
Can the New Privacy Movement Succeed?

The movement to improve web users’ ability to avoid tracking got some serious wind in its sails yesterday as a Federal Trade Commission report endorsed the notion of a “Do Not Track” feature built into web browsers.

It could work. As I’ve mentioned recently, there are plenty of problems it could create, some of which aren’t yet forefront in the conversation, but this could be a valuable enough change that everyone would be willing to put up with disruption.

It’s refreshing to see that the FTC has abandoned the previous (stupid) idea of a “Do Not Track” list, analogous to the Do Not Call list. In fact, it was clear in a press call yesterday that FTC Chairman Jon Leibowitz understood the issues. The call included representatives from industry and privacy advocates and there was a consensus that the best way to address the problem was through changes in software and business practices, not through regulation, although regulation could play some useful part later on. Using spam as an example, there are strong laws on the books and they have been effectively irrelevant; all the protection users get from spam comes from technology.

There have been attempts at this in the past, most prominently a World Wide Web Consortium (W3C) project called P3P (Platform for Privacy Preferences) which debuted in Internet Explorer 6. To put it bluntly, P3P has been a failure because it’s too complicated to use. Configuring it requires the user to make numerous policy decisions on technical matters about which they know nothing.

Thus the call for a simple way to say “Don’t Track Me.” The likely method will be an HTTP header with a value like “DONOTRACK=[0/1]”. Headers are sent to web servers with every request. A simple user interface will allow the user to specify that they don’t want to be tracked and the value in the header will depend on that setting. Browser vendors will decide what the default should be.

The big question, and the one left essentially unanswered for now, is what the rules are for sites which receive this header. Some will take it in good faith and not send cookies or otherwise track the user. (This could be something new to them; even sites which let you “opt out” often still track the user, but don’t use the data.) Other sites will try to comply minimally, and some will just ignore it. The feeling seems to be that we’ll see how voluntary compliance goes before we start making rules. The international nature of the web limits the value of such rules anyway.
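What good-faith handling on the receiving site could look like, as an added example that is not part of the original article: a WSGI middleware that, when the request carries the opt-out header, hides existing tracking cookies from the application and drops any `Set-Cookie` that would create one. The header name follows the article's illustrative “DONOTRACK” value, and the cookie names and demo application are constructed for the example.

```python
from wsgiref.util import setup_testing_defaults

# Assumptions: the header name follows the article's illustrative
# "DONOTRACK=[0/1]"; the tracking-cookie names are constructed.
DNT_ENVIRON_KEY = "HTTP_DONOTRACK"   # WSGI form of a "DONOTRACK" request header
TRACKING_COOKIES = {"ad_id", "visitor_uid"}

def cookie_name(pair):
    """Name part of a 'name=value; attrs' cookie string, lower-cased."""
    return pair.split("=", 1)[0].strip().lower()

class HonorDoNotTrack:
    """WSGI middleware: on opt-out, neither read nor set tracking cookies."""
    def __init__(self, app, tracking=TRACKING_COOKIES):
        self.app, self.tracking = app, {n.lower() for n in tracking}

    def __call__(self, environ, start_response):
        if environ.get(DNT_ENVIRON_KEY, "").strip() != "1":
            return self.app(environ, start_response)   # header absent or "0"
        # Hide existing tracking cookies from the application.
        sent = [c.strip() for c in environ.get("HTTP_COOKIE", "").split(";") if c.strip()]
        environ["HTTP_COOKIE"] = "; ".join(
            c for c in sent if cookie_name(c) not in self.tracking)

        def filtered(status, headers, exc_info=None):
            # Drop Set-Cookie headers that would create or refresh a tracking cookie.
            kept = [(k, v) for k, v in headers
                    if not (k.lower() == "set-cookie" and cookie_name(v) in self.tracking)]
            return start_response(status, kept, exc_info)
        return self.app(environ, filtered)

def demo_app(environ, start_response):
    """Constructed site: sets one session cookie and one tracking cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; HttpOnly"),
                              ("Set-Cookie", "ad_id=u-9f2c; Max-Age=31536000")])
    return [environ.get("HTTP_COOKIE", "").encode()]   # echo what the app could read

def simulate(app, request_env):
    """Run one request through `app`; return (Set-Cookie values, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(request_env)
    seen = {}
    body = b"".join(app(environ, lambda s, h, e=None: seen.update(headers=h)))
    return [v for k, v in seen["headers"] if k == "Set-Cookie"], body.decode()
```

This covers cookies only; a site that also identifies visitors through other mechanisms would need the same check in each of those code paths.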

As Microsoft pointed out yesterday, their InPrivate browsing blocks all tracking (as do similar features in all the other major browsers), but such browsing goes much further than Do Not Track envisions.

Perhaps the answer to both problems is a hybrid implementation: When the browser is set so that the header has a “1” value, the browser will also block all tracking cookies and other tracking mechanisms. There needs to be an interface for plugins like Flash to read the global browser setting.

It could work. The real wildcard is the impact it will have on the economics of the web. Who can say what that will be.

– on Security Watch
