Saturday, March 26, 2016

Do Not Track

Q: The past several years there has been a national debate over whether businesses should be allowed to track the internet activities of users.  Privacy advocates say there should be a “Do Not Track” system (similar to the Do Not Call system) which either bans the collection of such information or allows a user to opt out of any such tracking.  Opponents argue that Internet tracking has many benefits, including allowing businesses and advertisers to deliver more useful and relevant advertising, services and cost savings to Internet users.  Moreover, opponents argue, usage tracking is necessary to support digital advertising which is what allows users to use the Internet free of charge. A working group of industry representatives, advertisers, online businesses and privacy advocates met for three years to develop agreed upon protocols and standards for a DNT system, but have been unable to reach any consensus.  The Digital Advertising Alliance, a non-profit trade association, has developed a self-regulatory program to establish and enforce privacy practices with respect to behavioral or targeted advertising.  Evaluate the DAA programs and opine on whether they adequately protect the privacy of consumers.


Introduction

Christopher Soghoian, in his article “The History of the Do Not Track Header,” writes that the concept of Do Not Track (DNT) can be traced to comments submitted to the 2007 FTC Town Hall “Ehavioral Advertising: Tracking Targeting, and Technology,” following the heels of FTC’s Do Not Call registry.  That proposal relied on online advertisers to compile and submit a list of all the different domains that they were using to track consumers to the FTC in a machine readable form, which would maintain a master list.  Browser vendors and third-party developers could then subscribe to that list to offer DNT protection, and the onus of protection was still on online advertisers.  However, that that effort was a failure, and when the concept was resurrected again in 2010, it bore little technical resemblance to the original.  The Tracking Protection Working Group of the World Wide Web Consortium (W3C) has recommended the Do Not Track (DNT) HTTP request header field as a mechanism for expressing user preference with regard to tracking as well as for websites to communicate whether and how they honor that preference.  

A key distinction between current DNT mechanism as implemented by modern browsers and the older proposals that share the same name is that the onus is now on the presumably well-informed consumer to enable the tracking protection in their web-browsers.  Notably, this also means that the default state of DNT is “disabled,” and consumers need to explicitly state their preferences by enabling it in each and every web browser they use on each and every device.  Browser vendors like Mozilla Foundation, Microsoft Corporation, Google Corporation, etc. started implementing these features since 2010, and along with third parties, have published articles on how to enable DNT functionality.  Disabling DNT by default is explained by Microsoft & Mozilla as being necessary because the standard is meant to convey choice, and most websites will not honor that choice if set by default.  In fact, Microsoft’s initial policy of enabling DNT by default caused a backlash from online advertisers who chose not to honor that setting for Microsoft’s browsers, but not for other browsers, forcing Microsoft to reverse course. 

Opposition to DNT & Self-Regulation

Opposition to DNT comes from two main camps, with vastly diverse interests, and positions on why it is ineffective at best or a bad idea at worst.  At present, DNT is completely voluntary on and there is no legal or technical requirement for enabling the setting or for honoring it.  The voluntary nature of DNT coupled with major websites like Google, Facebook, Yahoo, etc. not honoring the setting could lead users into a false sense of security, and potentially distract from other ways of protecting privacy online.  Additionally, a growing number of consumers are now using mobile devices instead of desktop/laptop computers to browse the internet.  A large percentage of mobile internet use is via apps rather browsers, which makes DNT ineffective in its current form, since apps can have in-app advertising and in-app purchases hard coded in them.  A number of apps relied on identifying consumers by the Unique Device Identifiers (UDIDs) of their devices, and developers built databases of tracking information, which would be unaffected by DNT.  Both Apple and Google, who collectively control over 95% of the mobile OS market have since pushed app developers to stop using UDIDs and rely on virtual unique identifiers, which can be reset by the user, respectively. Recognizing the changing landscape in mobile internet use, the FTC has developed recommendations that would “help build trust in the mobile marketplace,” and has indicated that they have an interest in regulating this space through a platform-level version of DNT (see FTC Staff Report, pages 18-19).

