A deeper dive into Do-Not-Track

FTC technologist Ed Felten on how a "Do-Not-Track" tool might work.

The FTC has released a new online privacy report that could reshape advertising, media and business on the Internet. A key element of the report is the FTC endorsement of a “Do-Not-Track” mechanism for web browsers.

Yesterday, the Federal Trade Commission’s new technologist, Princeton University computer scientist Ed Felten, talked about the basic idea for Do-Not-Track in a call with the media. Unedited audio of that call is embedded above, featuring extensive remarks from chairman Jon Leibowitz, Jessica Rich, deputy director of the Bureau of Consumer Protection, and Felten.

When reached for further comment after the call, Felten elaborated on what Do-Not-Track might look like:

The basic idea of Do Not Track, as discussed in the report, is to have an opt-out mechanism for tracking.  The consumer would express their desire to opt out, and this choice would be recorded in the browser or on the device.  When the browser or device connected to a site (assuming the user had opted out of tracking), the site would be notified that the user had opted out. The site would see the notification and refrain from tracking. The report does not advocate a centralized Do Not Track list or registry. That is a different approach that raises concerns that are discussed in the report.

The idea of Do-Not-Track has been explored in several places online, including at DoNotTrack.us. Today, online privacy hearings on “Do-Not-Track” legislation in the United States House of Representatives are exploring the feasibility of a technical mechanism for opting out of Internet tracking. As open government technologist Harlan Yu explained in August, however, Do-Not-Track is not as easy as it sounds:

The underlying difficulty in designing a simple Do Not Track mechanism is the subjective nature of privacy. What one user considers harmful tracking might be completely reasonable to another. Privacy isn’t a single binary choice but rather a series of individually-considered decisions that each depend on who the tracking party is, how much information can be combined and what the user gets in return for being tracked. This makes the general concept of online Do Not Track — or any blanket opt-out regime — a fairly awkward fit. Users need simplicity, but whether simple controls can adequately capture the nuances of individual privacy preferences is an open question.
Another open question is whether browser vendors can eventually “win” the technical arms race against tracking technologies. If so, regulations might not be necessary, as innovative browsers could fully insulate users from unwanted tracking. While tracking technologies are currently winning this race, I wouldn’t call it a foregone conclusion.

The FTC’s online privacy plan will continue to receive attention over the next two months. As Erica Newland wrote at the Center for Democracy and Technology, “Do-Not-Track solves only part of the problem.” For more views on the issue, consult the debate on a Do Not Call registry at the New York Times.

The FTC is actively seeking comments on the report, so if Radar readers have wish to comment on the online privacy report, do so.

Beyond the Do-Not-Track issue, I posed three questions to the FTC on the call yesterday. The FTC’s answers follow below.

What guidance do you offer with regards to a standard for “baking privacy in” for startups?

Chairman Leibowitz acknowledged that new startups “are innovators in our economy” and said that the FTC spends a “fair bit of time talking to them” and that they participated in the online privacy workshops. He pointed out that one of the FTC privacy workshops out in Berkeley, which he said was in part because the FTC wanted to make it easier to reach out to the startup community in the Valley. How should they be thinking about online privacy?

It’s really in our report. Bake privacy protections into operations, make sure choices can be presented to consumers in a simple, more streamlined way, and try to improve transparency. And companies have been working on this. Some companies are doing pretty good jobs on some of this, and some are doing good jobs on all of this, and I like to think that the innovator community in Silicon Valley, they’re the ones that should be the leaders here.

Rich asserted that baking privacy in is “particularly good for small businesses.”

When you’re designed systems, and put it in right at the outset, you’re in much better shape than adding it later. Behavioral advertising, when we came in and started calling on companies to add privacy to their business models, they were saying “privacy is very costly, and privacy is not in our business models, and you’re changing our business models.” The idea of baking it in from the start is actually very good for small businesses.

The online privacy report calls for comment on how to bake in privacy, especially with respect to how this issue affects small businesses and startups, said Felten. When reached for further comment, Felten elaborated: 

This is a topic on which the report calls from comments. Some things are unchanged: companies that handle large amounts of sensitive consumer data, whether or not they are startups, have basic responsibilities to protect that data and to handle it responsibly.  Startups are in a good position to “bake in” privacy, compared to bigger, more established companies, because they are not constrained as much by past design decisions.  As with security, it is easier to design-in privacy in advance than to retrofit it later.

What problem needs to be solved with Adobe and Flash?

Felten:

With respect to Flash, the issues have to do with the uses for tracking, so-called Flash cookies for example, and the fact that today, when you use the cookie controls in your browser, they don’t directly affect the treatment of Flash local storage objects or cookies.There’s some other issues with Flash that I could suppose we could address at another time.

That statement was limited, although the chairman observed that “we could tweet on it” later in the first FTC Twitter chat.

When reached for further comment, Felten simply observed that “at present, browser privacy controls do not offer the level of control over Flash cookies that they offer for ordinary HTTP cookies.”   

Does Google Chrome’s “Incognito mode” satisfy what Do-Not-Track is meant to achieve?

“I guess I would say this about Incognito,” said the chairman. “We think that’s a good innovation. What we’re looking for is a bit more ubiquity.”

“Incognito mode allows the user to create a temporary period that is not linkable at all, ideally, to what they do otherwise,” said Felten on the call. “Although that is useful for consumers in some settings, in a lot of other settings what consumers are going to want is to be able to establish a session say, with a website that they use over time while also having some control over things like tracking. Incognito mode is useful but doesn’t provide exactly that.”

Reached for further comment, Felten elaborated:

Incognito mode in Chrome and similar modes in other browsers offer some useful protection, but they do not achieve the goals of a Do Not Track mechanism.  These modes try to give the user a way to disconnect their browsing temporarily from everything they have done before or will do after they are in the private mode. This is often helpful, but users also want a way to prevent unwanted tracking by third parties, while retaining some state in the browser, such as login cookies obtained in a first-party setting.

Related:

tags: , ,