Back in 2010, the Federal Trade Commission pledged to give Internet users the power to determine if or when websites were allowed to track their behavior.
With just a few clicks, the FTC’s Do Not Track initiative promised to let consumers opt out of having any of their online data hoovered up by just about anyone on the Internet. It would be easy for consumers to find and use, be persistent (and not be overridden when consumers update their browsers), apply universally to anyone who tracks consumer activities online and be enforceable, according to former FTC Chairman Jon Leibowitz’s Senate Commerce Committee testimony in 2012.
But five years out, the same agency whose Do Not Call initiative failed to stop unwanted telemarketing calls once again has little to show for its efforts, this time to control tracking on the Web.
Last month, two members of Congress resurrected the plan. Sen. Ed Markey, D-Mass., and Sen. Richard Blumenthal, D-Conn., filed a bill that seeks to finish what the FTC started — giving consumers control over their personal information online and preventing companies from collecting data when users don’t want to be tracked.
“Consumers need this protection against invasive tracking — companies that collect private, sensitive information with every online click,” Blumenthal said in a statement. “The ‘Do Not Track Act’ prevents privacy abuse and gives back control over personal lives online. People deserve to be empowered to stop trackers who collect and store their personal, private information.”
Good luck with that.
We thought it would be instructive to review just how the best intentions of FTC’s Do Not Track initiative went so wrong. The industry group that set out to define how Do Not Track would work has yet to finalize a standard, despite years of meetings and thousands of emails. Meanwhile, key players — including groups representing the online ad community and consumers — have abandoned the effort. And the FTC, the government’s leading consumer privacy watchdog, seems to have lost interest altogether since Leibowitz resigned in 2013.
“Why did we bow out of standards setting? I just didn’t think we were getting anywhere,” said John Simpson, privacy director of the Santa Monica-based the nonprofit group Consumer Watchdog.
Foxes in the Henhouse
In reaction to numerous media reports, and notably the Wall Street Journal’s “What They Know” series, which exposed the sinister and largely invisible practice of tracking users online, the FTC leapt into action in 2010.
But the strategy was flawed from the start. By tapping the World Wide Web Consortium, an organization that sets standards for the Web, to work out the details for implementing Do Not Track, the FTC relied on a group dominated by powerful Internet companies. These companies included Google, Facebook and Yahoo, whose businesses depend on online advertising, which require precision tracking of users. To put it another way, that’s like Sony Pictures inviting the North Koreans to run vulnerability tests on its computer networks.
It’s of little surprise, then, that the Consortium, which created a working group that initially involved representatives from technology, advertising and publishing — found a way to make life difficult for everyone but the biggest Internet players.
“Incredibly, the same big players who hijacked the process could make this one-sided policy a de facto global standard. This gives them a data advantage through tricks and traps, not product innovation,” said David Wainberg, privacy counsel for AppNexus, an ad-tech company.
The proposed a set of rules released last August for public comment allow Internet publishers with a direct relationship with consumers — say, Facebook or Google — to remember who you are, what you looked at and what you did while on their sites, so long as they don’t pass the information along to third parties. Third parties, such as independent ad networks, would be required to “treat you as someone about whom they know nothing and remember nothing.”
That brought immediate criticism from third-party ad tech companies like AppNexus, which said the Do Not Track standards put them at a competitive disadvantage because they’ll be forced to abide by stricter privacy rules than giant rivals like Google or Facebook.
“The Do Not Track debate has put us in an uncomfortable position,” Wainberg said. “In opposing the Do Not Track policy, people can characterize us as anti-privacy. What we do not want [are] policies that tilt the competitive playing field, especially without a commensurate privacy benefit for users.”
Some members of the U.S. Congress agreed, writing the World Wide Web Consortium to criticize the proposed rules as giving unfair competitive advantage to some Internet players while failing to deliver on the promise of protecting consumer privacy. It urged the group in October to “re-examine the proposal.”
A spokesperson for the consortium did not respond to a request last week seeking comment.
There were plenty of signs that Do Not Track was going off the rails long before Markey and Sen. Al Franken, D-Minn., weighed in.
The Digital Advertising Alliance, a consortium of the biggest advertising firms and online ad tech companies, including Omnicom MediaGroup, BrightRoll and TubeMogul, withdrew from the process in frustration in September 2013. It said it would develop its own solution — a system that would allow consumers to opt out of targeted advertising.
“After more than two years of good-faith effort and having contributed significant resources, the DAA no longer believes that the [working group] is capable of fostering the development of a workable ‘do not track’ solution,” wrote Lou Mastria of the Digital Advertising Alliance.
The California-based advocacy group Consumer Watchdog similarly abandoned work on Do Not Track about a year and a half ago because the recommended standards would be voluntary — so therefore, in its view, toothless. Online companies would have little incentive to honor a consumer’s Do Not Track request.
“The standard they’ve come up with, I don’t think [it’s] strong enough; it’s loophole-laden and there’s nothing to make a company do it,” said Consumer Watchdog’s Simpson.
The Electronic Frontier Foundation, which was also a member of the task force, took matters into its own hands. It released a final version of a free plugin called the Privacy Badger for Firefox and Chrome browsers in August. Whenever a user turns on Do Not Track within the browser setting, Privacy Badger acts as an enforcer — it scans any website to determine if the publisher has agreed to honor this privacy request. If it can’t find a policy, it scans for third-party scripts that appear to be tracking — and blocks them.
“At the core of our project is the protection of users’ reading habits and browsing history,” the EFF wrote in introducing Privacy Badger. “And a conviction that this is personal information that should not be accessed without consent.”