Weaving Around Web Privacy Controls

Web browser manufacturers often market their products to consumers with an emphasis on privacy, assuring users that their products can better control how personal information is used online. Carnegie Mellon privacy researcher Lorrie Cranor explains that many companies have developed quiet ways to step around some of that privacy-protecting code.

Copyright © 2012 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

IRA FLATOW, HOST:

This is SCIENCE FRIDAY. I'm Ira Flatow. This week, the White House announced a proposed policy for digital privacy, a way for people to tell companies not to track your online browsing habits and setting up what the Obama administration called a consumer privacy bill of rights.

This came just days after companies like Google were found to be sidestepping features built into Web browsers designed to help consumers protect their browsing habits. So just how private can you be? Will the new government proposal change anything? Will companies find other loopholes, ways around any kind of new regulations? Are they going to be voluntary, mandatory?

All kinds of stuff we're going to be talking about, privacy of your browsing habits on the Internet. Our number, 1-800-989-8255, 1-800-989-TALK. You can also tweet us @scifri, @-S-C-I-F-R-I.

Lorrie Cranor is director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University. She joins us from WQED in Pittsburgh. Welcome to SCIENCE FRIDAY.

DR. LORRIE CRANOR: Hi, glad to be here.

FLATOW: Thank you for joining us. First, let me get your take on the administration's proposal for this digital bill of rights. What do you think about it?

CRANOR: Well, it's really good to see such high-level attention to online privacy and to see the administration articulate some of the fundamental privacy principles that a lot of us have been talking about for a long time. As far as, you know, immediate impacts for people, I'm not sure that there's going to be, you know, an immediate change that suddenly your privacy is going to be protected. But it is a step in the right direction.

FLATOW: And it's the president asking first voluntarily for companies to come up with some sort of standard, is it not?

CRANOR: Right, the idea is to ask the industry to come together and come up with a voluntary standard that will help protect privacy.

FLATOW: Let's talk about what happens when you turn on your Web browser and you go to a site. Let's talk about some of the terminology first. There are two disclosures in the week, or so, about privacy in the browsers, both involving cookies. We've all heard of these cookies. What is a cookie? What does it do?

CRANOR: So a cookie is a little bit of text that's sent back and forth between your Web browser and a website, and it's a way that a website can keep track of whether you've been there before.

FLATOW: And what does it - what does it tell other people or other websites about you? Does it tell you your Social Security number, anything like that? What does it say?

CRANOR: Well, all it is is a way to identify people. But if I know who you are - so let's say that you are visitor number 123 at my website, then any information that I've collected about you I can put in a database. So, you know, if I am a retailer website, and you've bought something from me, then I probably know your address and your credit card number and things like that, and that's all linked to the information I have in the database.

So when the Web browser sends that cookie, then the company can just look you up, and whatever the information they have about you, they know ah, this is the right person.

FLATOW: And one of the cases involved Google getting around the privacy settings in Safari that involved the cookies, right?

CRANOR: Yes, so one special type of cookie is something called a third-party cookie. And so a normal first-party cookie is, you know, I go to a website, and that particular website exchanges a cookie with my Web browser. But a third-party cookie is when another website that I don't even realize I'm visiting puts a cookie in my Web browser.

And so that might be a company that's placing an advertisement on a Web page, for example. And so in the Safari Web browser, the default setting is that the Web browser doesn't let third-party cookies in. It just says no, you know, the user wants to only get cookies from sites they know they're visiting. These other advertising sites or whatnot, they don't get their cookies in. And Google found a way around that to let the cookies in.

FLATOW: Wow, is that something, that considered something terrible in the Internet world?

CRANOR: There are a lot of people who are pretty upset about it.

FLATOW: Yeah, and so what has Google said now? Will they change their policy?

CRANOR: Google said yeah, we didn't really understand what we were doing, and yeah, we're changing that.

FLATOW: Yada, yada, yada.

(SOUNDBITE OF LAUGHTER)

FLATOW: Is that something like if you believe that, I have a bridge for you or something?

CRANOR: Well, you know, they're a big company, so...

FLATOW: Yeah, how could they not know that this is what would be happening? The other case involved Internet Explorer. What was going on in that case?

CRANOR: Well, so Internet Explorer also has a function where it protects people's privacy by preventing third-party cookies. But Internet Explorer is actually a little bit more complicated. In that case, instead of blocking all third-party cookies, Internet Explorer actually looks at each third-party cookie and makes a judgment about whether it's a good cookie or a bad cookie, and it only blocks the bad cookies, and bad as defined by Microsoft.

And the way it decides if it's a good cookie or a bad cookie is that cookies sometimes have a special code called a P3P Compact Policy - sounds kind of complicated. And so Internet Explorer reads that code and uses it to decide if it's good or bad. And so what some companies discovered is that they can lie in that code so that their cookies won't be blocked, or, even better, they can make that code basically be a non-code.

