As the Do Not Track standard unravels, privacy alternatives emerge

As the Do Not Track standard unravels, privacy alternatives emerge

Summary: The W3C standards body responsible for developing the Do Not Track standard is lurching toward a final document, roughly 18 months behind schedule. The likelihood that a useful standard will emerge is small, leading one Mozilla-backed group to develop its own set of tougher privacy controls.

TOPICS: Privacy

When the Do Not Track standards-setting process began, some observers had high hopes, while others had skepticism.

Two years later, the entire process appears to be fizzling out. One privacy expert I spoke with earlier this week argued that the advertising industry has successfully "filibustered the standard to death."


Some members of the standard-setting committee have publicly declared their doubts that the much-delayed process will ever achieve consensus. And if a standard actually emerges from the current contention, it will likely be almost completely ineffective at doing what its name suggests it should.

See also:

There were two big Do Not Track developments today.

First, the W3C via conference call agreed to accept a draft of the standard (the so-called June Draft) and try to work toward Last Call, the stage where the document is presented for final vote. The June Draft contains significant unsettled points that still need to be worked out among factions that are far apart.

Second, Stanford’s Center for Internet Society announced that it is launching a “Cookie Clearinghouse” to create and maintain “allow lists” and “block lists” to help Internet users protect their privacy on the Web.

The Clearinghouse will identify instances where tracking is being conducted without the user’s consent, such as by third parties that the user never visited. To establish the “allow list” and “block list,” the Cookie Clearinghouse is consulting with an advisory board that will include individuals from browser companies including Mozilla and Opera Software, academic privacy researchers, as well as individuals with expertise in small businesses and in European law. ... The Clearinghouse will also offer the public an opportunity to comment.

One name appears in common on both projects. Jonathan Mayer is the author of the “Grand Compromise” document submitted to the Tracking Protection Working Group a little more than one year ago. At that time, he said:

As you review the draft, please recognize that it is a compromise proposal [that] reflects extraordinarily painful cuts for privacy-leaning stakeholders, including complete concessions on two of the three central issues. Some participants have already indicated that they believe the proposal goes too far and are unwilling to support it.

In anticipation of this week’s teleconference, Mayer wrote an email to the public mailing list expressing his doubts that the standard could ever be settled:

Our Last Call deadline is July 2013. That due date was initially January 2012. Then April 2012. Then June 2012. Then October 2012. We are 18 months behind schedule, with no end in sight.

There must come a stopping point. There must come a time when we agree to disagree. If we cannot reach consensus by next month, I believe we will have arrived at that time.

I would make two proposals for next Wednesday's call. First, that we commit to not punting our July deadline. If we have not attained agreement on Last Call documents, we should wind up the working group. Second, that we begin planning a responsible contingency process for winding up the working group if we miss our deadline. 

Mayer wrote a more pointed email to the group yesterday, suggesting five possible outcomes, with three of them being “irresponsible.”

Reached for comment, Peter Swire, director of the Tracking Protection Working Group, told me:

Here is what happened today:

We followed the procedure announced to the group last week in an email from the co-chairs.  Members of the group were invited to propose alternatives to working on the June Draft.  Aleecia MacDonald and Jonathan Mayer both introduced such proposals, but the group did not agree with either.  Therefore, as announced previously, the group is moving ahead with the June Draft.

MacDonald, a former chair of the Tracking Protection Working Group, is a leader of the Cookie Clearinghouse project. Mayer, a Stanford graduate student, is also closely tied to the project, which appears to follow up on code he wrote that was incorporated into Mozilla Firefox last February. Thanks to Mayer’s patch, Firefox now follows the same guidelines as Safari, rejecting third-party cookies unless you actually visit the site.

The Cookie Clearinghouse goes considerably further, providing a privacy option that doesn’t require extensive user interaction. Both Mozilla (of Firefox fame) and Opera are early backers of the program. But the program’s founders make it clear that the project is open to other browsers as well. Given Microsoft’s recent propensity for using privacy as a competitive weapon against Google, it would not be surprising to see them join the nascent effort.

The problems with Do Not Track appear insurmountable. Representatives of the advertising industry have watered down the latest draft so that its tracking protection is paper-thin. Here are the biggest problems with the standard in its current draft form:

  • The entire program is opt-in, with browsers that enable Do Not Track by default penalized.
  • Default settings give advertisers and trackers carte blanche to collect and use any information they like.
  • First party tracking, regardless of how intrusive it might be, is expressly permitted.
  • Multiple exceptions are granted to advertising and analytics companies, which means that even if you explicitly turn the Do Not Track option on, your information is going to be shared with web sites.

The bottom line is widespread consumer confusion. At this point, maybe the best thing that could happen for the privacy movement is to let the Do Not Track standard die a painful and public death and turn the task over to the companies that actually connect people to the web.

