On September 21, 2011, members of a working group tasked with creating a new set of industry standards for online privacy gathered for their first official face-to-face meeting.
One by one, representatives from Yahoo, Microsoft, the Federal Trade Commission, the Electronic Frontier Foundation and elsewhere arrived at the Stata Center, the flamboyant Frank Gehry-designed computer science center on MIT’s campus.
The stated goal of the discussions was to craft common rules for how websites and advertisers would respond when users flipped on a “Do Not Track” switch in their Internet browsers. During introductions, as attendees relayed their hopes for the talks, Stanford privacy researcher Jonathan Mayer said he wanted to see a clear path to adoption for the feature.
“And I want to do it in a few months,” he said.
The room broke out in laughter. Nearly two years later, after dozens of additional meetings and teleconferences, and a series of public and behind-the-scenes squabbles, the response seems only too warranted. There has been scant progress on a Do Not Track definition at the World Wide Web Consortium (W3C) working group and there may be precious little time left.
At issue is the ability of consumers to exercise control over their information, by allowing them to easily communicate to websites and advertisers that they don’t want their online activity monitored. But defining what not tracking means quickly gets bogged down in a slew of technical questions:
Would it still be OK for companies to collect information needed for the basic functioning of websites, like the type of browser or device someone is using? What type of process should be required to strip out personal information from data? Should companies that users have a direct relationship with, like Google or Amazon, be treated differently than the numerous ad networks that run unannounced across much of the Web?
Each choice carries huge implications for both privacy and the ability to target ads online, the core business model of the digital world, so they have been fiercely fought over.
A so called Last Call document is due at the end of next month that is supposed to reflect consensus on the major sticking points among the varied group of advertising lobbyists, online giants, academics and privacy advocates at the table. But reaching that deadline, which has already been pushed back at least four times, would require bridging in a few weeks a yawing gap that has barely narrowed over the better part of two years. Few think it can be done.
“It’s difficult for me to understand how we could possibly reach the goal,” said John Simpson of Consumer Watchdog.
If they fail, rather than setting yet another due date, several participants including Mayer say it will simply be time to call it quits.
“There must come a stopping point,” he wrote in an email to members on Thursday. “There must come a time when we agree to disagree. If we cannot reach consensus by next month, I believe we will have arrived at that time.”
He stressed that he wasn’t calling for an immediate shut down of the group. But he said they should “begin planning a responsible contingency process for winding up the working group if we miss our dead line.”
The public email chains shows that Center for Digital Democracy Executive Director Jeff Chester concurred, as did Walter Van Holst, a privacy lawyer from the Netherlands.
Privacy advocates long resisted walking away from the negotiations, for fear of being portrayed as the group that abandoned the effort or allowing their opponents to push through their agenda. But a growing number of them have come to believe that the appearance of a good faith debate on the issue — rather than the reality of one — has only served to help the industry avoid pressure for new privacy legislation or regulations. The longer it drags on, they longer they have a free pass.
In fact, the process has served as a relief valve for the government as well, allowing the Obama Administration and Federal Trade Commission to point to progress on one of the key consumer protection issues of the 21st century — online privacy — without actually squaring off against powerful online interests.
Of course, after last week’s revelations about sprawling National Security Agency spying programs, the government faces an entirely different set of privacy perception problems — and new questions about how much they genuinely cared about this issue in the first place.
“The idea was flawed from the get go,” Chester said, stressing the industry was never going to voluntarily accept rules that risked even the smallest slice of their ad revenue, absent any real government mandates. “The fact is Do Not Track was never going to work. We Do Track is the epitome of their business model.
“It’s about to be declared a failure,” he said. ”The industry is not going to change its position. They’ve basically beaten the advocates.”
Not everyone is as pessimistic about the prospects for the Do Not Track talks.
David Singer of Apple disputed Mayer’s claim that the group was at an impasse.
“No, alas, that is what you would like to believe, and what you tell others,” he wrote in response to Mayer. “Determination of consensus, impasse, and alternative routes ahead are primarily the responsibility of the (W3C working group) chairs. It is perhaps kind of you to assume their role, but there is still work remaining for us mere delegates to do.”
