Can "Do Not Track" starve the Web's Cookie Monster?

[nsane.forums]

Last week, the White House announced a new Internet privacy agreement with the companies serving nearly 90 percent of "online behavioral advertisements," theoretically forcing the likes of Google, Yahoo, Microsoft, and AOL to stop monitoring the Web-surfing habits of users who click a "Do Not Track" button on their browsers.

While a good step toward broader Web privacy protections, the agreement itself illustrates the difficulties of enforcing privacy guidelines on the Web: we must rely on advertisers to police themselves and on browser makers to implement functionality that helps users opt out of behavioral tracking. And in the case of the world's biggest advertiser—Google—the advertising company is also the maker of one of the most world's popular browsers, Chrome.

"We're looking at a Web that has been built around the advertising business model and now we want to retrofit privacy back into the Web, and we run into these deep and hard-to-resolve tensions," said Peter Eckersley, technology projects director for the Electronic Frontier Foundation.

The EFF recently argued that Google's circumvention of default privacy settings in Apple's Safari browser in order to serve up advertising cookies shows the need for a system like Do Not Track. It was only several days later that the White House announced its new agreement with Google, Yahoo, Microsoft, and AOL.

But will Do Not Track really work? The idea is a simple one: give users a button that, when pressed, will send websites an HTTP header that signals the user's preference not to be tracked. The White House said companies that make the Do Not Track commitment "will be subject to FTC (Federal Trade Commission) enforcement." Apparently, that means companies that choose not to make the commitment will not be subject to FTC enforcement.

Fortunately, the biggest players are covered by the agreement. But getting the FTC to act is no simple matter. Do Not Track could ultimately supersede another privacy standard built ten years ago, called P3P, or the Privacy Preferences Project. P3P, which is only implemented by Microsoft's Internet Explorer, blocks third-party cookies unless presented with a policy statement promising not to use the cookie to track the user. It turns out Google, Facebook, and thousands of other websites have found simple technical workarounds to trick P3P into letting the tracking continue.

Lorrie Faith Cranor, who chaired the P3P working group for the World Wide Web Consortium (W3C), told Ars last week that she and her colleagues spoke with governments around the world, and were told that P3P was enforceable under privacy laws. Yet in the past ten years, "I don't know of any regulator that has gone after a company for P3P violations," Cranor said.

Prior to the White House agreement, Cranor said she worried that Do Not Track will end up being just as unenforceable as P3P. After the White House announcement, she was still skeptical that Do Not Track can be enforced. "I don't think the White House announcement gives us enough detail to know for sure," she said. "They made statements to suggest they want it to be enforceable, but not enough details on how that is going to happen."

An industry group called the Digital Advertising Alliance (DAA) said advertisers will respect Do Not Track preferences in cases where the user "has been provided language that describes to consumers the effect of exercising such choice including that some data may still be collected," but not in cases where "where any entity or software or technology provider other than the user exercises such a choice."

A skeptical interpretation of these statements is that the default privacy settings of browsers won't be respected, and that even straightforward language "might turn into some slippery legalese that doesn't promise to do much of anything about tracking," EFF activism director Rainey Reitman states in a blog post.

That skeptical interpretation seems to be confirmed by none other than Google itself. In a statement e-mailed to Ars, Google said its advertising systems "will honor Do Not Track browser signals in accordance with DAA principles, when they see them." The Google statement further notes that "under the agreement, DAA members will respect the header when it is actively chosen by a user, i.e., not as a result of a default setting, and when users are informed of what the header will—and will not—achieve."

In cases when Google's advertising networks see a Do Not Track header and determine that it is legitimate, they will "treat the user’s browsing data in accordance with DAA Principles—including opting the user out of ad targeting and ads using third-party cookies," Google said.

The Web's cookie monsters, including Google, have agreed to new a privacy-protection scheme

Why we should care

The privacy issues raised by advertising cookies are easy for many people to ignore. Being served up personalized ads based on our search and Web browsing histories (or even based on the contents of our e-mail messages) isn't as harmful as the threat of viruses, or the habit certain governments have of blocking portions of the Web. But it's one of those slippery-slope issues, Eckersley argues.

