CyberNews interviewed Ghostery's CEO, Jean-Paul Schmetz, about online tracking and how to protect your privacy online. Below is a transcript of JP's interview with CyberNews in July 2022.
Many of us are familiar with rumors of trackers that can read messages or “hear” what you are talking about when connected to Wi-Fi. Though it sounds like science fiction, these tools actually exist.
It is widely known that many websites collect information on users to tailor their content and advertising offerings. But how come you get ads about products and websites you had never visited before but perhaps only talked about privately?
To better understand website trackers and what privacy issues we should be more concerned about, we contacted Jean-Paul Schmetz, CEO of Ghostery, a free and open-source privacy and security-related browser extension and mobile browser application.
How did the idea for Ghostery originate? What has your journey been like?
Ghostery started in 2009 with the mission of bringing visibility to what was going on beneath the websites that everyone was visiting. Back then, there were just a few requests behind each page - little did we know the scale this was heading to. Today it’s not uncommon to find 50 or 60 companies hiding behind a webpage, watching every move you make online.
The intention of Ghostery has always been to track trackers and challenge the ever-evolving landscape of online tracking techniques. Ghostery has been owned by Cliqz GmbH, a German company developing private search and browsers, since 2017. Cliqz’s parallel mission, in addition to its strong technological capabilities, has helped Ghostery grow and create even smarter privacy solutions.
Together with Cliqz, Ghostery has built WhoTracks.Me, the world’s largest open database of tracker information. Maintaining and growing WhoTracks is core to our mission at Ghostery, to educate and empower individuals to take their privacy into their own hands. By using any Ghostery product, you send a clear message to the data brokers lingering behind every page, that your data is your affair and nobody else’s business.
Can you introduce us to your Ghostery Privacy Suite? What are its key features?
We wanted to make privacy as simple and accessible as possible, so we put together the most convenient set of tools in one elegant package: the Ghostery Privacy Suite powered by Ghostery Private Browser. When using Private Browser, you’re not only protecting your data, but you’ll notice quicker page loads and a plethora of information about your browsing experience.
Ghostery offers a one-of-a-kind tracker visibility feature, the Trackers Preview Wheel, which informs you about detected trackers in the search engine results before you even click on the page. It’s been one of our most popular new features, and the tracker data is gathered and made available via WhoTracks.Me so more people can continue to be made aware of the tracker threats on that particular page.
We also offer our own private search engine, Ghostery Private Search, which is integrated into the Ghostery Private Browser by default and available for integration in Chrome and Firefox. We’re well aware habits can take a long time to break, and sometimes you need to use a specific browser for a specific task. For those moments, we offer the Ghostery ad & tracker blocker, to keep you protected across all of the common browsers, including Firefox, Chrome, and Safari.
Ghostery Analytics delivers everything from forensic tracker analysis to campaign management and tracker audit features. For anyone interested in learning more about what’s going on in the world of privacy and how to better protect themselves, we recommend subscribing to our free Privacy Digest newsletter, which lands in inboxes twice a month.
You often mention website trackers as a serious problem. Could you briefly explain what they are and what issues they present?
Trackers are third-party scripts injected into a website that make requests for your data as soon as you land on the page. They’re not the kind of requests we’d typically imagine, where you get to approve or deny. Unless you’re using a tool like Ghostery, every request for your data that a tracker makes will be completed.
Trackers operate in networks and exchange information. While one has followed you around shopping on your favorite shoe website and picked up on your preferences and personal information, another might be lurking behind WebMD, taking notes on the symptom or disorder you’re experiencing. When they exchange all of this information, they’ve built a comprehensive shadow profile that can include all of your browsing activities, your purchases, health conditions, habits, and worries. Then, they sell this information to data brokers who sell it to advertisers or other parties to target you with ads, offers, and different messages that can influence your choices and beliefs. Facebook–Cambridge Analytica’s data scandal is not far off from the past.
Retargeting ads are the lesser evil compared to other use cases emerging over time, like targeted pricing on online shops based on your income or targeted messaging aiming to influence your thoughts or beliefs on any topic. You have no control over how or when your data will be exposed and used against you. The most recent example is the scandal around SafeGraph on selling abortion clinic traffic data.
How do you think recent global events have affected the way people perceive online privacy and cybersecurity?
With the infamous Facebook-Cambridge Analytica data scandal, it has become clear that social media and advertising platforms have become effective tools of manipulation. However, what is still escaping public perception is the process through which those platforms allow rogue organizations to influence our decision-making or political views.
It is the same tracking used to present you with ads and offers, the same tracking that shows your partner the present you have planned for them, and the same tracking that makes your next flight more costly. Tracking companies, data brokers, and ad networks are happy to share every bit of information about their users with anyone ready to pay. The online profiles they build on us are ever-growing, and nothing is ever deleted.
People are becoming more aware that tracking is unjust, but many are still hesitant to take the next step to protect themselves. We hear a lot of, “well, I have nothing to hide”. The problem is that every decision we make online, every link we click, and every minute we spend reading or watching content is recorded. It’s impossible to even imagine all of the different ways this data could be used by any organization, good or bad, for their aims and benefits. It’s dangerously optimistic to believe your data isn’t of interest and is being used by bad actors. By taking two minutes to install privacy protection like Ghostery, all of those concerns fall away.
What are some of the worst mistakes companies tend to make when it comes to handling large amounts of user data?
