Lawmakers, analysts, and industry representatives have expressed differing views on whether a browser-based do-not-track mechanism is feasible, following calls for such a feature in a report issued last week by the FTC.
During a House of Representatives subcommittee hearing on Thursday, David Vladeck, director of the FTC’s Bureau of Consumer Protection, implied a do-not-track option could be easily implemented with cooperation from browser makers. “We’ve learned from our technologists that do-not-track is a feasible technology… Browsers could be programmed to send a do-not-track signal as users browse the Internet,” he said. He suggested third parties would receive that signal and refrain from tracking behaviors exhibited through that browser.
Vladeck said the commission is “seeking comment on the best way to implement the mechanism,” but the commission’s report, titled “Protecting consumer privacy in an era of rapid change,” clearly implied it views the cookie-based opt-out solutions now being tested by industry as insufficient. “The most practical method of providing such universal choice would likely involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads. Commission staff supports this approach,” the report stated.
Testifying alongside Vladeck during the House hearing, Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, argued the approach would not be as straightforward as the commission implied, and that it might have unintended consequences for the future of the Internet. A browser-based opt-out could “significantly harm the ecosystem of the Internet,” he said, adding that it would be costly to implement and difficult to enforce.
Castro suggested opting out will not limit the delivery of online advertising, but will instead restrict the use of targeted advertising specifically. Users could therefore find themselves subjected to more ads as publishers attempt to account for the fact advertisers are willing to pay smaller amounts for less qualified audiences. He also pointed out that websites might simply choose to block users that do not allow tracking to help convince them to do so.
Charles McCathieNevile, chief standards officer for browser maker Opera, sees no technical limitations for a browser to emit a permanent “do-not-track” data packet as users browse the Internet, besides the marginal slowing of networks. The effect would be “not negligible, but not the end of the world,” he told ClickZ.
But McCathieNevile also said such a setting could impact the basic functionality of many websites that rely on tracking to provide services to users. The FTC has not strictly defined which types of data the do-not-track mechanism would apply to, suggesting it could include tracking for purposes such as analytics, on which the majority of online publishers rely. McCathieNevile also raised the question of how such a mechanism would be enforced. “Is the FTC going to go around updating every browser?” he asked.
According to a recent Wall Street Journal report, Mozilla – maker of the popular Firefox browser – is already investigating ways to include a do-not-track mechanism in its product. Mozilla refused to comment on how that might work technically, but in a blog post general counsel Harvey Anderson said, “While we’ll need more time to digest and evaluate the details, we’re encouraged by what we’ve seen so far. In particular, the FTC has proposed a set of principles that align well with the Mozilla manifesto and our approach to software development.”
Cookie Versus Browser-Based Opt Out Mechanisms
In response to scrutiny from the FTC, industry bodies have already begun trialling the use of cookie-based opt out mechanisms, through which a user can express choices around which parties have access to their data. A cookie is then placed on that user’s machine, which prevents participating companies from collecting data from for advertising purposes.
However the FTC’s report pointed to the limitations of cookie-based opt-outs, as well as the fact that users will effectively be opted back in to targeted ads if and when they choose to delete their cookies.
“Consumers are not likely to be aware of the technical limitations of existing control mechanisms. For example, they may believe they have opted out of tracking if they block third-party cookies on their browsers; yet they may still be tracked by Flash cookies or other mechanisms,” the report said. Flash cookies can in theory be used to reinstate HTML cookies without users’ knowledge or consent, potentially limiting their ability to control how their data is used.
Opting out of Ad Targeting, or all Third-Party Tracking?
It’s also unclear exactly which types of tracking the FTC refers to in its report. Vladeck suggested existing opt-out mechanisms can suggest to consumers they are opting-out from “all third party tracking mechanisms” while they’re in fact opting out from ad targeting only.
Potentially, therefore, a universal tracking opt out could have wider implications than just behavioral ad targeting, potentially affecting all aspects of online ad serving – such as frequency capping and inventory management – and the use of analytics tools used by the majority of online publishers.
In reference to that possibility, Pam Horan, president of the Online Publishers Association said, “We’re concerned about the concept of do-not-track if it specifically impacts the first party [publisher sites]…. Cookies are really critical to the operation of publishers’ websites to do a variety of things.”
Beyond the Browser
Another fundamental question yet to be addressed by the FTC is tracking beyond the browser. With the proliferation of smartphones and other Internet-enabled devices such as TVs and game consoles, the browser will likely account for a progressively smaller portion of user data over the next few years.
As Joe Pasqua, VP of research for online security firm Symantec stated in his testimony to the House, “The browser alone is not enough. Consumers using websites is just one form of tracking; we need to think about tracking and privacy in a wider scope than just browsers.”