When Stanford researcher Jonathan Mayer uncovered a Google workaround to circumvent the default privacy settings on Safari, EFF called on Google to change their tune on privacy by respecting the Do Not Track flag and building it into the Chrome browser. We specifically praised the World Wide Web Consortium (W3C) multi-stakeholder process, which for a year has been convening consumer advocates, Internet companies, and technologists to craft how companies that receive the Do Not Track signal should respond. Today, in conjunction with the White House’s new publication Consumer Data Privacy in a Networked World (PDF), the Digital Advertising Alliance (DAA) announced (PDF) that it will embrace Do Not Track. (The DAA is the latest self-regulatory organization for online advertising companies.) This is a big step in the right direction for securing user privacy rights in the digital environment, but we’ve still got a long way to go. And, unfortunately, it looks like online advertisers are already working to water down the Do Not Track protections.
There are two parts to Do Not Track: technology and policy. The technology, a simple HTTP header (“DNT: 1”), allows a consumer to signal her privacy preference. The policy specifies what companies can and can’t do when they receive the signal. Read more.
Today’s announcements are great news for the Do Not Track technology. Google, a member of the DAA, has committed to add the feature to Chrome. While we haven’t seen the user interface, presumably it’ll be a one-click check box easily accessible through your browser settings, similar to what other browsers offer. Even better, Google and other members of the DAA -- including Yahoo!, Microsoft, and AOL -- are committing to adding support for the Do Not Track technical signal.
Today also brought good news for enforcing Do Not Track. The White House recognized that user privacy protections are nearly useless without a method of enforcement, so it has reaffirmed that companies that commit to respecting Do Not Track will be subject to Federal Trade Commission (FTC) enforcement.
Time to celebrate? Should we declare February 23rd V-DNT Day? Not quite. While today was a great advancement on the Do Not Track technology, it did not meaningfully move the ball forward on the Do Not Track policy. Even as Google and the other giant advertisers make strong gestures toward giving users meaningful choice when it comes to online tracking, portions of today’s two announcements are also undermining some of the most powerful consumer protections. Specifically:
Favoring industry-crafted standards
The W3C is a long-respected Internet governance body that brings together a wide range of stakeholders -- including civil liberties advocates, engineers, and industry representatives -- to reach accord about standards affecting the future of the Internet. EFF and lots of other consumer groups are involved in the process, and anybody can read up on what’s happening through the publicly available meeting notes. For a year, W3C has been working to pin down how various websites should respect the Do Not Track header. Internet companies, including Google, have been actively participating.
The DAA, on the other hand, is an industry group for online advertisers. It includes no consumer advocates or regulators and it doesn’t offer an opportunity for public participation in their decision-making process. Historically, the DAA has eschewed providing users with powerful mechanisms for choices when it comes to online tracking. The self-regulatory standards for behavioral advertising have offered consumers a way to opt out of viewing behaviorally targeted ads without actually stopping the online tracking which is the root of the privacy concern.
While we appreciate that DAA is interested in respecting the Do Not Track flag, it’s important that they engage with the larger Internet community in doing so. DAA should use the W3C for the purposes of defining Do Not Track and determining how websites that receive this signal should react. And the White House, similarly, should turn to the well-established W3C multi-stakeholder process for addressing these issues.
Chipping away at Do Not Track’s simplicity
If you’re using the most recent version of Firefox, you can turn on Do Not Track by going into your preferences and checking the box that says “Tell websites I do not want to be tracked.” Pretty straightforward, from a user’s standpoint. But DAA is trying to tamper with this simplicity. In its statement, the coalition of online advertisers say that they'll respect Do Not Track where a consumer "has been provided language that describes to consumers the effect of exercising such choice including that some data may still be collected." Then they noted their intention to “begin work immediately with browser providers to develop consistent language across browsers.”
The most skeptical interpretation of this statement is that the straightforward language for turning on Do Not Track might turn into some slippery legalese that doesn’t promise to do much of anything about tracking. We hope that’s not the case; much of Do Not Track’s power came from its straightforward, human-readable format.
No privacy-protective default settings
The DAA added another exception into their promise to respect Do Not Track: they won’t respect the setting unless a user affirmatively chooses Do Not Track and won’t respect it if “any entity or software or technology provider other than the user exercises such a choice.” This seems geared toward preventing a privacy-protective browser from turning Do Not Track on by default.
It’s important that advertising companies remember that users can express a preference simply by choosing a privacy-protective browser. In the same way many users may have chosen the Safari browser because of its privacy-protective policies regarding third-party tracking, many users in the future might affirmatively choose a browser that has Do Not Track enabled by default.
While there remain serious concerns about attempts to water down enforceable tracking protection for consumers, one thing is clear: Today represents a powerful step forward in helping users protect their online privacy. We applaud Google’s decision to implement Do Not Track in the Chrome browser, and we’re looking forward to collaborating with the DAA and other stakeholders in the W3C to communicate the concerns of users and advocates in online tracking issues.