Why Do Not Track is worse than a miserable failure

Why Do Not Track is worse than a miserable failure

Summary: As a consumer, you'd think that the meaning of "Do Not Track" is pretty clear. But the big data-collecting companies that are behind this standard seem intent on making sure it does nothing at all.

SHARE:
TOPICS: Privacy
105

In theory, Do Not Track is a brilliant idea.

It’s an elegant, simple bit of technology. A user-agent (typically a web browser, but it could be anything) that is compliant with the Do Not Track standard adds a tiny snippet of information in its header. DNT=1 means that the owner of that user-agent has expressed a desire that his or her online movements not be tracked.

Too bad it doesn’t work.

The trouble with this voluntary standard is that it requires good faith cooperation from the parties at the other end of the web connection. And those parties are actively subverting the intent of DNT, as I wrote about earlier this year. (See Do Not Track debate reveals cracks in online privacy consensus.)

As a consumer, you’d think that the meaning of “Do Not Track” is pretty clear. You’re making a polite request of the web sites and advertisers: “Don’t collect and store any information about me without my explicit permission.”

And yet, according to Sarah Downey, an attorney and privacy advocate who works for the online-privacy firm Abine, that’s not what’s happening.

Two big associations, the Interactive Advertising Bureau and the Digital Advertising Alliance, represent 90% of advertisers. Downey says those big groups have devised their own interpretation of Do Not Track. When the servers controlled by those big companies encounter a DNT=1 header, says Downey, "They have said they will stop serving targeted ads but will still collect and store and monetize data.”

That’s a perverse interpretation, and certainly isn’t what an ordinary consumer would expect. Indeed, some giant web properties have been more faithful to the spirit of the standard. Twitter, for example, has publicly stated that it supports Do Not Track:

When you turn on DNT in your browser, we stop collecting the information that allows us to tailor Twitter based on your recent visits to websites that have integrated our buttons or widgets. Specifically, we remove from your browser the unique cookie that links your browser to visits to websites in the Twitter ecosystem. We then cannot provide tailored suggestions for you.  For more on how this works, see our privacy policy. 

Further, we respect DNT preferences by turning off tailored suggestions by default…

The trouble is, Twitter is one of the few online properties that actually adheres to that common-sense interpretation of Do Not Track. The Associated Press made some noise last year when it publicly committed to implementing the DNT header on the 800 sites in it AP News Registry service. But that network’s privacy policy, which was updated in January 2012, doesn’t mention DNT at all and still includes an “Opt Out” button.

And if you think this is just about online advertising, think again. As privacy advocate Downey points out, “Tracking is happening at a scale and rate we've never seen before.” And your online activities are increasingly being correlated with your offline activity.

At the recent TechCrunch Disrupt conference, Robert Scoble reported approvingly about new apps that are using mobile devices to collect data about you:

Glympse‘s CEO, Bryan Trussel, told me his team develops its contextual mapping app on Android first, then moves it to iPhone. Why is this? …

Android lets developers have access to the dialer so that app developers can watch who calls you and who you call.

Android lets developers look at the wifi and bluetooth radios on the phone so app developers can build better systems to track where you are, who you are near, and whether you are near things like your car.

Yikes.

An enormous industry has grown out of collecting and collating online and offline data, run by companies that deliberately stay under the radar. But every so often, hints of a dark future appear. In the United States, political campaigns are eager to correlate your voter registration with your online activities:

Two digital ad firms that offer voter file-driven ad targeting are now part of [Facebook]'s growing group of third-party partners. … Both Intermarkets and CampaignGrid enable advertisers to target digital ads based on publicly-available national voter file data. Intermarkets partners with data powerhouse Aristotle to aim ads based on party affiliation and degree of voter activity in addition to information such as demographic info on gender and household income levels, and psychographic information.

[…]

Facebook's real-time bidding exchange opens the site up to a large pool of data for display ad targeting, but advertisers cannot combine native Facebook profile data with its partners' outside data, which would be sure to ruffle feathers among privacy advocates. Some observers, however, expect Facebook eventually to allow integration of its rich profile data with its partners' data, in part because the company is scrambling to attract more ad dollars and such an offering could command premium ad prices.