Topic: Privacy

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • turn the task over to the companies that actually connect people to the web

    For example, like Verizon, AT&T and Cox Communications? (omk = Online Media Kit)

    I hate to say it, but if anything is going to get done with 'Do Not Track', it will likely take a similar path to that taken for 'Do Not Call'. The path being an act (or multiple acts) of Congress signed by the President and implemented by the FCC. And 'Do Not Call' is opt-in and has some exceptions as well.
    Rabid Howler Monkey
    • Nah

      Just replace your hosts file and be done.
      • For us Newbies...

        Would you be kind enough to explain how this is done or, better still, refer us to a link (for were once a newbie too weren't you?) that offers the information?
    • "Do Not Call" is a joke!!!

      I long ago gave up on reporting companies which called me despite my being on the Do Not Call list. Evidently, nobody in the government can do anything to stop them.

      So I got Caller-ID. It doesn't stop the phone from ringing, but at least I get the satisfaction of not answering the calls.
  • DNT Patent woes STILL loom...

    Another good 'see also' related to today's DNT developments.

    Ed Bott himself wrote this article for ZDNET back on October 6, 2012.

    9 months later... and there has still been NO PROGRESS on this issue.

    The Patent Advisory Group for the DNT project remains active and has
    issued no public updates, findings, reports, or result letter.

    Article Title: Do Not Track gets support in iOS 6, but patent woes loom...

    By: Ed Bott, for ZDNET, October 6, 2012


    It’s hard to tell whether the possible patent squabble is a speed bump, a pothole, or a massive sinkhole that will swallow the nascent Do Not Track standard completely.

    Ed Bott

    • Good point

      I'd say "speed bump" is the minimal description. It's probably more of a serious roadblock.
      Ed Bott
  • Do Not Track quagmire

    This article reinforces my long-held belief that technical problems can be solved, unless politics gets in the way. Here we have two diametrically opposed camps, with those who make their living monetizing personal information fighting to maintain the status quo. What I fear will happen is that those of us on the privacy side will develop technology to change the equation and the trackers will develop technology to change it back. Thus begins a drawn out game of cat and mouse.
    Craig Herberg
  • It's simply a bad approach to try and compromise

    You might as well have the W3C sort out which of two teenagers will get to sit in the front seat.

    The real controversy exist at all because in the beginning, and even now, the public has little voice over how much of their info can be shared when simply visiting a site. The advertisers will continue to fight anything that limits what they believe is their right to track people. This whole argument of the advertisers having ANY say on what info they can obtain is a bunch of crap. Currently it is simply something we have to live with. Go to a site, be tracked. It should have never gotten to this point. A classic example of bullying the public people simply because NO ONE has the time to read every bit of fine print every time they click something in a browser. It's predatory bull crap.

    The W3C should propose something the people can vote on - plain and simple. After all, we are still a democratic nation and it is the public's info being argued over here.
    • Good analogy, but...

      One of the teenagers is pleasant, polite, interesting and pretty. The other is covered in tatoos and piercings, smells bad, and is obnoxious. The problem is that the obnoxious one covers your car payments.
    • Nope.

      No, we do NOT have to live with it. All you have to do is take a few minutes to Google what privacy add-ons are available for your browser, pick your paranoia level and install the appropriate tools.

      The only sites that are permitted to place cookies or supercookies or to run scripts on my PC are those few with whom I do business and whose services I value (and some of those only temporarily when I want to post a comment, like this one.) Everybody else can take a hike.
      • Thanks. I am aware of the available add-ons

        ... and to prove my point, YOU said:

        "The only sites that are permitted to place cookies or supercookies or to run scripts on my PC are those few with whom I do business and whose services I value (and some of those only temporarily when I want to post a comment, like this one.)"

        You're still living with it. Even if it is minimal.
      • Check GOOGLE? Are you serious?

        I have just upgarde to Firefox 22 and I cannot access Google unless I turn tracking ON!. I have turned on allow cookies but not 3rd party ones, but still cannot access my Google account. I also have a Google Nexus 7, and the abilty to prevnt tracking by anyone seems to have been totally removed. Even my kids learning apps "need2 to know who else has been using the tablet, what phone numbers have been called and when, when I last had a p***! I am in the process of deciding to drop Google and all of its subsidiary apps because I am sick and tired of getting calls based on info that other companies have gleaned from me using a Nexus. Privacy? What's that then?
  • Fox guarding the henhouse

    There never was any chance of success with DNT where the choice of honor or not honor is up to the advertising side. I run IE 9 and 10 with block lists that give no exceptions for "good" advertisers or analytics sites.
  • Tracking Protection Lists

    I'm going to be blogging about this myself on Monday, but here goes anyway. Most of the Cookie Clearinghouse proposal bears a strong resemblance to Tracking Protection Lists introduced by Microsoft in IE9. CC doesn't include an implementation, they leave that to the browser/UA implementers like Mozilla, but TPL would be one way to implement it. And what a coincidence - Microsoft submitted TPL to the W3C and the submission is owned by the same group that owns the DNT header.