Monday, 15 October 2012

Don't track me now, I'm having such a good time!

The concept of online privacy has been in the news extensively in the last few years, with first the introduction and then the implementation of the EU Directive on Privacy and Electronic Communications. We of course covered this extensively through our Cookie OK website.

One of the provisions of the Directive - which covered a wide swath of scenarios yet ended up being colloquially referred to as the 'Cookie Law' - was that it should be up to an individual user as to whether their information was shared with websites. With browsers lacking the ability to give the users this choice directly it was left to the developers of individual sites to implement, in a range of differing ways, methods of gaining the users' permissions to allow their progress to be tracked for analytical, personalisation and advertising purposes.

There has been another solution in the background for the last few years, in the form of a 'Do Not Track' option that both the major browser vendors (Microsoft, Google, Mozilla, Apple and Opera) and web server vendors (primarily Microsoft and Apache) aim to support. The history of how this option evolved from the original discussions in the US is an interesting but complex one, and outside of the scope of this post; it is best told by one of those originally involved, Christopher Soghoian. The purpose of the option, on the other hand, is much more straightforward:
"Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms. At present few of these third parties offer a reliable tracking opt out, and tools for blocking them are neither user-friendly nor comprehensive. Much like the popular Do Not Call registry, Do Not Track provides users with a single, simple, persistent choice to opt out of third-party web tracking."

The problem with such a simple technology as this - implemented, in theory, as an "on/off/no preference" switch on a browser - is that its effects can be widespread amongst a variety of other organisations. To a user, switching "Do Not Track" on implies that websites that the user visits in the future will not track them; a setting that, as it is within the browser, is significantly more far-reaching than a simple cookie. To a website, that same switch may only apply to certain types of tracking. As Ed Bott reports, the Direct Marketing Association is lobbying for "Marketing" to be added to the list of organisation types allowed to track users:
"Marketing fuels the world. It is as American as apple pie and delivers relevant advertising to consumers about products they will be interested at a time they are interested. DNT should permit it as one of the most important values of civil society. Its byproduct also furthers democracy, free speech, and – most importantly in these times – JOBS. It is as critical to society – and the economy – as fraud prevention and IP protection and should be treated the same way."

The whole situation took a further turn to the ridiculous in June 2012, when it was discovered that the DNT option would by default be switched 'On' in Internet Explorer 10. As the whole point of DNT is to promote consumer choice, switching it on by default arguably means that the consumer has made no actual choice. With this as a justification, a patch was submitted to Apache that caused it to completely ignore the DNT option when a user was using Internet Explorer 10. The patch was not added to the code, but the point was made, and many believe that Microsoft are taking away choice rather than providing it.
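
The three-state switch and the server-side override described above, as an added example (not code from this post, from Apache or from the patch it mentions): it reads the `DNT` request header as defined in the W3C Tracking Preference Expression drafts (`1` = do not track, `0` = tracking allowed, absent = no preference) and shows what discarding the header for Internet Explorer 10 does to a user who switched it on deliberately. The function names, the `MSIE 10.0` user-agent match, the sample requests and the policy of tracking unless `DNT: 1` is present are assumptions made for illustration.

```python
from enum import Enum


class Preference(Enum):
    DO_NOT_TRACK = "on"      # DNT: 1
    ALLOW = "off"            # DNT: 0
    NO_PREFERENCE = "unset"  # header absent or unrecognised


def parse_dnt(headers):
    """Map the DNT request header onto the three-state switch."""
    # HTTP header names are case-insensitive.
    value = {k.lower(): v.strip() for k, v in headers.items()}.get("dnt")
    if value == "1":
        return Preference.DO_NOT_TRACK
    if value == "0":
        return Preference.ALLOW
    return Preference.NO_PREFERENCE


def strip_default_dnt(headers, marker="MSIE 10.0"):
    """Override of the kind described above: drop DNT when the UA is IE10."""
    ua = next((v for k, v in headers.items() if k.lower() == "user-agent"), "")
    if marker in ua:  # assumed match string, chosen for this example
        return {k: v for k, v in headers.items() if k.lower() != "dnt"}
    return dict(headers)


def may_track(headers, ignore_ie10=False):
    """Assumed site policy: only an explicit DNT: 1 counts as an opt-out."""
    if ignore_ie10:
        headers = strip_default_dnt(headers)
    return parse_dnt(headers) is not Preference.DO_NOT_TRACK


# Constructed sample requests (not captured traffic).
IE10 = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"
SAMPLES = {
    "firefox, user switched DNT on": {"User-Agent": FIREFOX, "DNT": "1"},
    "firefox, no preference": {"User-Agent": FIREFOX},
    "ie10, DNT on (default or chosen)": {"User-Agent": IE10, "DNT": "1"},
}


def audit(samples=SAMPLES):
    """Return {label: (tracked_if_honoured, tracked_with_ie10_override)}."""
    return {k: (may_track(h), may_track(h, ignore_ie10=True))
            for k, h in samples.items()}
```

The IE10 row is the point: once the header is dropped, a deliberate opt-out and the browser default cannot be told apart, and both are tracked.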

The Digital Advertising Alliance further stated that organisations are free to ignore DNT without fear of sanctions:
"Specifically, it is not a DAA Principle or in any way a requirement under the DAA Program to honor a DNT signal that is automatically set in IE10 or any other browser.  The Council of Better Business Bureaus and the Direct Marketing Association will not sanction or penalize companies or otherwise enforce with respect to DNT signals set on IE10 or other browsers."

Ultimately, DNT is a good concept, and had it been implemented correctly and responsibly by all parties it would almost certainly have avoided the many years of doubt, website re-engineering, and of course all the associated costs, that the implementation of the 'Cookie Law' introduced. As things stand now, it has been hijacked by too many third parties to be anything other than an interesting blip in web browser history. Returning to Christopher Soghoian's original account:
"If industry (or the FTC, Commerce and Congress) ultimately settle on the header based approach, there will likely be an intense lobbying effort on industry's part to define what firms must do when they receive the header. Specifically, they will seek to retain as much data as possible, even when they receive the header. As such, the devil will be in the details, and unfortunately, these details will likely be lost on many members of Congress and the press."