Browser

Do Not Track functionality: How it works

Internet privacy is very much in the news. Everything from new technology to government regulation is being promoted. What does that mean to us?

"The level of anonymity that society expects-and companies claim to provide-in published databases is fundamentally unrealizable." (Dr. Arvind Narayanan)

Opinions about online privacy run the gamut, from Google CEO Eric Schmidt to those expressed by the Electronic Frontier Foundation. Hence my using Dr. Narayanan's (more from him later) quote, it exposes the problem.

FTC steps in

Last December, the federal government, specifically, the Federal Trade Commission (FTC) began asking about online privacy protection; specifically what it entails and how to enforce it.

This December, the FTC presented their initial findings in a preliminary staff report (pdf). FTC chairperson Jon Leibowitz gives this overview:

"The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation, and consumer choice. We believe that's what most Americans want as well."

The report entertains two concepts that are important to consumers:

  • The FTC suggests companies adopt a "privacy by design" policy. The policy should include appropriate security for consumer data, along with restrictions on collection and retention of that data.
  • The FTC also suggests creating a persistent "Do Not Track" mechanism that allows consumers to choose whether they want their online activities to remain anonymous or not.

That seems like a good start. Privacy pundits are also glad to see the FTC grappling with whether the consent should be opt-in or opt-out:

"Commission staff recognizes that there are differing views as to what constitutes informed consent. Some roundtable participants recommended that the Commission mandate "opt-in" consent for data practices, while others advocated for "opt-out" consent."

The report adds the following stipulation:

"Staff has already stated that, regardless of how they are described, choices buried within long privacy policies and pre-checked boxes are not effective means of obtaining meaningful, informed consent."

Privacy advocates I talked to are heartened by the report. But, suggest it's an uphill battle.

Current options

Existing web browsers offer some protection. If enabled, web browsers will not retain tracking information in the form of cookies. The following links describe how three popular web browsers remove tracking cookies:

In some good news, Microsoft announced that Internet Explorer 9 will have additional tracking protection built in. It's an improvement; but requires significant user input, which could make acceptance difficult.

Do Not Track software

Researchers Jonathan Mayer and Arvind Narayanan have come up with a simple solution for the no-tracking issue. The researchers' web site describes how it works:

"Whenever a web browser requests content or sends data using HTTP, the protocol that underlies the web, it can optionally include extra information, called a "header." Do Not Track simply adds a header indicating the user wishes to not be tracked."

It's fair to compare "Do Not Track" with the federal "Do Not Call" list. The researchers hasten to add that Do Not Track is simpler. It does not require a centralized database that needs constant updating.

The research team already developed an add-on for Firefox and is working on the Chrome edition. Internet Explorer and Safari at this moment do not support the software.

Interested about how Do Not Track fits in with the FTC report, I contacted Dr. Narayanan and asked him a few questions:

TechRepublic: The FTC report must provide encouragement and a certain amount of vindication. Is there anything in the report that we should pay special attention to? Dr. Narayanan: We are happy to see the FTC take an active role in this issue. The report asks questions and requests comments rather than making prescriptions, which we think is the right approach at this point. TechRepublic: Will your approach work without any government regulation? If not, what will be required to facilitate Do Not Track? Dr. Narayanan: It is possible for Do Not Track to work without government regulation -- advertising networks and other entities engaged in tracking will need to respect the Do Not Track HTTP header, which is the browser signal that communicates the user's intent to opt out of tracking.

However, there are two hurdles. First, it remains to be seen whether ad networks will admit that the opt-out cookie approach is not working. Second, for Do Not Track to be effective, there need to be uniform standards defining who is a third party, what constitutes tracking, etc.

Further, these definitions must roughly match consumer expectations. Regulation is one way of ensuring this; without regulation, there needs to be some process by which not only the ad industry but all stakeholders can agree on these standards. This will be challenging to say the least.

