
Microsoft sticks to its guns, keeps Do Not Track on by default in IE10

"Private by default" is Redmond's mantra, defying advertisers' wishes.

Microsoft announced today that it hasn't backed down from its contentious decision to enable Do Not Track by default in Internet Explorer 10. In a blog post from Chief Privacy Officer Brendon Lynch, the company said that Windows 8 will inform users of the Do Not Track preference during the first run experience. Customers using the Express (default) settings will have Do Not Track turned on, and those using the Custom settings option will have the ability to turn it off.

"Do Not Track" is a Web privacy scheme that tells online advertisers not to collect or use information specific to a user's Web requests and responses. Advertisers can still show advertisements, but they're not allowed to, for example, record that a user browsed several hotel websites to then show ads for other hotels.

The scheme uses an HTTP header sent with every request to every Web server to indicate the user's preference. The Do Not Track header, named "DNT," can either have the value 1, indicating that the user does not wish to be tracked, or 0, meaning that tracking is acceptable. The DNT header can also be missing entirely, which leaves the decision up to the advertiser.

The fundamental problem faced by Do Not Track (or any other similar privacy mechanism) is that sending a header doesn't do anything in and of itself. Advertisers need to both look for the header and honor it if it shows that the user does not want to be tracked. This is problematic, because it's not actually in advertisers' interest to not track users. Tracking Web users enables advertisers to show ads that are more relevant to the user, and hence more likely to be clicked on.
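What "looking for the header and honoring it" could look like on an ad server, as an added example that is not code from the article or from any advertiser. The `visitor_id` cookie, the log-record shape and the `track_when_unset` policy switch are hypothetical, and treating an unrecognized header value as "no preference" is an assumption of this sketch.

```python
from enum import Enum


class Dnt(Enum):
    OPT_OUT = "1"   # user does not wish to be tracked
    ALLOW = "0"     # tracking is acceptable
    UNSET = ""      # header missing: the decision is left to the server


def parse_dnt(headers):
    """Read the DNT request header; header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value in ("0", "1"):
                return Dnt(value)
            break  # assumption: an unrecognized value expresses no preference
    return Dnt.UNSET


def may_track(pref, track_when_unset):
    """Honor the header: opt-out always wins; UNSET follows server policy."""
    if pref is Dnt.OPT_OUT:
        return False
    if pref is Dnt.ALLOW:
        return True
    return track_when_unset


def log_record(headers, cookies, url, track_when_unset=False):
    """Build the log entry, omitting the visitor ID when tracking is off."""
    pref = parse_dnt(headers)
    record = {"url": url, "dnt": pref.name}
    if may_track(pref, track_when_unset):
        record["visitor_id"] = cookies.get("visitor_id")  # hypothetical cookie
    return record


# Constructed sample requests (not captured traffic). The header carries only
# the value, with no indication of how the browser came to send it.
REQUESTS = [
    ({"Host": "ads.example", "DNT": "1"}, {"visitor_id": "abc123"}),
    ({"Host": "ads.example", "dnt": " 0 "}, {"visitor_id": "def456"}),
    ({"Host": "ads.example"}, {"visitor_id": "ghi789"}),
    ({"Host": "ads.example", "DNT": "yes"}, {"visitor_id": "jkl012"}),
]

if __name__ == "__main__":
    for headers, cookies in REQUESTS:
        print(log_record(headers, cookies, "/hotel-banner"))
```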

Nonetheless, advertisers were tentatively getting on board with the Do Not Track scheme, likely motivated by their fear of something worse. Governments around the world are taking a closer look at the issue of Web privacy, and voluntary support for a privacy scheme could prevent the imposition of more onerous government mandates. While Do Not Track may not be ideal from an advertiser standpoint, it certainly beats something more drastic, such as a government ban on such tracking activities.

Microsoft's June announcement threatened this tentative agreement between privacy advocates and advertisers. The company said that its browser would not only support the Do Not Track header, but that, by default, it would opt out of tracking. Internet Explorer is still the most widely used browser on the Internet. Internet Explorer 10 is likely to see significant adoption once it is released. In turn, this means that a significant number of Web users are likely to be sending the DNT header and opting out of tracking by advertisers.

Unsurprisingly, advertisers had a fit. While they were willing to give their tentative support to Do Not Track, they were only willing to do so on the basis that it was something that users had to explicitly enable. The advertisers know that most users don't bother to change the default behavior of their systems, and so were unlikely to bother enabling Do Not Track. Only a particularly privacy-conscious minority of users would opt out of tracking, and these privacy-conscious customers are likely to be the kind of Web users who never click on advertisements anyway.

An explicitly enabled Do Not Track was therefore a pretty safe thing to support. An implicitly enabled Do Not Track, however, ran the risk of large-scale opting out of targeted advertising, and subsequently significant damage to the advertisers' businesses.

Within days, the group creating the Do Not Track specification released an update saying that the Do Not Track header only counted when it was explicitly chosen by the user. Browsers that sent the header by default wouldn't be compliant with the specification. This in turn would give the advertisers some latitude to ignore its stipulations. Specifically, advertisers argue that, in the face of such non-compliant implementations, they can ignore the header entirely.

Microsoft, however, argues that software should be private by default, saying that its decision "put[s] people first," and that the textual description during the Windows 8 setup process provides adequate information to let users know what's going on, and the ability to customize the setup gives users enough control. It may be a default, but it's an informed default that the user has explicitly agreed to.

Regulators have weighed in on the subject, and Microsoft's stance has some backing. In late June, the European Commission's director-general for Information Society and Media, Robert Madelin, wrote to the World Wide Web Consortium's Tracking Protection Working Group (the group of industry experts working on the Do Not Track specification) saying that in the European Commission's view, browser-specified defaults do not undermine consumer choice and should not be penalized by the specification. In the EC's view, such behavior could distort the marketplace.

Moreover, Madelin wrote that the Do Not Track specification should expect browsers to both inform users of the Do Not Track option, and to opt out of tracking by default.

The EC's stance echoed that of the Congressional Privacy Caucus. Co-chairs Edward Markey (D-MA) and Joe Barton (R-TX) wrote that "browsers that default to Do Not Track provide consumers with better control and choice with respect to their personal information." Microsoft's policy was specifically endorsed, with the congressmen asking W3C "to make the protection of consumer privacy a priority and support Microsoft's announcement by endorsing a default Do Not Track setting."

FTC Commissioner J. Thomas Rosch, meanwhile, took the contrary view, saying in a letter to W3C that "Microsoft's default [Do Not Track] setting means that Microsoft, not consumers, will be exercising choice as to what signal the browser will send."

Second-guessing the DNT header sent by browsers is fraught with difficulties. A browser could market itself as being private by default, and even enumerate in its feature list that it sends the DNT header, opting out of tracking, by default. The mere decision by a user to install this browser would be a positive step taken toward opting out of tracking. Such a thing is hardly inconceivable; there are already browsers that vaunt their privacy as their unique selling proposition.

It would be absurd for a tracking advertiser to ignore this DNT header, as it would plainly be an accurate expression of user intent. However, that is what advertisers want to do.

While W3C has agreed that browsers shouldn't set a default, the group has reached an impasse when it comes to saying how such a default should be handled. Yahoo has suggested that perhaps servers could respond to requests from browsers that set a default with a message informing users that their Do Not Track preference was being ignored because they might not have intended it—but this too is problematic. Servers cannot distinguish between, for example, users who accepted Internet Explorer's defaults, and those who customized their options but still opted out of tracking. They would all have their preference ignored. Continued use of the browser in spite of such a warning could also be argued to be an explicit decision to opt out.

The group intends to meet again on Wednesday. The default issue isn't on the agenda, but with Microsoft's reiteration of its plans to enable Do Not Track in Internet Explorer 10, it would be no surprise if the matter received further consideration.

If W3C stays the course, and advertisers continue to insist that Internet Explorer 10's default setting justifies ignoring the header entirely, then there's a very real prospect that the Do Not Track header will be both widely used, and widely ignored. In this situation, it would be difficult to describe it as anything other than a failure.

Microsoft's action may cause W3C to reassess its position. It might just as well derail the entire Do Not Track effort, or at least cause the advertisers to drop their already tentative support. That in turn could be the stimulus legislators need to take action of their own. Given the murmurings of legislators on both sides of the Atlantic, that could turn out to be good for privacy advocates, but it may be disastrous for advertisers.

Listing image by Alexander Montuschi
