Do Not Track – the privacy standard that’s melting away

The melting privacy glacier

Do Not Track, the privacy standard that’s supposed to address one of the biggest issues of the 21st century internet – how you control who can track what you’re doing online – isn’t in the news. Again.

That’s no surprise though – despite its importance, Do Not Track hardly ever does anything remarkable or exciting enough to count as actual news.

That doesn’t mean it’s not there or that things aren’t happening, it’s just that they happen so slowly it’s hard to tell.

Do Not Track, or more specifically the Tracking Preference Expression and Tracking Compliance and Scope specifications, is an internet privacy standard that allows users to signal their preferences for being tracked or not online.

The standard is a mess, an epic farrago unfolding in slow motion. It’s unfinished and the subject of fundamental disagreement, but also, strangely, in active use.

It’s never actually failed but it can never succeed. Like a giant glacier it’s slowly melting away beneath us. Eventually we’ll notice we’re stood on bare rock and it’s gone completely but until then we’ll wake up each day with nothing more interesting to wonder at than an occasional dampness in our shoes.

A process in trouble from the start

The idea for a standard crystallised about five years ago as a result of pressure from US and European legislators.

They wanted a way for consumers to indicate that they didn’t want to be tracked by advertisers – an internet equivalent of the ‘do not call’ lists that consumers can use to opt-out of unwanted telephone advertising.

The industry was challenged to agree to a standard, and if it couldn’t it was made clear that laws would be drafted instead.

United around the idea of avoiding ham-fisted government interference, the great and the good – a collection of privacy advocates, advertisers, and tech giants like Google, Microsoft and Mozilla – sat down with the common objective of creating a standard by which a browser can tell a server not to track it.

What actually happened was that they got together to arrange a series of conference calls to decide a round of meetings to endlessly repeat a set of arguments that frame a disagreement about a standard by which a browser could tell a server not to track it.

Deadlines were missed, lines were drawn in the sand, and companies did their own thing.

A year ago, in July 2013, privacy advocate Jonathan Mayer left the Tracking Protection Working Group with a stinging resignation email in which he exposed just how behind schedule they already were.

We first met to discuss Do Not Track over 2 years ago. We have now held 10 in-person meetings and 78 conference calls. We have exchanged 7,148 emails. And those boggling figures reflect just the official fora.

The group remains at an impasse. We have sharpened issues, and we have made some progress on low-hanging fruit. But we still have not resolved our longstanding key disagreements, including: What information can websites collect, retain, and use? What sorts of user interfaces and defaults are compliant, and can websites ignore noncompliant browsers?

Our Last Call deadline is July 2013. That due date was initially January 2012. Then April 2012. Then June 2012. Then October 2012. We are 18 months behind schedule, with no end in sight.

A process designed to fail

DNT was supposed to protect users’ privacy but I think it’s had the very opposite effect.

It’s kept major players occupied for years while simultaneously failing to protect users’ privacy and acting as a roadblock to privacy legislation.

I don’t believe that those outcomes are unconnected to the fact that the companies who stand to lose the most from a DNT standard are part of the working group defining the DNT standard.

It made sense to include the advertising companies in the group drafting the standard but it’s also a decision that made inaction an attractive and achievable outcome.

All the time that DNT is being drafted, is in conflict or remains unfinished, the behavioural tracking industry continues to grow without the yoke of an official standard.

I am not privy to the motivations of those involved in drafting the standard but it seems to me that there is a clear conflict of interest at work and that limbo and glacial inaction is by far the best outcome for the behavioural tracking industry.

A standard designed to fail

DNT’s great conceptual flaw is that it’s cooperative rather than coercive.

In HTTP, the language of the web, browsers don’t exert control over servers, they make requests. DNT is a request: “Don’t track me, OK?”

The balance of power in a request/response conversation lies with the responder. Responders can choose to comply with requests or not and there’s absolutely no way to tell if your DNT requests are being honoured.

So you have to trust the people you’re asking not to track you.

That’s right – you’re using DNT because you don’t want to trust a server but the mechanism you’re using to assert your distrust relies upon the server being trustworthy.

I guess what’s supposed to make Do Not Track work is that advertisers have incentives to play along – they’re big commercial organisations with reputations to protect and they’re offering a product, tailored advertising, that users might prefer to the alternative.

Unfortunately, major tracking companies like Clearspring, Quantcast and KISSmetrics have been caught out using unfriendly, reputation-damaging techniques in the past.

The only sensible course of action, the only one that doesn’t put your privacy in the hands of a promise from somebody you don’t know, is to assume that servers are lying to you.

Most of them probably aren’t lying but you can’t tell who is and who isn’t.

And if you assume that servers are lying to you then DNT can’t work.

The only technology that can work in an untrustworthy environment is coercive technology that prevents the server from acting against your best interests.

A standard overtaken by events

It’s impossible to talk about web privacy without mentioning Edward Snowden.

The DNT programme was kicked off before Edward Snowden brought to our attention that our data, in bulk, was of intense interest to the NSA (and let’s not delude ourselves – every other intelligence agency in the world with hackers and hard drives).

DNT was never intended to stave off the interests of attackers or intelligence agencies so it wouldn’t be fair of me to criticise it for failing to do so.

The reason that Snowden is important to DNT is that DNT is a reflection of our thinking and priorities four years ago. We thought that our privacy was under threat from a bunch of ad men who had something to lose by not playing along.

We now know that even if DNT was fully implemented by the entire online advertising industry, our privacy would still be fatally compromised.

What Snowden showed us is that, conceptually and technologically, we were preparing to turn up to a gun fight with a stiffly worded letter.

The idea of governing internet privacy based on a sort of glorified gentlemen’s agreement now looks staggeringly dated.

The standard losing support

It seems that recently some technology companies have felt the ice shifting beneath their feet and have decided to climb off the glacier before it melts. Yahoo made the jump to dry land first, back on 30 April 2014:

As of today, web browser Do Not Track settings will no longer be enabled on Yahoo ... we have yet to see a single standard emerge that is effective, easy to use and has been adopted by the broader tech industry.

The announcement goes on to say that its users can use the Yahoo privacy center to configure their privacy preferences.

Just a few days ago AOL followed suit, changing its privacy policy to state that Gravity, its personalisation technology, will not honour DNT headers from 15 September 2014.

Previously, Gravity provided users with the ability to use the browser "Do Not Track" signal to opt out of certain personalization. AOL has consolidated and simplified many of the preferences and opt-outs we offer, and as a result, "Do Not Track" browser signals will no longer be recognized.

AOL goes on to say that users can still opt-out of Gravity’s personalisation.

Use coercive protection

Responsible online advertisers all operate their own processes for opting out of online tracking and behavioural advertising but managing your privacy with their many and various opt-outs is wildly impractical.

Even if you could find them all and even if you could discover easily when they change their privacy policies, or when a new vendor enters the market, you still have to trust them.

The opt-out approach has the same fundamental flaw as DNT: it’s cooperative, it’s another request – “Don’t track me, OK?”

The only technical solutions that can provide any kind of assurance are coercive.

Coercive technologies work by withholding or disrupting the information that tracking relies on, such as cookies, Flash cookies or local storage. They aren’t a guarantee of success but they do at least understand the nature of the battle they’re involved in.
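
The difference between a cooperative signal and a coercive control, as an added example that is not from the original article: a modelled tracker ignores the DNT: 1 request header, and a modelled browser either sends the header and hopes, or withholds the third-party cookie. The hostnames, the uid cookie and all function names are constructed for illustration, and the third-party check is simplified to a hostname comparison.

```javascript
// Added illustration; hostnames, cookie name and helpers are constructed.
// A tracker that ignores DNT: it tags every visitor with a cookie regardless.
const seen = new Map(); // uid -> number of page views linked to that uid
let nextId = 1;

function trackerIgnoringDnt(req) {
  const m = /(?:^|;\s*)uid=(\w+)/.exec(req.headers.cookie || '');
  const uid = m ? m[1] : 'u' + nextId++;
  seen.set(uid, (seen.get(uid) || 0) + 1);
  // The response looks the same whether or not "DNT: 1" was sent, so the
  // client cannot tell from it whether the request was honoured.
  return { status: 200, headers: { 'set-cookie': `uid=${uid}; Max-Age=31536000` } };
}

// Minimal browser model. blockThirdParty=false is the cooperative case
// (send DNT: 1 and trust the server); true is the coercive case (the cookie
// is neither stored nor sent for third-party resources).
function makeBrowser({ blockThirdParty }) {
  const jar = new Map(); // host -> "name=value"
  return function fetchFrom(pageHost, resourceHost, server) {
    // Simplification: real browsers compare registrable domains.
    const blocked = blockThirdParty && pageHost !== resourceHost;
    const headers = { dnt: '1' };
    if (!blocked && jar.has(resourceHost)) headers.cookie = jar.get(resourceHost);
    const res = server({ host: resourceHost, headers });
    const setCookie = res.headers['set-cookie'];
    if (!blocked && setCookie) jar.set(resourceHost, setCookie.split(';')[0]);
    return res;
  };
}

// Visit two unrelated sites that embed the same tracker and return the largest
// number of page views the tracker could link to a single identifier.
function maxLinkedViews(blockThirdParty) {
  seen.clear();
  const fetchFrom = makeBrowser({ blockThirdParty });
  fetchFrom('news.example', 'tracker.example', trackerIgnoringDnt);
  fetchFrom('shop.example', 'tracker.example', trackerIgnoringDnt);
  return Math.max(...seen.values());
}

console.log('DNT header only:       ', maxLinkedViews(false));
console.log('third-party cookie off:', maxLinkedViews(true));
```

With only the DNT header set, the tracker links both page views to one identifier; with the cookie withheld it sees two unrelated visitors.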

Modern browsers come with private or incognito modes. You can supplement those modes with a number of useful browser plugins such as NoScript and Ghostery.

All modern browsers also come with an easy to enable Do Not Track feature. It doesn’t hurt to turn it on but don’t expect it to make any difference to your privacy.