At times it can seem like protecting one's online privacy is a
Sisyphean struggle. Even when the software industry listens to the
concerns of privacy advocates, the site owners and secretive
data-collectors who profit from pillaging private information are
quick to find every loophole and work-around in existence to regain
their access to profitable data. Such seems to be the case with the
Do Not Track HTTP header (DNT),
which has garnered support from browser vendors — plus a steady
stream of assaults aimed at undermining it, courtesy of advertisers.
Preferences, browsers, and intent
Although "opt out" mechanisms for web tracking have been discussed for
years, the DNT HTTP header approach was first
proposed by Mozilla's Mike Shaver. It has subsequently been
developed under the stewardship of the World Wide Web Consortium's
(W3C) Tracking Protection Working Group. According to the latest
draft of the specification,
DNT is an optional HTTP header field that can take either 0 or 1 as a
value, where 1 indicates that the user prefers not to be tracked, and
0 indicates that the user prefers to allow tracking. The key issue,
however, is that the header is intended to represent a user
preference — which most interpret to mean a conscious
choice on the user's part — and it must not be sent at all if
the user has not expressed such a preference to the browser.
Initially Mozilla was the only browser vendor behind DNT, but Opera added
support in July in Opera 12, as
did Apple a few weeks later in Safari 6. Google
support in Chromium on September 13. In all four browsers, the DNT
setting must be manually enabled in the application preferences.
from quite early on that this is a critical facet of making DNT a
workable solution. If DNT were enabled automatically or by default,
it would no longer represent "a choice made by the person behind
the keyboard," but one made by the browser vendor.
The decision was controversial — after all, reasoned critics,
who in their right mind wants to be tracked? But Mozilla
stood firm, and eventually the other browser makers followed suit.
Until June 2012, that is, when Microsoft announced that Internet
Explorer (IE) 10 (which is scheduled to ship with Windows 8) would
present the DNT option as a check-box shown to the user during
installation, with the do-not-track option selected by default.
But enabling DNT by default violates the specification, opponents
argued, and strips it of its meaning. And if the DNT header does not
reflect an actual user's decision, the argument goes, advertisers will
be justified in ignoring it. Apache's Roy Fielding objected strongly
enough that he committed a change
that causes the web server to un-set the DNT header when it is sent by
IE 10. Fielding is a member of the W3C Tracking Protection Working
Group, and his log message for the commit said that "Apache does
not tolerate deliberate abuse of open standards." He
elaborated on that interpretation in the inevitable argument that
followed on GitHub,
Microsoft's decision broken because it violates the specification's
requirement that the DNT header default to "unset." Apache, he said,
"has no particular interest in what goes in the open standard --
only in that the protocol means what the WG says it means when the
extra eight bytes are sent on the wire."
Conspiracy theorists might suspect that Microsoft's decision is a
subtle ploy to undermine DNT entirely to curry favor with advertisers
and other user-tracking firms. If so, the advertising world
is doing an excellent job of maintaining a cover story; the
Association of National Advertisers (ANA) publicly
criticized the decision in an open letter to Microsoft management.
Step right up
Regardless of what happens on the browser and server fronts, DNT still
relies on voluntary compliance on behalf of site administrators and
service providers — and, by extension, compliance that matches
up with what the user intends. The meaning of DNT might seem to be
straightforward, but the people who make their money tracking users
cannot be forced to agree. In September, Ed Bott at ZDNet
reported that the Interactive Advertising Bureau (IAB) and the
Digital Advertising Alliance (DAA) "devised their own
interpretation" of DNT, under which they would continue to
collect information, but would refrain from using that information to
deliver targeted ads to the browser. Presumably that restraint lasts
only for the duration of the browsing session in which DNT is sent.
Lest anyone propose a "Do Not Target Ads" HTTP header that IAB and DAA
might conversely interpret as a reason to stop collecting tracking
information, remember that nothing obligates advertisers or other
information brokers to react to the header at all. Grant Gross at IDG said
at least one site, a "tech-focused think tank" called the Information
Technology and Innovation Foundation (ITIF), has unilaterally decided
it will simply ignore the DNT header, and its site will report that
fact to visitors.
Other members of the advertising business have embarked on their own
campaigns to nip DNT in the bud. In June, the US Senate held hearings
about tracking and DNT in particular. As the Electronic Frontier
Foundation (EFF) observed,
ANA representative Bob Liodice testified at the hearings that DNT
would undermine cybersecurity, including "issues such as online
sexual predators and identity theft." The Senate did not seem
to buy Liodice's argument (Senator Jay Rockefeller, chairman of the
Committee on Commerce, Science, and Transportation, declared the
cybersecurity argument "a total red herring"), although
the EFF noted that online tracking does raise important law
enforcement questions in addition to its advertising angle.
Most recently, DNT critics gathered at the W3C Tracking Protection
Working Group meeting in Amsterdam, where the Direct Marketing
Association (DMA) proposed that an exception be added to the DNT
specification for "marketing." The EFF blog
entry about the meeting quotes the DMA representative as saying:
Marketing fuels the world. It is as American as apple pie and delivers
relevant advertising to consumers about products they will be
interested at a time they are interested. DNT should permit it as one
of the most important values of civil society.
Such an "exception" would seem to cover the precise tracking scenario for
which DNT is designed, and indeed other members of the working group
fought back. Fielding accused
DMA of "raising issues that you know quite well will not be
adopted." The EFF views DMA's participation in the meeting as
an attempt to undermine or derail the specification-writing process.
That is a bit of a judgment call, but it is clear from the latest
traffic on the working group's mailing
list that DMA, DAA, and other advertising groups are not meshing
well with the software industry representatives who typically account
for the bulk of W3C participation. In recent weeks there have been
multiple threads about redefining basic terms like "service provider"
and "user agent" that indicate (at the very least) a culture clash.
On the plus side, there have been sites and web services that have
voluntarily announced their intention to comply with DNT; Twitter is
the highest-profile. But the specification is far from completion,
and as recent events show, voluntary compliance will only take care of
a subset of the data-collecting entities on the web today. In the
GitHub comment linked to above, Fielding speculated that the long-term
ploy of DNT advocates was to get widespread adoption, then to push for
mandatory compliance through legislation. Whether that will happen is
anyone's guess; the US Federal Trade Commission (FTC) has endorsed
DNT, which in addition to the US Senate hearings might provide enough
evidence to make the advertising industry wary.
Implementing a campaign of "good enough for most" self-regulation
would be one path to avoiding such government oversight, and derailing
or gutting the specification could be effective, too. At the moment,
the advertising business seems to be pursuing both tactics. It is up
to the W3C and privacy advocates to respond, but at least for the time
being the only guaranteed way for users to safeguard their privacy
remains the do-it-yourself approach: Tor, NoScript, Adblock Plus, and
so on. A world where user-tracking is simply not an issue sounds
nice — it just doesn't sound likely in the near-term.
to post comments)