He declined further comment. Google and the Digital Advertising Alliance didn’t respond to inquires from The Chronicle. Yahoo replied but didn’t provide a response before press time.
Alex Fowler, the global privacy and public policy lead at Mozilla, agreed to speak on this issue recently and said that productive discussions have been taking place behind the scenes since a meeting in Sunnyvale last month.
“I am optimistic,” he said. ”We’ve heard from senior executives in both the U.S. and Europe that represent some of the leading ad technology companies and they recognize that there are some real privacy challenges facing the industry.”
A joint email on Friday from the working group’s co-chairs, Peter Swire and Matthias Schunter, stressed that the talks will proceed: “The goal to end up with a final call document, which can be supported by the whole group (in the “can live with” manner), remains untouched.”
Asked in a recent interview what happens if an agreement isn’t reached by late July, Swire told me: ”I’m not going to speculate, we’re working toward the deadline.”
Swire, a law professor at Ohio State University who served as a privacy official under President Bill Clinton, earns high marks from participants for working hard to cobble together an agreement.
At this point, though, the privacy advocates at the table are just as worried about rushing out a Last Call document with few substantive demands on businesses, as not creating one at all. In recent days, Swire and Schunter put forth a streamlined document as a proposed starting point for the next few weeks of negotiations, replacing one that the parties had been working on for months.
“Based on our experience to date on issue-by-issue discussion in the (working group), our assessment has been that a streamlined, unified document would provide the best baseline for the group’s deliberations in our efforts to reach consensus for the Last Call deadline,” they wrote in the joint email. “The goal was to design a ‘package’ that addresses essential concerns of all parties in a fair manner.”
But some privacy advocates say the new document heavily favors the interests of the advertising groups on critical questions, including the appropriate methods for rendering user data anonymous.
“If you have a deal that doesn’t protect privacy, it’s not a deal worth doing,” Chester said.
For now, the long-running debate simply means Do Not Track offers very little protection for consumers. All of the major browsers have added the feature, but only a handful of companies have agreed to honor the request, including Twitter and the Associated Press. Most ad networks and sites simply ignore it.
“You could make a compelling argument that we’re in fact worse off than we were,” Consumer Watchdog’s Simpson said. “At one time people could assume that they were tracked. Now you can select Do Not Track and naively think you’ve done everything you need to do and you really haven’t.”
It’s not clear what happens if the talks ultimately break down. But at least one possibility for privacy advocates is pursuing technical solutions to these issues.
Frustrated with the pace of the conversations, Mayer did exactly that. In between his computer science and law studies at Stanford, he began developing a patch for Mozilla’s open source Firefox browser that would block third party cookies, meaning ad networks couldn’t drop the tracking software onto user’s devices without additional approval.
On his Web Policy blog on Feb. 22, he said this would become the default setting in the next version of Firefox.
The ad industry was not pleased, as exemplified by the following tweet from Mike Zaneis, general counsel for the Interactive Advertising Bureau.
Firefox to block 3rd party cookies? http://webpolicy.org/2013/02/22/the-new-firefox-cookie-policy/?utm_source=rss&utm_medium=rss&utm_campaign=the-new-firefox-cookie-policy …. This default setting would be a nuclear first strike against ad industry
In fact, it would be a slightly lower standard that Apple’s Safari browser already applies, but it caught the industry’s attention because Firefox has at least four times more market share.
A week after the most recent face-to-face W3C session, last month in Sunnyvale, Mozilla walked back Mayer’s announcement a bit, saying it would take additional time to test the feature before included it in the official version of the browser.
Mozilla co-founder Brendan Eich insisted on his blog that the organization wasn’t softening its stance on privacy. They simply wanted more time to ensure the patch wasn’t producing false positives or negatives.
“The patch as-is needs more work,” he wrote.
But some privacy advocates are dubious that advertising pressure didn’t play a part. If so, it highlights yet again the numerous political, business and technical challenges that stand in between consumers and a simple option for exercising control over their own information.