Do Not Flack

Microsoft’s welcome announcement that it plans to leave a “Do Not Track” flag turned on by default for its users has been very revealing in a number of respects. It also risks distracting from more important issues in the debate over commercial online surveillance.

Microsoft’s step is exactly the right thing to do and the company is to be applauded. With this announcement coming in the wake of similar steps by Twitter, we can hope that it is the beginning of a trend. Of course, some have pointed out that this may just be an attempt to undermine Google, which depends far more heavily than Microsoft on ad revenue. But if so, who cares? Competition over privacy may not be dependable enough to replace the need for regulation in some areas (in part because privacy violations are often silent and invisible). But when it does take place, this is exactly what it looks like: one company seeking to undermine another by offering products that are more protective of privacy and attractive to consumers.

The situation in our society as a whole, and with regard to online tracking in particular, should never be, “you have no privacy (unless you go out of your way to insist upon it).” It should be, “your activities are private (unless you consciously agree to share them).”

The Interactive Advertising Bureau predictably blasted Microsoft’s move. Calling it “a step backwards in consumer choice,” the trade association declared,

IAB is committed to empowering consumers with meaningful choice when they have legitimate privacy concerns…. A default setting that automatically blocks content violates the consumer’s right to choose….

We do not believe that default settings that automatically make choices for consumers increase transparency or consumer choice.

The IAB claims that setting the browser default to “do not track me” robs consumers of choice—yet somehow the reality that consumers are tracked en masse without their knowledge or permission, using sophisticated tools they cannot hope to understand unless they are Internet technology experts, does not rob consumers of choice?

In fact, the idea that one default setting robs consumers of choice, while the other provides it, makes no sense. There has to be some default setting—and that setting will either permit tracking or not. (As the old Rush song “Freewill” has it, “you can choose not to decide but you still have made a choice.”) There is no reason why one default setting deprives consumers of choice any more than the other, as long as they have the option to switch at any time.

However, one default setting does comport with every principle of privacy and fairness, while the other violates our civilization’s oldest norms. You don’t watch people without asking their permission—it’s as simple as that.

The IAB wants to make a choice for consumers, too—they just want the other choice.

The IAB also says, “we believe the only workable policy is to educate consumers and allow them to control how data is collected for certain purposes, including interest-based advertising.” Translation: “We’ll accept a DNT mechanism for those few who manage to learn what we’re up to, but for the vast majority of people we want to continue spying on their internet activities with ever-increasing intensity.”

The fact is, when new surveillance technologies first come into use, there is always a lag between people being watched in a new way, and people realizing that they’re being watched in a new way. The disingenuousness of the IAB’s insistence that “education” is the proper solution is that, with polls indicating that Americans by wide margins reject the concept of having their internet activities tracked, it is just this lag in understanding (combined, perhaps, with feelings of helplessness) that the internet advertising industry is currently depending upon. They may talk about education but they don’t really want it to happen.

Interestingly, the nonprofit Mozilla Foundation (which has been a consistently good actor in the area of privacy) has taken a stance against the DNT-on default. They argue that the DNT mechanism should be used only to broadcast a conscious intentionality. The way Mozilla is implementing the concept in Firefox is that the DNT flag can be set to on, set to off, or not broadcast at all, with the first two signaling a conscious choice on behalf of the user, and the lack of any signal indicating the user has not taken any action. How users in that category are handled, Mozilla reasons, is a question for policymakers, and not one that should be decided by the technology.

It’s a plausible position, but in the end, the most we can expect in the current political climate is that Congress and the FTC will require companies to respect a DNT signal. There is no sign that Congress is poised to remedy the lack of modern privacy protections in the United States and require an opt-in to internet tracking for those who have not expressed a preference. Beyond that, we’re in the realm of “code is law”—the way our browsers and other devices are programmed will have more effect on our rights than any regulatory protections. That means users—and browser programmers—are still effectively faced with a binary choice.
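The three-state signal Mozilla describes, and the binary decision a recipient still has to make when no signal arrives, shown as an added example (not code from the original post, from Mozilla or from any ad server). The `vid` cookie, the `ads.example` host, the `track_when_unset` parameter and the rule that conflicting or malformed values are read as "do not track" are assumptions of this sketch.

```python
import secrets
from enum import Enum


class Preference(Enum):
    DO_NOT_TRACK = "1"  # user sent DNT: 1
    ALLOW = "0"         # user sent DNT: 0
    UNSET = None        # no DNT header at all: nothing was expressed


def parse_dnt(headers):
    """headers: (name, value) pairs exactly as received, duplicates kept."""
    values = {v.strip() for n, v in headers if n.strip().lower() == "dnt"}
    if not values:
        return Preference.UNSET
    if values == {"0"}:
        return Preference.ALLOW
    # "1", conflicting duplicates or a malformed value: this example takes
    # the most protective reading instead of guessing (an assumption).
    return Preference.DO_NOT_TRACK


def may_track(pref, track_when_unset):
    """track_when_unset is the policy default the recipient cannot avoid."""
    if pref is Preference.UNSET:
        return track_when_unset
    return pref is Preference.ALLOW


def response_headers(request_headers, track_when_unset=False):
    """Headers a hypothetical ad server adds; 'vid' is a made-up cookie name."""
    out = [("Vary", "DNT")]  # the response depends on the request's DNT header
    if may_track(parse_dnt(request_headers), track_when_unset):
        out.append(("Set-Cookie", f"vid={secrets.token_hex(8)}; Secure; HttpOnly"))
    return out


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "opted out": [("Host", "ads.example"), ("DNT", "1")],
    "opted in": [("Host", "ads.example"), ("dnt", "0")],
    "no signal": [("Host", "ads.example")],
    "conflicting": [("DNT", "0"), ("DNT", "1")],
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        for default in (False, True):
            cookie = any(n == "Set-Cookie" for n, _ in response_headers(req, default))
            print(f"{label:12} track_when_unset={default!s:5} -> identifier set: {cookie}")
```

Only the "no signal" row changes with `track_when_unset`; every request that carries a header is decided by the header alone.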

One final point: Microsoft’s chief privacy officer wrote that the company is committed to allowing users to “opt out of behavioral advertising.” I’m not sure what he meant by that, but it’s important that we not let this controversy over DNT default settings distract anyone from the more significant battle that is underway in this area: the effort by advertisers and others to swap in a fake Do Not “Target” substitute for the genuinely protective Do Not “Track” concept. The idea of Do Not Target is that companies would still carry out commercial surveillance—they just wouldn’t serve ads based on the results of that spying to those who request Do Not Target. This is silly because it is the tracking that is a privacy invasion, not the receipt of targeted ads that reveal the tracking. Do Not Target seeks to protect the advertising industry from true restraints on their spying by inoculating it with the empty shell of privacy protection, instead of something truly potent such as Do Not Track.

Comments (3)

Peter Cranstone

Sadly DNT is not potent at all. Why? Because it lacks a compliance mechanism in the protocol. For example this browser right now is sending a DNT=1 header to your server. Not only does your server not know to look for the header, but I have no way to know if it was ever received by the server.

Secondly - third parties can inject new or different DNT values after I have made my choice. As there's no way to verify back to me what has been either sent or set I have no idea if the server is complying.

Thirdly - DNT is a recommendation not a law. And without compliance there is no potency in this spec.

Fourth - it infringes on U.S. Pat. 8,156,206

Peter Cranstone
CEO 3PMobile

Anonymous

Sending "DNT: 1" on every HTTP request message does nothing to improve privacy. It only adds another eight bytes to every request. The part of DNT that improves privacy is the recipient's willingness to turn off data collection because they believe the user has made a choice. Industry will accept that choice because angering the user is counterproductive to the whole point of advertising.

What Microsoft is suggesting is that they will make that choice for the user, which is something that the rest of industry simply won't accept (Microsoft is their competitor and is tracking the same user via other means). Hence, sending DNT by default will just result in DNT being ignored based on the browser version, which is a waste of bytes and a considerable waste of time. Microsoft's move will have the end result of denying IE users an easy way to configure "do not track" on their own.

If denying tracking is believed to be good for all users, then it should be legislated as the default for all users regardless of browser. We would then have no need to send those extra eight bytes on every request, and services that depend on high value advertising will switch to an account or consent-based system of their own design. That is, in fact, how the laws are likely to work in Europe. The targeting industry will accept this because they have no choice (aside from moving out of jurisdiction) and because it creates a level playing field, assuming our government can manage to write a law that isn't a porkenstein nightmare.

In other words, the ACLU is doing the public a poor service by congratulating Microsoft on their announcement. What you should be doing is encouraging greater cooperation with the W3C standards effort, or proposing effective legislation that would make DNT obsolete.

Anonymous

Like the EU forced win os to have a default browser choice screen;
public needs a visible option to choose!
