Do Not Track debate reveals cracks in online privacy consensus

Summary: Earlier this week, some reporters were a little too quick to declare that Microsoft's latest online privacy move is dead. The debate over the Do Not Track standard is far from over.

If you love sausages or web standards, you should never watch either one being made.

That’s especially true when the web standard in question involves ad tracking, and the participants in the standards group consist of people whose views on online privacy are diametrically opposed.

The online advertising industry, web developers, and privacy advocates are vigorously debating a standard called Do Not Track (DNT), which would put a burden on advertisers who agree to comply with requests from users who send a DNT signal with a page request. The goal of the World Wide Web Consortium (W3C) is to publish a final standard by the end of 2012.

In Internet Explorer 10, Microsoft has gone much further on online privacy issues than any other browser developer. In the Release Preview of Windows 8, IE 10 is set to enable Do Not Track by default.

That decision sparked a heated debate this week at the W3C Tracking Protection Working Group, which is developing the DNT standard.

Based on that discussion, Ryan Singel of Wired reported earlier this week that Microsoft’s decision to enable Do Not Track as the default for Internet Explorer 10 had been snuffed out. (IE 10’s ‘Do-Not-Track’ Default Dies Quick Death was the exact headline.)

The story was picked up by other reporters, including ZDNet’s own Zack Whittaker.

But it’s way too early to write those obituaries. And it’s also clear from the tone of the debate (which is conducted openly, with a public record) that the discussion is far from over.

For starters, this is a draft specification, and a very contentious one at that. Stanford’s Jonathan Mayer, a co-author of the latest draft specification, tried to strike a conciliatory note in his email to the working group:

As you review the draft, please recognize that it is a compromise proposal. The document is not a retread of well-worn positions; it reflects extraordinarily painful cuts for privacy-leaning stakeholders, including complete concessions on two of the three central issues. Some participants have already indicated that they believe the proposal goes too far and are unwilling to support it.

In short: Advertisers 2, Privacy Advocates 1, with the potential for a brawl on the field.

In a separate email, Aleecia M. McDonald, who works on privacy issues for Mozilla, tried to summarize the consensus of the working group:

Today we reaffirmed the group consensus that a user agent MUST NOT set a default [Do Not Track value], unless the act of selecting that user agent is itself a choice that expresses the user's preference for privacy. In all cases, a DNT signal MUST be an expression of a user's preference.

That decision is one of the “complete concessions [by] privacy-leaning stakeholders” that Mayer referred to. Under that language, a browser maker like Microsoft would be required to ask users to express a preference before it could enable a Do Not Track setting.

But McDonald got into hot water with this addition:

Implication A: Microsoft IE, as a general purpose user agent, will not be able to claim compliance with DNT once we have a published W3C Recommendation. As a practical matter they can continue their current default settings, since DNT is a voluntary standard in the first place. But if they claim to comply with the W3C Recommendation and do not, that is a matter the FTC (and others) can enforce.

After several participants in the working group expressed strenuous objections, McDonald had to backtrack:

Bjoern [Hoehrmann] makes a fair point that it will be quite a while before we have a final recommendation with which to comply or not. … [U]ntil there is a final recommendation, there is no way for a user agent (or anyone else) to be complying or not complying: there simply is no published recommendation yet.

Another very important note: at least one person misread my post as suggesting I believed Microsoft would eventually claim compliance when they do not comply. That is not at all what I was suggesting. My apologies to anyone who misunderstood me. I was not trying to malign Microsoft here.

The crux of the controversy is this: are online advertisers required to comply with a Do Not Track request if it comes from a browser like IE 10, where there is no evidence that the user explicitly selected that setting?

