
Privacy, DNT, Microsoft, the FTC and Silicon Valley

Written by Simon Bisson, Contributor and Mary Branscombe, Contributor

Did Microsoft put a two-year privacy negotiation in danger or expose it for a shabby compromise? Who should the burden of consent for tracking fall on? Ad-funded services; innovation or intrusion?

DNT stands for Do Not Track, a header that Mozilla suggested browsers send to web sites to tell them that users don't want their information tracked. DNT isn't fully defined; the W3C group negotiating on it hasn't got agreement on whether 'do not track' means 'do not identify me', 'do not pass on my information' or 'do not store my information', for instance. Privacy advocates want one thing, advertisers want another. Few sites respect DNT in any of those ways, although Twitter recently announced it would respect DNT.
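To make the ambiguity concrete, here is an added example (not from the original article, and not any site's or browser's actual code) of a server reading the `DNT` request header and handling one page-view event under each of the three candidate meanings. The event fields, the function names and the exact handling chosen for each meaning are assumptions made for illustration.

```python
from enum import Enum

class Interpretation(Enum):
    # The three candidate meanings of DNT quoted in the article.
    NO_IDENTIFY = "do not identify me"
    NO_SHARE = "do not pass on my information"
    NO_STORE = "do not store my information"

def dnt_preference(headers):
    """Return True (DNT: 1), False (DNT: 0) or None (no preference expressed)."""
    for name, value in headers.items():
        if name.lower() == "dnt":  # header names are case-insensitive
            value = value.strip()
            if value == "1":
                return True
            if value == "0":
                return False
            return None  # unrecognised value: treated here as no preference
    return None  # header absent: the user (or browser default) said nothing

def handle_event(headers, event, interpretation):
    """Return (record_to_store, record_to_forward) for one page view.

    `event` is a constructed dict with hypothetical keys user_id, ip and url.
    None means nothing is stored, or nothing is forwarded to a third party.
    """
    record = dict(event)
    if dnt_preference(headers) is not True:
        return record, record  # no opt-out seen: the site's normal behaviour
    if interpretation is Interpretation.NO_IDENTIFY:
        anonymous = {"url": record["url"]}  # assumed reading: drop identifiers
        return anonymous, anonymous
    if interpretation is Interpretation.NO_SHARE:
        return record, None  # assumed reading: keep first-party data only
    return None, None  # NO_STORE, assumed reading: keep and pass on nothing

def compare(headers, event):
    """Show how the same header yields different outcomes per interpretation."""
    return {i.name: handle_event(headers, event, i) for i in Interpretation}

if __name__ == "__main__":
    # Constructed sample request and event (documentation IP range).
    sample = {"user_id": "u-1001", "ip": "203.0.113.7", "url": "/news"}
    for name, outcome in compare({"DNT": "1"}, sample).items():
        print(name, outcome)
```

The same one-bit header produces three different data-handling outcomes, and a request with no header at all is handled as if no preference exists, which is why a browser sending it by default matters so much to both sides.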

So far, so much business as usual. And then, even though Internet Explorer has a more robust - and much more complex - Tracking Protection List feature already, where you can choose which third-party tracking tools and services to block (individually or based on an AdBlock-style list), the platform preview of IE10 in Windows 8 Release Preview turned on DNT by default.

The ad industry was furious; Microsoft was depriving users of their rights to get the benefits of tracking as free services, the argument went. W3C members were upset too; after two years the ad industry seems to have backed the privacy advocates into a corner and setting DNT by default might threaten the W3C 'compromise proposal' at http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0095.html.

This came out almost a week after the IE 10 announcement and includes what the editors admit are "extraordinarily painful cuts for privacy-leaning stakeholders, including complete concessions on two of the three central issues". Even so, they note "some participants have already indicated that they believe the proposal goes too far and are unwilling to support it". Microsoft is being diplomatically silent about both the arguments and the suggestions that it's being heavy-handed. What's going on? I don't think Redmond is being tone deaf here, or that this is as simplistic as a dig at ad-funded rival Google (or Google-funded rival Mozilla). It could just as easily be a way of bringing this debate front and centre, in an attempt to get things thrashed out before Windows 8 launched.

These issues have been simmering away for years but new developments outside Redmond have already brought them close to the boil - especially the EU's regulations on cookies which are widely misunderstood (or misrepresented) in the US. The Information Commissioner's Office in the UK hasn't been particularly helpful to businesses wondering what these mean - how expensive a redesign do you need to do on your web site to comply with the rules? - but Microsoft has plenty of smart lawyers to look at the rules as well as plenty of people working on privacy initiatives who have strong views (Marc Davis on the Bing team is also a member of the Steering Board for the World Economic Forum’s Rethinking Personal Data Project, for example). It's unlikely that the still-undefined DNT proposal is enough to address the EU's cookie plans, but having these come into force recently could be an incentive for making a push to get all this clarified.

In the US, the Federal Trade Commission has said that web tracking is going to be regulated. The ad industry is keen for this to be self-regulation and, based on what the FTC Bureau of Consumer Protection Director David Vladeck told us at the Future in Review conference last week, the FTC agrees.

Vladeck talked about a framework that has some restrictions - but not hard restrictions on data collection - supplemented by self-regulation developed by the industry and enforcement of that regulation by the FTC. He said that some EU proposals worry the FTC and described the EU's proposed 'right to be forgotten' in the most extreme of terms. If you post a photo of yourself on Facebook and then delete it, does Facebook have to hunt down everyone who downloaded it and delete it from their hard drive the way he suggests? Hardly. But if you put some personal information onto a site that sells it on to a third party, should the commercial agreement they have say that when you delete the information from the first site, the company that bought the information should delete it as well (and put the same clause if it sells the information on to someone else)? Seems fair. That sort of 'pass on the responsibility as well as the benefit' rule is the basis of copyleft and the GPL - things that built much of the Internet the commercial companies are merrily data mining.

Vladeck commented on how the EU rules will have an impact on US companies if their service is available in the EU, calling it a "claim of worldwide jurisdiction over US companies with no EU presence if their service is available in the EU". Leaving aside the question of whether having a service available in a country isn't de facto having a presence there, that's not a million miles away from the extra-territoriality of the Patriot Act, with the US claiming the right to inspect the data of EU companies in cloud services owned by US companies even if the server is physically located outside the US. When we made that comparison he agreed some of the EU's desire to "discipline US companies and get them to act more in affordance with EU directives" is legitimate but in his view innovation comes first.

The FTC isn't interested in putting privacy first; it is a trade commission at heart, of course. Vladeck referred to the ad-funded web as "the goose that lays the golden eggs" and fretted about "speedbumps on the information superhighway" (a phrase we haven't heard in some years). The FTC is looking for more of a balance; "How do we allow innovation to go on unimpeded but give consumers back some of their control over their data?"

Unlike the EU, the FTC isn’t worried about online behavioural tracking; it cares more about "take it or leave it" privacy policies on large platforms like Google properties, iOS and Android; it's holding a workshop this autumn looking at the mass collection of individual data on large platforms like these. What you choose to watch deserves more privacy than the information sites can garner from your behaviour in the FTC's view. "Should a cable operator be able to say you can't have cable unless you agree to deep packet inspection that shows what movies you rent, what shows you watch and when you fast forward through ads?"

There's a clear philosophical difference between the EU and the US here. There's quite a difference between the attitude of Silicon Valley companies like Facebook and Google and what many people are comfortable with as well. Small, gradual changes - what Google's Eric Schmidt has called "going right up to the creepy line" and we call "boiling the frog of privacy" (start with cold water and heat imperceptibly) - have led to an expansion of the data that's collected about you.

Visit the average Web site and in 150 milliseconds it examines your IP, looks up where it's located, correlates that IP address with what it already knows about you (perhaps from your Facebook profile) and auctions the ad spot on the page off to the highest bidder (passing along some of that information). You might be happy with that if you get free content; less happy when the information is further correlated. Checking prices on lotion and cotton wool balls? Maybe you're pregnant (US discount store Target says there's a strong correlation); have a nappy ad. Is that innovation or intrusion?

It's not just ads. Is personalized search creepy, useful or useful and slightly creepy? That depends on your attitude.

I often refer to the differences in attitude as an impedance mismatch and it's one of the most dangerous problems facing technology companies because they're no longer designing products for customers who are just like them. Just as, increasingly, the people who use the chips Intel designs do not work at Intel and are nothing like anyone the average chip designer at Intel will ever meet, so users of online sites are nothing like the people who build them and don't think the same way or have the same values.

The way Silicon Valley thinks about the users it mines to create the free products it sells ad space on and the way the users think about the free service is often very different. That's fine if everyone understands the implications, but it's fairly clear that many users don't. Having a debate about what tracking means and what tracking sites can and can’t do is hugely important. Did Microsoft deliberately turn on DNT in IE 10 to bring that debate to a wider audience? Maybe, maybe not (never attribute to conspiracy what can easily be coincidence); but it's a debate we need to be having.

Mary
