The Do Not Track standard has crossed into crazy territory

The Do Not Track standard has crossed into crazy territory

Summary: The advertising industry wants to change the definition of Do Not Track into something Orwell would be proud of. One influential member of the W3C working group says he's lost the energy to go on. Is it time to kill Do Not Track?

TOPICS: Privacy

The debate over the Do Not Track standard has officially moved beyond Alice in Wonderland. These days, I'm not sure whether it's 1984 or Brazil.

In a sane world, telling a website “do not track me” would result in behavior that assumed the person making the request did not want to have unnecessary data collected about them.

But to the online advertising industry, that DNT:1 signal means, “Right, you’re one of those idiots who thinks this is about privacy. Now give me all your data. You're welcome.”

I cannot make this stuff up. The representative to the W3C working group from the Direct Marketing Association (DMA) proposed this change the other day to the Tracking Definitions and Compliance section of the DNT standard:

Marketing should be added to the list of "Permitted Uses for Third Parties and Service Providers" in Section 6.1 of the Tracking Definitions and Compliance Document.

Via email, two other members of the working group expressed confusion. One asked, “What do you mean by marketing? What would be permitted?” Another said, “I don’t follow.”

(This is how polite people in standards groups say "WTF?")

That set off this astonishing outburst from the representative of the DMA, which boasts that it "represents thousands of companies and nonprofit organizations that use and support data-driven marketing practices and techniques":

Marketing fuels the world. It is as American as apple pie and delivers relevant advertising to consumers about products they will be interested at a time they are interested.  DNT should permit it as one of the most important values of civil society.  Its byproduct also furthers democracy, free speech, and – most importantly in these times – JOBS.  It is as critical to society – and the economy – as fraud prevention and IP protection and should be treated the same way. 

Marketing as a permitted use would allow the use of the data to send relevant offers to consumers through specific devices they have used. The data could not be used for other purposes, such as eligibility for employment, insurance, etc. Thus, we move to a harm consideration. Ads and offers are just offers – users/consumers can simply not respond to those offers – there is no associated harm.

Further, DNT can stop all unnecessary uses of data using choice and for those consumers who do not want relevant marketing the can use the persistent Digital Advertising Alliance choice mechanism.  This mechanism has been in place for 2 years.

So there you have it. If you oppose online tracking, you’re un-American and you hate democracy. Also, the fact that big corporations can collect and collate personal data about you without your permission is a cornerstone of civil society, you communist.

Also, jobs.

Did I mention that the DMA is also one of the prime movers behind the Digital Advertising Alliance (DAA)? They'd prefer to regulate themselves, thank you very much.

One of the authors of the draft standard, Adobe’s Roy Fielding, gently rebuked the DMA representative in this reply:

I appreciate that the DAA has done a lot of work in a somewhat related area to the WG's efforts.  However, raising issues that you know quite well will not be adopted is not an effective way to contribute to this process.

(This is how polite people in standards groups say "STFU.")

Although Fielding hasn’t always been so level-headed. It looks like some members of the open-source community aren’t thrilled that Fielding, in his role as a founder of the Apache Group, submitted a patch to the Apache web server project that causes it to completely ignore Do Not Track settings coming from the Internet Explorer 10 agent.

That led to this spirited debate on the Apache mailing list, starting with this objection on August 11:

I've come around on this one over time. While I appreciate the message/intent, I don't think this is reasonable for the default configuration because it errs on the side of ditching a privacy header and information loss for a (sensitive) header that we're not yet interpreting.

Another member's response was posted on September 13:

What Microsoft has done is, to say the least, disappointing from a technical aspect, as it muddies the waters, and I think Jeff's thoughts about an open letter would be a very good idea, but it is hard for me to technically justify editing the DNT header from within httpd, thus also denying DNT for those who explicitly want it on. The error, as I see it, lies with Microsoft, and in the end, it should be Microsoft that fixes it, not httpd that has to make a workaround.

Remarkably, at least one member of the group believes “Microsoft is putting their users at risk” by implementing Do Not Track as the default setting in Internet Explorer 10.

Terry Gilliam and Eric Blair together would have been hard-pressed to come up with a better line of absurd dialog.

Meanwhile, Fielding himself sounds downright bitter about the state of the entire standards-setting process, judging from this snippet of his reply:

Given the pathetic way that the Tracking Protection working group members have addressed this issue, both for and against the behavior of IE 10.0, I have lost any energy I once had for defending Mozilla's original definition. It was the only issue of substance that the WG had managed to record consensus, in over a year of deliberation. I would prefer that the WG change the text, one way or the other, before we make another change, but I also want anything we do to be based on what we think is right, not what others think or fail to do.

Regardless, I am +0 to revert, for none of the above reasons.

And in a late-breaking development, the DAA has now issued a press release that outlines its formal stand on the Do Not Track effort. After three paragraphs of throat-clearing, the press release finally gets to the point:

The DAA does not require companies to honor DNT signals fixed by the browser manufacturers and set by them in browsers.  Specifically, it is not a DAA Principle or in any way a requirement under the DAA Program to honor a DNT signal that is automatically set in IE10 or any other browser.  The Council of Better Business Bureaus and the Direct Marketing Association will not sanction or penalize companies or otherwise enforce with respect to DNT signals set on IE10 or other browsers.

