Is Do Not Track dead on arrival?
Privacy wonks and advertisers are struggling to come up with a way for consumers to say 'Don't track me, bro'. Here's what DNT may look like when the dust finally settles.
Asking the ad industry to regulate itself is a bit like handing Lindsay Lohan the keys to the liquor cabinet and saying “Make sure nobody touches a drop.” Even if the spirit is willing, DNA is destiny – and it’s in advertisers’ DNA to monetize your data as profitably as possible.
And yet, save for a handful of exceptions, self regulation has ruled data collection on the Internet. Over that same period of time, the amount and types of information total strangers can collect about us has grown at a staggering rate – and a thriving though largely invisible tracking industry has grown along with it.
This is why for the past two years privacy advocates, technologists, and tracking industry geeks have been meeting regularly in person and on the phone and exchanging thousands of emails, trying to hammer out a compromise that allows consumers to say Don't Track Me Bro, while allowing publishers and the ad industry to collect data they need in order to survive.
Last week the World Wide Web Consortium (W3C) Tracking Protection Working Group convened its last face-to-face meeting prior to the July deadline imposed by current group chair Peter Swire. Like a handful of other journalists, I’ve been lurking on the email convos between the various parties.
It’s been a fascinating trip into the arcana of how browsers and ad servers work. If you just can’t get enough about first- and third-party cookies, de-identification, rotating hashes, user agents, siloization, etc – and you suffer from incurable insomnia – I suggest signing up for the list.
But it all boils down to a simple piece of HTML code your browser sends to every Web server you visit, and what happens afterward.
If your browser code is set to DNT: 1, you’re telling the site to get its filthy tracking cookies off my computer you damn dirty ape. If your browser is set to DNT: 0, you’re saying please track me, I am a sponge for that kind of impersonal but persistent attention.
Beyond that, the devil is in the details, and frankly the details make my brain hurt. But if both sides do manage to reach an agreement by July, it will probably look like this:
1. Tracking will be set by default
The ad industry has been adamant about this from the get go: They want to track people from the day they install their browser. They want to make people go in and deliberately alter their settings to turn tracking off. Why? Because they know at least 90 percent of Netizens won’t bother.
And if the browser maker (like Microsoft) goes ahead and sets the browser to DNT: 1 (don’t track me), they’ve already vowed to ignore it.
Assuming advertisers actually honor this flag, it would be a marginal improvement over what we have now. Today if you don’t want to be tracked you have two options: Manually opt out of tracking (hundreds and hundreds of times), or install a browser plug-in like DoNotTrackMe or Ghostery that automates that process.
This would be a single setting inside your browser. And it wouldn’t rely on creating a do-not-track cookie, which could easily be deleted. But it still puts the burden of opting out entirely on the consumer.
2. Some data will still be collected
Every site, including the one you are now reading, collects data about you, some of it more sensitive than others. That’s not necessarily a bad thing. Advertisers need to be able to record what ads were displayed and how many people clicked on them; publishers need to know which stories got the most readers.
DNT is designed to prevent sites from hoovering up that data from multiple sites to create a profile of you and your interests, or using that data for any other purpose. Exactly what other kinds of data are still collected and what happens to it is still being debated. But rest assured, even with DNT: 1, some data will be collected.
3. The ad industry may be playing bad cop
Though this is far from settled, the latest draft circulated by Swire suggested that companies which fail to follow the rules – like by ignoring that DNT: 1 flag in your browser and tracking you against your wishes – would be forced to suffer the terrible wrath of the Digital Advertising Alliance.
If that sounds remarkably like self regulation, that’s because it is. The DAA would “sanction” these rogue companies, though what that means I’d really like to know – I can’t find anything in the DAA’s self regulatory principles that describes what would happen if somebody flauts the rules. The Network Advertising Initiative is a scosh more forthcoming: The NAI says it would try to persuade the companies to comply, threaten to to expel them if they don’t, and as a last resort, report them to the FTC.
In other words, if you don’t play by our rules you can’t be in our club. Of course, once outside the club, there are no rules to play by. And the vast majority of tracking companies (albeit smaller ones) belong to neither the DAA nor the NAI in any case.
If enforcement is left in the hands of the industry, then this whole process has just been a waste of time. This is why I think we will ultimately end up with a Do Not Track law of some kind.
4. The song remains the same
So has this whole process been a waste of time? I asked Stanford privacy researcher Jonathan Mayer, who has been in the thick of these proceedings. He wrote:
“The group remains deeply divided on the data that websites can collect, retain, and use despite a consumer's Do Not Track signal. In particular, we are no closer to agreement on whether a website can continue to compile a user's browsing history. We also have not reconciled sharp differences about browser user interface, both in what is required of browsers and whether websites can ignore facially valid "DNT: 1" headers.”
I also asked Scott Meyer, CEO of Evidon, an organization that manages the AdChoices transparency program for the DAA. He wrote:
"In February 2012… The FTC, Department of Commerce and the Administration all endorsed an approach to Do Not Track, with the default signal being set to off [DNT: 0]…. That agreement obviated any need for the complex and frustrating negotiations that have now reached their end. When Microsoft changed their stance to set Do Not Track to on by default, that started an impossible task for the W3C of defining what tracking should be subject to the default blocking. I do think there is an agreement that everyone can embrace - it's the one we embraced in February 2012."
In other words, both sides seem to be just as far apart as they were when they started. The final word goes to privacy researcher Ashkan Soltani, who has been watching the proceedings from afar.
“I'm pretty sure they'll get to a compromise that nobody will be happy with and won't do much for consumers but that politically they can call 'a win'” he says. “All of this has happened before, all of this will happen again.”
It’s enough to drive a man to drink. Where’s Lindsay? I need that key.
Got a question about social media or privacy? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.
Now read this: