In a blog post from Thursday, Mozilla’s Brendan Eich said that Mozilla has delayed the implementation of its new anti-cookie patch in Firefox so that it can test for false positives and false negatives. As you may know, the new anti-cookie policy is meant to block third party cookies from sites you haven’t visited while leaving cookies from previously visited sites intact. Eich says that fales positives and false negatives may get in the way of how this policy is meant to work:

False positives. For example, say you visit a site named foo.com, which embeds cookie-setting content from a site named foocdn.com. With the patch, Firefox sets cookies from foo.com because you visited it, yet blocks cookies from foocdn.com because you never visited foocdn.com directly, even though there is actually just one company behind both sites.

False negatives. Meanwhile, in the other direction, just because you visit a site once does not mean you are ok with it tracking you all over the Internet on unrelated sites, forever more. Suppose you click on an ad by accident, for example. Or a site you trust directly starts setting third-party cookies you do not want.

The anti-cookie patch will be turned off by default in the Firefox 22 beta will Mozilla works on these issues. Users on the beta will be able to turn on the patch, however, and mess around with the settings. Mozilla, of course, encourages feedback as it works on it. Those who are using the Aurora release will find that the anti-cookie patch is turned on by default however.

In the end, Eich says that Mozilla’s work on the patch doesn’t represent any change to its previous anti-cookie philosophy:

We have heard important feedback from concerned site owners. We are always committed to user privacy, and remain committed to shipping a version of the patch that is “on” by default. We are mindful that this is an important change; we always knew it would take a little longer than most patches as we put it through its paces.

For those who read this as Mozilla softening our stance on protecting privacy and putting users first, in a word: no. False positives break sites that users intentionally visit. (Fortunately, we haven’t seen too many such problems, but greater testing scale is needed.) False negatives enable tracking where it is not wanted. The patch as-is needs more work.

[h/t: PC World]

In an interview with AdExchanger, Jonathan Mayer, privacy advocate and Mozilla’s cookie policy maestro, says that the current Do Not Track negotiations forced his hand in writing the anti-cookie policy. Those negotiations, which were previously reported as being in danger of breaking down, see both sides not being able to agree on what Do Not Track means. Mayer indicates that it’s worse than that as both sides are refusing to negotiate:

The advertising side would be expected to reevaluate their hardline “We’re not going to negotiate” stance and rethink their strategy. Unfortunately, that hasn’t happened. So I’m not too optimistic on negotiated terms for Do Not Track, but I’m increasingly optimistic that by virtue of the browsers’ efforts, consumers will get the choices they want. It looks like consumers will get some pretty good privacy in the near term. If the W3C’s process is unsuccessful in developing a consensus on what the standards are, companies could be in a difficult spot, but consumers may be okay because of the technical countermeasures that are starting to be drawn over browsers.

In other words, Mayer is saying that it’s up to the browsers to give consumers the choice that privacy advocates are fighting for in the “Do Not Track” negotiations. Of course, that choice comes in the form of either “Do Not Track” being turned on by default in Internet Explorer 10, or Firefox outright blocking all third-party cookies. Advertisers don’t take well to either of those scenarios, but are apparently unwilling to negotiate for more favorable terms.

What would happen if the advertisers were to give in then? What system would Mayer want put into place? He’s still all for third-party cookies being blocked as the default option, but he also calls upon advertisers to prove to consumers that they’re trustworthy:

Consumers don’t have a great handle on what’s going on in terms of how their data is being collected and what it is being used for. Therefore it makes sense to shift the burden of explaining to the user what is going on to those who are in the best position to do it. Advertising companies have an incentive to convince users that they’re trustworthy and that users should allow them to collect data.

By setting those default settings to Do Not Track, we give interested parties the incentive to educate consumers about the impacts of those choices. We allocate to them [those parties] the responsibility of getting consumers to give them access.

It’s unlikely that the advertising lobby will give in though. Some even fear that Web sites will begin blocking browsers that block cookies. Some sites already block browsers with AdBlock software installed so it’s not much of a stretch to see some advertisers going the extra mile.