So Google and Facebook and some other companies said in their special code: This is not a policy. And by saying this is not a policy, they were able to trick Internet Explorer into accepting their cookies.

FLATOW: Is there anything we can do, as consumers, to further protect our privacy when we're surfing on the Web?

CRANOR: Well, so you can change your browser privacy settings or use some third-party software that is going to provide additional protections if you want to be able to, you know, stay in control of this. So, you know, in the Internet Explorer Web browser, besides the default settings, they have something called tracking protection lists that you can use, or you can download some free software called Ghostery, G-H-O-S-T-E-R-Y, that you can add to your Web browser.

There's also some software from a company called Abine, A-B-I-N-E, that you can download and add to your Web browser.

FLATOW: Wow. 1-800-989-8255 is our number. You can also tweet us @scifri, @-S-C-I-F-R-I. Let's go to the phones, to Andrew(ph) in Bend, Oregon. Hi, Andrew.

ANDREW: Hi.

FLATOW: Hi there.

ANDREW: I wanted to phone in and address this issue that I believe this - the government's initiative in this area is failing to address what I call the data collectors. These are people, large, huge organizations like LexisNexis, that buy information on individuals from all over the place and scour the Internet for it but don't necessarily have anything to do with the online listing of websites and cookies.

What they do is provide the translation of your computer's IP address or your email address, however you've logged on to those sites, and provide the demographics of who you are to agencies. I know, for instance, the police, the CIA and all those other organizations, they rely on companies like LexisNexis.

And your data is collected by them and resides in their databases forever, unless America adopts a, European data privacy policies that sets deadline for how long that information can be held and your right to see it and change it.

FLATOW: Let me get - Professor Cranor, do you understand what he's talking about there?

CRANOR: Yes, I do. He raised a lot of interesting and important issues. So you mentioned that things are a bit different in Europe. You know, in the U.S., we don't have any comprehensive data privacy laws. We have some specific laws for things like health care privacy, but we don't have any over-arching laws.

In Europe, they do have some comprehensive privacy laws that put a lot more limits on what companies can do with your data. So here in the U.S., as you point out, we're focused on some very particular types of companies, and this week's announcement was aimed mainly at some of the online companies, especially online advertising companies and their sort of data collection.

But there are these other companies that do collect large amounts of data on people that kind of aren't really the main companies that we're talking about here, and there may not actually be any laws in the United States that specifically address the types of data collection that they're doing.

FLATOW: So is this like a straw horse then, just let's throw this up, that, you know, it's a minor problem but ignore what the real big problem is?

CRANOR: There are certainly some people who think that, and they feel that until we get some sort of comprehensive privacy legislation that will apply across all sectors that it's going to be the case that we're still going to have these privacy violations that aren't really covered.

FLATOW: Thank you, Andrew.

ANDREW: Thank you.

FLATOW: 1-800-989-8255 is our number, lots of people, as you can imagine, are interested. Tony(ph) in Honolulu, hi, Tony.

TONY: Oh hi, good afternoon, is it?

FLATOW: Yeah, sure.

TONY: Yeah, quick question, quick question. These companies, many of these companies are large, multinational corporations. So they're precluded or prevented from gathering this data in America. But what would prevent Google from just using a subsidiary or some other part of Google in another country from getting the same data?

FLATOW: All right. Let's ask Professor Cranor.

CRANOR: Yes. So that's a good question. So the - many of these companies do do business in multiple countries. It turns out that in some of the other countries they do business in, like in Europe, they actually have more protective privacy laws. So the Europeans are asking the same question, only what they're saying is, well, you know, we have some protections here. But what about when they collect data in the United States, where they don't have those sorts of protections?

But there are also plenty of countries that have, you know, almost no protections. And so in this international domain that the Internet is, it gets very, very interesting as far as what happens when a company collects data in one country and uses it in another country. And some of the European privacy laws actually specifically address some of this issue of what happens when you take data across national borders.

FLATOW: 1-800-989-8255. Andrea in Morehead, North Carolina. Hi. Welcome to SCIENCE FRIDAY.

ANDREA: Hi. Thank you. I just looking at the Internet as a big junk mailbox, OK? In the traditional sense, you know, we get junk mail in our mailboxes and, of course, the postal service is now paying for that. But when they - they're companies. They exist to make money. So the information is not free. And I want to share a positive note. I have the Ocean Conservancy calendar in front of me. I have the National Wildlife Federation information, the Nature Conservancy, the Arbor Day Foundation, the National Gardening Club, these are things I do, not on the Internet, but in - by ordering, you know, subscriptions once a year and then, of course, I get on their mailing list.

And it works the same way with the Internet. So, to me, I'm not quite sure all the drama around the privacy issue is really justified so much, because when you give them their - your information and you're buying something, you're paying for it, and they provide you a service. And, yes, and then they share that information with your consent, now, to someone else. And so I don't know. I think the Internet is the same thing. Ninety percent of it is basically advertising. And so 10 percent when you're looking for something on Google or another search engine, you're trying to find something specific, but the price for that is that you've got to go through and wade through the advertising...

