Developments in web tracking protection

Mozilla first announced Firefox 4 support for the X-Do-Not-Track HTTP header (DNT) in January, but for a while it appeared that it would be the lone browser implementing the privacy-protecting option. The movement has picked up considerable steam in recent weeks, however, with both Safari and Internet Explorer (IE) adding support for the header. IE 9 also adds a related feature: Tracking Protection Lists (TPLs), a form of subscription-based block list similar to that offered by the AdBlock Plus project. Yet while both are improvements from the viewpoint of most consumers, their real value remains up in the air in light of important unanswered questions.

The limitations of DNT and block lists

DNT is an HTTP header that a web browser would send along with a page request to a web server — the idea being that it requests that the server not employ "tracking" to monitor the user's behavior during the session. It is currently an IETF Internet Draft, and is still undergoing changes. For example, the actual header now simply reads "DNT: 1" or "DNT: 0", instead of the comparatively wordy original form, "X-Do-Not-Track: N". But the bigger debate remains over what "tracking" actually means. The draft concisely defines it as "Tracking includes collection, retention, and use of all data related to the request and response."

The Electronic Frontier Foundation's Peter Eckersley tackled that question in an EFF blog post in February, where he observed that the simple definition encompasses some techniques that are generally agreed to fall outside the average person's conception of "tracking." Examples include single-site statistics such as might be gathered by standard web server logs or an analytics tool, tracking necessary to complete online transactions, and tracking necessary to prevent fraud or respond to security breaches.

What constitutes "tracking" is a nebulous question without a bright-line, technical answer, but that is acceptable because, Eckersley argues, DNT is a ultimately a policy tool and not a privacy-enhancing technology. He expounded on that distinction in a March post written in response to the announcement of IE 9's support for DNT and TPLs. There, he argues that block lists and DNT can complement each other, but that neither is 100% effective on its own.

Block lists, the term Eckersley uses to describe both TPL and plug-in solutions like AdBlock Plus, block outgoing HTTP requests that match a set of URL patterns that are created to catch known advertising, tracking, and cookie APIs. They have the advantage that they can stop privacy-risking HTTP connections altogether (in a manner that is relatively easy for the user to verify), and that they place the end user in control, without depending on legal or regulatory means to enforce compliance.

On the other hand, block lists are highly dependent on human list-maintainers keeping up to date with thousands of site APIs, correctly discerning which are performing tracking, and determining which will break functionality if blocked. There is also a growing list of tracking mechanisms like fingerprinting that do not rely on cookies, static domains, or other easily-caught factors. Fingerprinting as implemented by EFF's Panopticlick is a proof-of-concept, but there are already businesses performing similar techniques in the wild to collect data for commercial usage.

Block lists also require a trust relationship with the list maintainers, and the trustworthiness of any given list maintainer is difficult to verify. Eckersley points to one particularly untrustworthy IE 9 TPL offered by the privately-owned TRUSTe corporation. TRUSTe's TPL blocks only 23 domains, and explicitly whitelists 3,954 others. Thanks to IE 9's implementation of TPLs, any domain whitelisted by TRUSTe's list cannot be overridden by appearing on the blacklist of another TPL. Consequently, subscribing to TRUSTe's TPL has the net effect of opting-in to nearly 4,000 tracking domains.

But even for any specific definition of "tracking" agreed upon, DNT suffers from a lack of agreement over what sites should do when encountering an opt-out visitor. The draft says that a server encountering the header must delete any previously-stored data used for third-party tracking. It does not address serving different content back to the client, nor the case where an API enables tracking but also implements other functionality. Finally, as we observed in January, a large number of tracking companies currently regard "opt-out" choices as applying solely to "behavioral advertising."

Most importantly, however, DNT's effectiveness hinges on its adoption by web sites, which at present is entirely voluntary, much like the robots.txt de facto standard for search exclusion. A small handful of sites have publicly announced their support for DNT, including the Associated Press, but Eckersley argues that requiring compliance is the only way to guarantee consumer protection.

DNT enforcement

The US Federal Trade Commission (FTC) endorsed DNT in December of 2010 in a "preliminary staff report" that outlined a framework for consumer privacy protection. The framework includes recommendations for limited data collection and retention, transparent data collection policies, and straightforward opt-in/opt-out mechanisms clearly presented to consumers.

The EFF submitted a public response to the paper, providing answers to the FTC's "questions for comment." In it, the EFF weighs in on the scope of the framework, advocating that the proposed rules be applied for any data that can be "reasonably linked to specific consumer, computer or other device" and not limited to "personally identifiable information" only. That distinction would encompass fingerprinting as well as cookie-based tracking, because as the EFF also points out, almost any information from a browsing can be "linked" to a user: location information, browsing history, browser settings, even time-based access patterns.

The historical standard, which assumes that only "personal" information (such as account names or email addresses) can be associated with an individual, is built on top of the notion that people can remain anonymous by "hiding in the crowd" from which it is infeasible to extract enough information about one user to track him or her. Given current computer power, however, that assumption is no longer true: almost anyone can mine the crowd's data and extract or "re-link" an individual. Ultimately, the EFF says, "the linkability problem is a function of the universe of available data, not merely the particular data that one is exchanging."

The EFF also recommends that no businesses be exempted from the rules a priori, but recommends that the FTC (which is tasked with consumer protection and fraud prevention) not police the marketplace as a whole and instead focus on responding to businesses that engage in abuse. Finally, the EFF recommends that the US federal government lead by example and embrace the DNT header for all federal agency web sites.

The EFF's comments and the FTC's staff report do not carry the force of law, but two bills have been introduced in the US House of Representatives that do mandate DNT compliance in one form or another. Eckersley notes in the February post that there are some commenters who believe technical means would be a better incentive for businesses to comply, such as the browser community adding violators to public block lists. He does not include a citation, so it is unclear exactly who the commentators in question are, or whether they have TPL-style block lists or a different mechanism in mind.

The two-handed approach

It might sound odd to suggest that block lists would be the compliance guarantee for DNT, but consider that Mozilla is no longer the sole browser vendor supporting the header. With IE9 and Safari also implementing the header, only Google Chrome remains a hold-out among the first-tier browser makers. That percentage of the browser market carries considerable weight.

Eckersley ultimately concludes that both block lists and DNT are required to protect consumer's online privacy. Block lists provide verifiable, immediate privacy protection, while DNT provides a regulatory tool for relief against sites that actively seek to harm consumers.

Ideally, widespread adoption of DNT puts privacy back into the hands of the user by default, although that depends on how simple and prominent the DNT settings are exposed to the user in the browser. It is probably still wishful thinking to expect browser makers to set DNT: 1 by default. Block lists, especially when enabled by default as in IE9, remain a valuable safety net, particularly for people who forget to check their DNT setting. Just remember to avoid TRUSTe's list — and to double-check the contents of any other block list, lest those intent on gaming the system open the door to still more privacy violations.