It would be truly unfortunate if it were to reach that point. As always, advertisers have a right to the Internet just as much as anybody else does, but they should be held to a consumer friendly standard. Maybe it’s time they started paying more attention to the “acceptable ad” idea.

[h/t: Business Insider]

Facebook Exchange, or FBX, lets advertisers target ads to users with a cookie-based real-time bidding platform. Before today, those ads only appeared on the right-hand side of you desktop news feed (and they’ve been doing pretty well).

“We wanted to give advertisers and agencies the opportunity to deliver highly relevant ads in News Feed, the most engaging place on the web. Previously, advertisers could run standard ads on the right hand side of Facebook on the desktop. Starting today, advertisers can run Page post link ads on the right-hand side of Facebook and in News Feed on desktop. As they do today, these ads will point back to specific landing pages to help direct-response advertisers drive conversions,” said Facebook in a Studio blog post.

Note: these ads won’t appear in your mobile news feed.

It’s also important to note that this is not going to drastically increase the amount of ads you’ll see in the news feed, so you’re not going to get inundated with ads at a higher frequency – it’s just that some of these page post ads will be much better targeted based on your other activities.

Facebook says that it’s all about providing users with more relevant ads, which is synonymous with better ads:

“Allowing advertisers to reach people in News Feed is important because people spend more time in News Feed than any other part of Facebook. We also believe that ads delivered through FBX will create more relevant ads for people.”

The Interactive Advertising Bureau sent out a press release this week claiming that Mozilla is “undermining American small business” by choosing to block cookies by default. The group says that the makers of Firefox are also undermining consumer choice by automatically blocking cookies, instead of giving users a choice.

“Thousands of small businesses that make up the diversity of content and services online will be forced to close their doors,” said Randall Rothenberg, President and CEO, IAB. “This move will not put the interest of users first. Nor does it promote transparency or ‘move the web forward’ as Mozilla claims in its announcement. It will not advance Mozilla Corporation’s objective, as stated in its bylaws, of ‘promoting choice and innovation on the internet,’ but will, instead, impede both.”

As Consumer Affairs points out, Firefox isn’t the first browser to block third-party cookies by default. Apple’s Safari has been doing it for quite a while as well. It’s also not like Mozilla will be blocking all cookies anyway. It will only be blocking cookies from Web sites that users don’t frequently visit. What that means is a user’s one time visit to a blog covering the world of decorative dog sweaters won’t see any tracking cookies installed on their browser.

This isn’t the first or last time that advertisers will be upset with browser makers over controversial pro-privacy practices. Microsoft was caught in the middle of a controversy last year over its decision to make Do Not Track the default option in Internet Explorer 10. That decision has yet to break the Web or online advertisers, and Mozilla’s move will probably not affect much either.

That being said, advertising has a valid purpose on the Internet, and shouldn’t be blocked just because. Many of the things we enjoy for free are paid for with advertising. That’s why there needs to be choice in the matter, and Mozilla will hopefully make that choice clear when it starts to block third-party cookies by default later this year.

HTML5 local storage, according to the report, allows developers more flexibility and much more room to store data locally. Though the report states that the increase in HTML5 storage does not mean an overall increase in websites tracking users, the data stored through this method can persist and track users in ways that Flash cookies cannot.

Speaking of Flash cookies, the internet’s top websites have begun shifting away from them in favor of HTML5 storage. As seen in the graph below, Flash has quickly fallen out of vogue with the top 100 sites on the web. The number of those sites that use HTML5 storage has doubled since last year, and the raito of Flash cookies to HTML5 has nearly reversed :

The census concludes that this trend is likely to continue, and that, in general, third-party tracking will continue to increase online. In subsequent quarterly reports, the researchers hope to examine trends over time. Also, this census did not take any of its results while logged into a third-party service, such as Facebook or a Google account. The researchers state that, as many internet users do stay logged into such services while browsing the web, examining their tracking implications will be a future consideration.

