more on <a ping> tracking what links you click on

[David Farber <dave () farber net>]

Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: January 18, 2006 1:11:23 PM EST
To: dave () farber net
Cc: lauren () vortex com
Subject: Re: [IP] <a ping> tracking what links you click on

Dave,

I just posted the following comment regarding this situation
on the related discussion board:

  - - -

Gang,

From a privacy policy standpoint, there is a world of difference
between exploiting "tricks" for user tracking vs. building them into
browsers as standard features.  In the current privacy-invasive
environment, while we have to deal with the former case by case,
there is really no excuse for the latter.

Given that most users stick with defaults, any policy other than
disabling such a new "ping" feature by default would be unacceptable
from a privacy standpoint.  Efficiency and "golly, there are other
ways to track people anyway" arguments are utterly specious.

As it stands now, turning off javascript and carefully noting URLs
(I usually notice oddball redirect URLs when present) are indeed of
some value in controlling certain classes of tracking abuses.  We do
not need an even more invisible mechanism built into what has been
(up to now) an excellent browser.

Limiting the "pings" to the same server does not solve the problem
-- abuses of this feature are just as possible (even more likely,
actually) using the same server.

That the development team would even consider enabling such a
feature by default suggests a tin ear when it comes to privacy
issues that will be worthy of considerable ongoing concern (an
earlier example is the page prefetch feature enabled by default
which also carries significant privacy risks).  A clue to fuzzy
thinking in these regards is talk of setting the default differently
in Firefox vs. Thunderbird -- creating a privacy policy variation
with no obvious rationale.

I urge the parties involved to reconsider their support of this "URL
ping" feature as described, a feature that I can guarantee will
bring Firefox under intense public criticism.

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC
   - International Open Internet Coalition - http://www.ioic.net
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

 - - -

> Begin forwarded message:
>
> From: Don Drake <don () drakeconsult com>
> Date: January 18, 2006 10:49:07 AM EST
> To: dave () farber net
> Subject: <a ping> tracking what links you click on
>
> Dave,
>
>
>
> I found this via Slashdot, a new attribute to anchor tags that is
> being implemented in the next version of Firefox (1.6a) that makes it
> easier than ever to track what links you’re clicking.
>
>
>
> -Don
>
>
>
> http://weblogs.mozillazine.org/darin/archives/009594.html
>
>
>
> I've been meaning to blog about a new web platform feature that we've
> added to trunk builds of Firefox. It is now possible to define a ping
> attribute on anchor and area tags. When a user follows a link via one
> of these tags, the browser will send notification pings to the
> specified URLs after following the link.
>
>
>
> I'm sure this may raise some eye-brows among privacy conscious folks,
> but please know that this change is being considered with the utmost
> regard for user privacy. The point of this feature is to enable link
> tracking mechanisms commonly employed on the web to get out of the
> critical path and thereby reduce the time required for users to see
> the page they clicked on. Many websites will employ redirects to have
> all link clicks on their site first go back to them so they can know
> what you are doing and then redirect your browser to the site you
> thought you were going to. The net result is that you end up waiting
> for the redirect to occur before your browser even begins to load the
> site that you want to go to. This can have a significant impact on
> page load performance.
>
>
>
> Websites even employ "onmousedown" event handlers that change the
> href attribute at the very last second before a click occurs. This
> makes it so that hovering over the link displays the location that
> you want to go to, but it still ends up taking you someplace else.
>
>
>
> This change is being considered in large part because some very
> popular websites have asked for a solution to this problem. The
> feature itself was designed and specified by the WhatWG.
>
>
>
> Donald Drake
>
> President
>
> Drake Consulting
>
> http://www.drakeconsult.com/
>
> 312-560-1574
>
>
>
>
>
> -------------------------------------
> You are subscribed as lauren () pfir org
> To manage your subscription, go to
>   http://v2.listbox.com/member/?listname=ip
>
> Archives at: http://www.interesting-people.org/archives/interesting- 
> people/



-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/