Home / Blogs

Do-Not-Track: Still Not a Great Idea

John Levine

Back in August, FTC chair Jon Leibowitz suggested an Internet do-not-track registry, analogous to the telephone do-not-call registry. At the time, I thought it wasn't a good idea for both technical and non-technical reasons. This week, the FTC published an online privacy report recommending the same thing, and Rep. Ed Markey promises to offer a bill next year to mandate do-not-track for children. With all this interest, might it be a good idea now? Maybe.

There's two fundamental reasons that do-not-track is not like do-not-call, identity and auditing. For do-not-call, your identity is your phone number. That works well because the set of numbers is fixed and they change slowly. On the Internet, there's no analogous identity for your browser. The closest thing is an IP address, but all the computers in a household typically share one IP, and in some areas (such as where I live) an entire neighborhood can share a small set of IPs. In August I concluded that the least bad approach was not to try to identify the browser, but to add a flag sent along with each HTTP web request saying that this is a do-not-track request. Looking at the trade press, as well as at the FTC's report, everyone else came to the same conclusion. That's technically straightforward in principle, although it will take a while for the Internet Engineering Task Force, which maintains the HTTP spec, to work out the details, in particular whether it's yes/no or more complex.

This brings us to the next problem with do-not-track — deciding what it means. (This area is treated well in the FTC report, although their recommentations aren't very satisfactory.) The kinds of tracking that happen on the Internet range from very benign to really creepy. At the benign end, if you've bought books from Amazon, when you return to the Amazon site, they'll suggest other books similar to what you've bought. That's relatively benign because it's all within one known organization (what the FTC calls first party marketing) and it's obvious what's going on. At the creepy end, ISPs can use deep packet inspection (DPI) to spy on the contents of all the web traffic to or from your home, figure out what sort of sites you are visiting, and sell that info to marketers. That's incredibly intrusive, since most people (perhaps unwisely) don't expect strangers to be tracking their browsing habits. So to be useful, a do-not-track needs some way to say that the benign stuff is OK, the creepy stuff is not, and perhaps have some way to tell it where you draw the line.

The other difference between do-not-call and do-not-track is auditing, telling whether companies are following the law. With do-not-call, it's pretty simple: if someone makes a sales call to my home phone on the do-not-call list, they've broken the law, unless they can show that they fall into one of a small set of exceptions. With do-not-track, you can't tell. Some tracking uses browser cookies, which are reasonably easy to check, but there's a lot of other harder to recognize techniques, with the worst being DPI which happens entirely at the ISP, invisible to the user. You can sort of guess based on the kinds of marketing shoved at you, but in practice you have to depend on the sites you visit and your ISP doing what you've asked them to, rarely something you can depend on.

I can't help but notice that this whole do-not-track argument is unique to the US. In Canada, the EU, Australia, New Zealand, and every other developed country, they have privacy laws that say that companies can't keep files of personal information without the explicit consent of the subjects. They don't need do-not-track, because tracking without permission is illegal. This flips the process around so that users can give tracking permission just to organizations if they want to. The US is painfully far behind in personal privacy, and although do-not-track is a band-aid, our overall lack of privacy protection is the real problem.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Internet Governance, Policy & Regulation, Privacy, Web


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper


Sponsored by Verisign

Mobile Internet

Sponsored by Afilias Mobile & Web Services

DNS Security

Sponsored by Afilias

IP Addressing

Sponsored by Avenue4 LLC

Promoted Posts

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Join Neustar's Town Hall Meeting and Help Shape the Future Of .US

Radix Announces Global Web Design Contest, F3.space

.TECH Gets Its Big Hollywood Break

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Major Media Websites Lose Audience Due to Slow Load Times on Mobile

Leading Internet Associations Strengthen Cooperation

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

DeviceAtlas' Deep Device Intelligence Now Addresses Native App Environment

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Michele Neylon Appointed Chair Elect of i2Coalition

2016 U.S. Election: An Internet Forecast

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Why .com is the Venture Capital Community's Power Player

Miss.Africa Announces 2016, Round II Seed Funding Tech Initiative for Women in Africa

Airpush Chooses DeviceAtlas to Provide Device Awareness to Mobile Ad Network

DeviceAtlas Releases Q2 2016 Mobile Web Intelligence Report, Apple Loses Browsing Market Share

Effective Strategies to Build Your Reseller Channel (Webinar)

Facilitating a Trusted Web Space for Financial Service Professionals

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

News.Markets: A Rising Star in the World of Financial Trading and New TLDs