) if they decide they want to.
If ad companies sta
HTML5 storage? (Score:3)
Just to be clear, the web can work with zero client side storage just by giving a site visitor a GUID embedded in every link - yes this requires the server to then inject the GUID dynamically into every page served, but who gives a shit when half the pages are dynamically created anyway? It wasn't easy in 1993, but today it would be trivial. Can someone please build a framework that makes this simple so we can turn off cookies and still have a "session"?
And no, this is NOT a complete solution to privacy issues by any means - just a start - get people's machines to stop betraying them.
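The link-embedded session described in the comment above, sketched as an added example that is not part of the original post: the server keeps all state and injects a per-visitor token into same-site links only. The parameter name `sid`, the hosts and the sample page are assumptions made for illustration.

```python
import re
import secrets
from html import escape, unescape
from urllib.parse import parse_qsl, urlencode, urlsplit

SESSIONS = {}      # server-side store: token -> per-visitor state
PARAM = "sid"      # hypothetical query parameter carrying the token
HREF = re.compile(r'href="([^"]*)"')

def new_session():
    """Start a session keyed by an unguessable random token."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = {"views": 0}
    return token

def tag_url(url, token, own_host):
    """Append the token to same-site links; leave every other URL untouched."""
    parts = urlsplit(url)
    if parts.scheme not in ("", "http", "https"):
        return url                      # mailto:, tel:, ...
    if parts.netloc and parts.netloc != own_host:
        return url                      # third-party link: token must not travel in it
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != PARAM]
    query.append((PARAM, token))
    return parts._replace(query=urlencode(query)).geturl()

def rewrite_links(page, token, own_host):
    """Inject the token into every href of an HTML page (attribute-escaped)."""
    fix = lambda m: 'href="%s"' % escape(tag_url(unescape(m.group(1)), token, own_host))
    return HREF.sub(fix, page)

def handle_request(url, own_host, page):
    """Resolve the session from the request URL, or start one, then serve the page."""
    token = dict(parse_qsl(urlsplit(url).query)).get(PARAM)
    if token not in SESSIONS:           # missing or unknown: never adopt a client-supplied id
        token = new_session()
    SESSIONS[token]["views"] += 1
    return token, rewrite_links(page, token, own_host)

# Constructed sample page: one same-site link, one third-party link.
PAGE = '<a href="/cart">cart</a> <a href="https://ads.example.net/x">ad</a>'
```

The token still ends up in browser history, server logs and any Referer header sent from a tagged page, so a deployment of this scheme would also want a strict `Referrer-Policy` and short session lifetimes.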
Re: (Score:2)
Use Cookie Monster, or some similar cookie disabling app. For most sites disabling cookies means disabling localStorage.
But cookies are dumb. 99% of the time I don't even want to be seeing what I store in localStorage, it's all user preference gloss, and certainly does not need to be sent between my server and your computer ten million times a day. But right now that's what we use cookies for.
Writing my own fully AJAX driven software, let me just say, adding 2kb to each and every single AJAX request is simp