Thursday, February 23, 2012

Do Not Track: First they ignore you, then they ridicule you, then they fight you, then you win.

In July of 2009, my friend and research collaborator Sid Stamm helped me to put together a prototype Firefox add-on that added two headers to outgoing HTTP requests:

X-Behavioral-Ad-Opt-Out: 1
X-Do-Not-Track: 1

The idea for the Do Not Track header came from a conversation I'd had with security researcher Dan Kaminsky in March of 2009.

A few months after we released the DNT prototype, I started working at the FTC. Once there, Ashkan Soltani and I evangelized the header-based mechanism as a superior solution to the flawed opt-out cookies that the industry had grudgingly delivered. In December 2010, the FTC issued a privacy report that called for a "do not track" system that would enable people to avoid having their actions monitored online.

Today, the Obama Administration, the FTC and the advertising industry will announce that the last remaining web browser (Chrome) will support the Do Not Track header, and that the major online advertising networks will look for and respect it.

The total time, from the first conversation about the concept to a White House press conference announcing broad industry support? 3 years. Decades in Internet time, but this is extremely quick by Washington, DC standards.

First they ignore you:

In mid July 2009, the Future of Privacy Forum organized a meeting and conference call in which I pitched the header concept to a bunch of industry players, public interest groups, and other interested parties. I was perhaps slightly over-dramatic when I told them that the "day of reckoning was coming", for opt out cookies, and that it was time to embrace a header based mechanism...none of the advertising firms showed any interest in the header.

Then they laugh at you:

[Microsoft Vice President Dean] Hachamovitch said it’s naive to simply trust that the tracking sites will obey an anti-tracking signal. “We don’t have ‘do not send me pop-up window’ HTTP headers,” said Hachamovitch, speaking at UC Berkeley. “We just have pop-up blockers.” Similarly, he noted, there’s no “Do Not Phish Me” button on browsers.

Then they fight you:

The Interactive Advertising Bureau, which represents online advertisers, said "there is currently no definition" of what advertisers should do when receiving the do-not-track notification. "It's like sending a smoke signal in the middle of Manhattan; it might draw a lot of attention, but no one knows how to read the message," said Mike Zaneis, senior vice president of the organization.

Then you win:

A coalition of Internet giants including Google Inc. has agreed to support a do-not-track button to be embedded in most Web browsers—a move that the industry had been resisting for more than a year.

6 comments:

Prohest said...

Thank you for persisting, and getting this done.

Anonymous said...

I personally wouldn't ever trust ad companies to respect law and many countries doesn't even have laws about privacy on the net so I'm inclined to laugh out loud at the idea.

I will continue to recommend and help friends and family to install and configure adblockplus, noscript and ghostery "correctly" (as in "extremely restrictive mode") for them to evade as much ads and profiling possible.

Anonymous said...

Thank you for all your work with this Chris - this is the way to effect change.

People should not have to bear the cost of manually covering their tracks - who has the time/knowledge?

The default tech & policies should be "just right" for most of us and this is a step in the right direction.

Well done!

Sarah said...

Viva la revolucion, and hooray privacy. Thanks for doing what you do. Still, we need "do not track" to actually mean "do not collect and sell my info, because that's what I really care about, not the targeted advertising tip of the iceberg." Keep pushing.

Anonymous said...

then I poison myself

http://cs.nyu.edu/trackmenot/

Unknown said...

I'm not surprised there was a lot of initial disapproval in the online marketing community regarding the do-not-track option. Still, that only means ny seo services will focus on getting quality content to make people track their clients' sites.