Advertisers tracking consumers online: Do Not Track at the W3C
Between 2009 and 2012, all of the major Web browser applications added a “Do Not Track” (DNT) preference setting. If this setting is turned on, whenever the user loads a page, or a piece of content on a page, the provider of that page or content is notified that the user does not want to be “tracked” – whatever that means. But the problem is, at this point, there is still no agreed standard on what it does mean, so the setting is presently ineffective.
The original proposal for a DNT specification was submitted in 2011 by privacy advocates from Stanford University, and Mozilla (which is responsible for the Firefox browser), and it has since been taken up by the Tracking Protection Working Group of the World Wide Web Consortium, where it is being discussed amongst a group of advertisers, website owners, browser vendors and consumer privacy advocates.
The DNT specification consists of two public working drafts, a Tracking Compliance and Scope Specification, and the more technical Tracking Preference Expression specification. Together they define a procedure whereby a tracking preference is sent by a user's Web browser, the website that receives it signals whether and how this preference will be honoured, and the user is given the opportunity to approve site-specific exceptions to the overall DNT preference as desired.
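The three-step procedure above, sketched from both sides as an added example (not code from the W3C drafts or from any browser or server). The function names and `.example` hosts are hypothetical, and the `Tk` status letters (`N` not tracking, `T` tracking, `D` disregarding) are taken from later drafts of the Tracking Preference Expression specification, so they are an assumption relative to the 2012 drafts discussed here.

```python
def dnt_header_for(site, dnt_enabled, exceptions):
    """Browser side: value of the DNT request header sent to `site`.

    dnt_enabled: True = do not track, False = user explicitly allows
    tracking, None = no choice made (no header is sent).
    exceptions: sites for which the user approved a site-specific exception.
    """
    if dnt_enabled is None:
        return None
    if not dnt_enabled or site in exceptions:
        return "0"
    return "1"


def tracking_status(request_headers, honours_dnt=True):
    """Server side: return (may_track, Tk value) for one request.

    Header names are matched case-insensitively. A missing or malformed
    DNT value is treated as "no preference expressed".
    """
    headers = {k.lower(): v.strip() for k, v in request_headers.items()}
    if headers.get("dnt") == "1":
        # Either honour the preference or say openly that it is disregarded.
        return (False, "N") if honours_dnt else (True, "D")
    return (True, "T")


def exchange(site, dnt_enabled, exceptions, honours_dnt=True):
    """One request/response pair, showing the messages of both sides."""
    request = {"Host": site}
    value = dnt_header_for(site, dnt_enabled, exceptions)
    if value is not None:
        request["DNT"] = value
    may_track, tk = tracking_status(request, honours_dnt)
    return {"request": request, "response": {"Tk": tk}, "may_track": may_track}


if __name__ == "__main__":
    granted = {"shop.example"}  # constructed: user approved this one site
    for site in ("news.example", "shop.example"):
        print(site, exchange(site, True, granted))
    print("no preference:", exchange("news.example", None, granted))
    print("disregarded:", exchange("ads.example", True, granted, honours_dnt=False))
```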
The same group at the W3C is also separately working on a complementary specification called “Tracking Protection Lists” which rather than just expressing the user's preference, would act on that preference by blocking elements of websites that are used for tracking, based on a supplied blacklist. The “Tracking Protection Lists” specification is at an earlier stage of development, and does not yet have a public working draft.
Traditionally, the W3C's standards (or “recommendations”) are entirely voluntary, and are adopted by Web content providers and browser developers without legal compulsion. But DNT is somewhat different, because it has been developed in the shadow of regulatory interest in the issue of online behavioural advertising of consumers.
Accordingly, Neelie Kroes of DG Connect (the European Commission Directorate General for Communications Networks, Content and Technology) has been very keen for the DNT specification to be finalised, and gave a June 2012 deadline for this to happen if further regulation was to be avoided. Obviously, that deadline has now slipped. The American Federal Trade Commissioner (FTC) has since 2010 also repeatedly called for a DNT standard, and has given until the end of 2012 for a self-regulatory solution to be put in place. So the clock is ticking on both sides of the Atlantic.
But while regulators and consumer privacy activists have been pushing for an effective DNT standard, industry has been pushing the other way, and the result has been something of a stalemate at the W3C. In particular the Interactive Advertising Bureau and the Digital Advertising Alliance, who together represent about 90% of online advertisers, are pushing an interpretation of DNT that would prevent them from serving customised content, but still allow them to collect and store almost all of the same data that they now do.
The argument is that even where a user expresses their preference not to be tracked, there is a long list of exceptional reasons why their data still needs to be collected and analysed, without which the Web would fall apart. However, were all of these exceptions to be allowed, it could whittle down the effect of DNT to almost nothing. The current wish-list includes:
A very open-ended exception for short-term collection and use (“short term” has not been defined, but could be as long as three months) – provided only that the collection is not used to build a user profile or to alter the user's Web experience.
An exception that would allow content or ad delivery by a third party based on context (such as the website on which the content or ad appears, the Web browser and operating system used, the IP address and the geographical location that it maps to), and the user's previous visits to that content provider's own website.
Exceptions to allow for capping of the frequency of advertisements shown to a particular user, and for billing the advertiser for those advertisements – for example, counting ad impressions, clicks and “conversion” (i.e. clicks that led to sales).
Security and fraud detection, and debugging of Web applications.
Aggregation of usage information to be used in reports for purposes such as market research.
Another spanner thrown in the works of the DNT standard has been Microsoft's surprise decision to turn DNT on by default in its upcoming new browser, Internet Explorer 10. This could erode the support of advertisers for the standard, as they had previously agreed to honour it only on the basis that DNT would not be enabled by default. In retaliation for Microsoft's move, an update to the world's dominant Web server software, Apache, would have it completely ignore DNT signals sent from Internet Explorer 10.
Whilst the list may vary by the time this draft is released, at the time of writing some of the most important outstanding issues in the DNT standard include some very fundamental ones:
What actually is tracking? Are we concerned about a first party tracking its own users across multiple visits to their site (i.e. tracking across time), or are we only concerned about first parties sharing user information that they collect with third parties (i.e. tracking across space)?
What actually is a first party – under what conditions can service providers acting on behalf of a first party fall under that party's umbrella? Can there ever be more than one first party? For example, if you visit Coca-Cola's Facebook page, who is the first party – Coca-Cola, Facebook, or both?
Similarly, what is a third party? Often it is simple enough – a third party is anyone other than the owner of a website that a user visits, who would usually be identified by its brand on that site. But what if another brand is shown on the page too? To continue the above example, Coca-Cola may have a Facebook “Like” button on its own website. The current consensus has it that Facebook would be a third party if you don't click that button, but a first party if you do.
To the extent that exceptions to DNT are allowed only where the data collected is unlinkable to particular users, what does “unlinkable” mean? After all, research has shown that re-identification of supposedly anonymous data is easier than you might think.
How is the user's consent expressed to either the setting of the overall DNT preference, or the setting of exceptions for particular sites? Should the dictates of EU law bear on the requirements of the specification in this regard?
To the extent that any exceptions will be allowed that will permit the collection and use of personal data by third parties, even when the user prefers not to be tracked, what limits are these exceptions subject to? Proposals are that there should be no secondary uses of data collected for such permitted purposes, that data minimisation and transparency should be practised, as well as reasonable security measures to protect the data, and that the collection should generally not result in personalisation of the user's Web experience in contravention of their wishes. But probably most contentious is the question of whether those taking advantage of an exception may do so by setting persistent unique identifiers such as cookies. Consumer privacy advocates say no; advertisers say yes.
Also contentiously, should the standard allow an exception to the usual treatment of the DNT preference when it is sent by a browser such as Internet Explorer 10, that hasn't presented the user with a choice to allow tracking or not?
The consumer movement has been represented within the W3C primarily by a few US-based NGOs – very well, but also, by definition, very narrowly. Direct involvement in the working group has proved untenable for most other groups, probably due to its punishing work schedule, and the highly technical nature of its discussions. For example, one of the US groups' proposals for the standard contains this baffling text:
N-unlinkability is the special case of K-anonymity where all values are considered part of the pseudo-identifier. A dataset is "unlinkable" when there is a high probability that it contains only information which, for a skilled analyst, is 1024-unlinkable with respect to particular users, user agents, or devices.
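A worked reading of the quoted definition, as an added example that is not part of the proposal or of the original article: with every field treated as part of the pseudo-identifier, a dataset is N-unlinkable when each distinct record is shared by at least N records. The log fields, the coarsening rules in `generalise` and the sample data are constructed for illustration, and the check is deterministic, so it leaves aside the "high probability" and "skilled analyst" wording.

```python
from collections import Counter


def unlinkability(records):
    """Largest N for which the dataset is N-unlinkable: the size of the
    smallest group of records that are identical in every field."""
    groups = Counter(tuple(r) for r in records)
    return min(groups.values()) if groups else 0


def is_unlinkable(records, n=1024):
    """True when every record is indistinguishable from at least n-1 others."""
    return unlinkability(records) >= n


def generalise(record):
    """Hypothetical coarsening step: keep only the /16 network of the IP
    address, the browser family and the calendar day."""
    ip, user_agent, timestamp = record
    network = ".".join(ip.split(".")[:2]) + ".0.0"
    family = user_agent.split("/")[0]
    day = timestamp.split("T")[0]
    return (network, family, day)


def sample_log(users=2048):
    """Constructed sample: one request per user, each from a distinct
    private address, alternating between two simplified browser strings."""
    rows = []
    for i in range(users):
        ip = "10.20.%d.%d" % (i // 256, i % 256)
        user_agent = "Firefox/15.0" if i % 2 == 0 else "Chrome/21.0"
        timestamp = "2012-09-01T%02d:%02d:00" % (i % 24, i % 60)
        rows.append((ip, user_agent, timestamp))
    return rows


if __name__ == "__main__":
    raw = sample_log()
    coarse = [generalise(r) for r in raw]
    print("raw log:        N =", unlinkability(raw))
    print("generalised log: N =", unlinkability(coarse))
    print("1024-unlinkable:", is_unlinkable(coarse))
```

A single record that falls into a group smaller than 1024 is enough to fail the test for the whole dataset, which is why the raw log, where every address is unique, scores N = 1.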
To provide a smoother experience for non-specialist consumer activists to participate in the discussions, a community group was formed last year, but whilst well-intentioned, in practice it has not been any more effective at facilitating widespread participation. Perhaps the last hope for the global consumer movement to provide useful input into the standard before it is finalised will come in October, when the working group is expected to finalise a “Last Call” draft for broader public review.
This work is licensed under an Attribution Share Alike Creative Commons license