Other opponents of DNT cite its effect on small business owners who rely on advertising on websites for referrals, and on revenue from online advertising on their own websites.  However, over 85% of referrals for small businesses are by word of mouth, and only about 3% of their ad spending goes toward online advertising.  On the other hand, organizations like the Network Advertising Initiative (NAI) describe the benefits of online advertising in terms of helping keep websites and apps free, providing customized content based on consumer interest, reducing intrusive ads, and helping businesses better serve consumers.  NAI, an industry trade group that formed in 1999, develops standards for online advertising, and also offers an opt-out tool that helps detect and opt out of behavior & interest based advertising by their member companies.  Ironically, this functionality relies on the use of the same third-party cookies that enable the functionality, which requires a user to do this for each browser, and after every time they clear their cookies, which can coincide with clearing browser history in some cases.  This opt-out mechanism is different than DNT, although like the latter, the actual implementation in the hands of individual NAI members, and users explicitly opting out.  However, configuring DNT once for each browser on each device would be less burdensome than remembering to go to an online opt-out tool and opting out of each and every participating NAI member advertiser. 

In 2010, NAI joined the Digital Advertising Alliance (DAA), a nonprofit organization that includes several leading companies and trade associations including the Association of National Advertisers (ANA), the American Association of Advertising Agencies (4A’s), the Direct Marketing Association (DMA), the Interactive Advertising Bureau (IAB), the American Advertising Federation (AAF) and the NAI.  DAA offers the same type of opt-out tool that NAI does, and having used both online tools on Safari on the Mac, the NAI tool, followed by the DAA tool, they both identified Criteo, Microsoft Advertising and Yahoo among member sites that were customizing ads for that browser, and both provided options to opt-out.  However, the NAI includes 98 participating members, whereas DAA includes 125, and newer member sites join the alliance, consumers may not be automatically opted out, but expected to periodically visit these websites, run the tool again, and opt out of any new members that were not included in the scan, the last time it was run.  Additionally, as I discovered after running the global opt-out on the DAA tool, the only succeeded on 64 out of 125 participating companies (see screenshot below).  Again, this process seems unnecessarily complicated, whereas requiring member sites to adopt DNT would have been much simpler.


The DAA mentions the Consumer Choice Page as an important prong in a three-pronged choice for consumers in its Self-Regulatory Program, along with consumer education and a mechanism for filing a complaint.  The consumer education approach is a welcome step in the right direction, as is the existence of a mechanism for filing complaints.  However, as discussed above, the consumer choice page—arguably the core of this approach—seems inadequate in protecting consumers in practice.  Additionally, like DNT, the DAA approach does virtually nothing to protect against tracking via mobile apps, which now generate a significant amount of mobile internet traffic.  In the light of these severe shortcomings with industry & standards based approaches discussed above, the FTC’s proposal for a platform-based opt-out seems far more robust.  However, in the meantime, consumers may need to take matters into their own hands using a combination of various software tools, since no single strategy seems to be completely effective.

Random Ways to Protect Privacy Online – Because DNT Does Not Work

1.         Caution – might work better than most other approaches
a.          Follow the Electronic Frontier Foundation’s recommendations for protecting your privacy online.
b.         Avoid clicking on links and opening any attachments received via email.
c.          Avoid clicking on links on web-pages that lead to unfamiliar websites, unless reputable.
2.         Install antivirus software with browser add-ons – can protect against many types of links to malicious software and disreputable sites that serve malware.
3.         Set your search engine & home page to a website that does not track: e.g. DuckDuckGo
4.         Use a different browser like Firefox or Chrome which provide added protections through add-ons, rather than settle for defaults like Internet Explorer (Windows) and Safari (Mac).
5.         Change browser settings
a.          Change settings
                                                  i.        Disable Third Party Cookies
                                                ii.        Disable pop-ups by default
                                              iii.        Enable Do Not Track
b.         Extensions for common browsers
                                                  i.        Basic:
1.         AdBlock Plus – block ads and other types of intrusive content
2.         HTTPS Everywhere – encrypts traffic on sites that support it
3.         Privacy Badger – enforces granular cookie policy
                                                ii.        Advanced: requires some level of familiarity with the technology and may cause certain websites to not function correctly
1.         NoScript (Firefox) – disables javascript, flash, and other active content, unless explicitly enabled, protects against cross-site scripting, etc.
2.         RequestPolicy (Firefox) – blocks third party sites by default unless whitelisted by the user.
6.         Use a hosts file (advanced) – works not just for the browser, but with all programs installed on the computer.
7.         Talk to your representative in the U.S. Congress about your concerns about online privacy – because any long-term solution will in fact take an act of Congress.

