Online Privacy Tools Don't Work Well, CMU Researchers Find

There's some bad news out of Carnegie Mellon University for Internet users concerned about effectively managing their online privacy. The online privacy management tools don't appear to work all that well, researchers found.

CMU researchers observed 45 participants using nine tools that supposedly limited online behavioral advertising or blocked access to online advertisements and found that protections are "fundamentally flawed." CyLab researchers released the report, "Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising," on Oct. 31.

The tools examined in the report included Web browser plug-ins such as Ghostery, tools that rely on blacklists such as PrivacyMark and the privacy features embedded in the latest Web browsers such as Mozilla Firefox and Microsoft Internet Explorer. In most cases, users were unable to configure the tools properly, thus reducing their effectiveness, researchers found.

"We found serious usability flaws in all nine tools we examined," CMU CyLab researchers wrote in the report.
The online tools were challenging to understand and configure. As a result users were "unable to make meaningful choices," researchers found.

Users struggled to install and manage blocking lists and often thought just having the tools was enough to block online behavioral advertising, not realizing they were disabled by default and had to be configured first, the report said. A participant spent 47 minutes going through all the opt-out instructions for one tool, which were available only in Japanese, said Lorrie Cranor, director of CyLab, on an American Public Media podcast.
Another tool included in the study, TACO, required a user to configure Targeted Ad Networks, Web Trackers and Cookies.

The difference between the categories were not explained, most users "tend to be unfamiliar," with how advertising companies work, researchers said. The user had to click on three separate buttons that originally didn't appear to be clickable to enable blocking, according to the report. None of the study's participants managed to block all 630 targets the tool claims to be able to block.

"You may well have thought that Facebook's privacy controls are unfathomable. These privacy tools, including the settings on common browsers Internet Explorer and Firefox, are torturous," wrote Lisa Vaas, on the Naked Security blog for Sophos.

Users liked the fact that browsers had built-in Do Not Track features, but were "wary" of whether the advertising companies would actually respect the setting, the report found. Internet Explorer 9 also provides a "privacy slider" for users to adjust the level of privacy protection, but it wasn't clear to the study participants what "low," "medium," and "high" meant in terms or what was blocked, the survey found.

Internet users are increasingly becoming concerned about online privacy in light of data breaches, aggressive data collection by Web companies and reports of the government tracking user behavior and activity online. CMU's CyLab found in a 2009 study that if given a choice, 87 percent of Americans “definitely would not” or “probably would not” allow advertisers to track them online even if the data collected was anonymized. The researchers in that study found that 64 percent of the respondents found the idea of targeted ads invasive.

Many Web companies and marketing professionals have resisted attempts by the government to regulate online tracking and proposed industry-led mechanisms. A blanket opt-out, included in various privacy and "do-not-track" bills currently making rounds in Congress, would impede innovation and the company's ability to individually tailor services for their customers, according to Steve Minichini, president of interactive at media agency TargetCast.

The industry is "policing itself," and the government shouldn’t try to dictate how to handle consumer preferences," Minichini told eWEEK earlier this year. A government-enforced legislation was “unnecessary” and would be “too restrictive,” he said.

However, CMU researchers concluded that users were getting incomplete protection, if any, against Web sites and online advertisers intent on tracking user behavior using these industry-led tools.