If you choose not to decide, your web browser will make your choice

By Lorrie Faith Cranor

Posted on June 3, 2012


Increasingly, online advertising companies are tracking users' Internet activities so that they can show users targeted ads that they are likely to be interested in. Social networks and other websites also track users across the web to build rich profiles of user interests. Many users find this tracking creepy and would like to turn it off. The World Wide Web Consortium is working on a standard called Do Not Track (DNT) that is designed to allow users to signal to web sites that they don't want to be tracked.

If you don't know enough about online trackers, DNT, or configuring your web browser to make a choice about DNT, your web browser will decide for you. If your web browser is Mozilla Firefox and you live in the United States, the choice will effectively be to keep tracking turned on, and you will see ads selected for you based on your past browsing history -- perhaps skimpy underwear or adult diapers, depending on what your browsing history says about you. If your web browser is Microsoft IE 10, the choice will be to turn off tracking (by some definition of tracking still to be announced), your privacy will be somewhat better protected, and you will continue to receive non-targeted ads for products that promise to help you lose belly fat. The ad industry, not surprisingly, is upset about Microsoft's decision to make no-tracking the default. And Mozilla is also critical of Microsoft's decision, saying the choice should be up to users. But as things stand now in the United States, a non-choice will almost certainly be interpreted as choosing to be tracked. That's why Microsoft's decision to turn DNT on by default is so important, and also why it is viewed as disruptive by the online advertising industry.

Microsoft has a long history of adding privacy features to their Internet Explorer web browser that force online advertising companies and others who have built business models around tracking users across the web to take privacy a bit more seriously. In 2002, when Microsoft introduced the W3C's Platform for Privacy Preferences (P3P) standard into the IE6 web browser with a default setting that blocked third-party cookies that were not P3P-compliant, it pushed network advertising companies to adopt P3P quickly and to make opt-outs available. At the time, even some of the largest ad companies hailed this as an important step to ensure that P3P would not be doomed to fail due to lack of incentives for adoption. Indeed, this move by Microsoft arguably provided more of an incentive for P3P adoption than any other factor. However, P3P was still doomed to fail. Eventually it became clear that IE's cookie blocking could be circumvented easily, apparently without triggering any sort of enforcement action from regulators. In 2010 when Microsoft announced the addition of "tracking protection lists" in IE9, the announcement was greeted less warmly by the advertising industry. However, the industry did not have much to fear as the feature was turned off by default and had a somewhat confusing user interface. Last week's announcement by Microsoft that DNT will be turned on by default in the IE 10 web browser has provoked a quick and strong negative reaction from the online advertising industry, as well as from some of the strongest proponents of Do Not Track.

The ad industry response to Microsoft's announcement is consistent with ad industry views on DNT from the beginning. The Digital Advertising Alliance (DAA) devoted a lot of effort to developing a set of self-regulatory principles for online behavioral advertising. The industry has called for, among other things, the use of an Advertising Option icon to notify consumers about behavioral ads, as well as providing consumers with the ability to opt out of being targeted for behavioral advertising (trackers can still collect users' data; they just can't use it to target ads). As far as the industry is concerned, their AdChoices program satisfies their commitment to self-regulate. However, when interest in DNT started to increase in 2010, it became clear that the Federal Trade Commission was looking for an industry solution that included DNT. Reluctantly, the ad industry joined the Do Not Track effort in 2011 and has been attempting to steer the effort into something fairly similar to what they are already doing in their AdChoices program. In February they announced their commitment "to add browser-based header signals to the set of tools by which consumers can express their preferences under the DAA Principles." In other words: we will support Do Not Track as long as the definition of not tracking is the same as the definition in the DAA Principles. The industry has been pushing to get their definition of tracking adopted in the W3C standard, as well as to make sure the standard does not result in users being opted out of tracking by default.

The ad industry isn't alone in pushing for a standard that does not have opt-out turned on by default. Mozilla, an organization that describes itself as "a proudly non-profit organization dedicated to keeping the power of the Web in people's hands," has been a strong advocate for Do Not Track, as well as an early adopter. But Mozilla has been insisting for a long time that they won't enable Do Not Track by default because "it's important that the signal represents a choice made by the person behind the keyboard and not the software maker." Mozilla has insisted repeatedly that Do Not Track is about representing "the user's voice":

When DNT is off, it doesn't mean "please track me", it means that the user hasn't told the browser their choice yet. (Mozilla Privacy Blog, Nov. 15, 2011)

W3C's latest draft of the Do Not Track standard emphasizes this as well:

Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control. (Tracking Preference Expression, W3C Editor's Draft, 29 May 2012, Section 3)

The W3C draft introduces a DNT variable that can be in three states: 0, 1, or not set at all. Mozilla's Chief Privacy Officer explains that these states mean:

  • User says they accept tracking
  • User says they reject tracking
  • User hasn't chosen anything

At first this seems like a really elegant solution that allows browser vendors to offer choices to users without having to set any defaults, thus avoiding making a value judgement of their own. But this is a naive view. This solution merely kicks the can down the street and lets the tracking companies decide what to do about users who don't send them a signal (unless they are in a country where regulators have told them what they have to do). In the United States, where there are no regulations that would require them to do anything else, it is pretty clear that the ad industry will treat users who haven't made a DNT choice the same way as they will treat users who explicitly say they accept tracking.
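The point about the unset state can be seen from the receiving side. The following is an added example, not code from this post or from the W3C draft: a server that reads the DNT request header still has to pick a behavior for requests that carry no signal. The names `parse_dnt`, `may_track` and `track_when_unset`, the sample requests, and the treatment of malformed values as "not set" are assumptions made for illustration.

```python
from enum import Enum

class Preference(Enum):
    ACCEPTS_TRACKING = "0"   # header "DNT: 0"
    REJECTS_TRACKING = "1"   # header "DNT: 1"
    NOT_SET = None           # no usable DNT header

def parse_dnt(raw_head: str) -> Preference:
    """Extract the DNT preference from a raw HTTP request head."""
    values = []
    for line in raw_head.split("\r\n")[1:]:        # skip the request line
        if not line:                               # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "dnt":  # header names are case-insensitive
            values.append(value.strip())
    # Assumption: conflicting or unrecognised values are treated as "not set".
    if len(set(values)) != 1 or values[0] not in ("0", "1"):
        return Preference.NOT_SET
    return Preference(values[0])

def may_track(pref: Preference, track_when_unset: bool) -> bool:
    """The receiver's decision; track_when_unset is the receiver's own default."""
    if pref is Preference.NOT_SET:
        return track_when_unset
    return pref is Preference.ACCEPTS_TRACKING

def tracked_count(heads, track_when_unset: bool) -> int:
    """Number of requests the receiver would track under its chosen default."""
    return sum(may_track(parse_dnt(h), track_when_unset) for h in heads)

# Constructed sample requests (not captured traffic).
SAMPLE_HEADS = [
    "GET /ad.js HTTP/1.1\r\nHost: ads.example\r\nDNT: 1\r\n\r\n",
    "GET /ad.js HTTP/1.1\r\nHost: ads.example\r\ndnt: 0\r\n\r\n",
    "GET /ad.js HTTP/1.1\r\nHost: ads.example\r\n\r\n",
    "GET /ad.js HTTP/1.1\r\nHost: ads.example\r\nDNT: yes\r\n\r\n",
]

if __name__ == "__main__":
    for default in (True, False):
        print(f"track_when_unset={default}: "
              f"{tracked_count(SAMPLE_HEADS, default)} of {len(SAMPLE_HEADS)} tracked")
```

Only the two requests with a valid explicit value are handled the same way under both settings; every other request is decided by `track_when_unset`, which the receiver chooses.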

As the song goes, "If you choose not to decide, you still have made a choice." The user who hasn't chosen anything has chosen the default option. There is always a default option. The tri-state solution does not actually succeed in avoiding the need for default options. It gives browser vendors cover to claim they are not making the decision for users, when in reality, they know that they are making a choice about what the vast majority of users will get. Research has shown that most users do not understand how behavioral advertising or tracking mechanisms work, and they find it creepy when they find out about it. Those who hear that there is an opportunity to turn off tracking may try to do just that, but the tools they have available to them are pretty difficult for them to use. The Advertising Option icon seems to communicate little to users, and combined with the AdChoices tag line many users seem to be wary of clicking on it. So, it seems likely that most users -- even those who express a desire not to be tracked -- will not realize that they can turn off tracking (or at least some definition of tracking, still to be determined) or understand how to do it. When users do not make a choice, the default will be more tracking and less privacy.

I am often critical of Microsoft, but if I take them at their word that they decided to turn Do Not Track on by default "because we believe in putting people first," then this seems to me to be the right thing to do. Microsoft's default will be less tracking and more privacy (although, unfortunately, they are choosing to adopt the DAA's very narrow view of tracking as targeting rather than the more privacy-protective view of tracking as data collection). Of course there is still a lot of devil in the user interface details that I haven't yet seen. How difficult will it be for users who see value in targeted ads for products they may actually be interested in to find the controls and turn tracking back on? How clearly will the interface communicate what it means for tracking to be on and off? And how well will the interface support users in turning tracking on for some sites and not for others, perhaps on the basis of the content of each site or whether or not they will be selling the user's profile to the highest bidder? Neither Microsoft nor any other browser vendor has impressed me in the past with the user interfaces they have developed for their browser-based privacy tools, but they do have a real opportunity here to do the right thing and build a truly usable and useful privacy tool. In this case, since Microsoft is also in the online advertising business, they have an incentive to make it easy for users to opt in to tracking.

Nonetheless, Microsoft's announcement has the ad industry scared. On the same day that Microsoft made this announcement, one industry group issued a statement condemning Microsoft's announcement and the DAA said they might ignore IE10 DNT requests if they don't represent a user's choice. In essence the industry is saying that they will not participate in Do Not Track unless the default (where permitted by law) is less privacy and more tracking.

Many computer users are not able to make informed decisions about configuring their software. They may lack computer expertise or simply not wish to take the time to figure out configuration options. Especially on matters of security and privacy, they expect the people who set up their computer and the companies that manufacture their software to take steps to see that they are protected. When browsers force users to make security and privacy choices, for example what to do with an expired security certificate, users tend to just choose the option that lets them get on with their work most quickly. Browsers should offer privacy and security default configurations that provide a good user experience while protecting users who are not informed enough to make choices on their own. While DNT user interfaces should be designed to facilitate meaningful and informed user choices, active user participation should not be a requirement for privacy.