Do Not Track debate reveals cracks in online privacy consensus

Earlier this week, some reporters were a little too quick to declare that Microsoft's latest online privacy move is dead. The debate over the Do Not Track standard is far from over.
Written by Ed Bott, Senior Contributing Editor

If you love sausages or web standards, you should never watch either one being made.

That’s especially true when the web standard in question involves ad tracking, and the participants in the standards group consist of people whose views on online privacy are diametrically opposed.

The online advertising industry, web developers, and privacy advocates are vigorously debating a standard called Do Not Track (DNT), which would put a burden on advertisers who agree to comply with requests from users who send a DNT signal with a page request. The goal of the World Wide Web Consortium (W3C) is to publish a final standard by the end of 2012.

In Internet Explorer 10, Microsoft has gone much further on online privacy issues than any other browser developer. In the Release Preview of Windows 8, IE 10 is set to enable Do Not Track by default.

That decision sparked a heated debate this week at the W3C Tracking Protection Working Group, which is developing the DNT standard.

Based on that discussion, Ryan Singel of Wired reported earlier this week that Microsoft’s decision to enable Do Not Track as the default for Internet Explorer 10 had been snuffed out. (IE 10′s ‘Do-Not-Track’ Default Dies Quick Death was the exact headline.)

The story was picked up by other reporters, including ZDNet’s own Zack Whittaker.

But it’s way too early to write those obituaries. And it’s also clear from the tone of the debate (which is conducted openly, with a public record) that the discussion is far from over.

For starters, this is a draft specification, and a very contentious one at that. Stanford’s Jonathan Mayer, a co-author of the latest draft specification, tried to strike a conciliatory note in his email to the working group:

As you review the draft, please recognize that it is a compromise proposal. The document is not a retread of well-worn positions; it reflects extraordinarily painful cuts for privacy-leaning stakeholders, including complete concessions on two of the three central issues. Some participants have already indicated that they believe the proposal goes too far and are unwilling to support it.

In short: Advertisers 2, Privacy Advocates 1, with the potential for a brawl on the field.

In a separate email, Aleecia M. McDonald, who works on privacy issues for Mozilla, tried to summarize the consensus of the working group:

Today we reaffirmed the group consensus that a user agent MUST NOT set a default [Do Not Track value], unless the act of selecting that user agent is itself a choice that expresses the user's preference for privacy. In all cases, a DNT signal MUST be an expression of a user's preference.

That decision is one of the “complete concessions [by] privacy-leaning stakeholders” that Mayer referred to. Under that language, a browser maker like Microsoft would be required to ask users to express a preference before it could enable a Do Not Track setting.

But McDonald got into hot water with this addition:

Implication A: Microsoft IE, as a general purpose user agent, will not be able to claim compliance with DNT once we have a published W3C Recommendation. As a practical matter they can continue their current default settings, since DNT is a voluntary standard in the first place. But if they claim to comply with the W3C Recommendation and do not, that is a matter the FTC (and others) can enforce.

After several participants in the working group expressed strenuous objections, McDonald had to backtrack:

Bjoern [Hoehrmann] makes a fair point that it will be quite a while before we have a final recommendation with which to comply or not. … [U]ntil there is a final recommendation, there is no way for a user agent (or anyone else) to be complying or not complying: there simply is no published recommendation yet.


Another very important note: at least one person misread my post as I suggesting I believed Microsoft would eventually claim compliance when they do not comply. That is not at all what I was suggesting. My apologies to anyone who misunderstood me. I was not trying to malign Microsoft here.

The crux of the controversy is this: are online advertisers required to comply with a Do Not Track request if it comes from a browser like IE 10, where there is no evidence that the user explicitly selected that setting?

Google’s Ian Fette notes that “some people in the working group [feel that] you have no business second-guessing the UI decisions made by the browser” but adds:

There's other people in the working group, myself included, who feel that since you are under no obligation to honor DNT in the first place (it is voluntary and nothing is binding until you tell the user "Yes, I am honoring your DNT request") that you already have an option to reject a DNT:1 request …

Interestingly, Microsoft’s representative to the working group has been silent in this discussion. (In a statement via email, the company's Chief Privacy Officer Brendon Lynch said, diplomatically, "We are engaged with the W3C, as we are with many international standards bodies. While we respect the W3C's perspective, we believe that a standard should support a privacy by default choice for consumers.")

David Singer of Apple, another working group member, was much more blunt in expressing his frustration over the “consensus”:

It's a choice to implement DNT (on either end), but once you do, your obligations -- what you signed up for -- should be clear (for both ends). "Yes, we implement DNT and comply with the W3C specifications" should mean that both ends should know what to expect of the other.


Overall, the way to get good behavior in any protocol is to strive to be *more compliant* than the other end. At the moment, people are arguing that they should be allowed, encouraged even, to be *less compliant* (because you would ignore a DNT signal from users who did, in fact, mean it). This is a race to the bottom, and a recipe for something worthless.

Overall, reading the public discussions of this negotiation is a depressing exercise, as it has become apparent that the online advertising industry is doing everything it can to water down the Do Not Track standard.

For the advertising industry, being able to work out a voluntary standard that would be mostly ignored is the best of all possible outcomes. Ironically, that’s what happened the last time the industry tried to put together a comprehensive and voluntary privacy policy for the web. That resulted in the Platform for Privacy Preferences, or P3P, adopted in 2002.

Earlier this year, Google and Microsoft engaged in a very public dispute over P3P in Internet Explorer. Although P3P is still considered a valid standard, only Microsoft supports it in a modern browser. In a statement to my colleague Mary Jo Foley, Google expressed its disdain for that tired old standard:

“Microsoft uses a ’self-declaration’ protocol (known as ‘P3P’) dating from 2002 ...  It is well known - including by Microsoft - that it is impractical to comply with Microsoft’s request while providing modern web functionality. … Today the Microsoft policy is widely non-operational.”

Do Not Track appears to be heading for a similar fate.

See also:


Editorial standards