
Web tracking and "Do Not Track"

By Jake Edge
January 26, 2011

Web site visits are increasingly being tracked by advertisers and others ostensibly to better target advertising. But recording which sites we visit as we click our way around the web is not only an invasion of privacy, but one that has multiple avenues for abuse. Both Mozilla and Google have recently announced browser features that could reduce or eliminate tracking—at least for advertisers that comply.

Using a wide variety of techniques (browser or Flash cookies, web "bugs", JavaScript trickery, browser fingerprinting, and so forth), advertising and tracking companies are getting a detailed look at the web sites we visit. Most web advertising also provides a means to track web site visitors on a wide variety of sites, not just the single site where that particular ad appears. It is somewhere between difficult and impossible for users to stop this behavior, if they even know it is taking place. The information is then stored by these third parties for their use—or to sell to others.

What privacy advocates would like is a way for users to opt out of tracking. It would be better still if users had to opt in to tracking, but an initiative like that is vanishingly unlikely because of opposition from advertising/tracking companies. A subset of advertising companies have come together in a group called the Network Advertising Initiative (NAI), which provides an opt-out service to disable tracking by member companies. That web page gives an eye-opening list of advertisers and the status of their cookies in your browser. One can then choose which to opt out from (with a helpful "Select All" button if one is willing to turn on JavaScript for that site).

There are a number of problems with the NAI approach, as outlined in a recent Electronic Frontier Foundation (EFF) blog posting. The biggest problem from a privacy perspective is that some members interpret opting out differently than others:

Some tracking companies recognize that an "opt out" should be an opt out from being tracked, others insist on interpreting the opt out as being an opt out for receiving targeted advertising. In other words, the NAI allows its members to tell people that they've opted out, when in fact their web browsing is still being observed and recorded indefinitely.

Another problem is that the opt-out choice is recorded in a cookie for each different advertising or tracking company, so one must visit that page frequently as additional companies join the NAI. Privacy-conscious users will also periodically delete their cookies, which also necessitates revisiting that page. Overall, it is a fairly fragile solution.

Google's idea is to provide a Chrome extension ("Keep My Opt-Outs") that blocks the deletion of the opt-out cookies (both browser and Flash cookies) so that users can still delete the rest of their cookies without having to re-up at the NAI web site. It is fundamentally just a list of cookies that shouldn't be deleted, and that list will need to be updated periodically, presumably through the extension update mechanism. It is similar to the Beef TACO (Targeted Advertising Cookie Opt-Out) Firefox extension, though TACO handles more than just the NAI-listed companies' cookies.

Keep My Opt-Outs and TACO are useful today, though they can't address the problem of differing interpretations of the opt-out. Mozilla has gone a step further and implemented a more sweeping change with its "Do Not Track" HTTP header. Do Not Track is going to require buy-in from other browsers and the tracking companies before it can even work, but it "solves" the problem in a much simpler way.

The basic idea is straightforward: a user can indicate that they do not wish to be tracked and Firefox will send a Do Not Track HTTP header with every request. That header could be interpreted by the tracking companies as the equivalent of their opt-out cookies. It would be even better if they interpreted it to mean what it clearly says and would turn off all tracking, rather than just turning off targeted (i.e. behavioral) advertising. The latter will undoubtedly take some major convincing—or regulatory pressure.

Using an HTTP header for this purpose is a far superior technical solution in that users (or their browsers) don't have to keep track of lists of advertisers and their cookies, while clearly indicating to the web sites that the user has requested that tracking be disabled. No new cookies need to be installed or preserved and violators will be fairly easily spotted. While the EFF has made it clear that it is backing the Do Not Track header approach, there are still several groups that will need to be convinced: advertising networks, tracking companies, and browser makers (some of which run their own ad networks: Google and Apple).
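To make the two readings of the header concrete, here is an added example (not code from Mozilla, the NAI or any ad network) of a server treating it either as "no tracking" or only as "no targeting", together with a client-side check that exposes the weaker reading. `X-Do-Not-Track` is the header named in this article and `DNT` is the name Firefox shipped; the `uid` cookie, the policy names and the clickstream list are assumptions.

```python
import uuid

# "X-Do-Not-Track" is named in the article; "DNT" is the name Firefox shipped.
# The "uid" cookie, the policy names and the clickstream log are hypothetical.
DNT_HEADERS = ("dnt", "x-do-not-track")
ONE_YEAR = 365 * 24 * 3600


def _lower(raw_headers):
    # HTTP header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v for k, v in raw_headers.items()}


def wants_no_tracking(raw_headers):
    """True if a recognised Do Not Track header is present with value "1"."""
    headers = _lower(raw_headers)
    return any(headers.get(name, "").strip() == "1" for name in DNT_HEADERS)


def handle_ad_request(raw_headers, cookies, clickstream, policy="no-tracking"):
    """Return (ad_kind, set_cookie_values) for one third-party ad request.

    policy="no-tracking":  no identifier is issued and nothing is recorded.
    policy="no-targeting": the weaker reading; the visit is still recorded
                           against an identifier, only the ad is generic.
    """
    opted_out = wants_no_tracking(raw_headers)
    if opted_out and policy == "no-tracking":
        # Expire any identifier that was issued before the user opted out.
        expire = ["uid=; Max-Age=0; Path=/"] if "uid" in cookies else []
        return "generic", expire

    uid = cookies.get("uid") or uuid.uuid4().hex
    clickstream.append((uid, _lower(raw_headers).get("referer", "")))
    issued = [] if "uid" in cookies else [f"uid={uid}; Max-Age={ONE_YEAR}; Path=/"]
    return ("generic" if opted_out else "targeted"), issued


def violates_do_not_track(raw_headers, set_cookie_values):
    """Heuristic client-side check: a persistent cookie set despite an opt-out.

    Only Max-Age is inspected; Expires parsing is left out for brevity.
    """
    if not wants_no_tracking(raw_headers):
        return False
    for value in set_cookie_values:
        for attr in value.lower().split(";")[1:]:
            name, _, val = attr.strip().partition("=")
            if name == "max-age" and val.isdigit() and int(val) > 0:
                return True
    return False
```

The check only sees cookies; a server that keeps recording visits by other means, such as fingerprinting, would pass it.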

There are already Firefox extensions that implement the X-Do-Not-Track header (and the related X-Behavioral-Ad-Opt-Out header), like Universal Behavioral Advertising Opt-out and NoScript, but, for now at least, they are just "feel good" extensions. It remains to be seen if the NAI and other advertisers/trackers start to handle these headers. One might guess they would be resistant—probably will be—but there's no real reason to believe that users would opt out in droves. There are also reasonable arguments that Do Not Track will have a minimal impact on online advertising.

Of course, even if there were, miraculously, full adoption by advertisers or, rather less miraculously, regulations from the US Federal Trade Commission (FTC) and other, similar, agencies that require advertisers to adopt it, there will still be some amount of tracking. Whether those violators are outside of the FTC's jurisdiction or just flying below the radar, clickstream information has value and there will always be those trying to extract that value. Unfortunately, there doesn't seem to be any possible technical—or regulatory—solution to that particular problem.


Index entries for this article
Security: Privacy
Security: Web browsers



Selectively enable cookies

Posted Jan 27, 2011 3:34 UTC (Thu) by felixfix (subscriber, #242) [Link] (1 responses)

I disable cookies, then selectively enable them (in Firefox preferences) for sites that I choose. Sometimes it's a nuisance; citi credit cards jumps to a completely different site (cardonline.com or some such) after you log in, so the first time you do it, you just grit your teeth and cuss 'em out under your breath. Most I only allow to have session cookies.

If this tracking is something different, please let me know.

Selectively enable cookies

Posted Feb 5, 2011 2:14 UTC (Sat) by idupree (guest, #71169) [Link]

Tracking often uses a lot more data than cookies. For example see https://panopticlick.eff.org/ . User-Agent, preferred this or that, IP address, etc... even without cookies, sites can have a pretty good guess at keeping a timeline about you.

"Do Not Track"

Posted Jan 27, 2011 18:06 UTC (Thu) by ballombe (subscriber, #9523) [Link] (1 responses)

This is an extract from my /etc/hosts:
0.0.0.0 quadzero
0.0.0.0 a.tribalfusion.com
0.0.0.0 www.google-analytics.com
0.0.0.0 pagead2.googlesyndication.com
0.0.0.0 ad.doubleclick.net
(etc.)

This is not perfect, but it sure beats maintaining opt-out cookies.
It has the added benefit of not slowing down browsing when one of those services is down.

"Do Not Track"

Posted Jan 27, 2011 21:24 UTC (Thu) by smadu2 (guest, #54943) [Link]

http://www.mvps.org/winhelp2002/hosts.txt . They seem to maintain a huge list of all websites which are either ads, disregard privacy, etc ... and can be cat'ed to /etc/hosts file.

Web tracking and "Do Not Track"

Posted Jan 30, 2011 21:34 UTC (Sun) by job (guest, #670) [Link] (1 responses)

What incentives could the advertisement networks possibly have to honour these opt-out systems?

Wouldn't a client implementation, where the browser simply ignores setting these cookies, be a more robust solution? I believe all the common browsers today offer "private surfing" modes that work this way.

MSIE block lists

Posted Jan 31, 2011 19:35 UTC (Mon) by dmarti (subscriber, #11625) [Link]

This looks like a promising approach for handling blocking lists within the browser: IE9 and Privacy: Introducing Tracking Protection. Would be interesting to see extensions for the Free browsers that support the same lists.

Web tracking and "Do Not Track"

Posted Feb 5, 2011 8:09 UTC (Sat) by muwlgr (guest, #35359) [Link]

To my mind, this looks just too similar to RFC 3514 ("Evil bit"), and is going to be implemented and supported equally well :>


Copyright © 2011, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds