Following Mitchell’s recent comments on DNT, here’s a riff from me.
There are currently two views of how Do Not Track, the standard for a browser to signal to a website that its user does not want behavioural tracking, should be enabled.
My position (and that, as far as I can tell, of the standardization group, and of many within Mozilla) is that Do Not Track is “no preference” by default (i.e. no header is sent), and must be explicitly enabled or disabled (without specifying an exact user experience). While it may change in the future, Microsoft’s current position is that users will be asked about “Do Not Track” during installation or upgrade, and the checkbox to turn it on (visible only in the non-speedy install) will be checked, and so the feature will be enabled, by default.
This made me think that the two views of “Do Not Track” correspond to some degree to two views of the role of government in innovation and user empowerment.
If you are in favour of market-driven solutions, then the power of Do Not Track comes from the fact that everyone who has it turned on has made a conscious decision to do so. This action speaks with a powerful voice in the market, and is hard to argue against. The idea is that any advertiser which refuses to respect a specific user request will suffer from a poor reputation, and loss of business. Hence, consumer pressure leads to positive change without regulation. But for this to work, it requires that the default be “off” (or “no preference”, which amounts to the same thing).
If you are in favour of regulated solutions, then the power of Do Not Track comes when governments force advertising companies to respect it. So how it gets turned on or not is a secondary question, and your goal is simply to get it enabled on the computers of as many people as possible, and get a law passed that makes website owners pay attention to it. After all, once it’s a government mandate, the advertiser has to respect it, whether the user made a choice to enable it or not. And so having it on by default allows you to make the claim that you are “protecting more users”.
I suggest that history shows us that government regulation of technology is usually written by those who don’t understand it, arrives late, and demonstrates inflexibility in the face of future innovation. The EU cookie law, as implemented in the UK, is a case in point – its net effect is that most UK websites how have to have a click-through dialog before you can continue to use them as before. I doubt that many people’s privacy has been meaningfully enhanced, and website usability has suffered.
Government-mandated DNT would not nearly be as flexible and open to further innovation as market-driven DNT. I hope we get the market-driven sort.
“most UK websites how have to have a click-through dialog before you can continue to use them as before”
Not sure what your evidence is for this? Most I have seen have just gone with a dismissable notification that doesn’t get in the way of anything. Some have a few controls, but most are “we’ve notified you, you’re still here, that means we’ll keep using cookies”.
A typical example is http://www.guardian.co.uk/
My language was a bit loose, and also implementations have varied because the ICO made a last minute change to what was permissible. But yes, it’s now less irritating. But equally useless IMO.
I think the government(s) was/were wrong in the way they implemented it or at least communicated it.
At the end of the day, what this is/was really about is tracking users from website to website to website to website.
Not the cookie Google Analytics creates for the domain of the site people visit.
Showing those notifications helps no1.
Hmm, I’m not convinced that the reputation-based solution would work; after all, the advertisers have no real reason to consider the visitors being tracked as customers – they get paid by the people they’re advertising, and co-operate with the web sites they advertise on. This means that they would get a _better_ reputation by tracking – since it should (hopefully) lead to better conversion for the advertisements. Of course, I don’t think a government-mandated solution is likely to work either; since there is no need for a license to operate (… and let’s hope it stays that way), there’s no real teeth to any regulations.
I don’t see how either version will have any really significant impact.
Users who don’t want to be tracked can already, given reasonably capable client software, easily set things up so that cookies are forgotten on a regular basis (weekly, daily, hourly, whenever the browser exits, whenever the window or tab is closed, whenever the user clicks on a link that goes to a different FQDN, etc). It’s very hard for me to see how Do Not Track can possibly improve on this to any significant degree, even if everyone fully cooperates with the effort, which they won’t.
In the market-driven version of Do Not Track, advertisers can just make the tracking marginally less obvious so that most people will remain unaware of it. (For example, instead of explicitly saying “Other users who bought the book you bought last week were also interested in this new title,” they can just list it as a “popular title” or a “suggested title” and let it go at that. Most people naturally believe that their personal interests are popular and interesting, so only people with a healthier amount of paranoia than average will ever notice anything or care.)
The privacy nuts will of course not be happy, as usual, but they’re a tiny percentage of the user population, and they’re *always* complaining about something, and most people are used to ignoring them most of the time. If their complaints don’t ring any bells with anyone, nothing meaningful will come of it — and the complaints won’t be ringing any bells unless the things they’re complaining about are obtrusive (like pop-ups for example were obtrusive, which is none of the major browsers support them by default any more). Subtle tracking that shows the user advertisements for products they potentially might actually be interested in, instead of ones they clearly don’t care about, is not obtrusive to most people.
The problems with the regulation-driven version are much as you point out.
> it’s only training users to mindlessly
> click-through security and privacy dialogs
That’s been a lost cause for a while, I’m afraid. Navigator’s contributions to this were particularly egregious (notably, throwing up a warning every time the user typed search terms into a search engine and hit the search button, the most extreme example of wolf-crying I’ve ever encountered bar none; there were several other issues as well), but Microsoft and Mozilla and Apple and Gnome and Yahoo and Google are all guilty of contributing to this phenomenon.
Another problem is the privacy community’s habit of making disproportionate noise over relatively minor issues all the time. (Some security software, for example, uses approximately the same kind of warning for tracking cookies as for malware infections, which is horribly confusing and needlessly frightening to people who don’t have enough technical background to know what a cookie is.)
The worst offender of training users to mindlessly click-through things are obviously popup ads. They aren’t security or privacy warnings but they were just as annoying to users and ask for the same don’t read just click it away response.
” I doubt that many people’s privacy has been meaningfully enhanced, and website usability has suffered.”
what’s even worse, it’s only training users to mindlessly click-through security and privacy dialogs when you use it for unimportant details like this..
that’s why we can’t have _secure_ things.. :(
If you need to go as far as a regulated solution, then the issue is important enough that people who don’t understand about it should be protected (i.e. not tracked) and you might as well just ban all tracking, header or not.
Sending a header only makes any sense if it is an informed user choice.
What Ian said. It would be silly to regulate what advertisers must do in response to “DNT: 1”, without also regulating what UI browsers must provide. Because the effect would be the same as regulating what advertisers must do in response to “DNT: no-preference”, except with worse UI and a little bit of wasted bandwidth.
And what Mook said. The “reputation-based” approach seems to be working now, but I suspect that’s only because ad networks are afraid of regulation, and that doesn’t seem like a stable equilibrium. Maybe government could maintain this state for a while by forcing ad networks to disclose their tracking practices (both with and without DNT). But ultimately, ad networks answer to advertisers and webmasters, not to visitors and privacy pundits.