Carnegie Mellon Research: Internet Privacy is Hard to Find

• By Dian Schaffhauser
• 11/07/11

Users who feel inadequate to the task of protecting their privacy online aren't alone. The types of tools available for opting out of Internet tracking are hard to set up and confusing to use, according to new research from Carnegie Mellon University.

The university's CyLab Usable Privacy and Security (CUPS) Laboratory examined the efforts of 45 Internet-savvy but non-technical people using nine different tools in 90-minute lab settings. Based on what researchers saw among the users, all of the programs had serious usability flaws, said Director Lorrie Cranor. "We found that most people were confused by the instructions and had trouble installing or configuring the tools correctly. Often, the settings they chose failed to protect the privacy as much as they expected, or to do anything at all."

According to CUPS' 39-page report, "Why Johnny Can't Opt Out," the users faced a number of challenges. They tended to be unfamiliar with most advertising companies, which meant they were unable to make meaningful choices. They tussled with installation and configuration of blocking lists. They often mistakenly concluded that they were shutting out online advertising when in reality they hadn't set up the blocks properly. Also, although users liked the browser-based do-not-track features, they didn't necessarily believe that advertising companies would respect the preference.

The study grew out of a desire to understand online behavioral advertising (OBA), an expanding practice that customizes the advertising that individuals are exposed to based on what they're doing online. Since there is no federal "do-not-track" mechanism, people have been on their own to put limits on the amount of information that companies can gather about their online activities.

The researchers evaluated the privacy settings on two browsers, Mozilla Firefox 5 and Internet Explorer 9; three tools--DAA's Opt Out Page, Evidon Global Optout, and Privacy Choice PrivacyMark--that set opt-out cookies to prevent ad networks from displaying ads to users; and four programs that are supposed to block certain sites from tracking the user: Ghostery 2.5.3, Abine TACO 4.0, Adblock Plus 1.3.9, and IE9 Tracking Protection.

The 45 people whose competency in blocking ads was being put to the challenge were interviewed and assigned tools for testing based on their browser and operating system preferences.

Here's what researchers discovered:

• Users are unfamiliar with companies that track their behavior, which means that tools such as Ghostery and TACO that require them to set opt-out or blocking preferences on a per-company basis are ineffective.
• Privacy tools and opt-out sites generally don't block tracking as a default setting.
• Information provided to users is either so lacking in details as to be useless or too technical to be understood.
• Few tools provide feedback to let the user know whether the opt-out is actually working.
• Tool interfaces were hard to understand. Several users opted out of one company on the DAA Web site, for example, when they intended to opt out of all of them. Users couldn't understand Adblock Plus' filtering rules. And nobody who used IE's Tracking Protection knew that they'd also need to subscribe to a Tracking Protection List until prompted later in the process.

None of the nine tools tested sufficiently helped the study participants to control tracking and behavioral advertising according to their personal preferences, the researchers concluded.

"The status quo clearly is insufficient to empower people to protect their privacy from OBA companies," Cranor said. "A lot of effort is being put into creating these tools to help consumers, but it will all be wasted--and people will be left vulnerable--unless a greater emphasis is placed on usability."

The CyLab research was supported by grants from The Privacy Projects and the National Science Foundation.