Even if you have Do Not Track turned on, that information will be collected and stored and used to create a profile of you that may or may not be accurate. That profile can be used by credit agencies, big corporations, and health insurance companies to make decisions about you that can literally affect your life and livelihood.

And it’s not just the tracking industry that is ignoring the intent of Do Not Track. The most recent version of the open-source web server Apache ignores the DNT header completely if you use Internet Explorer 10, as CNET’s Stephen Shankland reports:

Roy Fielding, an author of the Do Not Track (DNT) standard and principal scientist at Adobe Systems, wrote a patch for Apache that sets the Web server to disable DNT if the browser reaching it is Internet Explorer 10. "Apache does not tolerate deliberate abuse of open standards," Fielding titled the patch.

As a result of the Apache update, Web servers using the software will ignore DNT settings for people using IE10.

If you install Windows 8 and choose the custom setup option, one step allows you to enable Do Not Track in Internet Explorer. It’s a clear expression of your intent, and yet that header will be ignored by the software powering more than half the web servers in the world.

So, here's the depressing tl;dr version: To advertisers, “Do Not Track” doesn’t mean “Don’t track me.” It just means they should tone down the ads a bit. And even if you explicitly set the option in your browser, it might be ignored by a web server.

In the real world, Do Not Track is a cruel joke. The companies that are collecting and storing information about you will use their support of the standard for PR purposes and then ignore its intent.

Maybe the best thing to do is to let the standard die. Meanwhile, if you care about privacy, you should ignore Do Not Track and use tools that actively block the tracking industry. I'll have a closer look at some useful active privacy tools in a follow-up post.

Topic: Privacy

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

105 comments
Log in or register to join the discussion
  • Quite honestly

    If I am going to be tracked at all (and I'd prefer not to be) I'd at least want to be receiving ads for products that will interest me rather than ads for something that there is no chance in the world I'd ever buy. So it sounds as if turning this feature on gives me the worst of both possibilities, I'm being tracked AND I'm receiving ads I have no interest in.
    Michael Kelly
    • Blocking Scripts & Cookies

      I block anything which I do not need to accomplish the task at hand, and that includes most of the ads.
      rjriley@...
      • Green32.com

        I just got paid $6784 working off my laptop this month. And if you think that's cool, my divorced friend has twin toddlers and made over $9k her first month. It feels so good making so much money when other people have to work for so much less. This is what I do >>> Green32.comREAD MORE
        JoshuaYoung
        • No spam

          Death to spammers
          techrepublic@...
          • Ed, did you post this just for hits? I don't believe that

            woudl be your motive as I trust you as a blogger. But just look at teh mess it's created.
            MSFT can do no good, even when it's trying to do good.
            They will be villified by the truely myopic zealots for all eternity so why hasten another round of listening to fools go off? Aren't you tired of this endless crap?
            Win 8 is of course getting killed by the ABM bloggers, notably SJVN, but his idiotic take on a poll isn't show how those using Win 8 think it's the fastest, most stable Windows ever.
            This crap is so depressing.
            I guess people want to feed Google's bank account really bad while telling us the evils of the giant MSFT out the other side of their mouth.
            xuniL_z
    • stupid idea in the first place

      This is why everyone should root if only for changing the hosts file. Ios folks have it worse.
      LarsDennert
      • Absolutely.

        I love my hosts file.
        Bozzer
    • "Lose weight in 30 days"

      I get these kinds of adverts all the damn time. For one thing, I'm underweight, secondly every other advert is completely irrelevant.
      Spannerz
    • In understand the motivation, but...

      The whole concept of "Do Not Track" is nonsense.

      Most people don't realize this, but the ability to track your movements online is essential to modern web programming technology.

      Take away that capability, and it becomes impossible to buy anything online.

      It becomes impossible to have blogging.

      It becomes impossible for smart phones to have apps.

