Earlier this week, the World Wide Web Consortium (W3C) announced another major milestone in the standardization of Do Not Track. Most notably, the technical mechanism will soon be certified for widespread implementation.
While this progress is noteworthy, it’s also important to recognize that the W3C’s Do-Not-Track work has changed a lot in recent years. Originally, the goal was to get broad consensus between industry and advocates on a regime for limiting cross-site tracking at a user’s request. For a variety of reasons, that consensus never developed. Today, Do Not Track does not exist as a broad voluntary regime but instead as a mechanism for transparency and enforcement of potentially divergent user preferences.
It remains to be seen whether this new approach will be more widely successful, but we’re already seeing promising implementations, though perhaps not in the way originally conceived.
Obviously, we had hoped that making progress on tracking protection would be easier. When FTC Chairman Jon Leibowitz called for the deployment of Do Not Track nearly five years ago, the major web browsers acted quickly to allow users to set persistent Do-Not-Track instructions that would be broadcast to all sites the user visited. The advertising industry was initially reluctant to engage with the issue—pointing instead to the deployment of the AdChoices program. However, in February 2012, at a White House event to announce the President’s Consumer Privacy Bill of Rights, the Digital Advertising Alliance ultimately committed to honoring Do-Not-Track signals within a year
Ultimately, that never happened.
Today a few companies—such as Twitter, Pinterest and Medium—voluntarily honor Do-Not-Track requests, but the vast majority of third-party sites do not. For years, companies pointed to a lack of clarity about what Do Not Track means and how they should comply. The progress in standardization weakens those arguments, but still it is not expected that a lot of companies are going to adhere to users’ Do-Not-Track instructions in the short term.
However, while industry as a whole is currently not willing to voluntarily honor Do Not Track, there is reason to think that that incentives may change over time. Ultimately, two threats might force compliance with user preferences: the increasing deployment of tracker blocking and the potential for data protection regulators enforcing users’ rights to opt out of data processing.
Privacy advocates have long warned that industry failure to self-regulate would force consumers to block ads; if ad companies weren’t willing to honor requests to stop tracking, then people would look for ways to affirmatively stop that tracking themselves. And as support for Do Not Track has faded, ad blocking has risen dramatically.
The Do-Not-Track standard has evolved to reflect this trend.
The most significant change in the W3C’s Do-Not-Track work in recent years has been a modification of the technical standard to support different compliance regimes—instead of just one unitary W3C compliance rule set. For example, if you want to write your own set of Do-Not-Track rules, you can configure your browser to require that tracking companies signal to you that they follow your rules.
That’s exactly what tracker blockers such as EFF’s Privacy Badger browser add-on does—it requires that ad companies assert compliance with EFF’s rather strict Do-Not-Track rules. If companies don’t agree to the data collection rules, the software can block them from setting or reading cookies or block the resource entirely.
This federated approach to Do Not Track mirrors a suggestion in last summer’s Big Data report from the President’s Council of Advisors on Science and Technology. The report argued that users can’t reasonably be expected to exercise informed notice-and-choice over every website or service that they use. Instead, they should be empowered to adopt privacy rulesets by trusted entities (like the ACLU or Consumers Union—or in the case of Privacy Badger, the EFF) that are enforced by their devices. In essence, these rules would function as reverse privacy policies—consumers set the rules they’re comfortable with, and their user agents enforce them.
At some point, enforcement of user preferences like Do Not Track may become the norm for all user agents—if websites are blithely ignoring the instructions of the user agent’s customers, then that’s not a tenable situation in the long run. Either you need to enforce the setting you offer, or you need to deprecate it. Right now, given increasing interest in tracker-blocking solutions—as well as recent efforts by Apple and Mozilla to build tracker-blocking into operating systems and browsers—it looks like the momentum is toward the former.
In addition to self-help solutions, privacy regulators may at some point act to enforce compliance with user’s Do-Not-Track requests. While U.S. citizens may not have legal rights to control much of their personal information, many other countries do provide enforceable rights over the processing of all personal information. In the EU, consumers already have the right to affirmatively opt out of certain data processing. In the General Data Protection Regulation passed by the European Parliament last year, that right was clarified to include automated signals generated by a user agent such as a browser or operating system (the final version of the law still needs to be worked out by the Parliament, Commission and European Council). As the meaning of the Do-Not-Track signal becomes standardized, regulators may look askance at companies that disregard users’ exercise of their rights over the processing of their personal information.
In any event, the debate about online tracking isn’t going away.
It won’t go away because ordinary consumers have strong concerns about the surveillance of their online activity—whether companies agree that those concerns are justified or not.
The W3C’s current Do-Not-Track standard facilitates communication about tracking behavior between online services and a user’s device, empowering individuals to enforce whatever rules she chooses over how her information will be treated. Obviously, online services might decide they can’t afford to provide content if they find those rules to be too onerous, but hey, that’s what markets are for.
For too long, the value proposition for online tracking has been opaque to users who vaguely understand that advertising supports free services but don’t broadly comprehend data collection practices. Do Not Track may provide a scalable technical solution to help consumers and companies have an overdue meeting of the minds about the tradeoffs between privacy and content.
Photo Credit: Google Trends chart on ad blocking search terms.
If you want to comment on this post, you need to login.