Conclusion

DNT, although well-intentioned, failed for various reasons including lack of consensus between the online advertising industry and browser vendors/developers.  The online advertising industry-developed alternatives like DAA’s self-regulatory programs seem like a step in the right direction on some fronts, but fail to address the shortcomings of DNT.  Ultimately, an FTC-developed platform-based approach might end up being the solution we need, although it would require Congress to act.  Regardless of how that part plays out, the ultimate responsibility of ensuring online privacy might lie with the consumers themselves, and there are an assortment of tools and techniques that might help accomplish that goal. 

6 comments:

  1. The two biggest problems I see with DNT, as Vik alluded to, are that (1) consumers don't know it is an option and/or how to implement it, and (2) that it's even possible for companies to not participate. This second fact, in my opinion, renders the whole DNT movement null. That a company can render an agreement between the internet browser and the user completely void seems to be a huge weakness in the structure of that agreement. Maybe the internet browser could refuse to allow a user to access a site, for companies that refuse to comply? (The browser could give the user an error message along the lines of: "We are sorry. The site you are trying to reach is unavailable because the company does not comply with our privacy policies.") But then a user will probably just not use that internet browser. I guess Congress or the FTC could act and say that companies must comply with an internet browser's privacy settings. But even if this second problem could be solved, it's still an issue that consumers don't know that it is an option to turn of tracking and/or how to implement DNT. Facebook relies on this naïveté. There has been much backlash over Facebook updates which automatically change one's privacy settings, and default to a less-private state, without the user being aware of it. The same would be true with DNT--unless there was a banner that scrolled the top of an internet page, warning that "this company tracks" and "please see the browser settings if you want to disable tracking," users won't even know it is an option. So real-time consumer education will be an important aspect (not just some webpage the consumer has to first know to navigate to, that lays out the information). Then compliance needs to be resolved--otherwise, the whole DNT movement is null and void.

    ReplyDelete
  2. There are three important distinctions between “Do Not Track” (DNT) and “Do Not Call” that should be considered when contemplating the effectiveness and privacy implications of DNT. The first, and most important, distinction between the two is that there was legislation that led to the creation of the “Do Not Call” list. The Telephone Consumer Protection Act of 1991 gave the FCC the authority to establish a single national database of telephone numbers of residential subscribers who did not want to be called. In 2002, the FTC was granted the authority to implement the do not call list. In the case of DNT, there is no legislation and no regulation from the FTC or FCC to establish or enforce DNT. Absent this standardization and enforcement, we see the results of companies choosing on their own when to honor DNT and when not to, making it much less effective.

    A second distinction is the difference between tracking and calling. Tracking is a more passive, while calling requires the company to actively call the person. This factor would support the idea that there should be some sort of DNT list in the sense that consumers may have no idea their activity is being tracked. Consumers are aware when they receive a phone call from a telemarketer, but generally are not aware that their internet activity may be tracked.

    Finally, it could be argued that there are more privacy interests at stake in having one’s web activity tracked than there is in receiving a telemarketer’s phone calls. Consumers don’t have to give away any information to telemarketers, it is arguably more of the interest in being undisturbed that it is at issue. The potential implications of tracking someone’s web activity seem to implicate far greater privacy concerns. By tracking what sites people visited, links clicked, time spent on sites, etc. companies could potentially gain insights into sensitive information people are searching for online.

    The above three distinctions support the idea that there should be some sort of DNT list, because (1) consumers are generally not aware they are being tracked, and (2) the significant privacy interests one has in their internet activity. However, absent legislation and accompanying regulatory standardization and enforcement, it is unlikely that DNT will be effective.

