Thursday, February 23, 2012

Do Not Track: First they ignore you, then they ridicule you, then they fight you, then you win.

In July of 2009, my friend and research collaborator Sid Stamm helped me to put together a prototype Firefox add-on that added two headers to outgoing HTTP requests:

X-Behavioral-Ad-Opt-Out: 1
X-Do-Not-Track: 1

The idea for the Do Not Track header came from a conversation I'd had with security researcher Dan Kaminsky in March of 2009.

A few months after we released the DNT prototype, I started working at the FTC. Once there, Ashkan Soltani and I evangelized the header-based mechanism as a superior solution to the flawed opt-out cookies that the industry had grudgingly delivered. In December 2010, the FTC issued a privacy report that called for a "do not track" system that would enable people to avoid having their actions monitored online.
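
To make the "header beats opt-out cookie" argument concrete, here is a small added example (my own illustration, not code from the original add-on, the FTC, or any ad network). It simulates a toy ad server that assigns a tracking identifier unless the request carries either an opt-out cookie or a do-not-track header, then runs two clients through a "clear all cookies" event. The cookie names (`optout`, `uid`), the server's decision logic, and the use of both the 2009 prototype's `X-Do-Not-Track` name and the later `DNT` name are assumptions made for the demonstration.

```javascript
// Added example: why a header-based opt-out survives events that kill an
// opt-out cookie. Header names, cookie names and the decision logic are
// assumptions for illustration, not any real ad network's implementation.

// Node's http module lower-cases header names; mimic that so the check is
// case-insensitive regardless of how the client spelled the header.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(cookieHeader) {
  const jar = {};
  if (!cookieHeader) return jar;
  for (const part of cookieHeader.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// True when the request carries an explicit do-not-track signal. "1" means
// opt out; "0" or anything malformed is treated as no signal rather than
// being guessed at. Both the prototype's name and the later "DNT" are checked.
function doNotTrack(headers) {
  const h = normalizeHeaders(headers);
  return h["dnt"] === "1" || h["x-do-not-track"] === "1";
}

// Toy ad-server decision. Returns whether to log a tracking record and the
// Set-Cookie value to emit (null when nothing should be set).
let nextId = 1; // constructed identifier source, stands in for a random id
function adServerDecision(headers) {
  const h = normalizeHeaders(headers);
  const cookies = parseCookies(h["cookie"]);
  if (doNotTrack(headers) || cookies["optout"] === "1") {
    return { track: false, setCookie: null };
  }
  const id = cookies["uid"] || "u" + nextId++;
  return { track: true, setCookie: `uid=${id}; Path=/; HttpOnly` };
}

// Client-side helpers: serialise the jar into a Cookie header and store
// whatever the server sets back.
function cookieHeaderFrom(jar) {
  return Object.entries(jar).map(([k, v]) => `${k}=${v}`).join("; ");
}
function applySetCookie(jar, setCookie) {
  if (!setCookie) return;
  const pair = setCookie.split(";")[0];
  const i = pair.indexOf("=");
  jar[pair.slice(0, i).trim()] = pair.slice(i + 1).trim();
}

// One round trip: the client's fixed headers (what the add-on added to every
// outgoing request) plus its current cookies go to the server; the server's
// cookie, if any, is stored. Returns whether the server tracked the request.
function roundTrip(client) {
  const headers = { ...client.fixedHeaders };
  const cookie = cookieHeaderFrom(client.jar);
  if (cookie) headers["Cookie"] = cookie;
  const decision = adServerDecision(headers);
  applySetCookie(client.jar, decision.setCookie);
  return decision.track;
}

// Run both opt-out mechanisms through a cookie wipe and report who got
// tracked before and after. The wipe is the event that makes opt-out cookies
// fragile: the user's preference is stored in the very thing they clear.
function compareMechanisms() {
  const cookieClient = { fixedHeaders: {}, jar: { optout: "1" } };
  const headerClient = { fixedHeaders: { "X-Do-Not-Track": "1", DNT: "1" }, jar: {} };

  const before = { cookie: roundTrip(cookieClient), header: roundTrip(headerClient) };
  cookieClient.jar = {}; // user clears cookies; the opt-out cookie goes with them
  headerClient.jar = {};
  const after = { cookie: roundTrip(cookieClient), header: roundTrip(headerClient) };
  return { before, after };
}

console.log(JSON.stringify(compareMechanisms(), null, 2));
```

Running it prints that neither client is tracked before the wipe, but afterwards the opt-out-cookie client is tracked (it is indistinguishable from a brand-new visitor) while the header client is not, because the preference travels with every request rather than living in server-settable state. A real deployment would also have to decide what a missing or malformed header means; here it is deliberately treated as "no signal" rather than inferred either way.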

Today, the Obama Administration, the FTC and the advertising industry will announce that the last remaining web browser (Chrome) will support the Do Not Track header, and that the major online advertising networks will look for and respect it.

The total time, from the first conversation about the concept to a White House press conference announcing broad industry support? 3 years. Decades in Internet time, but this is extremely quick by Washington, DC standards.

First they ignore you:

In mid-July 2009, the Future of Privacy Forum organized a meeting and conference call in which I pitched the header concept to a bunch of industry players, public interest groups, and other interested parties. I was perhaps slightly over-dramatic when I told them that the "day of reckoning was coming" for opt-out cookies, and that it was time to embrace a header-based mechanism. None of the advertising firms showed any interest in the header.

Then they laugh at you:

[Microsoft Vice President Dean] Hachamovitch said it’s naive to simply trust that the tracking sites will obey an anti-tracking signal. “We don’t have ‘do not send me pop-up window’ HTTP headers,” said Hachamovitch, speaking at UC Berkeley. “We just have pop-up blockers.” Similarly, he noted, there’s no “Do Not Phish Me” button on browsers.

Then they fight you:

The Interactive Advertising Bureau, which represents online advertisers, said "there is currently no definition" of what advertisers should do when receiving the do-not-track notification. "It's like sending a smoke signal in the middle of Manhattan; it might draw a lot of attention, but no one knows how to read the message," said Mike Zaneis, senior vice president of the organization.

Then you win:

A coalition of Internet giants including Google Inc. has agreed to support a do-not-track button to be embedded in most Web browsers—a move that the industry had been resisting for more than a year.

Wednesday, February 08, 2012

How long does it take for the FTC to investigate a company?

The Federal Trade Commission is the nation's premier privacy enforcer. In the last few years, it has gone after Facebook, Google, Twitter and several other firms for violating consumers' privacy or deceiving them about the degree to which they protect that privacy. To outsiders, the FTC can seem highly secretive - it doesn't announce when it opens an investigation, only when an investigation ends in a settlement, a lawsuit, or a public closing letter.

As a result, although the newspapers and blogs may be filled with stories about a particular privacy firestorm, there is no way to know if the FTC is investigating a company. A year or two later, the FTC might announce a settlement, or the FTC may quietly close an investigation without ever tipping the public off to the fact that agency staff spent months investigating the company.

I spent a year working in the FTC's Division of Privacy and Identity Protection between 2009 and 2010, where I got to assist with several important privacy investigations. I saw firsthand how frustrating it is for staff when advocates, the media and Members of Congress demand that the FTC investigate a company, or worse, criticize the FTC for doing nothing, when FTC staff are already several months into a complex investigation.

To help the general public better understand this topic, I recently sought and obtained (via FOIA) the official Matter Initiation Notices (pdf) filed by FTC staff when they formally opened investigations into all of the major privacy-related cases settled during the past few years.

As these documents show, even the fastest privacy case (Google Buzz) took a year from start to finish, while others, such as Facebook (2.3 years) and ControlScan (2.7 years) took far longer.

The take-home lesson from this data? The FTC's investigations are not quick. Given that there are just a couple dozen attorneys in the Division, this isn't surprising. If we want better (and faster) privacy enforcement, giving the FTC more money to hire additional staff would be a great first step.