Thoughts on the Do Not Track Workshop

By Chris Hoofnagle

Posted on April 15, 2011

The W3C is holding a workshop at the end of April on Web Tracking and User Privacy, led by Lorrie Cranor and Thomas Roessler. This event could start to build consensus on the meaning of "track" in the do not track debate. The papers are in, and one can start seeing areas of consensus and controversy.

General thoughts--

Overall, few papers discuss the idea that the privacy problems of online behavioral advertising are tethered to existing business models--models that emerged from technical/legal design--not to targeted advertising itself (notable exceptions: Jonathan Mayer and Hamlin/Hodder). There have been models proposed, such as AdNostic, for privacy-preserving targeted advertising. Thus, this debate is really about business models. Implicitly, we could make different choices about design (see Craig Wills' paper) to shape the ability to collect information about users. The current incentive structure has produced hundreds of companies all struggling to listen in on the conversation between the consumer and a website. Because their business models are inherently about eavesdropping, they argue 1) a variation of "no privacy harm," and/or 2) that the revenue gains of tracking outweigh the privacy interests involved. I hope that at the workshop we can discuss whether a different incentive structure could produce business models with less conflict between targeting and privacy.

Some of the papers engage in sophomoric question begging (especially around "free" exchange for content) and typical Washington-style false dilemma arguments (either you have no limits on tracking or privacy kills the internet). I hope that at the workshop we can dispose of this noise quickly and discuss third-way approaches, such as limits on retention of data, or Ashkan Soltani's proposal for "do not identify." William McGeveran's paper seems to get this right--he wishes to explore lighter-touch policy interventions that could nudge businesses towards respecting consumer privacy.

Promoting "transparency" is a recurring theme, but if you think about it for a minute, do consumers really want "transparent notification" about hundreds of companies that they have no relationship with? Do we really think that they are going to spend their time clicking on icons in the corner of ads?

Perhaps this reflects my provenance, but the important papers seem to come from technologists concerned about actual implementation of do not track. Lorrie Cranor explores whether it can be implemented in such a way that users can understand and activate it. Morris and Cooper work through the logic of technical approaches, mindful of objections concerning under-inclusiveness and consumer confusion. Grossklags goes beyond the industry papers that invoke transparency and thinks about what ends transparency will serve. Lowenthal argues that there should be a tussle between web browsers and trackers, with browsers taking up a strong, pro-privacy posture by default. Toubiana and Nissenbaum argue that mechanisms should exist to prevent tracking in a subject-by-subject manner, an approach that the self-regulatory groups agree with in theory, but in implementation have made illusory. Soghoian deconstructs the security exceptions to tracking, noting that assuming away the legitimacy of security justifications is unjustified because some security goals could be accomplished without tracking.

Finally, I hope that we discuss the application of do not track to Facebook. Facebook's Like button and its single sign-on service are likely not to be covered by definitions of "track," yet Facebook presents the biggest tracking risk to consumers online.

Interesting aspects of specific papers--


Adobe's paper discusses the idea that do not track should be guided by consumers' "reasonable expectations." Of course, we do know something about that--Aleecia McDonald's paper presenting preliminary results finds that "a majority of users expect Do Not Track to eliminate all data collection." Adobe, however, seems to get out of this predicament by stating, "Any 'fix' requires a clear articulation of the harm to be addressed and a solution narrowly tailored to address that harm. Simple solutions that prohibit all collection of data fail both prongs of this test." Aha! So, the answer could be that consumers expect no tracking, but that expectation is unreasonable... Adobe's position on this could reflect its acquisition of Omniture.

Adobe does make a rather troubling point--"Local storage used by Flash Player (sometimes referred to as Flash Cookies) may be used to track users in place of cookies." The word choice here, "may," suggests that this is permissible, but as my Flash Cookies paper points out, Flash is a tracking vector that limits consumer choice and is even used to undo consumer choices. I hope that Adobe just chose the wrong word, and hope that the industry recognizes that it shouldn't use such technologies for tracking because of the negative effect on consumer choice.


Apple discusses the need to "minimize [consumer] surprise." I'd like to know whether this means actually protecting privacy or simply getting users used to privacy invasions so that they are no longer surprised.

Also interesting: "The member submission also has a proposal for an exclusion list. I have doubts about the efficacy of this, if it were widely deployed. Sites whose business model depends on their users seeing advertisements, for example, would probably object if it became commonly easy to view the site with the advertisements missing. Since the technique is, in a sense, ‘hostile’, they may feel no compunction in taking counter-measures; rapid cycling of their DNS registrations, for example. This technique looks likely to lead to an arms race, and in arms races, there are usually no winners."


Proposes a tiering system so that users with a do not track header can be segmented into "free" and premium portions of websites.


Evidon's submission begins with a discussion of the telemarketing do not call registry, recognizing that telemarketing is "categorically invasive." This is interesting in light of how our attitudes towards telemarketing have changed. During the telemarketing debate, industry was making the same arguments as OBA companies do today--that one's privacy wasn't really invaded by telemarketing and even if it was, the invasion was justified by the benefit of telemarketing. Only the acronyms have changed from DMA and ATA to IAB and NAI! (Interesting postscript: the DMA now claims that telemarketers make even more money now than they did before do not call!)

Evidon goes on to explain that do not call is different from do not track, and rightly so. But then it uses a different false metaphor--the "friendly shopkeeper." You don't find it creepy when the shopkeeper remembers your name, thus online advertising shouldn't be considered creepy either. Of course, online behavioral advertising is like the shopkeeper that stands a bit too close to you in the store and pays a little too much attention to you and follows you to the next store in the mall and after that and won't go away even when you ask him to and then buys information about you from others. If the shopkeeper was trying to kiss you, it would be stalking, but since he's trying to sell you something, it's obviously not creepy at all.

Update: I missed the fact that Evidon stated that the online shopkeeper is creepy--unless there is transparency about the data collected. However, I think my critique holds. Evidon's submission shows why transparency isn't really about privacy (in the sense of reducing collection of information)--it's about eliminating surprise and regulatory intervention.


Hailing from London, Manhattan, Mountain View, Munich, and Washington, Google tells us that collection of information has social utility. Without needing to shift upon their laurels, they conclude that transparency about this utility and choice is important. Of course, Google has real data that could quantify this social utility and help policymakers make informed decisions about issues such as retention of data. As Abine put it in their paper, "It seems ironic in an industry full of measurement and tracking, the discussion on curtailing these includes so little relevant data."

Google is really behind its competitors on the do not track issue and they seem to still not have their act together.