GPC / Global Privacy Control

Do Not Track

It’s quite amazing to think that DNT or Do Not Track was first proposed back in 2009 – 13 years ago. This was a first-stab method at the issue of website privacy and the horrendous marketing machine that is the internet.

DNT was designed to allow users to opt-out of website tracking, which includes the collection of data regarding a user’s activity across multiple distinct contexts, and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. Think same-origin and/or cross-origin tracking, along with which comes cross-site scripting, the bane of security folk.

Thankfully browsers (Mozilla Firefox was there first) have mostly (Google Chrome is the laggard here – more on this later) been active in putting mechanisms, like DNT, in place to stop or at least limit tracking.

But DNT was not universally supported, due to lack of legal enforcement, and it was dropped in 2018 by the W3C (web standards body) – lack of legal mandates to enforce DNT resulted in insufficient deployment and support. Interestingly enough, all major browsers supported DNT at one point so the lack of support is indicative of how difficult it is to pass web standards.

Browser vendors meanwhile have forged ahead with their own solutions to try to stop tracking. Firefox for example has Enhanced Tracking Protection with the following features:

  • block cookies
  • block trackers
  • block cryptominers
  • block fingerprinters

In addition, and while other browser vendors have dropped it, Firefox still supports DNT.

Tracking refresher

What is tracking all about?

In layman’s terms, websites and web applications want to reap information about their visitors so that they can make use of that information for marketing (and sometimes more nefarious) purposes. Cookies were the original mechanism through which this was done – on visiting a site, the site would deposit a tracking cookie on the visitor’s machine through the browser, allowing the site to track activity such as browsing history, geographic location, purchase trends and more. Basically tracking everything you did on a site.

Per internethealthreport.org:

That’s only a few websites, but every time you’re online, you leave behind traces of your activity. Behind the scenes, a host of “third-party” companies – entities that are separate from the sites you visited – can track your activity and collect your data as you move through the Web. Later in the day you begin seeing recommended tweets about that movie, Web ads for those shoes and suggestions for coffees to try. It’s no coincidence, it’s data tracking at work. And it’s working on tracking your browser, apps and emails.

Have a voice assistant at home à la Google Home or Amazon Alexa? Ever noticed seeing ads in your online browsing that relate to discussions you happen to have had in the area of your home assistant but didn’t ask it directly? The age of true tracking has been here for some time already …

You may have noticed a trend over the last few years where on visiting a website, you are asked to accept cookies, or are advised at minimum that cookies are in use and could be tracking you. This action is a result mainly of GDPR, a privacy framework enacted in the EU, which specified that website visitors needed to be advised that they were being tracked. I’ll mention here as well that these notices are, in themselves, quite privacy impacting – the irony.

Hold this thought.

Fingerprinters

There has been a recent and consistent uproar regarding the invasiveness of trackers, and legal actions, along with browser privacy functions and ad-blockers (like uBlock Origin), have resulted in a severe backlash against cookies.

Marketers are not a species that is easily swayed. So they had a good think and came up with fingerprinters. Mozilla has the following to say on the topic:

Fingerprinting is a type of online tracking that’s more invasive than ordinary cookie-based tracking. A digital fingerprint is created when a company makes a unique profile of you based on your computer hardware, software, add-ons, and even preferences. Your settings like the screen you use, the fonts installed on your computer, and even your choice of a web browser can all be used to create a fingerprint.

So now we have tracking cookies on steroids. But once again, browser vendors have responded by adding the ability to block fingerprinters. It’s a never-ending cycle of marketers coming up with new tracking methods and browser vendors coming up with blocks.

Tracking Beacons

Besides fingerprinters, tracking beacons are another very invasive method of tracking website visitors.

Tracking beacons are small, transparent “images”, often 1 pixel by 1 pixel, that load on web pages (or within emails) for tracking and reporting purposes. Websites use beacons to get information about how many times visitors load certain pages. Advertisers also use these tracking beacons to determine how many impressions their ads get.

Most web beacons do not have malicious intentions. However, some are used in negative ways. For example, spammers may send emails containing beacons to thousands of email addresses, and then when the email is opened and loaded, it also loads the beacon. This lets the spammer know that the email address is active and that the user is likely to open more spam email.
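A check a mail filter or client could run to spot the 1-pixel beacons described above before any remote image is loaded. This is an added example, not code from the original article; the sample message, its hostnames and the function names are constructed for illustration.

```javascript
// Constructed sample: one visible banner, two remote beacons, one embedded image.
const SAMPLE_EMAIL = `
<p>Spring sale starts today!</p>
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="https://t.mailer.example/open?id=abc123" width="1" height="1">
<img src="https://t.mailer.example/o.gif" style="width:1px; height:1px; opacity:0">
<img src="cid:logo" width="1" height="1">
`;

// Read a dimension from an attribute (width="1") or an inline style (width:1px).
function dimension(tag, name) {
  const attr = new RegExp(`\\s${name}\\s*=\\s*["']?(\\d+)`, "i").exec(tag);
  if (attr) return Number(attr[1]);
  const css = new RegExp(`[;"'\\s]${name}\\s*:\\s*(\\d+)px`, "i").exec(tag);
  return css ? Number(css[1]) : null;
}

// Return the URLs of remote images that render at 1x1 pixel or smaller.
function findBeacons(html) {
  const hits = [];
  for (const [tag] of html.matchAll(/<img\b[^>]*>/gi)) {
    const src = /\ssrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    // Only remote images report back to a server when loaded;
    // cid: and data: images travel inside the message itself.
    if (!src || !/^https?:\/\//i.test(src[1])) continue;
    const w = dimension(tag, "width");
    const h = dimension(tag, "height");
    if (w !== null && h !== null && w <= 1 && h <= 1) hits.push(src[1]);
  }
  return hits;
}

console.log(findBeacons(SAMPLE_EMAIL));
```

Size is only a heuristic: a beacon can also be a normal-sized image with a per-recipient URL, which is why many mail clients block all remote images by default.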

FLoC

  • Google currently has 64% of the worldwide browser market
  • Google is the largest online advertising enabler on the internet
  • Google Chrome lags its browser rivals significantly when it comes to website privacy

Behind the slick marketing and feature updates, the reality is that Chrome is in a poor state when it comes to privacy and security. It’s lagging its competitors in protecting users from tracking and data harvesting, its plan to ditch bad third-party cookies has been postponed, and the replacement technology it said would prevent users being profiled and tracked turns out to be even worse than tracking cookies. What is this new technology?

Federated Learning of Cohorts, or FLoC for short.

FLoC is Google’s mechanism to deploy anonymised tracking across the internet, shoehorned into Chrome under the name Privacy Sandbox. Rather than target you as an individual, FLoC assigns you to a cohort of people with similar interests and behaviors, defined by the websites you all visit. Sounds good right?

The privacy lobby called out the risks that data brokers would simply add cohort IDs to other data collected on users—IP addresses or browser identities or any first-party web identifiers, giving them even more knowledge on individuals. There was also the risk that cohort IDs might betray sensitive information—politics, sexuality, health, finances, …

And cohort sample sizes are surprisingly small enough that there is still the possibility of identifying individuals.

Google admitted, after another uproar, that “today’s fingerprinting surface, even without FLoC, is easily enough to uniquely identify users,” and that “FLoC adds new fingerprinting surfaces.” Let’s translate that—just as the privacy lobby had warned, FLoC made things worse, not better.

Google ended the FLoC trial last year … and is continuing with cookies as a stop-gap solution until it can come up with something else (probably equally hare-brained).

It’s ironic that the largest advertising company on the internet agrees there are issues with privacy tracking but can’t do too much about it for fear of cannibalizing its advertising base and revenue.

And finally: GPC

GPC or Global Privacy Control is described as:

a signal, transmitted over HTTP and through the DOM, that conveys a person’s request to websites and services to not sell or share their personal information with third parties. This standard is intended to work with existing and upcoming legal frameworks that render such requests enforceable.

That last bit about legally enforceable is the important bit. Being legally enforceable means that GPC HAS to be used.

Currently you have to opt-out of tracking on a per-site basis which is obviously onerous and problematic:

Several legal frameworks exist — and more are on the way — within which people have the right to request that their privacy be protected, including requests that their data not be sold or shared beyond the business with which they intend to interact. Requiring that people manually express their rights for each and every site they visit is, however, impractical.

So GPC offers a method to do this globally as a one-shot setting:

Given the ease and frequency by which personal information is collected and sold when a consumer visits a website, consumers should have a similarly easy ability to opt-out globally. This regulation offers consumers a global choice to opt-out of the sale of personal information, as opposed to going website by website to make individual requests with each business each time they use a new browser or a new device.

The specification defines and standardizes a new HTTP header “Sec-GPC” which, when affirmatively set, has the value of “1” meaning “true”.
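How a site might act on that header on the server side, covering the HTTP half of the signal only. This is an added example, not code from the GPC specification or the original article; the tag names and the `sharesData` flag are constructed, and honoring the opt-out when any repeated header value is "1" is a design choice made here.

```javascript
// Constructed list of things a page would normally load.
const PAGE_TAGS = [
  { name: "session-cookie", sharesData: false },
  { name: "first-party-metrics", sharesData: false },
  { name: "ad-exchange-pixel", sharesData: true },
  { name: "data-broker-sync", sharesData: true },
];

// True only when the request carries Sec-GPC with the exact value "1".
// Header names are case-insensitive; a repeated header may arrive as an
// array or as one comma-joined string, so both shapes are handled.
function hasGpcSignal(headers) {
  return Object.entries(headers).some(([name, value]) =>
    name.toLowerCase() === "sec-gpc" &&
    [].concat(value)
      .flatMap((v) => String(v).split(","))
      .some((v) => v.trim() === "1"));
}

// Decide what to serve: drop every tag that sells or shares visitor data
// when the opt-out is present, and keep the rest.
function buildResponsePlan(requestHeaders, tags = PAGE_TAGS) {
  const optedOut = hasGpcSignal(requestHeaders);
  return {
    optedOut,
    tags: tags.filter((t) => !(optedOut && t.sharesData)).map((t) => t.name),
    // The response now depends on Sec-GPC, so shared caches must key on it;
    // otherwise a cached copy with trackers could reach an opted-out visitor.
    headers: { Vary: "Sec-GPC" },
  };
}

console.log(buildResponsePlan({ "sec-gpc": "1" }));
console.log(buildResponsePlan({ dnt: "1" })); // DNT alone is not a GPC signal
```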

So how does this become legally enforceable? Per wikipedia:

GPC is a valid Do Not Sell My Personal Information signal according to the California Consumer Privacy Act (CCPA), which stipulates that websites are legally required to respect a signal sent by users who want to opt-out of having their personal data sold. In July 2021, the California Attorney General clarified through an FAQ that under law, the Global Privacy Control signal must be honored.

California has been a future-looking proponent of many technologies over the years, e.g. clean energy and default password controls, resulting in legally-binding frameworks to manage these technologies. And where California innovates, many follow. So you can expect that GPC will become more pervasive and enforced elsewhere. GDPR by the way supports similar action … So between the US and EU, this is likely to become a universal feature.

Steven Gibson of GRC/SpinRite fame indicated:

And as individuals we won’t need to enforce that right since once California’s “right to cure” provision sunsets at the end of this year, it seems clear that the biggest violators of consumer’s asserted legal rights to privacy will be taken to task by California’s Attorney General who has clearly stated their intention to do exactly that.

Nice to see governments (even local ones) putting teeth to laws.

Browser support? Once again we see Chrome on the sideline, being a major browser not supporting or transmitting the GPC signal (no surprise here). But there are add-ons you can use for Chrome – give OptMeowt (nice pun) a go. Being Chrome-based, you can use it on any Chrome-related browser like Brave or Edge.

Firefox has GPC built in already so you just need to activate it – details here.

Philosophy of website tracking

There are probably many out there who have no interest in this topic, yet it is something that affects every internet user, some to lesser and others to greater degrees.

If every website you visit is tracking you, it creates a culture that accepts tracking and by growing indifferent to sharing our information with third-parties, we risk losing control of our private data completely.

Too much tracking shifts power away from consumers and towards advertisers who wish to influence customer purchasing behavior.

Per OpenTracker.net:

It is important to keep in mind the possibility that once a person has entered their email at any point into a site, their email address can be stored with their clickstream in a process called tagging. This means that a connection can be made between, for example, login info, and clickstreams. This possibility will lead to a direct connection between surfing habits and personal contact information. That means that Amazon.com, for example, have the potential to keep a record of every page a visitor has looking into their site, and combine this information with purchase history, and billing details.

What happens in the scenarios presented by privacy advocates is that ‘personally identifiable information’ is collected so that ‘online contact information’ (email address) may or may not be merged with ‘physical contact information’ (billing address). This is called ‘merging clickstream data with personally identifiable information’. This is an understandably worrying scenario presented by privacy advocates, in which a person might receive a catalogue in the mail advertising similar products to those viewed online. In this sense, it seems to be sexual products and information related to adult-content websites that calls for safeguards to individual privacy. 

In addition, there are clear security implications with tracking, and not only with websites – applications and email can be affected too.

Conclusion

While there are benefits to website tracking, for the most part it is implemented in a bad way. We have to allow some kind of tracking to enable advertising, the result of which ‘subsidises’ an economic component of the internet. The problem is that there is no easy solution to the privacy and security issues related to online tracking.

DNT was a half-hearted stab without significant teeth. With the onset of legally-enforceable privacy frameworks around the world, GPC has an opportunity to be (more) successful and improve online privacy for internet users – time will tell. Its impact on internet advertising is another matter.