Governments requesting information about citizens from the advertising companies that know so much about us would be bad enough in the US, but "could become a matter of life and death in the Arab Spring," he said. No matter where you live, there are things you just want to keep private from family, friends, or employers. A person's search history could show that they're looking for a new job, a fact many people would want to keep secret from employers, he said.

Do Not Track won't stop practices such as Gmail's use of targeted advertising based on the contents of e-mail messages. In general, if you sign into a service you're giving up anonymity no matter what browser preferences you have set.

"The general spirit of Do Not Track is that it's there to protect you against companies that you have no relationship with, or companies you're not currently interacting with," Eckersley told Ars. "If part of the bargain for a free webmail service is seeing customized ads, that's something that consumers can make a reasonably informed choice about (in contrast to being tracked by invisible third parties all over the Web)."

You may recall Google's Safari controversy was related to ads served to signed-in Google users. However, that case was threatening because Google's workaround ended up causing Safari to accept all cookies from DoubleClick, Eckersley said. (Google used a hidden form to trick Safari into thinking the user is accepting certain cookies from the Google-owned DoubleClick.) "Even though they weren't doing this circumvention for the main tracking ID cookie on DoubleClick.net, once it had been done, the next time the browser saw a DoubleClick ad it would accept the tracking cookie," Eckersley said. "Google was trying to punch a tiny little hole in Safari privacy protection mechanisms, and that causes the whole thing to burst. The tiny hole becomes a giant hole."

Where is that Do Not Track button, anyway?

All major browsers today support blocking cookies. While this may help maintain privacy, blocking all cookies can limit functionality users want. Cookie-blocking is also not foolproof, because of so-called "supercookies" that resist blocking and deletion attempts, and other tracking tools such as browser "fingerprints" that can identify users with great accuracy even when users block cookies.

That's why a simple "Do Not Track" button is needed, Eckersley argues. But today's Do Not Track options are not made obvious to users. Google provides a "Keep My Opt-Outs" extension for Chrome that "permanently opts your browser out of online and personalization via cookies," but users must locate it in the Chrome Web Store. It's not a native part of the browser, although Google promises to both build a Do Not Track option into Chrome and have its advertising network respect Do Not Track requests by the end of the year.

Firefox has the simplest mechanism, a checkbox providing the option to "tell websites I do not want to be tracked."

Microsoft boasts that "Internet Explorer was the first major browser to respond to the Federal Trade Commission’s call for a do-not-track mechanism," but Internet Explorer's Tracking Protection Lists require customization and are more complicated to use than the Firefox option. Microsoft said in a statement to Ars that it will provide a simpler Do Not Track browser signal as part of its agreement with the White House. Apple signaled its support of Do Not Track in Safari early in 2011.

Ultimately, the success of Do Not Track will depend on it gaining the kind of broad acceptance that P3P never acquired. The White House agreement with advertising companies is a good first step, because Do Not Track is basically unenforceable except when companies agree to follow it. "Today there is no obligation [to respect Do Not Track preferences] except in cases where companies made statements to that effect," Eckersley said.

The EFF hopes Do Not Track will be a platform both government and industry can build on. Now that the mechanism exists, Congress could theoretically write laws or policies requiring its use, Eckersley said. Even companies that don't plan to stop tracking users could come up with user privacy selections that are complementary to Do Not Track.

Facebook, Eckersley said, "is probably never going to comply with requests to not track people when they log into Facebook. It's contrary to the entire design of their website." Still, when Facebook receives a Do Not Track header, perhaps the site could notify users with a popup that says "when you come to Facebook.com, we do track you but here are some settings you might be interested in to control what data you're sharing with other people," Eckersley speculated.

Today's methods for ensuring privacy are so ineffective that many people have simply turned to blocking ads entirely, he noted.

"The problem is if the only way people can get privacy is by blocking all the ads, then we're in a bind," Eckersley said. "If we block all the ads we've pulled the rug out from under the business model that's funding so much of the Web. What we really want is a way to say 'yes I'd like my privacy, but i'm willing to look at ads as well.' That's the thing that's really missing right now."

View: Original Article