TechRepublic: I read that you are working on software for web servers that will handshake with the client "Do Not Track" software. Have you approached any web developers with your work? If so what has been the response? Dr. Narayanan: Our server-side code consists of configurations and templates for existing web servers and development platforms, and as such does not require fundamental modifications to server-side software. For that reason we have not approached web application developers. TechRepublic: What are your plans for getting Do Not Track to the mainstream user? Dr. Narayanan: Getting browser vendors to incorporate Do Not Track functionality is part of our vision; the response from browser vendors so far has been encouraging. We also intend to engage with mobile platform vendors and continue our discussions with ad industry groups.

Final thoughts

In my research for this article, I was surprised at the diversity of opinion about online tracking and privacy. Let me know your thoughts about online tracking.

Two more bits. Thank you Dr. Narayanan for your insightful comments. Next, the FTC is currently soliciting public comment on their report. If you feel strongly about this, now is the time to make your opinion count.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

32 comments
Poordirtfarmer
Poordirtfarmer

I bristle to see a proposed solution that compares to the do-not-call list. I oped-in for the do-not-call and the solicitation calls keep coming in. There is plenty of abuse of existing relationships ?such as banks / credit card outfits asking about present service then barging on about some new offering feature or whatever. Charity call are a nuisance too, but most of the solicitations I get are truly third-party calls - outfits I?ve never heard of who can hardly speak the language and certainly can?t pronounce my name. When challenged on why they?re calling, the challenge is either ignored or the response is something nebulous. There needs to be true enforcement. And the penalties need to be severe. I?d suggest $10,000 and one year in prison for both the caller and the company owner or CEO per each and every phone call. Internet protection should merit even more severe penalties because the risk to the consumer is higher.

tmcclure
tmcclure

I just as well not have the FTC involved at all. I really don't want or trust their help.

dogknees
dogknees

If it relies on the site/server to comply, how are we going to enforce it on ALL servers out there? I'm thinking pirate sites, porn sites, ... ie The ones people really don't want to be tracked at!

revlarry
revlarry

As much as I like the idea (and I am a privacy nut to the extent that my own anxiety levels can stand it), it should be noted that cats are seldom coaxed back into bags from which they've been released.

ByteBin-20472379147970077837000261110898
ByteBin-20472379147970077837000261110898

What about those in areas/jurisdictions where their activities, while it should be their legal right as sentient beings to conduct (as they are not hurting anyone or themselves, and are expressing maybe just opinions) are tracked by governments or high-power organizations bent on doing them in over what they believe or their opinions? How do you keep a government out of your private life and still protect your right to express your opinion? What about those who get fired over their opinions? Personally, I'm an American working for a very wonderful employer, so I'm pretty free to do whatever the hell I want. But, what about those who are restricted, threatened, etc.? How would this protect them? I agree it's a great first step. But, I hope it doesn't stop there. I also hope it goes global.

Craig_B
Craig_B

This sounds ike a good idea, it's simple and could work. The default should be Do Not Track and should I wish to allow tracking I could opt-in. A problem though is this sounds like a global option, that is if I wished to allow TechRepublic to track but didn't want Google to track could this be configured that way? Another problem even with all this, it still becomes a matter of trust. Some party could simply ignore your wishes and it may be hard thing to validate. If only people would treat others how they wish to be treated.

Spitfire_Sysop
Spitfire_Sysop

to allow backwards compatibility with browsers that do not support the new "do not track" flag. It would need to default to "do not track". Otherwise they could call it an "opt-out" yet people with old browsers have no choice at all.

jfuller05
jfuller05

works without Government intervention. I can see it working without the Government because privacy is a crucial issue to the standard user, businesses, and everyone in between. Maybe it's blind naivety, but I think there will be a third-party standard committee enforcing Do Not Track.

bboyd
bboyd

Until they (The Government) make it painful to sell private data it won't make any meaningful affect. Since ignoring the header will be the first step and the real offenders are the ones linking it all to our credit cards. We will only use the data internally or with our "Partners"...really honestly for true. Not seeing the likely hood of all those web trendies giving up their billions.