(Pictures courtesy The Web Privacy Census)

The premise of Facebook Exchange is pretty simple: When you visit a site (other than Facebook) and spend some time looking at a product, but don’t make the final purchase – that third-party site will be able to follow you to Facebook and target you there with a highly specialized ad.

For example, let’s say that I spent a good while checking out a new watch on a third-party retailer’s site (that has enlisted a demand-side platform) – let’s go with Swatch. Although I didn’t actually end up buying the watch, I was on the site long enough for them to determine that I was very interested in it – so they hit me with a cookie.

If the advertiser (in this case Swatch) wanted to pursue me beyond the walls of its site, the demand-side platform would contact Facebook and use an anonymous User ID to show intent to target me. Now, the next time I log in the Facebook, that cookie alerts everyone to my presence and the advertiser is allowed to make a real-time bid to show a pre-rendered ad to me.

And if everything goes according to plan, I’ll see a perfectly targeted ad for that blue Swatch watch I was eyeing earlier that day – or even earlier that week.

There are currently 8 DSPs involved in the testing of Facebook Exchange: TellApart, Triggit, Turn, DataXu, MediaMath, AppNexus, TheTradeDesk, and AdRoll.

Of course, the first question on everyone’s mind is “how can I opt-out?” According to Josh Constine at TechCrunch, users will not be able to opt-out of the program completely from inside Facebook. But they can opt out of future Facebook Exchange ads from individual DSPs. Apparently, if a user Xs out of one of the targeted ads, they’ll be given a link where they can opt out of future ads.

And as far as privacy goes, Facebook says that they won’t give up your data – all of that juicy social graph stuff (biographical, social, etc) in combination with the cookie-based targeted ads. However, I have a feeling that many users still won’t be too thrilled with this level of tracking across multiple sites (although it’s not uncommon at all across the web).

But, there’s no denying that this is a possible lucrative hit for Facebook, a company who has seen its stock price plummet since its IPO and who has had to stave off concerns about their monetization strategies. This is a pretty bold advertising strategy, and could excite advertisers due to its highly specific and real-time approach. “Give ‘em exactly what they want, exactly when they want it.”

Facebook Exchange will launch in a more widespread format in the next few weeks, according to the report.

From that description alone, it sounds like a pretty good law. It’s on par with our own proposed legislation to install “Do Not Track” buttons on Web browsers that serve American citizens. Unfortunately, the word of the law and the implementation of said law are vastly different. The good news is that the cookie law does work as advertised. The bad news is that the EU thinks that it’s above the law.

ZDNet has found that Web sites run by the EU like the European Parliament and the European Commission are still installing cookies without asking for permission. It’s kind of hypocritical to impose a law and not follow it yourself, but there might be a loophole that the EU could exploit. The cookie law only applies to member states. It might be a frivolous distinction, but there is a difference between EU member states and EU institutions at large. Those installing cookies fall into the latter.

ZDNet argues, however, that a loophole might not work this time around. They spoke to Stewart Room, data protection expert, and he says that the EU is bound by the 2001 Data Protection Regulation. One could argue that the use of cookies could be tantamount to processing personal data which would put the EU in direct conflict of its own laws.

As mentioned previously, this smacks of the current debate over the “Do Not Track” button in the U.S. The idea is to give consumers an option to disable online tracking, which is often accomplished through cookies. We discussed in length on how such an option is good at face value, but does little to actually protect privacy.

It remains to be seen if general Web sites within the EU will comply with the law or just work around it. If the government’s approach is any indication, it seems that the EU will have a bill with a pretty face that does little to protect the privacy that it claims to hold dear.

For its part, an EU spokesperson seems to be ignorant to the governing body’s own sites still installing cookies without permission. The spokesperson offered to hear any proof that found the EU “not being transparent about cookies.” It’s a start, but we’ll have to see what the future holds. The law did just go into effect yesterday. We’ll keep you updated on both the cookie law and the “Do Not Track” button.

