When the Do Not Track standards-setting process began, some observers had high hopes, while others had skepticism.
Two years later, the entire process appears to be fizzling out. One privacy expert I spoke with earlier this week argued that the advertising industry has successfully "filibustered the standard to death."
Some members of the standard-setting committee have publicly declared their doubts that the much-delayed process will ever achieve consensus. And if a standard actually emerges from the current contention, it will likely be almost completely ineffective at doing what its name suggests it should.
- Do Not Track debate reveals cracks in online privacy consensus
There were two big Do Not Track developments today.
First, the W3C via conference call agreed to accept a draft of the standard (the so-called June Draft) and try to work toward Last Call, the stage where the document is presented for final vote. The June Draft contains significant unsettled points that still need to be worked out among factions that are far apart.
Second, Stanford’s Center for Internet Society announced that it is launching a “Cookie Clearinghouse” to create and maintain “allow lists” and “block lists” to help Internet users protect their privacy on the Web.
The Clearinghouse will identify instances where tracking is being conducted without the user’s consent, such as by third parties that the user never visited. To establish the “allow list” and “block list,” the Cookie Clearinghouse is consulting with an advisory board that will include individuals from browser companies including Mozilla and Opera Software, academic privacy researchers, as well as individuals with expertise in small businesses and in European law. ... The Clearinghouse will also offer the public an opportunity to comment.
One name appears in common on both projects. Jonathan Mayer is the author of the “Grand Compromise” document submitted to the Tracking Protection Working Group a little more than one year ago. At that time, he said:
As you review the draft, please recognize that it is a compromise proposal [that] reflects extraordinarily painful cuts for privacy-leaning stakeholders, including complete concessions on two of the three central issues. Some participants have already indicated that they believe the proposal goes too far and are unwilling to support it.
In anticipation of this week’s teleconference, Mayer wrote an email to the public mailing list expressing his doubts that the standard could ever be settled:
Our Last Call deadline is July 2013. That due date was initially January 2012. Then April 2012. Then June 2012. Then October 2012. We are 18 months behind schedule, with no end in sight.
There must come a stopping point. There must come a time when we agree to disagree. If we cannot reach consensus by next month, I believe we will have arrived at that time.
I would make two proposals for next Wednesday's call. First, that we commit to not punting our July deadline. If we have not attained agreement on Last Call documents, we should wind up the working group. Second, that we begin planning a responsible contingency process for winding up the working group if we miss our deadline.
Mayer wrote a more pointed email to the group yesterday, suggesting five possible outcomes, with three of them being “irresponsible.”
Reached for comment, Peter Swire, director of the Tracking Protection Working Group, told me:
Here is what happened today:
We followed the procedure announced to the group last week in an email from the co-chairs. Members of the group were invited to propose alternatives to working on the June Draft. Aleecia MacDonald and Jonathan Mayer both introduced such proposals, but the group did not agree with either. Therefore, as announced previously, the group is moving ahead with the June Draft.
MacDonald, a former chair of the Tracking Protection Working Group, is a leader of the Cookie Clearinghouse project. Mayer, a Stanford graduate student, is also closely tied to the project, which appears to follow up on code he wrote that was incorporated into Mozilla Firefox last February. Thanks to Mayer’s patch, Firefox now follows the same guidelines as Safari, rejecting third-party cookies unless you actually visit the site.
The Cookie Clearinghouse goes considerably further, providing a privacy option that doesn’t require extensive user interaction. Both Mozilla (of Firefox fame) and Opera are early backers of the program. But the program’s founders make it clear that the project is open to other browsers as well. Given Microsoft’s recent propensity for using privacy as a competitive weapon against Google, it would not be surprising to see them join the nascent effort.
The problems with Do Not Track appear insurmountable. Representatives of the advertising industry have watered down the latest draft so that its tracking protection is paper-thin. Here are the biggest problems with the standard in its current draft form:
- The entire program is opt-in, with browsers that enable Do Not Track by default penalized.
- Default settings give advertisers and trackers carte blanche to collect and use any information they like.
- First party tracking, regardless of how intrusive it might be, is expressly permitted.
- Multiple exceptions are granted to advertising and analytics companies, which means that even if you explicitly turn the Do Not Track option on, your information is going to be shared with web sites.
The bottom line is widespread consumer confusion. At this point, maybe the best thing that could happen for the privacy movement is to let the Do Not Track standard die a painful and public death and turn the task over to the companies that actually connect people to the web.