    ReplyDelete
  3. I personally feel like the DNT concept is a great idea. Clearly the problem, which both Angela and Laura identified and explained is in the enforcement and education of DNT. I wonder if there would perhaps be a better approach to the problem. I think that if Apple or Microsoft created a Tracking identifier that alerted you that you were about to visit a page or use an app that tracked data and what kind of data it was tracking then consumers could choose to visit that site or not. Im thinking along the lines of the function that your email has that notifies you if you are about to open an email from a new sender. The little window pops up and tells you that the email is from an untrusted source. At that point you have to affirmatively accept the attachments on the email by clicking "trust" of "allow". This function could solve both the problems identified by Angela and Laura. First, Everyone would be notified everytime they are entering a "Tracking site" or app. This would significantly reducing user obliviousness/ignorance. This would allow even unsavvy users to make an informed decision about whether or not to proceed. If consumers are not visiting sites because they are tracking then site owners would be pressed to develop of more user friendly way of switching between "Allow Tracking" option and DNT options. This might also lead to companies creating different tiers of tracking options that give consumers a choice allowing for some tracking of purchases, no tracking, or unlimited tracking if the consumer was in favor of tracking. This would begin to resolve the second problem by facilitating a more informed and effective market based regulation.

    ReplyDelete
  4. I think Vic does an adroit job underscoring both the lack of consensus among the national online marketing groups regarding DNT and the complexity of the problem as far as providing consumers with a meaningful opportunity to opt-out of online tracking. These two concepts, from my perspective, reinforce the need for Congress to either pass legislation of empower the FTC to enact a rule that creates uniformity and accountability with regard to DNT. As Laura points out, there is a significant difference in the privacy interest associated with internet tracking and a Do Not Call list. Given the lack of oversight and accountability of companies who track consumer activity, coupled with the adverse impact on privacy, regulation and uniformity in this area seems paramount. On the other hand, as the NAI points out, this type of targeted advertising allows apps and websites to remain free, giving consumers the convenience of free access. Assuming consumers web browsing habits and purchase history can be archived in way that maintains anonymity, I think there is an interesting debate to be had concerning the trade off between the convenience of free access to apps and websites and the sacrifice of a consumer's commercial privacy.

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. Due to the Unique Device Identifiers on mobile apps I agree with Vik that the FTC platform approach may be the best option going forward, especially considering that enforcement of the DNT has been faced with outright indignation. Standardization of apps would be a plus as people would not having to sort through a myriad of privacy policies just to maintain privacy. This seems especially important in relationship to children. If apps marketed to children are gathering information and sharing such information with third parties, something must be done to fully educate parents—a uniform rule here would be advantageous. A rating system similar to movies with age range recommendation for an app, what data, how data is shared, and what is considered a kids app. In addition, children are very susceptible to commercials; if children are engaging in integrative advertising mechanisms, then a uniform rule is paramount. I will always remember the day two of my children came screaming in the room about this contraption that did all of these amazing things, what I didn’t realize was the TV was showing infomercials—they were excited about a magical vacuum that could clean the ceiling.
    The requirement of a uniform disclosure for these types of apps seems apropos when considering the amount of time, knowledge, and energy it would take to read every privacy policy.

    One issue I have with implementing a strict DNT is with regard to small businesses. As people rely more and more on the internet, their I-phones, and on-line consumer reviews; I am concerned that small businesses will loose out of being able to be linked to other pages of relevance and fight for their space in highly relevant advertisements. Word of mouth is obviously essential, but I don’t remember the last time I even ate at a restaurant due to word of mouth by another—simply google and critical review.

    Moving forward I am concerned that the greedy nature of advertisers will not comply with any of these regulations and will continue to track in a predatory manner every consumer thought and action.

    Moreover, I am concerned by the issue of transparency and opting out. A default opt-out should exist not only on google, Mac, Facebook, etc., but simply because the older generation not incredibly savvy with regard to technology and the younger generation may not as concerned with repercussions of not thinking prior to searching.

    Finally, I am incredibly conflicted with how law enforcement or the state might want to use such technology. If consumers become so predictable then it could be advantageous for law enforcement to "see" a potential harm--but where would this end.

    ReplyDelete