In theory, Do Not Track is a brilliant idea.
It’s an elegant, simple bit of technology. A user-agent (typically a web browser, but it could be anything) that is compliant with the Do Not Track standard adds a tiny snippet of information in its header. DNT=1 means that the owner of that user-agent has expressed a desire that his or her online movements not be tracked.
Too bad it doesn’t work.
The trouble with this voluntary standard is that it requires good faith cooperation from the parties at the other end of the web connection. And those parties are actively subverting the intent of DNT, as I wrote about earlier this year. (See Do Not Track debate reveals cracks in online privacy consensus.)
As a consumer, you’d think that the meaning of “Do Not Track” is pretty clear. You’re making a polite request of the web sites and advertisers: “Don’t collect and store any information about me without my explicit permission.”
And yet, according to Sarah Downey, an attorney and privacy advocate who works for the online-privacy firm Abine, that’s not what’s happening.
Two big associations, the Interactive Advertising Bureau and the Digital Advertising Alliance, represent 90% of advertisers. Downey says those big groups have devised their own interpretation of Do Not Track. When the servers controlled by those big companies encounter a DNT=1 header, says Downey, "They have said they will stop serving targeted ads but will still collect and store and monetize data.”
That’s a perverse interpretation, and certainly isn’t what an ordinary consumer would expect. Indeed, some giant web properties have been more faithful to the spirit of the standard. Twitter, for example, has publicly stated that it supports Do Not Track:
Further, we respect DNT preferences by turning off tailored suggestions by default…
And if you think this is just about online advertising, think again. As privacy advocate Downey points out, “Tracking is happening at a scale and rate we've never seen before.” And your online activities are increasingly being correlated with your offline activity.
At the recent TechCrunch Disrupt conference, Robert Scoble reported approvingly about new apps that are using mobile devices to collect data about you:
Glympse‘s CEO, Bryan Trussel, told me his team develops its contextual mapping app on Android first, then moves it to iPhone. Why is this? …
Android lets developers have access to the dialer so that app developers can watch who calls you and who you call.
Android lets developers look at the wifi and bluetooth radios on the phone so app developers can build better systems to track where you are, who you are near, and whether you are near things like your car.
An enormous industry has grown out of collecting and collating online and offline data, run by companies that deliberately stay under the radar. But every so often, hints of a dark future appear. In the United States, political campaigns are eager to correlate your voter registration with your online activities:
Two digital ad firms that offer voter file-driven ad targeting are now part of [Facebook]'s growing group of third-party partners. … Both Intermarkets and CampaignGrid enable advertisers to target digital ads based on publicly-available national voter file data. Intermarkets partners with data powerhouse Aristotle to aim ads based on party affiliation and degree of voter activity in addition to information such as demographic info on gender and household income levels, and psychographic information.
Facebook's real-time bidding exchange opens the site up to a large pool of data for display ad targeting, but advertisers cannot combine native Facebook profile data with its partners' outside data, which would be sure to ruffle feathers among privacy advocates. Some observers, however, expect Facebook eventually to allow integration of its rich profile data with its partners' data, in part because the company is scrambling to attract more ad dollars and such an offering could command premium ad prices.
Even if you have Do Not Track turned on, that information will be collected and stored and used to create a profile of you that may or may not be accurate. That profile can be used by credit agencies, big corporations, and health insurance companies to make decisions about you that can literally affect your life and livelihood.
And it’s not just the tracking industry that is ignoring the intent of Do Not Track. The most recent version of the open-source web server Apache ignores the DNT header completely if you use Internet Explorer 10, as CNET’s Stephen Shankland reports:
Roy Fielding, an author of the Do Not Track (DNT) standard and principal scientist at Adobe Systems, wrote a patch for Apache that sets the Web server to disable DNT if the browser reaching it is Internet Explorer 10. "Apache does not tolerate deliberate abuse of open standards," Fielding titled the patch.
As a result of the Apache update, Web servers using the software will ignore DNT settings for people using IE10.
If you install Windows 8 and choose the custom setup option, one step allows you to enable Do Not Track in Internet Explorer. It’s a clear expression of your intent, and yet that header will be ignored by the software powering more than half the web servers in the world.
So, here's the depressing tl;dr version: To advertisers, “Do Not Track” doesn’t mean “Don’t track me.” It just means they should tone down the ads a bit. And even if you explicitly set the option in your browser, it might be ignored by a web server.
In the real world, Do Not Track is a cruel joke. The companies that are collecting and storing information about you will use their support of the standard for PR purposes and then ignore its intent.
Maybe the best thing to do is to let the standard die. Meanwhile, if you care about privacy, you should ignore Do Not Track and use tools that actively block the tracking industry. I'll have a closer look at some useful active privacy tools in a follow-up post.