Why 'Do Not Track' Still Doesn't Cut It

Feb 23, 2012 (02:02 PM EST)

Read the Original Article at

On paper, the Obama administration's announcement of a proposed Consumer Privacy Bill of Rights sounds like a great idea. It calls for legislation that allows attorneys general and the Federal Trade Commission to enforce how end-user privacy is protected, and for consistent transparency in how personal data is collected and used online.

After "Do Not Call", and hot on the heels of yesterday's news about California pledging better privacy protection for users of mobile apps, here's "Do Not Track".

Again, it sounds like a great idea: Click a conspicuously visible button in your browser, and third parties are automatically blocked from harvesting unwanted information from your browsing habits. What's more, it wouldn't just be a good idea--it would be mandated and protected by law.

That's the theory, anyway. The practice might turn out to be far thornier. In truth, there is no agreement or rule on what the browser is supposed to do when the user clicks the magical Do Not Track button.

The quest for a universal Do Not Track (DNT) standard has worn on for some time now, with little more than a few competing ad hoc standards to show for it. It's always been possible for end users to purge tracking cookies, use proxies, or block data harvesting with third-party add-ons. But who wouldn't be happy with a single, centralized mechanism to allow users to opt out of online tracking? (Apart from advertisers, that is?)

The problem is figuring out what that one single mechanism is, getting everyone to use it, and making sure it isn't just going to be circumvented or broken.

One of the original DNT initiatives involved using a header, broadcast by the browser, to tell Web servers that the user in question doesn't want to be tracked. A version of this proposal was floated in 2009 (as described by security researcher Christopher Soghoian), but lacked support from the very people who needed most to implement it: the advertisers. The idea also suffered from one major loophole: the burden of support was on the server side, not the client. The server didn't have to honor the header, and there was no enforceable penalty for noncompliance.

Over time the idea of a universal DNT system returned with a vengeance. The problem was, again, how to implement it, since everyone seems to have wildly different ideas--all of which put the burden of support on different parties.

Mozilla added support in Firefox for the above-described DNT header, but didn't present a solution to the whole problem of how to get third parties to bother honoring DNT. The W3C has its own working groups for DNT policies, but by its own admission they are not regulators, and cannot penalize anyone for noncompliance with any standard they might draft.

Microsoft--in a move that could either be seen as insightful or merely contrary--came up with a solution via its own no-tracking technology, called Tracking Protection Lists. Lists of third parties that might be tracking you are maintained and used by the browser (Microsoft has implemented TPL in Internet Explorer 9), and can be blocked automatically by the user. That makes it more immediately useful than the DNT header, as DNT can simply be ignored. But it also requires that the block lists be kept up-to-date, and it forces the user to either be dependent on someone else's block lists or cobble them together himself.

Google had its own solution for Chrome called Keep My Opt-Outs, which persistently stores a user's preferences to selectively opt out of ad tracking even if they delete cookies from their browser. Google claimed this provided a good balance between what advertisers and what users wanted--more or less the position you'd expect from a company that has a foot in both the browser and advertising markets.

So now that there's talk of making DNT mandatory, how is it to be implemented? From what we can tell, it's entirely up to the browser maker how a DNT button would operate.

Given the divergence of opinions between Google, Mozilla, and Microsoft alone on that issue, all this seems likely to do is shift the burden of managing privacy that much more onto the user. If a user expects one kind of privacy-preserving behavior in Chrome, and then get a completely different (or even nonexistent) one in Firefox, that's a problem.

Because the actual details are a long way from being delivered to the end user (Google, for instance, is to release its DNT-button-endowed edition of Chrome by the end of the year), any user who wants to opt out of tracking needs to get in the habit of doing it herself. The tools to accomplish this already exist: IE's TPL, or third-party add-ons such as Ghostery, which lets you see and block ad companies that are following you on a given page.

In short, it's best to assume that until the details are more concrete, and maybe even after that as well, you're better off taking the protection of your privacy into your own hands.