Interhack Corporation just released two privacy advisories that show that even systems that claim to respect the privacy of those who would rather not be tracked are subject to failure. Perhaps from these we can draw the conclusion that the only really workable solution for respecting the privacy of the Internet population is "opt in".

Opting In, By Accident
http://www.interhack.net/pubs/netscape-doubleclick/

Netscape Communicator can inadvertently ``OPT IN'' to tracking sites after an explicit ``OPT OUT'' has taken place.

(This happens because when the user selects `Do not send or receive cookies', the cookies database is deleted, including any opt out cookies from banner advertisers like DoubleClick or AdKnowledge. If the user ever reenables cookies, without his knowledge, he's been opted back into the system.)

DoubleClick Opt Out Protocol Failure == Opt In
http://www.interhack.net/pubs/dc-proto-fail/

The DoubleClick implementation of an opt out mechanism is flawed. This defect could result in resumption of tracking a consumer's movements on the web.

(This is because DoubleClick's banner ad servers do not properly implement HTTP as described in RFC 2616. Specifically, DoubleClick requires that the Cookies header be mixed-case, with the first character capitalized. This makes it possible for any one of several conditions to result in a user who opted out of banner advertisers' tracking systems to be opted back in without his knowledge.)

We have a demonstration program (in Java, distributed as a class file and Java source in a JAR) for the DoubleClick protocol failure called CookiePokey available from http://www.interhack.net/projects/privacy/.

-- 
Matt Curtin [EMAIL PROTECTED] http://www.interhack.net/people/cmcurtin/
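
The header-name case sensitivity described in the second advisory, as an added Python example (not Interhack's CookiePokey and not DoubleClick's code). The opt-out cookie id=OPT_OUT, the host ad.example and every function name are assumptions constructed for illustration; the exact-match lookup models the behaviour the advisory describes, next to the case-insensitive lookup RFC 2616 requires.

```python
# Added illustration; not Interhack's CookiePokey and not DoubleClick's code.
OPT_OUT = ("id", "OPT_OUT")  # constructed sample opt-out cookie (assumption)


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from a raw HTTP request, names kept as sent."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def _cookies(values) -> dict[str, str]:
    """Merge 'k=v; k2=v2' cookie header values into one dict."""
    jar = {}
    for value in values:
        for part in value.split(";"):
            key, sep, val = part.strip().partition("=")
            if sep:
                jar[key] = val
    return jar


def cookies_exact(headers) -> dict[str, str]:
    """Flawed lookup: only a header spelled exactly 'Cookie' is recognized."""
    return _cookies(v for n, v in headers if n == "Cookie")


def cookies_rfc2616(headers) -> dict[str, str]:
    """Correct lookup: field names are case-insensitive (RFC 2616, 4.2)."""
    return _cookies(v for n, v in headers if n.lower() == "cookie")


def is_opted_out(jar: dict[str, str]) -> bool:
    return jar.get(OPT_OUT[0]) == OPT_OUT[1]


def make_request(header_name: str) -> str:
    """Constructed request; ad.example is a placeholder host."""
    return (f"GET /ad/banner HTTP/1.0\r\nHost: ad.example\r\n"
            f"{header_name}: id=OPT_OUT\r\n\r\n")


if __name__ == "__main__":
    for name in ("Cookie", "cookie", "COOKIE"):
        hdrs = parse_headers(make_request(name))
        print(f"{name:7} exact={is_opted_out(cookies_exact(hdrs))} "
              f"rfc2616={is_opted_out(cookies_rfc2616(hdrs))}")
```

A server using the exact-match lookup treats a client or proxy that sends the header as "cookie:" or "COOKIE:" as having no opt-out cookie at all, which is the failure mode the advisory reports.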
