"The level of anonymity that society expects-and companies claim to provide-in published databases is fundamentally unrealizable." (Dr. Arvind Narayanan)
Opinions about online privacy run the gamut, from Google CEO Eric Schmidt to those expressed by the Electronic Frontier Foundation. Hence my using Dr. Narayanan's (more from him later) quote, it exposes the problem.
FTC steps in
Last December, the federal government, specifically, the Federal Trade Commission (FTC) began asking about online privacy protection; specifically what it entails and how to enforce it.
"The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation, and consumer choice. We believe that's what most Americans want as well."
The report entertains two concepts that are important to consumers:
- The FTC suggests companies adopt a "privacy by design" policy. The policy should include appropriate security for consumer data, along with restrictions on collection and retention of that data.
- The FTC also suggests creating a persistent "Do Not Track" mechanism that allows consumers to choose whether they want their online activities to remain anonymous or not.
That seems like a good start. Privacy pundits are also glad to see the FTC grappling with whether the consent should be opt-in or opt-out:
"Commission staff recognizes that there are differing views as to what constitutes informed consent. Some roundtable participants recommended that the Commission mandate "opt-in" consent for data practices, while others advocated for "opt-out" consent."
The report adds the following stipulation:
"Staff has already stated that, regardless of how they are described, choices buried within long privacy policies and pre-checked boxes are not effective means of obtaining meaningful, informed consent."
Privacy advocates I talked to are heartened by the report. But, suggest it's an uphill battle.
Existing web browsers offer some protection. If enabled, web browsers will not retain tracking information in the form of cookies. The following links describe how three popular web browsers remove tracking cookies:
- Firefox and Private Browsing
- Internet Explorer and InPrivate Browsing
- Google Chrome and Incognito mode
In some good news, Microsoft announced that Internet Explorer 9 will have additional tracking protection built in. It's an improvement; but requires significant user input, which could make acceptance difficult.
Do Not Track software
"Whenever a web browser requests content or sends data using HTTP, the protocol that underlies the web, it can optionally include extra information, called a "header." Do Not Track simply adds a header indicating the user wishes to not be tracked."
It's fair to compare "Do Not Track" with the federal "Do Not Call" list. The researchers hasten to add that Do Not Track is simpler. It does not require a centralized database that needs constant updating.
The research team already developed an add-on for Firefox and is working on the Chrome edition. Internet Explorer and Safari at this moment do not support the software.
Interested about how Do Not Track fits in with the FTC report, I contacted Dr. Narayanan and asked him a few questions:TechRepublic: The FTC report must provide encouragement and a certain amount of vindication. Is there anything in the report that we should pay special attention to? Dr. Narayanan: We are happy to see the FTC take an active role in this issue. The report asks questions and requests comments rather than making prescriptions, which we think is the right approach at this point. TechRepublic: Will your approach work without any government regulation? If not, what will be required to facilitate Do Not Track? Dr. Narayanan: It is possible for Do Not Track to work without government regulation -- advertising networks and other entities engaged in tracking will need to respect the Do Not Track HTTP header, which is the browser signal that communicates the user's intent to opt out of tracking.
However, there are two hurdles. First, it remains to be seen whether ad networks will admit that the opt-out cookie approach is not working. Second, for Do Not Track to be effective, there need to be uniform standards defining who is a third party, what constitutes tracking, etc.
Further, these definitions must roughly match consumer expectations. Regulation is one way of ensuring this; without regulation, there needs to be some process by which not only the ad industry but all stakeholders can agree on these standards. This will be challenging to say the least.TechRepublic: I read that you are working on software for web servers that will handshake with the client "Do Not Track" software. Have you approached any web developers with your work? If so what has been the response? Dr. Narayanan: Our server-side code consists of configurations and templates for existing web servers and development platforms, and as such does not require fundamental modifications to server-side software. For that reason we have not approached web application developers. TechRepublic: What are your plans for getting Do Not Track to the mainstream user? Dr. Narayanan: Getting browser vendors to incorporate Do Not Track functionality is part of our vision; the response from browser vendors so far has been encouraging. We also intend to engage with mobile platform vendors and continue our discussions with ad industry groups.
In my research for this article, I was surprised at the diversity of opinion about online tracking and privacy. Let me know your thoughts about online tracking.
Two more bits. Thank you Dr. Narayanan for your insightful comments. Next, the FTC is currently soliciting public comment on their report. If you feel strongly about this, now is the time to make your opinion count.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.