Looking back, it used to be a common strategy for startups to embrace a culture of ignorance on privacy. When you’re starting a company, you’ve got one hundred things to think about, and privacy was something that was easy to ignore and check off the list, and your customers wouldn’t notice at first. There was a naivete that even if it wasn’t paid attention to, nothing would go wrong. And if something did go wrong, users would not have to deal with the consequences. Now that stricter data protection laws are in place, the mindset has started to shift, and startups are becoming more aware of the need to address privacy.
However, recently leaked documents from Facebook illustrate how difficult it is to adjust the flow of data later to achieve compliance with existing regulations. Also, it does not come as a surprise that Facebook had an unfortunate track record of various major data leaks over the years. The best solution is to avoid storing user data at all. It might not be possible in all cases (your bank has to keep records of your payments), but often it is, and data is just gathered for the sake of it or with the intent to monetize it.
At Ghostery, we receive data from millions of users to build the biggest public data set on online trackers. Yet there is not a single bit of user data involved! None of the data points used in the computations could be traced back to the person sending it, nor could we tell whether two data points came from the same user, as we built our product from the ground up with privacy in mind.
In the age of remote work, what can companies do to ensure cybersecurity as well as privacy protection for their workforce?
Attacks are getting more sophisticated over time, so there is no easy answer. For individuals working from home, installing security patches, using password managers and VPNs, and being aware of social engineering attacks is important. If you are not sure if a document or link in an email is genuine, reaching out to the sender over a different channel (e.g. chat instead of responding to the email) can help to detect phishing attacks. On the organizational level, enforcing two-factor authentication wherever possible and protecting communication by setting up VPN access is a good start when companies make the transition to supporting remote work.
When it comes to protecting the privacy of their workforce, choosing the right tools is critical. Hosting everything in-house is often not practical – both from a cost and security perspective. Many third-party solutions are available, but favoring those with higher privacy standards should be part of the decision-making process. If companies choose to give employees remotely administered devices where they are unable to install new software, consider pre-installing a privacy-focused browser like Ghostery Private Browser. Otherwise, it is hard to avoid being tracked when you have to open links on that device.
What data privacy issues do you believe more people should be concerned about?
Everything we all share publicly on social media and forums is being collected and indexed. There are acceptable use cases by parties like law enforcement, but it is impossible to avoid data being used by bad actors with ill intentions. It used to take weeks or months to find information about one person. Now it is possible to access it in a couple of minutes. What data is available will depend on how much that person shared in the past. Unfortunately, it is not only about publicly shared data, but it includes data breaches at services you have used securely.
Still, there are other areas where it is harder to protect against data gathering. There is a trend towards more tracking in areas that are almost impossible to avoid. Not all of this is bad, but you lose the ability to choose what to share. In non-digital parts of our lives, we benefit from established consumer protection laws, like food safety. Especially for vulnerable groups like children and elderly people who are not tech-savvy, we should push for a similar level of protection in the digital world.
We provide tools that everybody can use to protect against online tracking. We also continue to build and grow powerful, open resources with the hope they will help advocates, researchers, and policymakers in their efforts to create a safer internet. In addition, our educational content, like our new Privacy Digest newsletter, aims to make people more aware of the fight for online privacy. Tools can help, of course, but it is still important for people to be aware of situations where they have to be careful with what information they share online.
What do you think is going to be the next major threat to privacy protection? What safety measures should be implemented before it is too late?
It should come as no surprise to anyone caring about online privacy that Google, being the world’s largest search engine, browser and by far the largest tracker, is planning to monopolize online privacy beginning in 2023.
The so-called Extension Manifest V3, presented as a solution to improve web extensions’ privacy, security, and performance, will dramatically handicap all privacy extensions by removing their access to the browser’s network layer. We have written a detailed blog post on the nature of Manifest V3, but in a gist - Google does not improve privacy on the web. On the contrary, Google is removing the most powerful tool at our disposal, motivating their decisions with a grander vision in which the extension ecosystem is lighter and more constrained. Google completely ignores the implications of those decisions for online privacy.
People who care about privacy should already change their browser to one that allows genuine privacy protection. Our own browser, Ghostery Private Browser, being Firefox-based, is a solid choice for anyone who wants to set and forget about all tracking online.
It’s critical to note that Google, being a monopolist, is effectively defining all web standards. Organizations like Mozilla may not follow suit yet, but in the long run, they may be forced to adopt the suboptimal de-facto standard set by Google. This is why web diversity is so important. If we only have one engine (Chromium), there will be no privacy, as all data will effectively land at Google.
Share with us, what’s next for Ghostery?
At Ghostery we recognize a new category of tracking, which we named Consent Management. As a first step, we’re listing companies and other popular tools to manage consent and stop blocking them - so that users can make a choice and we can ensure they’re not being tracked by default. But this is not how we envision the future of the internet. We are releasing a new feature called Automated Consent Management in the coming months, automatically opting users out of tracking on all consent dialogs without users having to click through them all manually.
Regardless of the user’s choice of the consent dialog, Ghostery blocks all tracking and ads. What we believe, however, is important, which this will address, is that publishers receive accurate feedback from users on their preference to not be tracked. So automated consent management is the most convenient way to both add convenience for users and make sure that important feedback gets to publishers.
The second huge development on our roadmap is opening the Ghostery Trackers Database to the public. We are going to open the list of patterns that non-profit organizations can use to classify traffic so they are able to tell if a given URL is a tracker, an ad, or a CDN, and which exact company they belong to. This is another way we're fulfilling our mission of bringing transparency to the web. We also hope that our open Trackers Database will attract a wider community of people that, just like us, want to understand the intentions behind different scripts that publishers use on their websites.
Edit 21 May 2023: Changed "Glow" to Private Search and "Dawn" to Private Browser.