Thursday, January 27, 2011

What the US government can do to encourage Do Not Track

Over the past few months, there has been a lot of discussion about Do Not Track. Although both the FTC and Commerce Department have recently issued privacy reports that mentioned Do Not Track, neither agency has the authority under existing law to make Do Not Track a reality. Either the industry can voluntarily agree to respect such a mechanism, or Congress is going to have to give the FTC the authority to make it happen.

But wait, you might ask, Microsoft has introduced a tracker blocking feature in the upcoming release of IE9 (similar to the massively popular AdBlock Plus add-ons for Firefox and Chrome), and this mechanism doesn't require that the online advertising industry embrace or respect it.

That is certainly true. However, as the industry has demonstrated time and time again with its use of Flash cookies, CSS history sniffing, cache cookies, and browser fingerprinting, unless it is prohibited from doing so by law, companies will simply "innovate" and engineer around privacy enhancing features in the browser.

What this means is that unless the FTC is given the authority to prevent it, ad networks will either switch domains frequently (so that the blacklists get stale), or host compelling content from the same servers and domains that they use for their ads (for example, if youtube.com is used to deliver videos and track users, consumers won't be able to effectively block it).

The do not track header

As I described in a 2009 blog post, opt out mechanisms that enable a user to affirmatively express her desire to not be tracked finally free us from this cycle of arms races, in which advertising networks innovate around the latest browser privacy control. At the time that I wrote that blog post, opt out cookies were the only way to express such a preference, which was unfortunate, because opt out cookies have a number of other problems that prevent them from scaling effectively.

However, since then, the Do Not Track header has emerged as a vehicle for users to express their desire to be left alone, via a single preference in the browser, which will then be delivered to all websites that they interact with.

On Monday of this week, Mozilla announced that it will be including support for the header in a future release of the Firefox browser, which should provide a fix for the current chicken/egg problem, in which no browser sends the header, and so no advertising network looks for and respects the header.

Even though 300 million users will soon be able to send the Do Not Track header, the advertising industry doesn't seem too keen to support it. The Interactive Advertising Bureau's general counsel Mike Zaneis told MediaPost that:
"It's very simplistic to think that you just put something in a header and people will honor it." He adds that it isn't clear whether Mozilla's definition of online tracking for ad purposes aligns with that of self-regulatory groups. "It's an interesting idea that they can offer this header, but if nobody's reading it, and nobody knows what it means, why should we care as an industry?"

Zaneis adds that the IAB is focusing on building out a self-regulatory system that requires companies to honor do-not-track cookies, but not other mechanisms like browser headers.

Why is the IAB focusing on opt-out cookies? Because they are difficult to discover, obtain and use, and easy to delete. Advertisers want to be able to tell Congress that they are doing something to let consumers opt out, but don't actually want that mechanism to be easy to use. The Do Not Track header is so easy to enable that the ad industry is deeply worried that large numbers of consumers just might enable it. As such, the industry will likely do anything it can to derail the header, which almost certainly means that it won't support it until it is absolutely forced to.

How can the Federal government help, without waiting for Congress to pass new laws?

The FTC seems to like the idea of the Do Not Track header -- certainly, the tweet that it issued on Monday praising Mozilla suggests as much.

We’re pleased entities like Mozilla recognize that consumers want a choice in online tracking & are taking steps 2 give it 2 them. #dntrack

Unfortunately, as I described above, neither the FTC nor Commerce can currently force the advertising networks to support the header. What they can do, though, is publicly embrace the header as the best way for users to achieve Do Not Track. The best way to do this, even more so than tweeting about it, would be for government sites to support the Do Not Track header.

Federal cookie rules and opt outs

For more than a decade, Federal agencies were prohibited from using long term tracking cookies on their websites. In 2010, these rules were changed (after a lengthy public comment period, in which the government mostly ignored the suggestions of privacy advocates).

The new rules (pdf) permit tracking technologies, but require opt outs:
Clear Notice and Personal Choice. Agencies must not use web measurement and customization technologies from which it is not easy for the public to opt-out. Agencies should explain in their Privacy Policy the decision to enable web measurement and customization technologies by default or not, thus requiring users to make an opt-out or opt-in decision. Agencies must provide users who decline to opt in or decide to opt-out with access to information that is comparable to the information available to users who opt-in or decline to opt-out.

a. Agency side opt-out. Agencies are encouraged and authorized, where appropriate, to use web tracking and measurement technologies in order to remember that a user has opted out of all other uses of such technologies on the relevant domain or application. Such uses are considered Tier 2.

b. Client side opt-out. If agency side opt-out mechanisms are not appropriate or available, instructions on how to enable client side opt-out mechanisms may be used. Client side opt-out mechanisms allow the user to opt out of web measurement and customization technologies by changing the settings of a specific application or program on the user’s local computer. For example, users may be able to disable persistent cookies by changing the settings on commonly used web browsers. Agencies should refer to http://www.usa.gov/optout_instructions.shtml, which contains general instructions on how the public can opt out of some of the most commonly used web measurement and customization technologies.

Unfortunately, the "recommended" opt out procedures on the usa.gov website merely tell consumers how they can disable cookies on various popular browsers. Those consumers who neglect to disable cookies in their browsers will be tracked whether they like it or not.

This form of "opt out" (take our long term tracking cookies, or disable them in your browser) was exactly the method of choice that the online behavioral advertising industry long offered, until, bowing to pressure from privacy advocates and regulators, they started to offer the cookie based opt outs now featured on the Network Advertising Initiative website.

Thankfully, not all government agencies have followed the sample opt out features on usa.gov. The Office of Scientific & Technical Information (OSTI), for example, has its own opt out cookie, which disables the collection of web measurement and tracking data on the OSTI website.



This is far better than the approach taken by usa.gov, and actually gives visitors to the site a usable mechanism to protect their privacy. Unfortunately, if each federal agency develops and deploys its own opt out cookie, we will find ourselves in the same problematic situation that currently exists in the behavioral advertising industry (where there are more than 100 different opt out cookies available from various firms).

In my written comments to the White House back in 2009, I highlighted this problem:
The federal government should learn from the mistakes of the behavioral advertising industry. In your blog post, you also propose that federal government web sites be required to "[p]rovide a clear and understandable means for a user to opt-out of being tracked." As you consider a policy that will require federal websites to offer opt-outs to consumers, it would be useful to look to the situation in the behavioral advertising industry (where opt-out capabilities are widespread, yet difficult to use and discover by consumers), in order to avoid some of the many mistakes and pitfalls that have been made there.
In order to avoid these problems, I suggested that the White House:
Require that Federal web sites support a single, browser based universal opt-out header in addition to the opt-out cookie. This header approach has been repeatedly proposed in the behavioral advertising arena, and would solve many of the problems that plague the current cookie-based opt-out model.

Now that Mozilla has actually embraced the Do Not Track header (a proposal that was implemented in a prototype add-on when I submitted my comments in 2009), the Federal Government could realistically embrace the header as an improved mechanism for tracking opt outs on government sites. This would solve two problems at once: 1. Avoiding the chaos of 100+ different federal agency opt out cookies, and 2. providing early support for the Do Not Track header at a time when the technology proposal could very much use a boost.
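The two mechanisms discussed above (the single browser-sent Do Not Track header, and an agency-side opt-out cookie of the kind OSTI deploys) can be honored by the same server-side check. The following is an added example, not code from the original post or from any agency; it assumes the request header name `DNT` with value `1` (the name used by Mozilla's implementation), a hypothetical opt-out cookie named `agency_optout`, and a hypothetical persistent web-measurement cookie named `agency_visit_id`. The header, when present, takes precedence; the opt-out cookie is the fallback for browsers that do not send the header, which is the "header in addition to the cookie" arrangement proposed in the 2009 comments.

```python
"""Honor the Do Not Track header, falling back to an agency-side opt-out cookie.

Added example; assumptions: header name "DNT" (Mozilla's implementation),
hypothetical cookie names "agency_optout" and "agency_visit_id".
"""

DNT_HEADER = "DNT"                       # assumption: header name Firefox sends
OPTOUT_COOKIE = "agency_optout"          # hypothetical agency-side opt-out cookie
MEASUREMENT_COOKIE = "agency_visit_id"   # hypothetical persistent measurement cookie


def get_header(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_cookie_header(raw):
    """Split a Cookie request header ("a=1; b=2") into a dict; tolerant of junk."""
    cookies = {}
    for part in raw.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def dnt_preference(headers):
    """True if the user asked not to be tracked, False if they consented,
    None if no (recognisable) preference was sent."""
    value = get_header(headers, DNT_HEADER)
    if value is None:
        return None
    value = value.strip()
    if value == "1":
        return True
    if value == "0":
        return False
    return None   # unknown value: treat as no preference, fall back to the cookie


def has_optout_cookie(headers):
    """True when the agency-side opt-out cookie is present and set to 1."""
    raw = get_header(headers, "Cookie")
    if not raw:
        return False
    return parse_cookie_header(raw).get(OPTOUT_COOKIE) == "1"


def tracking_allowed(headers):
    """The header wins when present; otherwise the opt-out cookie decides."""
    pref = dnt_preference(headers)
    if pref is not None:
        return not pref
    return not has_optout_cookie(headers)


def build_response_headers(request_headers, new_visit_id):
    """Decide which Set-Cookie line a measurement-enabled page should emit."""
    # Cached copies of the page differ by the DNT value, so tell caches so.
    response = [("Vary", DNT_HEADER)]
    if tracking_allowed(request_headers):
        response.append(("Set-Cookie",
                         f"{MEASUREMENT_COOKIE}={new_visit_id}; Max-Age=31536000; Path=/"))
    else:
        # Expire any measurement cookie issued before the user opted out.
        response.append(("Set-Cookie", f"{MEASUREMENT_COOKIE}=; Max-Age=0; Path=/"))
    return response


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = {
        "firefox with DNT enabled": {"DNT": "1"},
        "DNT 0 but stale opt-out cookie": {"dnt": "0", "Cookie": "agency_optout=1"},
        "no header, opt-out cookie": {"Cookie": "agency_optout=1; other=x"},
        "no header, no cookie": {},
    }
    for label, req in samples.items():
        print(f"{label:34s} tracking_allowed={tracking_allowed(req)}")
        for name, value in build_response_headers(req, "constructed-id"):
            print(f"    {name}: {value}")
```

Because the header is evaluated before the cookie, a user who has enabled the browser preference is honored on every agency site without ever obtaining a per-agency cookie, while a browser that never sends the header still gets the cookie-based opt out.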
