What you need to know about Do Not Track
As the White House pushed a privacy bill of rights this week and readied new online privacy legislation for Congress to consider, Google decided on Thursday to get behind Do Not Track, technology that lets users opt out of online tracking done by websites and Internet advertisers.
Some proponents of Do Not Track called yesterday V-DNT Day, in a hat tip to the likes of VE-Day in May 1945 as World War II ended in Europe. Others were more cautious, saying that the job was only half finished. So where does Do Not Track stand now? We’ve put together some answers for you.
What is Do Not Track? It’s technology that relies on information in the HTTP header, part of the requests and responses sent and received by a browser as it communicates with a website, to signal that the user does not want to be tracked by online advertisers and sites.
In the browsers that support the Do Not Track header, a user selects a single option to tell websites that he or she does not want to be tracked. In Mozilla’s Firefox, for instance, that’s done through the Preferences (Mac) or Options (Windows) pane by checking a box marked, “Tell websites I do not want to be tracked.”
So what exactly did Google just agree to do? It will add support for Do Not Track to its Chrome browser.
So, Chrome supporting Do Not Track is a good thing? Very much so, according to Jonathan Mayer, one of the two Stanford University researchers who came up with the header standard. “This is a great step forward. For some time, Google has been the last holdout among the major browsers,” he said in an interview Thursday.
What does Mayer mean by “last holdout?” What other browsers support Do Not Track? Apple’s Safari, Microsoft’s Windows-only Internet Explorer 9 (IE9) and Mozilla’s Firefox. Mozilla’s browser was the first browser to adopt Do Not Track with Firefox 4 in March 2011, and IE9 followed suit almost immediately. Safari has supported Do Not Track since version 5.1, which debuted in OS X Lion last July.
Currently, Safari hides the setting: To switch it on, select “Send Do Not Track HTTP Header” from the “Developer” menu. If you don’t see the Developer menu, activate it from the Advanced section of Preferences by checking the box “Show Developer menu in menu bar.” Apple will expose this setting in the Privacy section of the Preferences pane when it releases OS X Mountain Lion this summer.
Additionally, Opera Software has added Do Not Track to the alpha build of v. 12, which will work its way toward a production edition in the coming months.
I thought Chrome already used Do Not Track... What gives? You were wrong. Rather than support Do Not Track, Chrome relied on a plug-in, dubbed Keep My Opt-Outs, that blocks targeted ads produced by more than 80 ad networks and companies—including Google, Microsoft and Yahoo.
When will Chrome add Do Not Track, and how will users turn it on? Google hasn’t said, exactly. A company spokeswoman said that Chrome will support the technology “by the end of the year,” but declined to get more specific. She also declined to spell out the user experience, saying “We will have more to say as development proceeds.”
Presumably, Chrome will add a check box to the user settings panel—as Firefox and Safari have—most likely in the “Under the Hood” section where other privacy options are now available.
What about mobile browsers? Do they support Do Not Track? Firefox for Android does. Safari on iOS and Chrome for Android do not, although Apple and Google will presumably add support in future versions to match their desktop browsers. As for IE9 on Windows Phone 7, we haven’t been able to confirm whether it does or doesn’t support Do Not Track. We’ve asked Microsoft for an answer, but haven’t heard back.
So, when I tell my browser to send the Do Not Track request, no one will monitor my movements? Hold on there, pardner. Thursday’s commitment by Google to support Do Not Track in Chrome may have been a clear win for the specific way that request is communicated, but there’s no such clarity on what websites do—or don’t do—when they receive that signal.
“On the technology side, this is an unambiguous win, but on the policy side there is still a lot of work to be done,” Mayer said yesterday.
The Electronic Frontier Foundation (EFF), an online privacy advocacy organization, said much the same. “While today was a great advancement on the Do Not Track technology, it did not meaningfully move the ball forward on the Do Not Track policy,” said Rainey Reitman, the EFF’s activism director, in a blog on Thursday .
What have sites agreed to do with Do Not Track? They’ll stop using cookies to craft targeted ads, the kind pointed at you based on your past surfing and other online behavior.
But the companies that lined up Thursday to support Do Not Track—the ad networks, websites and corporations who belong to the latest online ad industry trade group, the Digital Advertising Association (DAA)—haven’t promised to actually stop tracking users’ Web movements. Instead, they’ve pledged to not use tracking data to serve targeted ads—which the DAA calls “behavioral advertising—or use that tracking information “for the purpose of any adverse determination concerning employment, credit, health treatment or insurance eligibility, as well as specific protections for sensitive data concerning children.”
(IDG, the parent company of Macworld, is a member of DAA, according to the association’s list of participating companies and ad networks. Other media firms that will hew to the DAA’s behavioral ad guidelines around Do No Track include Conde Nast, ESPN, Forbes and Time.)
What? So Do Not Track doesn’t mean just that? Right, which is why privacy groups are pushing for a stricter interpretation. The EFF, for one, is leery of the advertising industry’s sincerity.
“Historically, the DAA has eschewed providing users with powerful mechanisms for choices when it comes to online tracking,” said EFF’s Reitman. “The self-regulatory standards for behavioral advertising have offered consumers a way to opt out of viewing behaviorally targeted ads without actually stopping the online tracking, which is the root of the privacy concern.”
Reitman worried that the DAA would mess with the simplicity of Do Not Track, and try to turn it into “slippery legalese that doesn’t promise to do much of anything about tracking.”
Anything else about the Do Not Track promises made by the advertising industry I should know? One interesting aspect: The DAA said it would not honor the setting if “any entity or software or technology provider other than the user exercises such a choice.”
EFF’s Reitman interpreted that as a pre-emptive strike against browser makers that may want to turn on Do Not Track by default. (None do at this point. It’s off in Firefox, IE9, and Safari until the user manually changes the setting.)
How will Do Not Track be enforced? Because Do Not Track remains voluntary, only those companies and organizations that commit to supporting it—but then renege on the promise—will face the music.
The Federal Trade Commission (FTC) will enforce Do Not Track. The 52-page proposal published Thursday by the White House (download PDF) spelled it out: “The Administration expects that a company’s public commitment to adhere to a code of conduct will become enforceable under Section 5 of the FTC Act (15 U.S.C. S 45), just as a company is bound today to follow its privacy statements.”
What’s next for Do Not Track? Work, work, work. The W3C (World Wide Web Consortium), one of the Internet’s primary standards-setting bodies, has been hammering out a specification for Do Not Track’s policy—what websites should be obligated to do/not do if they support the standard—since February 2011.
W3C is shooting to wrap up the spec some time this year. Apple, Google, Microsoft, Mozilla and Opera all have representatives on the W3C’s “Tracking Protection Working Group,” the committee that’s working on a Do Not Track policy standard as well as considering Microsoft’s own Tracking Protection idea , which IE9 also uses (and which, until Microsoft jumped on the Do Not Track bandwagon, was the way IE9 stopped cookie and other tracking technologies).
Mayer, Reitman and others—including the FTC—stressed the importance of the W3C’s work, and called on the DAA and its members to collaborate with the group to come up with a Do Not Track policy standard rather than circumvent the standards body.
“The [advertising] industry deserves credit for this commitment, though the details of exactly what ‘Do Not Track’ means still need to be worked out,” Justin Brookman, the director of consumer privacy at the Center of Democracy & Technology (CDT), a Washington, D.C.-based Internet policy group, said in a statement yesterday. “CDT will continue to work through the W3C standards setting process to develop strong and workable ‘Do Not Track’ guidelines.”