Google’s Ian Fette notes that “some people in the working group [feel that] you have no business second-guessing the UI decisions made by the browser” but adds:

There's other people in the working group, myself included, who feel that since you are under no obligation to honor DNT in the first place (it is voluntary and nothing is binding until you tell the user "Yes, I am honoring your DNT request") that you already have an option to reject a DNT:1 request …

Interestingly, Microsoft’s representative to the working group has been silent in this discussion. (In a statement via email, the company's Chief Privacy Officer Brendon Lynch said, diplomatically, "We are engaged with the W3C, as we are with many international standards bodies. While we respect the W3C's perspective, we believe that a standard should support a privacy by default choice for consumers.")

David Singer of Apple, another working group member, was much more blunt in expressing his frustration over the “consensus”:

It's a choice to implement DNT (on either end), but once you do, your obligations -- what you signed up for -- should be clear (for both ends). "Yes, we implement DNT and comply with the W3C specifications" should mean that both ends should know what to expect of the other.


Overall, the way to get good behavior in any protocol is to strive to be *more compliant* than the other end. At the moment, people are arguing that they should be allowed, encouraged even, to be *less compliant* (because you would ignore a DNT signal from users who did, in fact, mean it). This is a race to the bottom, and a recipe for something worthless.

Overall, reading the public discussions of this negotiation is a depressing exercise, as it has become apparent that the online advertising industry is doing everything it can to water down the Do Not Track standard.

For the advertising industry, being able to work out a voluntary standard that would be mostly ignored is the best of all possible outcomes. Ironically, that’s what happened the last time the industry tried to put together a comprehensive and voluntary privacy policy for the web. That resulted in the Platform for Privacy Preferences, or P3P, adopted in 2002.

Earlier this year, Google and Microsoft engaged in a very public dispute over P3P in Internet Explorer. Although P3P is still considered a valid standard, only Microsoft supports it in a modern browser. In a statement to my colleague Mary Jo Foley, Google expressed its disdain for that tired old standard:

“Microsoft uses a ‘self-declaration’ protocol (known as ‘P3P’) dating from 2002 ... It is well known - including by Microsoft - that it is impractical to comply with Microsoft’s request while providing modern web functionality. … Today the Microsoft policy is widely non-operational.”

Do Not Track appears to be heading for a similar fate.

  • The good coming out of all this is everyone gets to see Google's view of

    privacy is that by default you should get none and Microsoft's is that it's none of the advertisers' business what other web sites you go to. Advertisers don't need tracking to shove ads in your face. They could very easily get consensus to swing in favor of user privacy just by letting more privacy advocates onto the panel. This is by no means a popular consensus, they are skewing this towards advertisers. I hope if MS chooses to "comply" with this DOG CRAP default clause in the proposal, which should be yanked, they do it by putting a first time prompt up that asks users if they want to allow advertisers to track every website they visit and have the default selection be no and this time when users select no they not only turn on DNT but also disable third party cookies in IE so it doesn't matter if the website honors DNT or not. Let the advertisers and their pathetic apologists at the W3C, looking directly at Google here, choke that one down.
    Johnny Vegas
    • I think it is funny how...

      Google is increasingly looking more evil, and Microsoft now less so. I've already noticed I can't reach some sites on IE9 without setting my options to full cookie access. I imagine the web site managers, will force the issue no matter who wins the privacy war.

      Personally - I vote for full privacy - if they want my information, then they can pay ME for it!
      • Opportunity!

        That's not the issue here. If you think M$ is less "evil" than Google you know nothing about America and corporations. Corporations are legal entities or in a manner of speaking legal people and a modern corporation that is not run like a psychopath on a rampage will soon get new leadership. So if you think this is an altruistic motive I suggest you buy some of my fine tin hats guaranteed to be worthless in all known forms of mind control. Perhaps you can wear that while you wait for that privacy check. I am sure it's in the email, be sure to click on every link!
      • Session cookies

        I've allowed session cookies and no others for years. If a site needs cookies and can't learn how to use session cookies, they don't see me or people I support. I set up IE9 with the Abine lists for my customers.
      • They're already paying you...

