The Drawbacks of Relying on Browser Controls for Cookie Privacy

Quite a lot of websites have opted for an ‘easy’ solution to complying with the cookie law that relies on pointing people to sites that tell them how to use their browsers to prevent ‘their’ cookies from being set.

On the surface of it this seems a good approach.  It means the site doesn’t have to provide any functionality of its own and users are given a choice – they can accept the cookies that the site uses, or they can change their browser settings.

So lets have a look at the types of controls offered by the three main browsers and look at what choices they give people.

Internet Explorer 

I am using IE9 but 7 and 8 are broadly similar. IE lets you create settings to separately allow, block or provide a prompt request for first and third party cookies.

Setting it to prompt on either type is the worst for the user, especially as the warning box that comes up tells you just that the site wants to set a cookie – with no information of its name or type.  You can allow or block it but there is nothing to enable you to make an informed  choice.

A good balanced approach is to allow first party and block third party.  However this can still mean you are denied some services you actually want, lots of websites use third parties to deliver key functionality.  It also of course blocks the advertising tracking that helps to pay for many sites – so this option still does not deliver the best for anyone – user, site owner or advertiser. However, it is a good setting for the privacy conscious.

There is also a setting in IE that enables you to delete browsing history when you close it down.  For the user this is in many ways quite powerful. It enables the best browsing experience, without interruptions, but gets rid of all those really intrusive tracking cookies.  However, unless you fiddle around with the settings in more detail, it will also wipe out all the useful saved data as well – like passwords, and of course cookies that you wouldn’t mind hanging on to.

Mozilla Firefox

Firefox doesn’t have the ‘prompt’ option that IE does but otherwise has a similar set of controls as IE, with a couple of additional refinements.

Unlike IE it enables you to selectively delete only third party cookies on closing.  In theory this should preserve the ‘good’ cookies and throw out the bad, however I have found that even with this setting, certain sites force me to login again when I would be happy not to have to do that.

Firefox has a couple of other features that IE does not.  It allows me to see a list of all the cookies by host domain – and delete them individually.  However, whilst this is quite useful for testing, it is not something I would see as particularly user friendly for every day purposes.

The other is the ‘Tell websites that I do not want to be tracked’ option – also known as Do Not Track, or DNT.

This feature looks on the surface of it pretty good – and something that is going to be introduced in IE10 when it comes out later this year, however it has one severe problem – it doesn’t actually protect you from being tracked.

What it does do is send a flag to every website, telling them your preference.  However, the vast majority of sites ignore it, as do many advertising trackers.  This is in part because there is currently no clear shared understanding about what it actually means (although an agreed standard is in development), but also because there is no requirement in any law or regulation, for websites to respect it. This too may come soon, but for now it is a bit of aplacebo – it may make you feel more like your privacy is being respected – but it mostly isn’t.

One further feature is the ‘Exceptions’ button in the privacy settings.  This enables you to list individual websites and decide to block or allow their cookies.  Again in theory this is a good idea, but in reality it is quite a painful process to set this up for each of the sites you visit, or might want to visit – plus it is not really very good for making choices as you browse – being highly interruptive of the user experience.

Google Chrome

Chrome again has similar sets of controls to Firefox, although it has no Do Not Track Option, and it doesn’t allow you to delete only third party cookies when you close it down.

What is helpful in a way the others are not, is that you access settings controls via a new browser tab, rather than a pop-up.  This enables you to keep it open all the time as you surf – and change your settings more dynamically.  With Firefox and IE – you have to shut down the pop-up each time before you continue.

Other features in Chrome are that you can choose to clear cookies and history from different time periods – like the last hour or day.  This means that if you have visited a particularly tracking heavy site recently, you can delete that data in one click whilst keeping most of the rest of the cookies that you find useful.

Like Firefox you can also access a list of individual domains and cookies on Chrome and delete them one by one.  It also shows you not just cookies but other types of local storage – include Flash objects and HTML5 local databases.

However, as with the others, you do need to be a sophisticated user to take advantage of all of these.

Conclusions:

Although these browsers (and the others not covered here) do provide user controls to increase privacy for users, to make use of them is quite interruptive of the user experience, an dindeed much more so than providing a control interface like Optanon on the site.  

The browser controls do not encourage making decisions as your browse, and they are also in many ways blunt instruments of choice.  They don’t provide enough information or flexibility for the average user to make informed decisions about how they allow data to be collected and shared, and by whom.  

So when a website is telling a user that by changing their browser settings, they can control ‘their’ (the website’s) cookies, this is by and large not true.

I am sure that this is not deliberate misinformation, more likely poor advice.  The fact remains that few people really try to use these controls to protect their privacy anyway – but this cannot be taken as a clear indication of privacy preferences.

This indeed is one reason why the ICO gave guidance that current browser controls cannot be relied upon as a mechanism for communicating consent – they are simply not good enough.

However, with many sites now more actively telling people to look at how to use their browser to control their privacy, and with privacy becoming more important to many more people, there appear to be two potential outcomes – neither or which is going to be in the long term interests of either users or website owners.

One is that people will keep surfing but use the blunt browser controls more.  This could lead to a significant reduction in the collection of valuable data as people choose the simple, strictest, privacy option – and that will hurt major site owners, advertisers, and the whole web-eco system more than it needs to.

The other is that they won’t bother changing their settings – just their behaviour.  This could mean stopping using sites they don’t trust, in favour of ones they do and which offer them better privacy choice.  Which of course would damage the business of sites that don’t offer choice and favour those that did.

Of course, they might do neither.  They might ignore the messages, ignore their privacy concerns, and just keep surfing as before.  That is what business would prefer, but hoping that your customers continue to do what you want out of apathy has long been proved to be a high risk strategy.

So What is the Alternative?

We believe that in a world where trust of business is at a low ebb, and where people are being encouraged to think more carefully about their privacy online, business will gain more than they lose by taking their own responsibility for the choices they offer consumers online.

By relying on the blunt instrument of a browser, a website owner risks being placed in a general ‘not to be trusted’ category, simply through user convenience.

By saying to people ‘we are giving you power to control your data on our site’ – you are much more likely to get yourself put into a smaller ‘happy to trust’ category – potentially resulting in major competitive differentiation and advantage.