For nearly two years now, industry and advocates have been discussing how to implement "Do Not Track" -- a setting in browsers that would allow companies to serve ads while limiting the collection of personal information about users. This week, dozens of ad industry representatives, browser makers, and consumer advocates are gathering in Amsterdam during a World Wide Web Consortium (W3C) meeting to fine tune the details of how such a setting will work. However, in recent days, we have suddenly seen an all-out blitz of attacks on Do Not Track, both in Washington and Silicon Valley decrying Do Not Track as a disaster that would destroy the advertising-supported web.
This sudden onslaught of debate targeting the merits of Do Not Track is surprising, as the advertising industry already voluntarily agreed to deploy Do Not Track by the end of this year. At a White House event in February, the Digital Advertising Alliance -- the umbrella self-regulatory group consisting of the Interactive Advertising Bureau, Network Advertising Initiative, Better Business Bureau and others -- publicly committed to honor browser-based signals to control "online behavioral advertising... and all other collection and use of web viewing data" (emphasis in original).
Industry has honored requests to opt out of behavioral targeting for years -- but because those opt-outs were cookie-based (ad networks would place a cookie on your browser to indicate you'd opted out of behavioral advertising), they weren't very persistent. If you cleared your cookies, you cleared your opt-outs, too. We had all agreed that Do Not Track settings that were saved in the browser were supposed to solve this problem.
Enter a handful of House Republicans, who recently sent an incensed letter to the Federal Trade Commission over its involvement in the W3C effort to standardize the meaning of the Do Not Track header. In it, the members excoriate the FTC for its involvement in an "international organization" that might restrict online advertising without explicit Congressional approval. The letter even invokes the recently passed House Resolution 127, which declares that the U.S. should "promote a global Internet free from governmental control and advance the multistakeholder model that governs the Internet today."
When the House endorsed the existing multistakeholder Internet governance model, it should be noted that W3C was precisely what they were endorsing. W3C is a voluntary, collaborative body that companies (mostly) and advocates participate in to set non-legal standards for how the Web works. The alternative to institutions such as W3C is control by competing national governments, the United Nations, or the International Telecommunication Union -- governmental bodies that CDT, the Obama administration, and members from both Houses of Congress have urged not to exert regulatory authority over the internet. As such, it is a curious thing to cite fear of governmental involvement as a reason to back away from a consensus-based, multistakeholder approach such as W3C's Do Not Track working group.
Just as vexing, the letter also queries the FTC whether they've considered the antitrust issues that may be implicated by companies developing a Do Not Track standard in W3C. It is not clear what the implication of this question is supposed to be. If an open, multistakeholder standard development violates antitrust laws, so too would any collaborative self-regulatory effort -- even more so closed door agreements negotiated by industry associations such as the Network Advertising Initiative or Interactive Advertising Bureau. Is the message supposed to be that cooperative self-regulation is illegal? That the only way to rein in deviant behavior is through legislation and regulation? Are these members really arguing that industry shouldn't be negotiating a voluntary, consensus Do Not Track standard?
No Need for Controversy
It is, in fact, difficult to understand why Do Not Track is controversial. For years, many privacy advocates argued for an opt-in approach to behavioral marketing online, to no avail. So in 2007, CDT and a number of other privacy groups called on the FTC to develop a Do Not Track standard -- that if behavioral tracking wasn't going to be opt in, then consumers needed a one-time, straight-forward, across the industry way to opt-out of all behavioral tracking, rather than try to find every third party on the web and tell each not monitor you. Because if you believe in opt-out instead of opt-in, you at least need an opt-out mechanism that works.
It is possible that this uproar stems entirely from Microsoft's decision in June to aggressively steer its users to turn on Do Not Track during install (initially, it sounded like Microsoft would silently turn on Do Not Track for all users; since, they have decided to list Do Not Track as "on" in the "express settings" you are encouraged to choose as you set up your Windows device).
It remains an open question what industry or the W3C will do to respond to Microsoft's implementation. At the end of the day, advertisers might decide to ignore en masse headers from browsers like Microsoft's where they don't like the user interface. Of course, ignored browsers can respond in kind -- either blocking third-party cookies from companies that ignore their headers (indeed, Apple already prevents all third parties from setting cookies in Safari, Do Not Track or not), or even blocking the third parties from rendering ads at all. Sites then could the respond in turn by blocking users who block cookies or ads (as happens sometimes today for users who install Ad Block), thus pushing users to install work-arounds that forge (or exchange) cookie values or out of desperation pirate publishers' content entirely. The result would be turning the online ecosystem into an ever-escalating war between privacy interests and advertisers -- precisely the war that a negotiated Do Not Track setting was designed to avoid.
Rather than rush headlong into a privacy arms race, all stakeholders need to work together to develop a meaningful standard that allows valuable ad serving but stops the boundless collection of online web surfing behavior by a host of unknown companies. At the end of the day, privacy advocates will have to settle for something less than they would like in an ideal world. And advertisers must honor their commitment to comply with users' Do Not Track instructions.
Justin Brooksman, director of CDT's Consumer Privacy Project, co-wrote this piece, which first appeared on CDT's blog.