Michael Kassner
Michael Kassner

I am. Learn what is being done to preserve our privacy.

seanferd
seanferd

I have to say that this is another area in which you excel. Edit: I had to go here http://noscript.net/getit to get 2.0.9.1. If you choose to install from the main page, 2.0.8.1 is downloaded. (And the extension isn't auto-updating via the browser.)

four49
four49

Legislative solutions to technical problems rarely end well. How many legislators even understand the difference between HTTP and FTP? Some struggle to identify an email address vs. a URL. These boneheads do not need to be passing legislation affecting the internet (which is largely unregulateable anyway).

Michael Kassner
Michael Kassner

I would like to learn why you feel that way? Is it a government thing or just the FTC?

Michael Kassner
Michael Kassner

It will also require an international buying-in as well. I liken it to one of the layers of protection. I think the researchers were mainly concerned about advertisers and entities that are using behavioral targeting.

Michael Kassner
Michael Kassner

Thanks for the memory jog. It is so true and relevant to this discussion.

Michael Kassner
Michael Kassner

It essentially will have to to be accepted internationally. If not, there will always be concern about being tracked. The flip side is that any web-browser application used to protect the user will never be current, so doubt will creep in that way as well.

Michael Kassner
Michael Kassner

I asked the researchers about this and they are working on developing a listing method.

Michael Kassner
Michael Kassner

Right now targeted ads are opt-out and privacy pundits are totally against that.

Michael Kassner
Michael Kassner

The Doctor also does. It will require buy in by all concerned parties to make it work. But, the ball is now rolling. Did you leave a comment at the FTC site?

Orodreth
Orodreth

So, am I. I think the simplistic concept of adding HTTP code for "x-Do Not Track" is a start. #1 IMHO, it would be best if the "x-Do Not Track" HTTP could enable "In Private Browsing" option in the browsers when the "x-Do Not Track" is not accepted by a site. #2 I'm not sure how to circumvent cookies allow access to a website's service, as when a cookie or more are needed to enable Flash Videos.

Orodreth
Orodreth

Thank you for the link. Microsoft has already experimented with finding alternatives to "x-Do Not Track". Increasingly something more substantial is needed if there is going to be privacy on the public Internet. TOR is good enough for most people but it's clumbersome and slow. May be the right solution is to mandate strict international rules on the collection and dissemination of personal information. Such as forbidding browsing patterns from being identified to a person, home, business, etc. Or jail and penalties for sharing electronic personal records without the opt-in of subject or person. To prevent cottage industries from cyber sleuthing.

Michael Kassner
Michael Kassner

That is an interesting concept. Could you explain your second point? I am not sure what you are saying.

Michael Kassner
Michael Kassner

Have you checked out Witopia? It's like ToR, but much faster. I am a big fan of it. I also had better mention that I have no relationship with the company.

Michael Kassner
Michael Kassner

I disallow all third party cookies and use Google Apps. I will have to look into that. What is interesting is that The research team is working with AdBlock Plus. It seems they may be incorporated. Which would be cool.

Orodreth
Orodreth

Thank you. #2 point is that there's double digit the number of cookies posted from a single visit to a popular site, from 3rd parties like Facebook. IMHO, it is these cookies that circumvent the intent of the "x-Do Not Track". At least in FireFox I can set "Do not Allow" 3rd party cookies but sometimes those cookies are needed to enable an application. I think an example would be googleapps (or something named like that) which is required to complete a web page display. There's other cookies for *.net (like revicsi.net), *.com that seem to be network streams or backbones but who knows what they are? More importantly why are their cookies required and what are they tracking? That's why IMHO, "x-Do Not Track" is a good simple start better used by the browser developers to force security compliance on web page developers.

Editor's Picks