The trade associations that lead the DAA do not believe that Microsoft’s IE10 browser settings are an appropriate standard for providing consumer choice.  Machine-driven do not track does not represent user choice; it represents browser-manufacturer choice.  Allowing browser manufacturers to determine the kinds of information users receive could negatively impact the vast consumer benefits and Internet experiences delivered by DAA participants and millions of other Web sites that consumers value.  In addition, standards that are different than the consensus-based DAA Principles could confuse consumers and be difficult to implement.  A “default on” do-not-track mechanism offers consumers and businesses inconsistencies and confusion instead of comfort and security.

(That's how a rich and powerful lobbying group tells a polite standard committee, "GFY.")

In an e-mailed statement, Brendon Lynch, Chief Privacy Officer, Microsoft, responds to the DAA:

Consumers want and expect strong privacy protection to be built into Microsoft products and services. A recent Microsoft survey of U.S. and European consumers shows 75 percent of PC users want Microsoft to turn “on” Do Not Track (DNT). This reaffirms our decision to enable DNT in the “Express Settings” portion of the Windows 8 set-up experience. There, consumers can easily switch DNT off if they’d like. Transparency and choice guide our approach. We will continue to innovate and compete on privacy.

That reference to Europe is not accidental. European regulators might choose to do something about this issue. But the standards-setting group, dominated by Americans, won't.

So there you have it. The advertising side wants the standard to be rendered meaningless, the tech guys throw up their hands and say they have lost any energy to go on with a "pathetic" process. And privacy advocates are completely marginalized.

Someone should just kill this standard.

Or maybe we should make a reality TV show out of it. We could put all of the W3C members together in a big house on the beach to argue and fight while live cameras record every interaction.

We could call it Big Brother.

Topic: Privacy

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Definitely Brazil

    I'm actually on the DMA mailing list (I find it useful) and their newsletter included an announcement from the "Digital Advertising Alliance" announcing that "do not track" requests from browsers where that is the default will be ignored (

    Of course, it never occurs to them that such policies might inspire more people to install ad blockers.
    John L. Ries
    • Class action lawsuits

      Such policies really might inspire state attorneys general, not to mention class action law firms. DMA put it in writing and Apache put it in code, just to make it a bit easier.
    • It's a numbers game...

      The DMA knows that while this might increase the number of people using ad blockers and other privacy extensions, it will remain a very small number because the majority of Internet users simply don't know enough about how they're being tracked. At least in comparison to how the DMA would be negatively impacted by any implementation of DNT with teeth and/or browsers defaulting to DNT being enabled.
      • Ad blocking

        If they go too far down the arms race route, they could see a mainstream browser or two with an on/off switch for the ads themselves, not just DNT - or indeed a blacklist of non-DNT-compliant ad servers: even a very small proportion of users blocking their servers entirely would quickly wipe out any gain from more precisely targetted ads through ignoring DNT.
    • Do Not Track

      Why not offer the option during install, or the first time the browser is run ?
      That way is cannot be considered a default, and IS a choice that the user must make.
      • It is an option during the install/first time the browser is run

        You can select default settings (and it is highlighted that Do Not Track is ON) or select custom settings and you go through each setting.
        • No...REQUIRE a user choice

          If ShaneK is talking about the same idea I was going to post about, he's not talking about including DNT in the default settings. He’s talking about EXCLUDING it from the default settings.

          Anyhow, my idea is that the DNT settings would have their own separate dialog in the set-up process. Neither "On" nor "Off" is selected, and the user MUST choose one of them in order to complete the setup and get the browser to run for the first time. If the user doesn’t make a choice, the browser won’t launch.

          That would completely undermine the DMA's argument, because each user will have made the choice, and Microsoft will have completely insulated themselves from any accusation that they have made the choice for the user.

          That's the solution to this Orwellian mess.
          • No default

            slingzenarrowz has the right idea. Don't even set a default. Force the choice on installation. I can't believe nobody has proposed this, it's a glaringly obvious solution.
          • Re:Forcing a choice

            I think the reason why this isn't being done is because at least somebody considers forcing a decision is going to substantially negatively impact the OOBE/initial configuration of the browser... by adding one more screen to a zillion that already exist.
            (Though, when somebody chooses between Express settings / Customized setting, that is a forced choice, or not? As "Express" isn't necessarily the default, it is simply a predefined configuration... which you can choose to go with or not
            -- so is the problem with the default to do with whether DNT is checked when you hit customize?)
          • one small hiccup

            While clearly many of the readers on this site are sufficiently tech savvy and do their own installations, there is a huge mass of folks out there who simply have the Geek Squad install and set up everything on their new computer and then do nothing further until it's time to buy a new one. The setup techs are therefore going to be making those decisions on behalf of the consumer. Considering the amount of advertising companies like Best Buy do there would need to be a law requiring the wolves - er techs to request this information from the sheep - er consumers - and to make sure they understand the reason for the decision to be made. I have a pair of friends who recently bought their new HP from BB and being very non-technical they had no idea what questions to ask, and the techs were quite unforthcoming about details of the setup.
    • Criminalize Unauthorized Possession or Use of Personal Data

      The solution to this problem is to severely criminalize the knowing possession of personal information and / or the use of such information for ANY purpose when the individual has not affirmatively opted-in, and even then only for a limited period of time, say a year, from the 'opt-in'.

