Around 50 representatives of various Internet stakeholders squared off for three days in Washington DC this past week as the W3C (World Web Consortium) Tracking Protection Working Group tried to set a standard for what Do Not Track means.
Progress was made, but a huge gulf still exists between the online industry's proposals and those from privacy and consumer advocates. I've still not given up on the possibility of an acceptable agreement.
I think Do Not Track should be pretty straight forward. When I sign on to a website, I don't expect other parties with whom I don't even have a relationship to track me as I surf the web. Actually, I misspoke. Now that I know a little bit about the Internet, I do actually expect to get tracked if the companies can get away with it. It's just that I don't think I should be, if I don't want to be. And, I want a way to tell online companies to mind their own business and leave me alone. That's what Do Not Track is about.
People have a right to know what information is gathered about them and how it is used. They have a right to just say, "no." Do Not Track is a way to send a website the message that you don't want your information to be gathered.
Three of the four most popular browsers in the U.S. — Mozilla's Firefox, Apple's Safari and Microsoft's Internet Explorer — now offer a DNT mechanism. Google, partly because of the focus on Do Not Track prompted by Consumer Watchdog and others over the last two years, recently announced it will offer a Do Not Track mechanism on its Chrome browser by the end of the year. Yahoo! just said it would honor the message at its websites when it receives a DNT message.
But here's the rub. The big problem with all of this is that even if a website gets a DNT message from your browser, it is under no obligation to honor it. And, it's not clear what those who say they will honor it — like Yahoo! — mean. There also is the issue that different browsers might try to send the DNT message in different ways, ultimately confusing various websites. Competition is good, but frequently in the world of high tech it's important to do some basic things the same way. You need standards.
Enter the W3C. I'm now a so-called "invited expert" to the Tracking Protection Working Group. The W3C is a worldwide organization that sets standards for the Internet. The past week's meetings have been about two things: First, figuring out and agreeing to the technical way to send the DNT message and the technical way for a website to send back that the message was received and will be honored. Second, spelling out the compliance obligations when a website gets the DNT message.
The technical messaging issue is not a trivial problem, but I'd say most of us around the table — whether industry representatives, consumer and privacy advocates, academics or regulators — agree that the technical specification is nearly worked out. It's another matter with the so-called Tracking Compliance and Scope specification. This is the document that will spell out the obligations of a website that says it complies with Do Not Track. To suggest that the views of what the obligations should be are widely divergent is an understatement.
Succinctly put, the online industry wants to continue to operate with as few changes as possible from current practices while acknowledging the consumer appeal of the increasingly popular Do Not Track idea. Privacy advocates want more constraints on business. The gulf could prove insurmountable, but I think there is still reason for optimism.
Roughly two thirds of the time this week was devoted to working on compliance standards. The working group managed to distill the issues down to two differing proposals and, I think, understand their respective perspectives.
The industry proposal has a much broader definition of what constitutes a "first party" — the site visited by the user — than the privacy advocates. This is important because under both proposals there are relatively few constraints on the first party even when DNT is enabled. The second difference is around so called "permitted uses." Industry claims that certain activities such as frequency caping, financial reporting, auditing, fraud prevention, security, market research and product development all are necessary and require the placing of "unique identifiers" on browsers. This would allow tracking to continue.
I'd say industry's "permitted uses" potentially are loopholes substantially big enough to get around Do Not Track while claiming you honor it. The privacy advocates point out that there are privacy friendly ways to accomplish most of industry's goals. Some of the "permitted uses" aren't important enough to override privacy concerns.
So far, many in the online business seem to want to have their cake and eat it too. They'll back the W3C technical standard, and then use their own Do Not Track rules, perhaps the weak ones developed by the Digital Advertising Alliance, to define what compliance means.
Well, that simply won't cut it. For a Do Not Track standard to be meaningful, it must be accepted and validated by a substantial number of non-industry stakeholders — organizations like Consumer Watchdog, the Center for Digital Democracy and the Electronic Frontier Foundation (EFF) and various academics. Rules that were made up behind closed doors only by industry participants have absolutely no credibility. Some company representatives get that. That means there is a good chance during the next few weeks there will be real efforts to forge a compromise. A DNT standard validated by an honest, open process with diverse participants is in the online industry's best interest.
But, compromise means everybody has to make concessions. So far, industry reps have not done so. There is, however, a big stick that might push them toward an acceptable deal.
In its recent privacy report the Federal Trade Commission called for industry to implement Do Not Track. The report said DNT could be implemented without legislation, but FTC Chairman Jon Leibowitz said he'd support legislation if there isn't a meaningful standard by the end of the year. FTC Commissioner Julie Brill warned the W3C Working Group that she'd also back legislation, if a meaningful standard is not implemented.
Key European Commissioners have also expressed support for a meaningful Do Not Track standard.
Nothing is more feared by industry than regulations mandated by law. I'm willing to discuss what is necessary for an acceptable Do No Track deal. If industry doesn't want to talk and wants to wait, fine. I'll continue to point out that a purely industry-developed standard is a bogus sham. And then, I'll wait, too — for a Do Not Track law.