Fighting online tracking with obfuscation
Imagine you are browsing your Facebook feed one Saturday morning when you notice an ad for a shoe brand. You think nothing of it, until later that day you happen to walk past a shop selling the very same shoes. You end up buying a pair.
Last month, Google announced it will be registering the success of online advertising in getting you into the store for the sale. The tech giant will now track when users spend money in bricks and mortar shops. More specifically, Google will let advertisers know when their online ads influence offline purchases, by linking online ad clicks with credit card data.
Google claims to have access to 70 per cent of United States credit and debit card data thanks to third-party data-sharing agreements, though the company also says it won’t use the data to personally identify shoppers. A spokeswoman for Google Australia said the tracking is currently only available in the US, and would not be drawn on an Australian timeline.
It’s a huge coup for advertisers, and a possibly scary revelation for those who still view their online and offline lives as separate.
In justifying its ramped-up Orwellian use of CCTV surveillance, the British government employed the tagline: “If you’ve got nothing to hide, you’ve got nothing to fear.” When it comes to privacy, the “nothing to hide” argument is often embraced by those who believe the intrusions into their lives such as data retention don’t outweigh the convenience or safety offered in exchange.
In reality, most of us don’t push back against online tracking because we don’t feel we can – the inner workings of the internet appear overwhelming. Such people may be encouraged to hear the leader of a small but significant movement against Google’s tracking techniques is not a software engineer but a philosopher and academic.
On the phone from New York, Helen Nissenbaum describes the growing movement of “obfuscation”, explaining the seemingly insurmountable fight against Google in terms of another famous big-versus-little story.
“There are things David can do that Goliath can’t,” she says, describing obfuscation as “a tool that favours the weak”.
Nissenbaum, a professor at Cornell Tech and currently on leave from New York University, specialises in the societal, ethical and political dimensions of technology, and is the co-author of Obfuscation: A User’s Guide for Privacy and Protest and the co-creator of two tools that fight increasing online surveillance.
The first thing you need to know about obfuscation is it does not prevent tracking – to “obfuscate” is to make something unclear or unintelligible. To understand its power, you need to understand how Google has used the information you share to become the biggest advertising powerhouse the world has seen.
When you search for something on Google, or click on a Google advert on the side of a web page, you are tracked by your device’s unique identification, its IP address. If you are signed in to any of Google’s login accounts (Gmail, YouTube, Google+), you are identified by those, too. Over time, Google collects a compendium of your habits and preferences, as well as information about your age, income and location. This compendium is advertising dynamite for brands, allowing them to target ads with surprising accuracy.
The first of Nissenbaum’s tools, TrackMeNot, works by constantly performing random Google searches in the background of your browser. With it installed, you can hover your mouse over the icon in the corner of your browser and see it quietly searching terms such as “Sandra Bullock”, “Twitter direct messages” and “iPad cases” while you perform your own browsing undisturbed. Theoretically, TrackMeNot hides your real interests in a noisy crowd.
The second tool, AdNauseam, obfuscates Google’s tracking by automatically clicking on every ad on every web page you visit and collecting them in a “vault”. Your vault stores the huge collection of ads Google thinks you have clicked, as well as the estimated cost to the brands, who often pay per click.
Ironically, it had been difficult for Nissenbaum to track the success of TrackMeNot and AdNauseam until January, when Google banned AdNauseam from the Google Chrome store, making it considerably more difficult to install.
“That was their first aggressive move,” Nissenbaum says of the ban. “But it’s good because it indicates that obfuscation is a challenge for them.”
When pressed, Google tried some of its own obfuscation, claiming AdNauseam was banned because it failed to display a “singular purpose clear to users”. More recently, a Google representative admitted to Nissenbaum – in an email provided to The Saturday Paper – that AdNauseam was actually removed because of its potential to “harm third-party systems such as advertising networks”. Google Australia refused to comment on AdNauseam.
It’s not surprising Nissenbaum is heartened by the ban – it’s the best evidence thus far that they’re doing something right.
“The idea is to look at these huge systems and find the weak spots,” she says.
“The weak spot here is that Google depends on people to respond truthfully in regards to their interests. Do you honestly think we owe that to the advertising industry? No.”
In her research, Nissenbaum argues we aren’t so concerned with black-and-white approaches to privacy as we are with context. When we walk into a bookshop, we don’t reasonably expect our purchase to be recorded alongside a host of other personal data, and onsold to the highest bidder. Google’s advantage is that online we have less clear expectations – but the growing number of obfuscation tools is evidence of a breach.
Ankit, 27, is a Melbourne software developer who uses a number of programs – Privacy Badger, Decentraleyes – as well as writing his own code to protect his privacy online.
“It’s not the same as ad blocking,” he says. “I’m just trying to prevent systems from using sneaky tactics to get more information than they’re letting me know.”
Adam, a 29-year-old from Sydney who works in television, says he uses a number of obfuscators because he knows targeted advertising works.
“I don’t want to be manipulated into buying things I don’t need, and I assume the government wouldn’t be able to catch unethical or illegal behaviour even if they wanted to,” he says.
Nissenbaum knows competing with Google for online privacy is virtually impossible. Her aim is to spill water on the floor until they’re forced to clean up the entire house.
The Australian Privacy Foundation’s David Vaile says the Australian government, in its lack of action, has been complicit in Google’s “incrementalist” attack on privacy.
“It’s undemocratic, it’s manipulative, but it works,” says Vaile. “They argue at each stage that this is just a little step, don’t overreact, don’t be paranoid.”
A spokesman for the Victorian minister for consumer affairs said Google’s latest move didn’t fall into the minister’s “domain”. A spokeswoman for the Office of the Australian Information Commissioner said Google’s promise to keep the credit card information “de-identified” put the issue outside of their domain also.
It’s not unreasonable to suspect Google might change its mind on that score in the future. Last year the company literally crossed out the lines in its privacy agreement that promised to keep the data its advertising network DoubleClick collects about users separate from their names and other personal information collected through Gmail and other accounts.
In fact, Google used to keep personal data scraped from YouTube, Gmail, Google Search and dozens of other services completely separate from each other. Those walls were knocked down in 2012. Four years later, Google’s parent company, Alphabet, took in $A103 billion in advertising revenue – three times more than its next competitor, Facebook.
Vaile believes the genius of Google and Facebook is that both companies have managed to market themselves as liberal radicals, devoted to “the cult of disruption”.
“They promote themselves fantastically as this cool new Californian tech ideology, all the while having 19th-century attitudes to consumers,” he says.
Dissenters such as Nissenbaum believe that consumers’ weakness in the information cycle makes obfuscation perhaps the only strategy to protect themselves from this kind of commercial exploitation.
“The strong don’t need obfuscation,” says Nissenbaum. “They have brute power.”
This article was first published in the print edition of The Saturday Paper on Jul 1, 2017 as "Hide and seek". Subscribe here.