      It becomes impossible to do almost anything except have plain, static, HTML-only pages that have to be created by hand by a web designer...you know, like the stuff we had back in the 1990s.

      The reason is that all web platforms have to track visitors in order for the sites to function properly. Session cookies are essential to a properly functioning web site. Yet, session cookies also create data that marketing people can use.

      For instance:

      Take away tracking, and secure checkout will be no longer possible.

      Posting blog entries will be impossible.

      Virtually everything we take for granted online will become impossible.

      Yet, the moment that you're tracking something (or someone) is the moment when you're collecting data that marketing folks can use.

      In fact, tracking is essential to having online security. Without tracking, online security becomes impossible.

      Without tracking, crackers/hackers, spammers, con artists, and online terrorists would have a field day. Think all that stuff is bad now? Try eliminating tracking...the web would lose all popularity within a week.

      Those who argue for "Do Not Track" don't realize that what they're really arguing for is the end of the web.
      wt@...
      • Straw man arguement

        Theres a HUGE difference between using cookies to log into a site and cookies that track everything you do.

        That I need cookies to log into amazon is much different than me logging into amazon and they then track me on every sites I go to. Amazon is just an example. Facebook tracks you all over the place, unless you log out.
        notsofast
      • I don't think you really understand how the Internet works.

        You might want to read up next time before coming out with some of your absolute corkers.

        Still, made me chuckle.

        Don't worry, I admire you're enthusiasm. Please, don't let mirth at your expense get in your way.
        Bozzer
      • you're a bit confused

        tracking in the context ed is talking about means recording the activities of your browser as you travel from site to site in order to build a marketing profile of you. that profile is used to deliver targeted ads; it might also be used for other less benign purposes (like showing you higher prices as you shop).

        none of that is necessary to do any of the things you note above. a cookie that exists for the purpose of authenticating you for a site does not need to know where else you've been or what your other interests are. so you can shop, blog, etc, and still not be tracked.

        and now for a word from our sponsor:

        http://www.itworld.com/it-management/373904/browser-cookies-are-dead-online-tracking-still-alive-and-kicking

        cheers

        dt
        tynanwrites
  • You didn't expect anything different did you?

    Any MS sponsored "voluntary" specification is useless. And likely worse than useless as what it DOES is usually opposite what it is NAMED.
    jessepollard
    • Please pay attention

      This is not Microsoft-sponsored. It's from the W3C, an industry standards body. If you read the link at the top of the post you can get the full story.
      Ed Bott
      • I wouldn't say sponsored but...

        Microsoft is leading he way in making this the standard for "tracking choice, and getting people to believe this false standard of "privacy". Giving the option is one thing. Trying to get people to think it solved any emerald privacy problem is fecicous.
        http://www.webmonkey.com/2012/08/microsoft-do-not-track-is-good-for-users-on-by-default-in-ie-10/
        It's good they include it, but those promoting it as solving anything are just trying to sidestep the implementation of real privacy solutions...
        ossoup
        • Of course, Mozilla created it so you could say they sponsored it...

          ... And I do trust Mozilla so I'm not gonna just bash Microsoft.
          In any case, I think it is a real bad idea creating a false sense of privacy. It would be like creating anti virus that politely asks the virus to skip you. Maybe it would be a good idea if the concept is reinforced that it doesn't really do anything in terms of privacy and was implemented along with something real as well.
          ossoup
          • Then Bash Microsoft

            Microsoft is stupid for making their own web browser in the first place. Chrome, Opera, and Mozilla all search faster and cleaner than IE ever will. Only a fool who understands computers uses IE over something better.
            Sparkles501
          • Wow. Just ... wow.

            I am trying to make sense of that and just completely unable to do so.
            Ed Bott
          • Um no actually IE is now faster and more html/css compliant than

            chrome, ff, safari, opera etc.
            Johnny Vegas
          • You realize they always say that

            And a lot of tines it hurts how painful they make things because you have to program do much more because IE ignores so many standards.
            ossoup