Microsoft’s welcome announcement that it plans to leave a “Do Not Track” flag turned on by default for its users has been very revealing in a number of respects. It also risks distracting from more important issues in the debate over commercial online surveillance.
Microsoft’s step is exactly the right thing to do and the company is to be applauded. With this announcement coming in the wake of similar steps by Twitter, we can hope that it is the beginning of a trend. Of course, some have pointed out that this may just be an attempt to undermine Google, which depends far more heavily than Microsoft on ad revenue. But if so, who cares? Competition over privacy may not be dependable enough to replace the need for regulation in some areas (in part because privacy violations are often silent and invisible). But when it does take place, this is exactly what it looks like: one company seeking to undermine another by offering products that are more protective of privacy and attractive to consumers.
The situation in our society as a whole, and with regards to online tracking in particular, should never be, “you have no privacy (unless you go out of your way to insist upon it).” It should be, “your activities are private (unless you consciously agree to share them).”
The Interactive Advertising Bureau predictably blasted Microsoft’s move. Calling it “a step backwards in consumer choice,” the trade association declared,
IAB is committed to empowering consumers with meaningful choice when they have legitimate privacy concerns…. A default setting that automatically blocks content violates the consumer’s right to choose….
We do not believe that default settings that automatically make choices for consumers increase transparency or consumer choice.
The IAB claims that setting the browser default to “do not track me” robs consumers of choice—yet somehow the reality that consumers are tracked en masse without their knowledge or permission, using sophisticated tools they cannot hope to understand unless they are Internet technology experts, does not rob consumers of choice?
In fact, the idea that one default setting robs consumers of choice, while the other provides it, makes no sense. There has to be some default setting—and that setting will either permit tracking or not. (As the old Rush song “ Freewill” has it, “you can choose not to decide but you still have made a choice.”) There is no reason why one default setting deprives consumers of choice any more than the other, as long as they have the option to switch at any time.
However, one default setting does comport with every principle of privacy and fairness, while the other violates our civilization’s oldest norms. You don’t watch people without asking their permission—it’s as simple as that.
The IAB wants to make a choice for consumers, too—they just want the other choice.
The IAB also says, “we believe the only workable policy is to educate consumers and allow them to control how data is collected for certain purposes, including interest-based advertising.” Translation: “We’ll accept a DNT mechanism for those few who manage to learn what we’re up to, but for the vast majority of people we want to continue spying on their internet activities with ever-increasing intensity.”
The fact is, when new surveillance technologies first come into use, there is always a lag between people being watched in a new way, and people realizing that they’re being watched in a new way. The disingenuousness of the IAB’s insistence that “education” is the proper solution is that, with polls indicating that Americans by wide margins reject the concept of having their internet activities tracked, it is just this lag in understanding (combined, perhaps, with feelings of helplessness) that the internet advertising industry is currently depending upon. They may talk about education but they don’t really want it to happen.
Interestingly, the nonprofit Mozilla Foundation (which has been a consistently good actor in the area of privacy), has taken a stance against the DNT-on default. They argue that the DNT mechanism should be used only to broadcast a conscious intentionality. The way Mozilla is implementing the concept in Firefox is that the DNT flag can either be set to on, off, or not to broadcast at all, with the first two signaling a conscious choice on behalf of the user, and the lack of any signal indicating the user has not taken any action. How users in that category are handled, Mozilla reasons, is a question for policymakers, and not one that should be decided by the technology.
It’s a plausible position, but in the end, the most we can expect in the current political climate is that Congress and the FTC will require companies to respect a DNT signal. There is no sign that Congress is poised to remedy the lack of modern privacy protections in the United States and require an opt-in to internet tracking for those who have not expressed a preference. Beyond that, we’re in the realm of “code is law”—the way our browsers and other devices are programmed will have more effect on our rights than any regulatory protections. That means users—and browser programmers—are still effectively faced with a binary choice.
One final point: Microsoft’s chief privacy officer wrote that the company is committed to allowing users to “opt out of behavioral advertising.” I’m not sure what he meant by that, but it’s important that we not let this controversy over DNT default settings distract anyone from the more significant battle that is underway in this area: the effort by advertisers and others to swap in a fake Do Not “Target” substitute for the genuinely protective Do Not “Track” concept. The idea of Do Not Target is that companies would still carry out commercial surveillance—they just wouldn’t serve ads based on the results of that spying to those who request Do Not Target. This is silly because it is the tracking that is a privacy invasion, not the receipt of targeted ads that reveal the tracking. Do Not Target seeks to protect the advertising industry from true restraints on their spying by inoculating it with the empty shell of privacy protection, instead of something truly potent such as Do Not Track.