FLATOW: So...

ANDREA: ...and that's just the nature of Internet.

FLATOW: So, Andrea, that's what you're saying that if they're going to be a player on the Internet, that's - this is the cost of playing on the Internet...

ANDREA: Yeah, yeah. Same thing.

FLATOW: Yeah.

ANDREA: I don't see any - I don't know if it's right or not. It's just a - it's a thought I had about it. I don't know.

FLATOW: Well, thanks for sharing that thought with us.

ANDREA: Thank you.

FLATOW: I'm Ira Flatow. This is SCIENCE FRIDAY from NPR. Talking about Internet privacy with Dr. Lorrie Cranor, who is director of the CyLab Usable Privacy and Security Lab at Carnegie Mellon. What do you do in that lab over there? It's got a big name to it.

CRANOR: It does. It does. Well, we do research looking at the types of attitudes people have about online privacy. We look at the usability of privacy tools. We also look at security and usability. So right now, we have a big research experiment going on about how to make passwords easier to use.

FLATOW: Oh, tell us about that. How - yeah. How do you make passwords?

(SOUNDBITE OF LAUGHTER)

FLATOW: You know, because we think - we have all these different passwords we have to have. What's - give us a secret there.

(SOUNDBITE OF LAUGHTER)

CRANOR: Well, one of the things we found is that you can have a really strong password if it has a lot of characters in it, a really long password. And it's a lot easier for us to remember long passwords than it is to remember passwords that have lots of funny symbols and numbers in them. And so - and you might try to think of a phrase that you can remember and use that as part of your password.

FLATOW: And how long should that phrase be?

CRANOR: Well, it really depends on the type of system you're using and how many characters they allow you to have...

FLATOW: Right.

CRANOR: ...but, you know, if you have something that's, you know, like 14 characters long, that's going to be pretty good.

FLATOW: So if you use like encyclopedia or something multi-syllable, even though...

CRANOR: Well, you don't...

FLATOW: ...you don't want to use a regular word there.

CRANOR: You don't want to use just one word. But you could use a string of words together, rather than just one word. Or you could think of a phrase and use maybe the first letter of each word in the phrase - or something like that.

FLATOW: My dog has fleas.

CRANOR: Well, you shouldn't do a really common phrase, though. You know, it should be a phrase that is meaningful to you but maybe isn't sort of the thing other people would guess.

FLATOW: But a phrase makes it easy to remember and you don't have to put those special characters in it. That's something I hadn't heard of before. But that's nice to hear.

CRANOR: Yeah. Yeah. So as long as the place you're creating your password for allows it. I mean, some of them force you to put special characters. But if you're not forced to do it, this can be an easier way to remember a password.

FLATOW: And where should you store your passwords, now that you have all these?

(SOUNDBITE OF LAUGHTER)

CRANOR: Right. Somewhere safe. So, yeah, I mean, it depends, but, you know, putting it in your wallet with your credit card might be a safe place if you keep your wallet secure, for example.

FLATOW: How about these software programs that store them for you, you know, in one central databank? Are those good?

CRANOR: Yeah.

FLATOW: But you have to remember that password, the master password.

CRANOR: Right. If you can remember that one master password, that can be a good solution that a lot of people use.

FLATOW: Should people have any expectation - the caller talked about this. Is this the price we do pay for the Internet - the expectation that you're not going to have any privacy online anymore?

CRANOR: Well, I think that's a pretty controversial idea. I certainly have heard people articulate that idea before. And people say that, you know, something has got to pay for all these great services we have on the Internet, and it's your data is how you're paying. But I think there are a lot of people who disagree with that and say that, you know, people should have a choice of whether or not to reveal their data and to be tracked. And it's not just that I'm seeing an ad. You know, you turn on the TV, and you see an ad.

But it's that they're collecting data about me in addition to showing me an ad. And that's what a lot of people find unacceptable. And so, you know, it should be the consumer's choice. And that if there are some services that really require money in order to, you know, make them work, perhaps they can give you a choice that you can use the service for free and provide data, or maybe you pay a small fee to use the service.

FLATOW: If we - could we adopt the European standards and feel more secure about our privacy?

CRANOR: Well, it would certainly be possible for the U.S. to adopt something similar to the European approach. I don't think, right now, there is kind of the will to do that. I think that's been a fairly unpopular idea among regulators and legislators in the U.S. But it would be possible. Now, people say that the European notion is not necessarily a panacea either, because they've had a number of problems in actually enforcing their laws.

FLATOW: Yeah.

CRANOR: But it is an approach to look at.

FLATOW: All right. Thank you very much, Dr. Cranor. Lorrie Cranor, director of the CyLab Usable Privacy and Security Lab at Carnegie Mellon University. We're going to take a break and come back and talk about the moon. Yeah. Some interesting stuff discovered about it. Stay with us. We'll be right back.


NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.
