Home / Blogs

Do-Not-Track: Still Not a Great Idea

John Levine

Back in August, FTC chair Jon Leibowitz suggested an Internet do-not-track registry, analogous to the telephone do-not-call registry. At the time, I thought it wasn't a good idea for both technical and non-technical reasons. This week, the FTC published an online privacy report recommending the same thing, and Rep. Ed Markey promises to offer a bill next year to mandate do-not-track for children. With all this interest, might it be a good idea now? Maybe.

There's two fundamental reasons that do-not-track is not like do-not-call, identity and auditing. For do-not-call, your identity is your phone number. That works well because the set of numbers is fixed and they change slowly. On the Internet, there's no analogous identity for your browser. The closest thing is an IP address, but all the computers in a household typically share one IP, and in some areas (such as where I live) an entire neighborhood can share a small set of IPs. In August I concluded that the least bad approach was not to try to identify the browser, but to add a flag sent along with each HTTP web request saying that this is a do-not-track request. Looking at the trade press, as well as at the FTC's report, everyone else came to the same conclusion. That's technically straightforward in principle, although it will take a while for the Internet Engineering Task Force, which maintains the HTTP spec, to work out the details, in particular whether it's yes/no or more complex.

This brings us to the next problem with do-not-track — deciding what it means. (This area is treated well in the FTC report, although their recommentations aren't very satisfactory.) The kinds of tracking that happen on the Internet range from very benign to really creepy. At the benign end, if you've bought books from Amazon, when you return to the Amazon site, they'll suggest other books similar to what you've bought. That's relatively benign because it's all within one known organization (what the FTC calls first party marketing) and it's obvious what's going on. At the creepy end, ISPs can use deep packet inspection (DPI) to spy on the contents of all the web traffic to or from your home, figure out what sort of sites you are visiting, and sell that info to marketers. That's incredibly intrusive, since most people (perhaps unwisely) don't expect strangers to be tracking their browsing habits. So to be useful, a do-not-track needs some way to say that the benign stuff is OK, the creepy stuff is not, and perhaps have some way to tell it where you draw the line.

The other difference between do-not-call and do-not-track is auditing, telling whether companies are following the law. With do-not-call, it's pretty simple: if someone makes a sales call to my home phone on the do-not-call list, they've broken the law, unless they can show that they fall into one of a small set of exceptions. With do-not-track, you can't tell. Some tracking uses browser cookies, which are reasonably easy to check, but there's a lot of other harder to recognize techniques, with the worst being DPI which happens entirely at the ISP, invisible to the user. You can sort of guess based on the kinds of marketing shoved at you, but in practice you have to depend on the sites you visit and your ISP doing what you've asked them to, rarely something you can depend on.

I can't help but notice that this whole do-not-track argument is unique to the US. In Canada, the EU, Australia, New Zealand, and every other developed country, they have privacy laws that say that companies can't keep files of personal information without the explicit consent of the subjects. They don't need do-not-track, because tracking without permission is illegal. This flips the process around so that users can give tracking permission just to organizations if they want to. The US is painfully far behind in personal privacy, and although do-not-track is a band-aid, our overall lack of privacy protection is the real problem.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Internet Governance, Policy & Regulation, Privacy, Web

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

Mobile Web Intelligence Report: Bots and Crawlers May Represent up to 50% of Web Traffic

DeviceAtlas Brings Device Awareness to HAProxy

Dyn Weighs In On Whois

Season's Greetings - 2015 End of Year Message from DotConnectAfrica

Protect Your Privacy - Opt Out of Public DNS Data Collection

"The Market Has No Morality" Sophia Bekele Speaks on Business Ethics and Accountability

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Dyn Comments on ICG Proposal for IANA Transition

Verisign Named to the Online Trust Alliance's 2015 Honor Roll

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

DotConnectAfrica on "CONNECTing the Dots: Options for Future Action" at UNESCO, Paris

IBCA Presentation to ICANN GAC on Protection of Geographic Names in New gTLDs

Verisign Launches New Monthly Blog Series: Top 10 Keywords Registered in .COM and .NET

Standards and Browser Compatibility

Season's Greetings - 2014 End of Year Message from DotConnectAfrica

Domain Name .Africa Faces Hurdles - Q&A with Sophia Bekele

.nyc Goes Public to Brand the Big Apple

Afilias Director Wins ICANN's 2014 Leadership Award

Mobile Web Traffic: A Dive Into the Data

DotConnectAfrica Contributes at the 9th IGF in Istanbul, Turkey

Sponsored Topics



Sponsored by
Afilias - Mobile & Web Services


Sponsored by
Afilias - Mobile & Web Services


Sponsored by

DNS Security

Sponsored by