The EFF has disabled by default an anti-tracking feature in its Privacy Badger browser extension – after Googlers warned it could be abused to track people.
Privacy Badger is a free, open-source add-on for Chrome, Firefox, Opera, and Firefox for Android. It primarily blocks tracking cookies, which are used by online advertising networks to follow you around the web, build up a profile of you and your interests based on the sites you visit, and serve you adverts relevant to your background.
The extension works off a big list of bad stuff on the web to look out for and block. It also has a feature called "local learning" that was on by default. This analyzes the sites you visit to see if it can spot and kill anything that looks like a tracker that's not on the verboten list. As the EFF put it:
When local learning is enabled, Privacy Badger looks at each site you visit as you browse the Web and asks itself, “Does anything here look like a tracker?” If so, it logs the domain of the tracker and the domain of the website where the tracker was seen. If Privacy Badger sees the same tracker on three different sites, it starts blocking that tracker.
However, Googlers on the internet goliath's security team figured out a way an advertising network could manipulate local learning into automatically blocking some tracking cookies while leaving others alone, and thus fingerprint individual Privacy Badger users from the resulting pattern of blocks, defeating the whole purpose of the anti-tracking tech. This proof-of-concept technique is similar to the one Google used to sink Safari's privacy mechanisms in June.
As a result of this research, the EFF has switched off local learning by default.
"Thanks to disclosures from Google Security Team, we are changing the way Privacy Badger works by default in order to protect you better," explained an EFF crew of Andres Arrieta, Bennett Cyphers, Alexei Miagkov, and Daly Barnett on Thursday.
"Privacy Badger used to learn about trackers as you browsed the Web. Now, we are turning 'local learning' off by default, as it may make you more identifiable to websites or other actors."
The extension will still get updated lists of trackers to kill from the EFF mothership. Google Security's Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, and Roberto Clapis were thanked for alerting the digital rights warriors to the vulnerability.
"To be clear: the disclosures Google’s team shared with us are purely proof-of-concept, and we have seen no evidence that any Privacy Badger users have had these techniques used against them in the wild," the EFF team added. "But as a precaution, we have decided to turn off Privacy Badger’s local learning feature by default."
So, users have to decide on a trade-off. Either leave local learning off, rely on the supplied list, and accept that Privacy Badger is slightly less effective (the EFF insists that most of the blocks come from the tracker list anyway), or opt into local learning to catch trackers that might not be on the list yet, with the caveat that the feature could possibly be abused to turn the tables and spot you across various websites.
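To make that trade-off concrete, here is an added simulation (not Privacy Badger's own code) of the local-learning heuristic the EFF describes: a third-party domain is blocked once it has been seen on three distinct sites. The domain names and per-user browsing histories are constructed, and the shared list is a stand-in for the EFF-supplied one; the last function counts how many different block-states a website could observe across users with learning on versus off.

```python
from collections import defaultdict

# Constructed stand-in for the EFF-supplied tracker list, shared by every user.
SHARED_BLOCKLIST = {"tracker.example"}
# Privacy Badger starts blocking a tracker after seeing it on three different sites.
BLOCK_THRESHOLD = 3


def learn(observations):
    """Model of local learning: record, per third-party domain, the set of
    first-party sites where it was seen, and block it at the threshold."""
    seen = defaultdict(set)
    for site, third_party in observations:
        seen[third_party].add(site)
    return {d for d, sites in seen.items() if len(sites) >= BLOCK_THRESHOLD}


def blocked_domains(observations, local_learning):
    """Block set a user ends up with: the shared list, plus learned domains
    only when local learning is enabled."""
    blocked = set(SHARED_BLOCKLIST)
    if local_learning:
        blocked |= learn(observations)
    return blocked


def distinguishable_users(histories, local_learning):
    """Number of distinct block-states a site could observe across users.
    Each distinct state is a way to tell users apart; 1 means no signal."""
    states = {frozenset(blocked_domains(h, local_learning)) for h in histories.values()}
    return len(states)


# Constructed histories as (first-party site, third-party domain) pairs:
# alice met t1.example on three sites, bob on only two, carol met t2.example on three.
HISTORIES = {
    "alice": [("news.example", "t1.example"), ("shop.example", "t1.example"),
              ("blog.example", "t1.example")],
    "bob":   [("news.example", "t1.example"), ("shop.example", "t1.example")],
    "carol": [("news.example", "t2.example"), ("shop.example", "t2.example"),
              ("blog.example", "t2.example")],
}

if __name__ == "__main__":
    for learning in (True, False):
        print(f"local learning {'on' if learning else 'off'}: "
              f"{distinguishable_users(HISTORIES, learning)} distinguishable state(s)")
```

With learning on, the three users end up with three different block sets; with it off, every user carries only the shared list and the website sees one uniform state.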
"If you regularly browse websites overlooked by ad/tracker blocker lists, or if you prefer a more hands-on approach, you may want to visit your Badger’s options page and mark the checkbox for learning to block new trackers from your browsing," the EFF advised. ®