The Do Not Track standard has crossed into crazy territory

The advertising industry wants to change the definition of Do Not Track into something Orwell would be proud of. One influential member of the W3C working group says he's lost the energy to go on. Is it time to kill Do Not Track?
Written by Ed Bott, Senior Contributing Editor

The debate over the Do Not Track standard has officially moved beyond Alice in Wonderland. These days, I'm not sure whether it's 1984 or Brazil.

In a sane world, telling a website “do not track me” would result in behavior that assumed the person making the request did not want to have unnecessary data collected about them.

But to the online advertising industry, that DNT:1 signal means, “Right, you’re one of those idiots who thinks this is about privacy. Now give me all your data. You're welcome.”

I cannot make this stuff up. The representative to the W3C working group from the Direct Marketing Association (DMA) proposed this change the other day to the Tracking Definitions and Compliance section of the DNT standard:

Marketing should be added to the list of "Permitted Uses for Third Parties and Service Providers" in Section 6.1 of the Tracking Definitions and Compliance Document.

Via email, two other members of the working group expressed confusion. One asked, “What do you mean by marketing? What would be permitted?” Another said, “I don’t follow.”

(This is how polite people in standards groups say "WTF?")

That set off this astonishing outburst from the representative of the DMA, which boasts that it "represents thousands of companies and nonprofit organizations that use and support data-driven marketing practices and techniques":

Marketing fuels the world. It is as American as apple pie and delivers relevant advertising to consumers about products they will be interested at a time they are interested.  DNT should permit it as one of the most important values of civil society.  Its byproduct also furthers democracy, free speech, and – most importantly in these times – JOBS.  It is as critical to society – and the economy – as fraud prevention and IP protection and should be treated the same way. 

Marketing as a permitted use would allow the use of the data to send relevant offers to consumers through specific devices they have used. The data could not be used for other purposes, such as eligibility for employment, insurance, etc. Thus, we move to a harm consideration. Ads and offers are just offers – users/consumers can simply not respond to those offers – there is no associated harm.

Further, DNT can stop all unnecessary uses of data using choice and for those consumers who do not want relevant marketing the can use the persistent Digital Advertising Alliance choice mechanism.  This mechanism has been in place for 2 years.

So there you have it. If you oppose online tracking, you’re un-American and you hate democracy. Also, the fact that big corporations can collect and collate personal data about you without your permission is a cornerstone of civil society, you communist.

Also, jobs.

Did I mention that the DMA is also one of the prime movers behind the Digital Advertising Alliance (DAA)? They'd prefer to regulate themselves, thank you very much.

One of the authors of the draft standard, Adobe’s Roy Fielding, gently rebuked the DMA representative in this reply:

I appreciate that the DAA has done a lot of work in a somewhat related area to the WG's efforts.  However, raising issues that you know quite well will not be adopted is not an effective way to contribute to this process.

(This is how polite people in standards groups say "STFU.")

Although Fielding hasn’t always been so level-headed. It looks like some members of the open-source community aren’t thrilled that Fielding, in his role as a founder of the Apache Group, submitted a patch to the Apache web server project that causes it to completely ignore Do Not Track settings coming from the Internet Explorer 10 agent.

That led to this spirited debate on the Apache mailing list, starting with this objection on August 11:

I've come around on this one over time. While I appreciate the message/intent, I don't think this is reasonable for the default configuration because it errs on the side of ditching a privacy header and information loss for a (sensitive) header that we're not yet interpreting.

Another member's response was posted on September 13:

What Microsoft has done is, to say the least, disappointing from a technical aspect, as it muddies the waters, and I think Jeff's thoughts about an open letter would be a very good idea, but it is hard for me to technically justify editing the DNT header from within httpd, thus also denying DNT for those who explicitly want it on. The error, as I see it, lies with Microsoft, and in the end, it should be Microsoft that fixes it, not httpd that has to make a workaround.

Remarkably, at least one member of the group believes “Microsoft is putting their users at risk” by implementing Do Not Track as the default setting in Internet Explorer 10.

Terry Gilliam and Eric Blair together would have been hard-pressed to come up with a better line of absurd dialog.

Meanwhile, Fielding himself sounds downright bitter about the state of the entire standards-setting process, judging from this snippet of his reply:

Given the pathetic way that the Tracking Protection working group members have addressed this issue, both for and against the behavior of IE 10.0, I have lost any energy I once had for defending Mozilla's original definition. It was the only issue of substance that the WG had managed to record consensus, in over a year of deliberation. I would prefer that the WG change the text, one way or the other, before we make another change, but I also want anything we do to be based on what we think is right, not what others think or fail to do.

Regardless, I am +0 to revert, for none of the above reasons.

And in a late-breaking development, the DAA has now issued a press release that outlines its formal stand on the Do Not Track effort. After three paragraphs of throat-clearing, the press release finally gets to the point:

The DAA does not require companies to honor DNT signals fixed by the browser manufacturers and set by them in browsers.  Specifically, it is not a DAA Principle or in any way a requirement under the DAA Program to honor a DNT signal that is automatically set in IE10 or any other browser.  The Council of Better Business Bureaus and the Direct Marketing Association will not sanction or penalize companies or otherwise enforce with respect to DNT signals set on IE10 or other browsers.
The trade associations that lead the DAA do not believe that Microsoft’s IE10 browser settings are an appropriate standard for providing consumer choice.  Machine-driven do not track does not represent user choice; it represents browser-manufacturer choice.  Allowing browser manufacturers to determine the kinds of information users receive could negatively impact the vast consumer benefits and Internet experiences delivered by DAA participants and millions of other Web sites that consumers value.  In addition, standards that are different than the consensus-based DAA Principles could confuse consumers and be difficult to implement.  A “default on” do-not-track mechanism offers consumers and businesses inconsistencies and confusion instead of comfort and security.

(That's how a rich and powerful lobbying group tells a polite standard committee, "GFY.")

In an e-mailed statement, Brendon Lynch, Chief Privacy Officer, Microsoft, responds to the DAA:

Consumers want and expect strong privacy protection to be built into Microsoft products and services. A recent Microsoft survey of U.S. and European consumers shows 75 percent of PC users want Microsoft to turn “on” Do Not Track (DNT). This reaffirms our decision to enable DNT in the “Express Settings” portion of the Windows 8 set-up experience. There, consumers can easily switch DNT off if they’d like. Transparency and choice guide our approach. We will continue to innovate and compete on privacy.

That reference to Europe is not accidental. European regulators might choose to do something about this issue. But the standards-setting group, dominated by Americans, won't.

So there you have it. The advertising side wants the standard to be rendered meaningless, the tech guys throw up their hands and say they have lost any energy to go on with a "pathetic" process. And privacy advocates are completely marginalized.

Someone should just kill this standard.

Or maybe we should make a reality TV show out of it. We could put all of the W3C members together in a big house on the beach to argue and fight while live cameras record every interaction.

We could call it Big Brother.

Editorial standards