Do-Not-Track: Still Not a Great Idea

John Levine

Back in August, FTC chair Jon Leibowitz suggested an Internet do-not-track registry, analogous to the telephone do-not-call registry. At the time, I thought it wasn't a good idea for both technical and non-technical reasons. This week, the FTC published an online privacy report recommending the same thing, and Rep. Ed Markey promises to offer a bill next year to mandate do-not-track for children. With all this interest, might it be a good idea now? Maybe.

There are two fundamental reasons that do-not-track is not like do-not-call: identity and auditing. For do-not-call, your identity is your phone number. That works well because the set of numbers is fixed and they change slowly. On the Internet, there's no analogous identity for your browser. The closest thing is an IP address, but all the computers in a household typically share one IP, and in some areas (such as where I live) an entire neighborhood can share a small set of IPs. In August I concluded that the least bad approach was not to try to identify the browser, but to add a flag sent along with each HTTP web request saying that this is a do-not-track request. Looking at the trade press, as well as at the FTC's report, everyone else came to the same conclusion. That's technically straightforward in principle, although it will take a while for the Internet Engineering Task Force, which maintains the HTTP spec, to work out the details, in particular whether it's yes/no or more complex.

This brings us to the next problem with do-not-track — deciding what it means. (This area is treated well in the FTC report, although their recommendations aren't very satisfactory.) The kinds of tracking that happen on the Internet range from very benign to really creepy. At the benign end, if you've bought books from Amazon, when you return to the Amazon site, they'll suggest other books similar to what you've bought. That's relatively benign because it's all within one known organization (what the FTC calls first party marketing) and it's obvious what's going on. At the creepy end, ISPs can use deep packet inspection (DPI) to spy on the contents of all the web traffic to or from your home, figure out what sort of sites you are visiting, and sell that info to marketers. That's incredibly intrusive, since most people (perhaps unwisely) don't expect strangers to be tracking their browsing habits. So to be useful, a do-not-track needs some way to say that the benign stuff is OK, the creepy stuff is not, and perhaps have some way to tell it where you draw the line.

The other difference between do-not-call and do-not-track is auditing: telling whether companies are following the law. With do-not-call, it's pretty simple: if someone makes a sales call to my home phone on the do-not-call list, they've broken the law, unless they can show that they fall into one of a small set of exceptions. With do-not-track, you can't tell. Some tracking uses browser cookies, which are reasonably easy to check, but there are a lot of other harder-to-recognize techniques, with the worst being DPI, which happens entirely at the ISP, invisible to the user. You can sort of guess based on the kinds of marketing shoved at you, but in practice you have to depend on the sites you visit and your ISP doing what you've asked them to, rarely something you can depend on.

I can't help but notice that this whole do-not-track argument is unique to the US. In Canada, the EU, Australia, New Zealand, and every other developed country, they have privacy laws that say that companies can't keep files of personal information without the explicit consent of the subjects. They don't need do-not-track, because tracking without permission is illegal. This flips the process around so that users can give tracking permission just to organizations if they want to. The US is painfully far behind in personal privacy, and although do-not-track is a band-aid, our overall lack of privacy protection is the real problem.

By John Levine, Author, Consultant & Speaker.