      Criminal and civil penalties should apply to both the organizations and the individuals involved and class-actions should be allowed. If having advertisers so knowledgable of my personal information is beneficial to me, then the advertisers can merry well make that argument to me and ask me to opt-in. Until then, these parasites should be invited to roast in hell.
      • Strongly

        ...worded letter to follow.
      • but...

        there is already a huge business in exactly such information - it might be a hard sell to retroactively make such a huge industry retroactively illegal. I spent 25 years in direct mail marketing, and some of the practices made me nauseous. At the time I was finally given my marching orders (glass ceilings still exist) my old firm had control over far more data than most people would ever imagine, and due, to the nature of the way the raw data is handled, nowhere nearly as securely as they would have you - or the DMA - believe. They already have credit card numbers, purchase history, where you vacationed etc, but programs designed to extrapolate family members by address, last name and credit cards - the list in privacy invasions just goes on. They can fine tune the catalog you get - or the particular website you are shown - based on this accumulated history. When you get an email they can detect when it has been opened and whether or not you clicked on a link, even if you don't make a purchase. Of course they collect info from casual visitors as well, but the primary emphasis is on paying customers. This is huge, and getting bigger - at the time I left they were already starting to default to email ordering through websites over catalog mailings for the savings. How are you expecting to simply shut this down? These companies rely on data collection to grow their business - they won't give that up easily. As a result of my experiences in that company I now guard my privacy diligently, use AdBlocker and Ghostery, and only rarely buy online, and only from companies I trust - and even those get as minimal info as I can manage. I have on occasion cancelled a transaction if the final form is too intrusive. I realize this is only partially related to tracking - but the fact is that if you buy online your info IS out there, and these companies buy and sell that info among themselves.
      • Criminalize? Unworkable

        Who is going to go after these crimes? About as effective as bailing the ocean.

        What *is* workable would be to pay each of us to do so, and thus give us the leverage to set a price so high that it wouldn't be done to those who choose not to participate. Given the billions going into marketing and advertising, it wouldn't be any big deal to set up a programatic way to credit my pay pal account. Not unlike what already happens on YouTube.
  • What I see

    "The representative to the W3C working group from the Direct Marketing Association (DMA)"

    • What I see...

      Is that we may be overlooking a bigger piece of the puzzle here with the DNT.

      I'm for advertising not tracking us. Why would they need to? The cable companies don't implant cameras to look at my house to determine what I need? How did this come to be the status quo in the first place?

      Now for the bigger issues that plague this DNT: If I am on a website, say Amazon, does that mean they are no longer allowed to track what I look at on their site? Does this mean I will no longer receive valuable suggestions? Perhaps I misunderstand... Is it just third parties that suffer the wrath of DNT? If so, why are we even discussing this? Of course they shouldn't have access.
      • Just third parties

        First-party tracking is allowed. You chose to go to the site, you chose to interact with them, there's a privacy policy that defines your interaction, etc.
        Ed Bott
      • Enough said:

        "Is it just third parties that suffer the wrath of DNT? If so, why are we even discussing this? Of course they shouldn't have access."

        I'll say it again in case you missed it: OF COURSE THEY SHOULDN'T HAVE ACCESS!
  • This trashes the reputation of the whole W3C. That they would let this

    WG get populated by those that are there to represent the wishes of the advertiser versus the wishes of the web user is a complete travesty. And to all the other members like Roy Fielding, if you're not there to represent the users, and your actions clearly indicate that, then take a hike and don't come back. Hey W3C here's an idea, why dont you take an online vote asking the users if they think the default should be track or do not track and asking them if the server code should be considered compliant if it doesnt honor the setting? That will give the replacements for all those that should be chucked off this committee a good idea where their starting point should be. No MS did not make a mistake, they implemented what the WG should have specified as the only compliant behavior. There's plenty of non targeted ad revenue to continue to support a very healthy growing internet. Get some new blood with spines and balls. W3C you need to step in and take back control of you WG from these syncophants and lobbyests.
    Johnny Vegas
    • You need them (DMA, DAA, etc.) there and taking part

      DNT doesn't work if it is disregarded by the companies making the technologies behind ad serving and user tracking. The crux of the issue discussed here is about whether those companies will ignore DNT and track anyways, if it is turned on by default.

      So, you need to pull in people from the publishing and marketing industries and try to get them to agree to some common practices; or get left with no privacy protections at all, except for the most savvy users, who can find hacks and install special tools (which will generally undermine usability).