This is part one of a two part series on current updates in Do Not Track. Part two will explore issues around default settings in more depth.
As summer wanes, EFF and other digital rights advocates are continuing to fight for Do Not Track, a one-click browser-based signal users can turn on to tell websites not to track their online browsing habits. In this article, we’ll be reviewing recent Congressional hearings about online tracking and discussing a Do Not Track proposal being promoted by EFF, Stanford, and Mozilla.
Congress Hears from Privacy Experts
In June, the House Subcommittee on Intellectual Property, Competition and the Internet held a hearing on how the technology industry can implement privacy protections that inform and protect consumers. New York Law School Prof. James Grimmelmann discussed Do Not Track and articulated (PDF) three principles that are necessary to achieve genuine consumer choice:
- Usability—privacy interfaces must be clear and clearly disclosed.
- Reliability—a consumer who has expressed a choice is entitled to expect that it will be honored.
- Innovation for privacy—a privacy policy should encourage the development of these technologies, and protect them from interference.
Later in June, the Senate Commerce Committee heard testimony from Ohio State University Law School Prof. Peter Swire. Swire was critical of current online behavioral advertising industry self-regulation, noting that while “the 2011 DAA [Digital Advertising Alliance] principles have a section called ‘Limitations on the Collection of Multi-Site Data'….As drafted, it is difficult to see what limitations on collection could be enforced given the breadth of the exceptions.” Read Swire's testimony (PDF).
If nothing else, this testimony ensures that lawmakers are hearing from privacy advocates about the problem with today’s ecosystem of pervasive online tracking.
World Wide Web Consortium Works to Achieve Consensus on Do Not Track Standards—Especially When It Comes to Browser Defaults
Meanwhile, work in the World Wide Web Consortium (W3C) Tracking Protection Working Group (TPWG) continues. The W3C is a multi-stakeholder group of academics, thought leaders, companies, industry groups, and advocacy organizations like EFF (as an invited expert) working to create voluntary standards for the web. The TPWG charter, which would have expired by now, was extended another six months at the beginning of August.
Earlier this year, EFF, Mozilla, and Stanford’s Jonathan Mayer offered a compromise proposal that concedes to the online behavioral advertising industry a narrow scope of effect for DNT—mainly affecting “third parties” that consumers generally don’t know about —while subjecting such third parties to significant data collection restrictions. Our proposal would limit companies’ ability to collect a user’s browsing or reading history; companies could collect protocol data (like IP address and HTTP referrer) for a reasonable time, if they did not use unique ID cookies or their equivalents. Our proposal also conceded, however, that companies could collect and retain significantly more data for security purposes.
We’ve been talking to companies and trade associations about how to implement these kinds of changes technically. Mayer has done much work in this area, with a video presentation, as well as analysis of targeting without tracking, frequency capping, and advertising measurement.
At a non-technical policy level, the online advertising industry has suggested that companies may be able to meaningfully tighten the scope of permitted uses for online behavioral data and the amount of time that data would be kept or retained. While these would be good steps for privacy, we believe more needs to be done at a technical level. We’re encouraged that there’s been some industry response on these technical issues.
These issues aren’t easy. Entire business models in the online advertising industry are built on the assumption that data about users’ online activities will be easily available. And of course the overall advertising ecosystem isn’t monolithic. “First parties” range from large social networks and search engines to news and blogging sites, and they can also have significant ability to observe users’ behavior on many different sites, e.g. social widgets like a Facebook “like” button. Third-party tracking entities can be large or small, while their economic incentives and financial and technical resources may differ significantly.
The compromise offered by Mozilla, Stanford, and EFF attempts to thread a difficult needle, balancing users’ need for privacy and industry interests in providing advertisements and protecting against security threats. We think it achieves the three principles outlined by Prof. Grimmelman in his testimony to Congress—namely, that is usable (users can set it in the browser with just a couple clicks), reliable (once the Do Not Track standard is set, there will be a recognized understanding of how websites should respond when they receive the Do Not Track signal) and allows for privacy innovation. This third part is essential—the Do Not Track standard we are working to create is one that allows for many new, privacy-protecting business models to flourish. As researchers Jonathan Mayer and Arvind Narayanan articulated in a recent blog, "A rigid use-based approach could lock in current advertising business practices, stifling innovation, or motivate some companies to bend the rules and justify tracking for an ever-expanding set of uses." The compromise agreement on Do Not Track, which limits data collection by third parties but doesn’t tell advertisers what types of ads they can show or limit new forms of future advertising models, provides a framework that’s good for innovation and privacy.