I noticed an article over on Slashdot about a new attribute, ping, that Firefox handles. That is, the development version of Firefox. This isn’t your standard network ICMP Echo Request, but rather an HTTP Request designed to track a users movements.
Ok, ok.. Stop screaming about privacy and security. I’ve thought about this a bit and I think Firefox is doing the right thing. The intention, as far as I’ve been able to tell, is to actually put more control into the users hands.
Let me explain how this “feature” works. There’s a small writeup on the Mozilla Blog that you can read as well. Tracking the browsing habits of a user is actually fairly harmless, at least in my opinion. The idea is to get feedback about what a user at that site likes to see. Do more people click on links to cartoons? Or perhaps to political information? It’s all about creating websites that people want to see.
So, Joe User goes to a website. There he sees a link for a new type of fusion rocket. He’s interested, so he clicks the link. Nowadays, tracking happens one of two general ways. The easy one is that the “real” destination is wrapped up and appended to a link to a tracking site. These links usually have the real destination URL in plain text, but some sites obfuscate the URL so the user can’t bypass the tracking. The other method is to use javascript to change the URL after the user clicks on the link. The user never sees this happen, so, in a way, it’s even worse from a privacy perspective.
Either method then directs the user to the tracking site, which tracks the request (and could, by the way, take advantage of any exploits that may exist), and then redirects you to the real site. This takes time, and the user is generally left sitting there with a blank screen.
The ping attribute, on the other hand, is much nicer. The owner of the website uses the ping attribute to specify tracking urls. When the user clicks on a link, the browser goes directly to the intended site, and then “pings” the tracking sites in the background. This means that there are no redirects, and no “trickery” to get the user tracking info. It all happens in the background, and that’s where all the privacy concerns come from. But, according to the spec, the browser is intended to have controls to allow a user to decide how the pings are handled. A user can choose to disable them completely, or enable them for some sites, etc.
Currently, the development version of Firefox has the bare minimum. That is, it sees and obeys the ping attribute, but there are no fancy GUI interfaces to change settings. Of course, this is the DEVELOPMENT version! They have to start somewhere. It’s not like these new features get a complete GUI, implementation, etc the moment they’re added. This stuff takes time! And it’s enabled by default! Light the torches! Stone the oppressors!
Seriously though, I feel confident, based on their past record, that the creators of Firefox will get this right. Sure, it’s enabled by default. But so is Javascript. The “correct” path is not always clear cut. If a feature is disabled by default, the chances of it ever getting enabled are slim. Most users just don’t know how! So, enabling it by default, and then popping up a message stating that the feature is active, here’s how to disable it, etc. is the right thing to do. I’m actually interested in this feature because it will allow the web, at large, to remove some of the trickery currently used to track users. It will allow this information to be up front and not hidden, and I think it will allow the end user greater control over their own security and privacy.