        ...with free content and services.
      • Privacy

        I agree! I actually blogged several places (CNN, Facebook) that we can end this privacy war by making private information like name, address, SS#, likes, dislikes, website history, etc. all copyrighted information that must be licensed out for third-party use. Pay me for my info or you can't use it.
  • Mad Men

    Things really haven't got any better in the advertising business since the 60s.

    The only reason advertisers want tracking is so they can sell you things and help their bottom line. Unsurprisingly privacy isn't one of their concerns in much the same way as not caring about the privacy of the sheep you are fleecing.

    I agree with J Vegas, a simple way around the "did they mean it or not" rubbish is to get MS to ask the question on the first running of IE and try not to phrase it too truthfully such as "Would you like sleazy advertisers to know everywhere you've been so they can sell you stuff?".

    If some commercial concern wants demographics so they can target their product, they should pay for it or do their own research, rather than grab it free off us at the expense of our privacy.
    • And in the next version put a box on there for me to enter a paypal account

      if I enable it that they have to stick a penny in for every site I visit. Screw Google taking all the ad money :)
      Johnny Vegas
      • Exactly...

        as long as it is my account and not theirs! HA! :D
  • Do Not Track is like the MS Firewall .... fake security

    An idea that depends on the "good faith" of the webpage you are visiting and has ZERO legal weight .... meaning there is ZERO way to enforce it.
    • I don't see

      the correlation. The MS Firewall isn't fake.
    • at least your...

      ....account name gives us a clue as to how much weight to attribute to your comment...

      "wackoae" looks to sound a lot like "whacko"...
  • Take control of your own browsing privacy!

    Adblock Plus, Ghostery, entries in /etc/hosts
    • What percentage of users would even know how?

      This is a point easy to forget on these boards, where the overall competency and know-how is far above that of the 'average' (and I use that word cautiously) user. The uptake of 'user-friendly' [AKA devices requiring little-to-no learning curve] has only gone to further dilute the pool of experienced 'techie-type' user-percentage.

      The growing plethora of mobile devices (smart phones and tablets) being used to browse the internet has also gone to further complicate the matter, especially given the growing percentage of those devices built around Android (we all know how seriously Google treats the privacy of the end user) where implementing DNT or equivalent privacy measures is a whole lot more complex... if the settings even exist in many mobile browsers.

      Before we bemoan the user in their failure to implement good security, maybe we should consider how many of them even know how. Add to that the issue that many many users are convinced that to be a citizen of the web means they must move on from an expectancy of privacy (in other words, a growing percentage now believes that privacy as they once saw it is an impossible pipe-dream) and maybe we should lift our expectations of the vendor instead...
  • Seems like such an obvious solution...

    ...but I know that when I first launched IE8 on a computer (and IE9 as an upgrade), the browser always insists on running a very brief "setup" routine that prompts users for preferences. I see no reason why Microsoft can't comply by offering users 3 choices:

    Express Settings with Enhanced Privacy (Recommended)
    Express Settings without Enhanced Privacy

    Problem solved... users get their "choice" and Microsoft gets their way of strongly pushing the DNT option. It's still more than anyone else is doing.
    • You can't trust M$ on doing the right thing

      M$ would still default to their anti consumer settings and the industry will suffer. We should always trust Google since they mean what they say: Do no evil!
      The Linux Geek
      • LOL

        Ahh the Mike Cox of Linux... gotta love it.
      • Oh, that makes sense...

    • no good

      The DNT option is useless. If you really believe that an aggregator that is short of cash won't ignore that I have a nice bridge to sell you.
  • There has to be some default

    It's binary, right? For a given browser DNT is either turned on or turned off. So this statement is bogus:

    > a user agent MUST NOT set a default [Do Not Track value], unless the act of selecting that user agent is itself a choice that expresses the user's preference for privacy. In all cases, a DNT signal MUST be an expression of a user's preference.

    (This analysis assumes that lack of signal is functionally equivalent to a signal that allows tracking.)