As you might expect, there was a significant uproar over the issue. Google quickly issued a statement claiming that the workaround was developed in-house by Google, and meant solely to allow Google to deploy certain web features to users who had indicated in their account settings that they wished to activate them. Such features included Google’s +1 button on websites and targeted advertising. They insisted that the workaround was necessary because the unique structure of Safari prevented those features from functioning for those who had chosen to activate them. Unfortunately, the presence of the workaround allowed other parties to set tracking cookies for Safari users as well.

As you might expect, the news caused all manner of uproar, including a lawsuit and the attention of the U.S. Congress. Now it looks like Google is also looking at a hefty fine. Bloomberg is reporting this afternoon that negotiations between Google and the Federal Trade Commission are nearing completion.

According to “a person familiar with the matter,” Google could be on the hook for upwards of $10 million as the FTC collects its first fine for internet privacy issues. According to the FTC, Google broke a 2011 consent order dealing with user privacy and engaged in “unfair and deceptive” practices by creating the workaround that allowed cookies to be set on the browsers of those who did not want them.

What do you think? Is a $10 million fine a fair punishment for Google? Sound off in the comments.

When Juliette Gordon Low brought 18 girls together in Savannah, Georgia for the first ever Girl Scout meeting, it’s safe to say she couldn’t imagine her efforts turning into an organization that features 3.2 million members in every state across the country.

Anna Maria Chávez, CEO of Girl Scouts of the USA, said this of reaching the centennial mark, “Our 100th anniversary is our moment in time to bring the nation together to make a difference in the lives of girls” continuing, “Girls represent an incredible resource for our country and Girl Scouts has always provided them a platform for success, and during our centennial we want everyone—men and women alike—to join us in making sure that every girl achieves her full leadership potential.”

The Girl Scouts is lauded as a force for race relations, and fully integrating their groups by the 1950′s. Dr. Martin Luther King Jr. called the organization – “a force for desegregation”.

When you read their simple, yet effective law, it’s no wonder they have such a universal appeal…

I will do my best to be
Honest and Fair,
Friendly and Helpful,
Considerate and Caring,
Courageous and Strong, and
Responsible for what I say and do,
And to
respect myself and others,
respect authority,
use resources wisely,
make the world a better place, and
be a sister to every Girl Scout.

So reach out to someone you know involved in the organization, or show your support like me by buying as many boxes of Thin Mints as you possibly can.

The issue was brought up by Australian hacker/writer Nik Cubrilovic, who did some testing with the cookies, and found that logging out doesn’t keep Facebook from knowing every page you visit.

The relevant part of Facebook’s Privacy terms:

We receive data whenever you visit a game, application, or website that uses Facebook Platform or visit a site with a Facebook feature (such as a social plugin). This may include the date and time you visit the site; the web address, or URL, you’re on; technical information about the IP address, browser and the operating system you use; and, if you are logged in to Facebook, your User ID.

Facebook responded to the conversation, saying that they don’t track users across the web, but use the cookies for content personalization, and for safety and security reasons. Then they said the cookie in question, the one which contains the user’s ID was now being destroyed upon log-out.

Now, Cubrilovic is reporting that the “datr” cookie, first removed by Facebook and was no longer being set for logged in or logged out users when they visited a page integrating Facebook, is back. He shows this in a screenshot for Chrome after visiting CBSSports.com.

This particular cookie, Facebook says, helps them identify suspicious login activity.

Various mentions of the cookie by Facebook include:

“We set the ‘datr’ cookie when a web browser accesses facebook.com (except social plugin iframes), and the cookie helps us identify suspicious login activity and keep users safe. For instance, we use it to flag questionable activity like failed login attempts and attempts to create multiple spam accounts.”

“We don’t use them for tracking and they’re not intended for tracking.”

Facebook may indeed have honorable enough intentions for the cookie(s), but that doesn’t mean everybody feels comfortable with the company knowing everywhere they’ve been on the web, particularly as they face other privacy concerns with how they’re interacting with web content and it’s being viewed on the recently launched Ticker feature.

Meanwhile, reports have surfaced that lawmakers are urging the FTC to investigate Facebook over potential privacy issues.