It took Sid Stamm, the lead privacy engineer at Mozilla, a few minutes to create the first prototype of the Do Not Track header. Then came the hard part.
Do Not Track is a one-click, browser-based signal which users can turn on to tell websites not to track their online browsing habits. Websites use that behavioural data to create targeted advertising. Mozilla introduced Do Not Track in 2011 with Firefox 4, and now all the major browsers offer it. The Federal Trade Commission (FTC) has been an advocate.
Yet, while users can voluntarily enable the technology, advertising networks can choose whether to honour that request. So far few have. It's a signal with virtually no listeners. The reality is that users can be tracked no matter what they decide.
“It's still not clear exactly what the signal is supposed to mean globally,” says Stamm. The reason is that there is no current standard. Two years ago, the World Wide Web Consortium (W3C), an internet standards-setting group, became the venue for browser makers and advertisers to iron out any differences in understanding. However, the disparate interests have been unable to even agree to a definition of “tracking.”
A final deadline for producing standards is scheduled for this month. But the more likely outcomes are a meaningless document or a punting of the deadline, says privacy researcher Jonathan Mayer, a graduate student at Stanford University, in California, and a participant in the talks.
“After some two years of conversations, 75 conference calls and 10 meetings, we haven't made any meaningful progress on the big policy issues,” Mayer says. “I'm not sure what happens next. It concerns me.”
At stake is how far Do Not Track should go. Advertising on the internet is like a license-plate recognition system where everybody is uniquely followed. Do Not Track is meant to make a license plate harder to read, affording more privacy. But by how much?
“I think there's this big gap...between what people think is happening online and what's actually happening,” Stamm says. “One of the ways to improve privacy is to close that gap.”
This gulf is most pronounced in the actions of third-party advertisers. These companies follow consumers' every online move, creating a profile of their actions and selling that data for targeted advertising. For instance, after someone about to be married shops online for a wedding ring, a number of the websites they visit offer ads for wedding venues. In other instances, an individual who visits Amazon might be fine with the shopping site using their history to create focused ads. But how about third-party companies they never see and of which they have never heard? Should they be allowed to collect and then monetise that personal information?
What's the need?
“The privacy thrust is really the notion of un-linkability,” says Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, an organisation that works to protect privacy rights. “We're not looking to say there can't be advertising. We're looking to say, ‘Wait a minute, why do you have to track?’ The goal is to figure out: Can you do your business of advertising without tracking?”
Tien says the answer, technically, is yes. But advertising groups argue that their business models depend on this monitoring. Hence the belief surrounding the W3C that advertisers are dragging their feet and resisting privacy efforts. Tien says advertisers are concerned that Do Not Track will become more popular as more people learn about it.
Major online ad networks have long offered users cookie-based “opt-out” mechanisms as a way to avoid targeted advertising, but few users were aware of them. In addition, for almost a decade, Apple's Safari has blocked cookies from third-party sites. Mozilla began offering the same option in March. But cookies are imperfect and only block off parts of the web, says Stamm. He argues that Do Not Track, though not a Holy Grail, differs in that it cuts through any particular blocking technology and gives users transparency and streamlined control over what they want. If that includes privacy, they get it.
Mozilla has tabulated the percentage of Firefox users who have activated Do Not Track: 11 percent worldwide and close to 17 percent in the United States. Fourteen percent of mobile users of Firefox have turned it on. “I see that as a plea to the websites to say, ‘I may not understand what you're doing, but please, please respect my desire for a little bit of privacy and control over my data,’” says Stamm.
The advertising ecosystem is unbelievably complex – so much so that Stamm, who has a doctorate in computer security and writes software, jokes that he barely understands it. There are ad agencies on one end and on the other are the publishers of websites who sell advertising space. In between, there are scores of intermediaries – networks, servers, exchanges for ads, data suppliers, media-buying desks, and creative optimisation and analytic companies – who share and measure and profit from personal data. There are also a number of practical distinctions in this space: large and small, first party and third party.
As far as supporting or opposing Do Not Track is concerned, the right solution for “the ecosystem depends on where you sit,” says Tien.
The push for anti-tracking policy goes back to the turn of the millennium, when the FTC began pressuring advertisers on the concept of third-party trafficking. Then, in 2007, several public interest groups proposed a Do Not Track list, akin to the popular “Do Not Call” list. The technical design was inadequate, but the phrasing canny, and though the idea went nowhere the branding would ultimately resurrect itself.
In March 2009, privacy researcher Chris Soghoian, who is now the principal technologist at the American Civil Liberties Union, modified a Google browser add-on that addressed “opt-out cookies.” Immersing himself in the world of online advertising, Soghoian located more than a hundred advertising networks with opt-out cookies that he could clone. It required continual modification, however, and was not scalable. He noted that a header mechanism – a universal signal – would be a superior replacement for opt-out cookies.
Soghoian's goal was not to laboriously maintain a browser plug-in, but “to poke the advertising industry in the eye,” he wrote in a 2011 blog post. So he approached Stamm, his friend from the graduate program at the University of Indiana, to beg Mozilla to take it off his hands. Soghoian and Stamm put together a prototype Firefox add-on that added two headers to outgoing HTTP requests: one to opt out of behavioural advertising, the other to not track. They decided on both because even after one opts out of the former, many advertisers still track the user.
In mid-2010, former FTC Chairman Jon Leibowitz breathed new life into Do Not Track. Mozilla's support, plus a critical mass of privacy advocates, sent the issue off to the races. The focus shifted to a single header to communicate a user's preference not to be tracked. The groups congregated at the W3C, but the result has been gridlock. Edith Ramirez, the new chairwoman of the FTC, recently called a functioning Do Not Track system “long overdue,” and implied that self-regulation by the advertising industry is not enough.
The question is whether the various stakeholders exist on the same plane, regardless of good faith. Mayer says the pro-privacy side has given near-complete concessions on major issues – the information practices of first-party websites, information sharing with affiliates, no silent defaults on browsers – and “haven't gotten an inch in return.”
Stamm seems more forgiving. Whatever comes out of the W3C, he says, will not be a silver bullet for privacy. It will, however, serve as an important first step. “Do Not Track came out of a browser, not W3C,” he says. “We shipped it first and we're going to stand by it. We're going to find a way to make it work. But ultimately we're going to do what we need to do to get users what they want.”