NYT Spreads Privacy Hysteria

A brief look at recent developments in the war on third party trackers and federated services.

Last week, NYT reporter Farhad Manjoo wrote an op-ed about his experience having all of his digital activity tracked.

Manjoo, working with The Times’s Privacy Project team, installed a version of Firefox that was created by researchers at the Princeton Web Transparency & Accountability Project (but is now maintained by Mozilla).

NYT Data Tracking Visualization

In typical fashion, the op-ed illustrates the omnipresence and weaponization of third party tracking, deployed by tens of millions of websites. Only, unfortunately for Manjoo, some of its primary claims are patently false.

In an article this week, aggregator theorist Ben Thompson invalidated many claims. Manjoo had visited Ben’s site, Stratechery, and reported on the third party trackers present. Ben debunked these claims:

Consider Stratechery: the page in question, given the timeframe of Manjoo’s research and the apparent link from Techmeme, is probably The First Post-iPhone Keynote. On that page I count 31 scripts, images, fonts, and XMLHttpRequests (XHR for short, which can be used to set or update cookies) that were loaded from a 3rd-party domain. The sources are as follows (in decreasing number by 3rd-party service):

  • Stripe (11 images, 5 JavaScript files, 2 XHRs)
  • Typekit (1 image, 1 JavaScript file, 5 fonts)
  • Cloudfront (3 JavaScript files)
  • New Relic (2 JavaScript files)
  • Google (1 image, 1 JavaScript file)
  • WordPress.com (1 JavaScript file)

You may notice that, in contrast to the graphic, there is nothing from Amazon specifically. There is Cloudfront, which is a content delivery service offered by Amazon Web Services, but suggesting that Stratechery includes trackers from Amazon because I rely on AWS is ridiculous. In the case of Cloudfront, one JavaScript file is from Memberful, my subscription management service, and the other two are public JavaScript libraries used on countless sites on the Internet (jQuery and Pmrpc).
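The count quoted above groups requests by third-party service. The following added example (not code from the original post or from Stratechery) tallies requests by site and keeps tenants of a shared CDN suffix such as cloudfront.net separate, which is the attribution point made about Cloudfront. The sample URLs are constructed, and the two-label site rule is a simplifying assumption standing in for the full Public Suffix List.

```javascript
// Suffixes shared by many unrelated tenants. cloudfront.net is on the Public
// Suffix List; this one-entry set stands in for the full list (assumption).
const SHARED_SUFFIXES = new Set(["cloudfront.net"]);

// Simplified "site" of a hostname: the last two labels, or the last three
// under a shared suffix. Assumes no multi-label TLDs such as co.uk.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = SHARED_SUFFIXES.has(lastTwo) && labels.length > 2 ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Count requests per third-party site and resource type.
// Returns { site: { type: count } }; same-site requests are skipped.
function tallyThirdParty(pageUrl, requests) {
  const firstParty = siteOf(new URL(pageUrl).hostname);
  const tally = {};
  for (const { url, type } of requests) {
    const site = siteOf(new URL(url).hostname);
    if (site === firstParty) continue;
    const bucket = tally[site] || (tally[site] = {});
    bucket[type] = (bucket[type] || 0) + 1;
  }
  return tally;
}

// Sites ordered by total request count, largest first (ties by name).
function ranked(tally) {
  return Object.entries(tally)
    .map(([site, types]) => [site, Object.values(types).reduce((a, b) => a + b, 0)])
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
}

// Constructed sample requests (hypothetical paths, not a real capture).
const PAGE = "https://www.example.com/post";
const SAMPLE = [
  { url: "https://cdn.example.com/site.css", type: "stylesheet" }, // same site
  { url: "https://js.stripe.com/v3/", type: "script" },
  { url: "https://api.stripe.com/ping", type: "xhr" },
  { url: "https://js.stripe.com/logo.png", type: "image" },
  { url: "https://use.typekit.net/kit.js", type: "script" },
  { url: "https://use.typekit.net/font.woff2", type: "font" },
  { url: "https://d111111abcdef8.cloudfront.net/member.js", type: "script" },
  { url: "https://d222222abcdef8.cloudfront.net/jquery.js", type: "script" },
];

console.log(ranked(tallyThirdParty(PAGE, SAMPLE)));
```

Grouping only by the last two labels would merge both Cloudfront tenants into a single "cloudfront.net" entry, which is how a CDN customer's script ends up reported as an Amazon tracker.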

This is just the latest in a series of attacks on third party and federated services. Apple recently updated the WebKit tracking prevention policy to be more vigilant in protecting users from third parties. My favorite part of the new policy includes this statement:

There are practices on the web that we do not intend to disrupt, but which may be inadvertently affected because they rely on techniques that can also be used for tracking. We consider this to be unintended impact. These practices include:

  • Funding websites using targeted or personalized advertising (see Private Click Measurement below).
  • Measuring the effectiveness of advertising.
  • Federated login using a third-party login provider.
  • Single sign-on to multiple websites controlled by the same organization.
  • Embedded media that uses the user’s identity to respect their preferences.
  • “Like” buttons, federated comments, or other social widgets.
  • Fraud prevention.
  • Bot detection.
  • Improving the security of client authentication.
  • Analytics in the scope of a single website.
  • Audience measurement.

When faced with a tradeoff, we will typically prioritize user benefits over preserving current website practices. We believe that that is the role of a web browser, also known as the user agent.

I’m still wrapping my mind around some of these claims. Federated login and SSO (single sign-on) are bad for users? What about Apple’s new Sign In With Apple federated login product (which will be required for many mobile apps in the App Store in the near future)? Is that bad for users too? How about Apple hiring third party contractors to review Siri voice recordings?

It’s not just Apple. Google recently updated their tracking policy as well, which was promptly eviscerated by researchers from Princeton’s Center for Information Technology Policy. One of Google’s primary claims is that by blocking cookies you’re somehow enabling opaque practices, such as browser fingerprinting. I guess the official stance, then, is: give them something they can use, or else suffer the consequences. It should be noted that the Google ad network is widely used for ad retargeting campaigns.

The bottom line here really just underscores what all of the privacy wonks have been saying for a long time. We (the individuals) are on our own here:

  • We can’t rely on big tech (who want us locked into their platforms and write policies that defend their business interests)
  • We can’t rely on popular news reporting (who chase pageviews and recommend against solutions they themselves employ)
  • We can’t rely on regulation (which typically protects the entrenched and provides high barriers to challengers)