EFForg / privacybadgerfirefox-legacy

LEGACY Privacy Badger for Firefox SEE README
https://www.eff.org/privacybadger

Privacybadger contacts sites that are not currently being visited for their DNT policies #225

Closed fixbuttelecker closed 9 years ago

fixbuttelecker commented 9 years ago

Hi,

I noticed that as soon as I enable the Privacy Badger addon Firefox connects to scorecardresearch.com (with wireshark/etherape). I thought that it helps against tracking, instead it connects me with one. I disabled it now. The Chromium version doesn't do this, at least not instantly. What's the idea behind this?

Greetings, and thank you for your effort.

PiRSquared17 commented 9 years ago

That's almost certainly not coming from Privacy Badger, it's on a page you are visiting. It is possible that the heuristics do not match it (or you have not visited enough sites for the heuristic algorithm to block it). Are you sure this only happens when Privacy Badger is installed?

cooperq commented 9 years ago

Actually it is potentially coming from privacy badger. We check each blocked site to see if they have put up a DNT policy file when privacy badger starts. If the URL is scorecardresearch.com/.well-known/dnt-policy.txt then this is actually the expected behavior.

PiRSquared17 commented 9 years ago

True. I just created a pull request to fix #220, so at least no cookies will be added.

fixbuttelecker commented 9 years ago

The connection definitely comes when I start Firefox (startpage is startpage.com) with privacy badger enabled. I started Firefox in safe mode = no connection. I disabled all addons = no connection with scorecardresearch.com. After I enabled each addon one by one the connection established only with privacy badger enabled. I have no idea what you were talking about - sorry I'm just a slightly advanced dau with a bit of English skills. But as I understand, this behaviour of privacy badger shouldn't be and it's a bug?

PiRSquared17 commented 9 years ago

Whenever you start Privacy Badger, it starts a timer to check the DNT (Do Not Track) policies of all your blocked sites, every 24 hours. The full request is to host + /.well-known/dnt-policy.txt. If the privacy policy request matches this one exactly, it is determined that the site is no longer tracking the user. Perhaps there could be a feature to disable policy checking (or, preferably, delay the amount of time between checks) for specific domains.

ChrisAntaki commented 9 years ago

@PiRSquared17 This happens more than every 24 hours, it happens every time Firefox is opened.

Let's think about this. Every time Firefox is opened, Privacy Badger is initiating a connection to a long list of ad trackers & popular domains. What gets sent to each of these? The user's IP address, their user agent, and the timestamp of when they connected.

PiRSquared17 commented 9 years ago

Yes, I know it happens more than once every 24 hours. I said "it starts a timer" to do it every 24 hours, but I forgot to add that it actually checks on startup as well.

ChrisAntaki commented 9 years ago

No worries. What do you think about the sending of IP, user agent, and timestamp to each of these services?

PiRSquared17 commented 9 years ago

I think at the very least there should be an option to disable it and manually recheck. It should also be mentioned in firstRun.html (if it isn't already). Has there ever even been a tracker that added a DNT policy?

ChrisAntaki commented 9 years ago

When people download this plugin, they probably don't want it to broadcast their time of usage, IP, and user agent to a long list of websites including all the big trackers.

For instance, a user specifically blocks scorecard research. They would expect the plugin to block all communication with that tracker. Instead, the plugin proactively sends them intelligence on the user.

You ask a good question too. Not to make your question too complex, but I'd like to add another follow-up question. If a tracker did claim to abide by DNT, would there be reason to believe they earnestly weren't tracking you, either blatantly or through a loophole like lightly anonymized data?

:alien:

cooperq commented 9 years ago

The reason that privacy badger hits blocked domains is to check for the presence of the DNT policy file. I currently have it set to check when Firefox starts up so that domains will be unblocked as quickly as possible if they actually do comply with DNT. This is our way of rewarding domains for acting responsibly. However, I can understand where this would be a cause for concern for some users. I don't think that this connection really sends that much intelligence to the blocked domain, other than the IP address and the fact that someone at that IP is running Privacy Badger, but again I can see where this could be a cause for concern for some users. One potential solution here is to have privacy badger check for the DNT policy on startup and then not check again for some random amount of time between 1 and 2 weeks. Another possible solution is to have all DNT checks go through a proxy that EFF runs which would get updated at regular intervals. It's not actually clear to me which option here is the more privacy preserving one. On one hand you are potentially letting advertisers know that someone at your IP is running privacy badger. On the other hand you are potentially letting EFF know which trackers you block. What are your opinions on this? cc @pde

pde commented 9 years ago

My instinct is that it makes more sense to check at a time when you would be loading a resource from the domain, rather than at startup. Since the phenomenon of a domain that was previously blocked posting a /.well-known/dnt-policy.txt file is actually likely to be very rare, I don't think there's any latency consideration (we should think about whether we want to have the blocking WebRequest call wait for the dnt policy check or not... I think probably not...)

24 hours also seems pretty often. Randomly every 24-72 or 24-168 hours seems ok...

ChrisAntaki commented 9 years ago

Thanks for being open to feedback!

> cooperq: I don't think that this connection really sends that much intelligence to the blocked domain, other than the ip address and the fact that someone at that IP is running Privacy Badger, but again I can see where this could be a cause for concern for some users.

The requests also contain the user agent, which describes which OS you are using, its version, and Firefox's version. Additionally, the requests provide the time Firefox was opened. The time & user agent could be used together to build usage patterns per device.

> One potential solution here is to have privacy badger check for the DNT policy on startup and then not check again for some random amount of time between 1 and 2 weeks.

Would this still mean that every time Firefox was closed & opened, all the requests would be sent out? Perhaps Firefox's simple-storage API could be used to persist data & achieve the target durations?

> Another possible solution is to have all DNT checks go through a proxy that EFF runs which would get updated at regular intervals. It's not actually clear to me which option here is the more privacy preserving one.

Phoning home to EFF directly would be 100x less creepy :+1:. Having an option to never phone home would be awesome too.

> On one hand you are potentially letting advertisers know that someone at your IP is running privacy badger. On the other hand you are potentially letting EFF know which trackers you block. What are your opinions on this?

Thanks for asking. As a user, I'd like to be able to block certain trackers, and then have those decisions persist. If my decision to block a tracker was undone because of privacy claims from the tracker itself, which aren't verifiable without access to their codebase, I would feel like the plugin contradicted itself and wasn't adding security.

> pde: My instinct is that it makes more sense to check at a time when you would be loading a resource from the domain, rather than at startup.

That would be a good idea. If a user blocks a domain specifically, never checking that domain's DNT again makes sense.

fixbuttelecker commented 9 years ago

Hi,

as a future user of privacy badger I fully agree with ChrisAntaki's opinion. Thank you again for your efforts.

ChrisAntaki commented 9 years ago

I like the title of #234, it encompasses the issue

ChrisAntaki commented 9 years ago

Tracking companies are kind of like professional stalkers. They follow people around, take notes on all their interests, and then sell that to the highest bidder. This DNT feature seems like it knocks on their door, and asks "Hey! I have this note on my back that says not to stalk me, you down to respect that?".

Then, whatever their answer is, they'll still be at all the same places, taking all the same notes. We're just hoping they'll tell us they are throwing the notes away.

What if instead, the plugin walked up to EFF's door & knocked, then asked for updates on any new stalkers in town. Perhaps EFF could still tell the plugin about stalkers who claimed to respect notes on people's backs.

The plugin might ask the user if he/she would like to trust stalkers who claim to throw away notes on them.

cooperq commented 9 years ago

So for now, I have fixed this in ba17ee6835ccea56ebdd205cbe855c099d53d82e. Privacy Badger now only checks for dnt policy files at a random interval between one and two weeks instead of every time at startup. There is also an option to turn off DNT policy checking. Additionally we are discussing building a proxy hosted at EFF which will notify the user about new DNT policies and revocations of DNT policies. We will have to wait until we have the resources to do this but I think that people having the option to opt out of the DNT policy check is a good start for now. As for your analogy it's not quite correct. If someone were to post the DNT policy and not actually stick to the agreement we think that it is pretty likely that we could sue them for unfair business practices. It's not quite the same as just politely asking to not be tracked. It should have a bit more teeth than just DNT alone.
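
The scheduling described in the comment above, sketched as an added example (not Privacy Badger's code and not written by anyone in this thread): the next-check deadline is kept in persistent storage so that restarting the browser does not trigger requests, and the opt-out suppresses them entirely. The `store` object, the function names, the `https` scheme and the first-run behaviour are assumptions.

```javascript
// Added illustration, not Privacy Badger's code. All names are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;
const MIN_DELAY_MS = 7 * DAY_MS;  // one week
const MAX_DELAY_MS = 14 * DAY_MS; // two weeks

// Next check time, uniform between one and two weeks after `now`.
function nextCheckTime(now, rng = Math.random) {
  return now + MIN_DELAY_MS + Math.floor(rng() * (MAX_DELAY_MS - MIN_DELAY_MS));
}

// Called on every browser start and timer tick. `store` stands in for
// persistent add-on storage: { checkDntPolicy: boolean, nextCheck?: number }.
// Returns the policy URLs that may be fetched now (usually none).
function policyChecksDue(store, blockedHosts, now, rng = Math.random) {
  if (!store.checkDntPolicy) return [];   // user opted out: never contact
  if (store.nextCheck === undefined) {    // first run (assumption): only schedule
    store.nextCheck = nextCheckTime(now, rng);
    return [];
  }
  if (now < store.nextCheck) return [];   // restart before the deadline: silent
  store.nextCheck = nextCheckTime(now, rng); // persist new deadline before fetching
  // https is an assumption; the thread only gives host + path.
  return blockedHosts.map((h) => `https://${h}/.well-known/dnt-policy.txt`);
}

// Constructed scenario: restart the browser every `everyHours` for `days` days
// and count how many starts would have produced outbound policy requests.
function simulateStarts(days, everyHours, rng) {
  const store = { checkDntPolicy: true };
  const hosts = ["tracker.example"]; // constructed sample host
  let starts = 0, checks = 0;
  for (let t = 0; t <= days * DAY_MS; t += everyHours * 60 * 60 * 1000) {
    starts++;
    if (policyChecksDue(store, hosts, t, rng).length > 0) checks++;
  }
  return { starts, checks };
}

console.log(simulateStarts(30, 6, () => 0.5)); // fixed rng for a repeatable run
```

With the deadline persisted, the number of contacts depends on elapsed time rather than on how often the browser is opened, which is the property the thread asks for.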

ChrisAntaki commented 9 years ago

This is great, thanks! On Oct 24, 2014 11:03 PM, "Cooper Quintin" notifications@github.com wrote:

> So for now, I have fixed this in ba17ee6 https://github.com/EFForg/privacybadgerfirefox/commit/ba17ee6835ccea56ebdd205cbe855c099d53d82e. Privacy Badger now only checks for dnt policy files at a random interval between one and two weeks instead of every time at startup. There is also an option to turn off DNT policy checking. Additionally we are discussing building a proxy hosted at EFF which will notify the user about new DNT policies and revocations of DNT policies. We will have to wait until we have the resources to do this but I think that people having the option to opt out of the DNT policy check is a good start for now. As for your analogy it's not quite correct. If someone were to post the DNT policy and not actually stick to the agreement we think that it is pretty likely that we could sue them for unfair business practices. It's not quite the same as just politely asking to not be tracked. It should have a bit more teeth than just DNT alone.
