Creating A Standard Is Tougher Than It Looks, Apparently
The World Wide Web Consortium, an international group of academics, consumer advocates, and representatives from business, has among its mandates one of acute interest to the online ad industry: how web sites should respond when a user says he'd rather not be tracked, a so-called "Do Not Track" standard.
But that narrow goal has proven nettlesome to the point of distraction. Rather than moving close to a solution, this non-governmental body is taking the concept of government sausage-making to a whole new level.
Granted, its entire process was thrown into flux when Microsoft introduced its default do not track (DNT) system in its latest version of Internet Explorer late last year. Redmond decided that the best way to serve consumers was to turn off tracking by default and allow them to elect to be tracked by third parties if they wanted to.
The online ad industry collectively decided to disregard the DNT signals sent by the IE browser, rendering it largely ineffectual from a consumer privacy standpoint. At issue was the fact that the IE tool was turned on automatically, which industry and others said defied the true mission of providing consumers with the choice to turn off tracking.
Some observers also suggest the sluggish W3C process and industry's reaction to Microsoft inspired Firefox maker Mozilla to make its recent, controversial privacy move, in part because the W3C project appeared stalled. The next version of Firefox will include a default setting that disables third-party cookies. Many in the digital ad industry, including the Interactive Advertising Bureau, believe the move will severely harm the ability of small publishers to earn ad revenue, and unfairly reward larger publishers with sales teams and lots of first-party data. Others, including the Online Publishers Association, which represents mainly large brand-name publishers, say Mozilla's plans will not wreak havoc on the ad-supported Internet.
So, is the W3C at a standstill? Not according to Peter Swire, the recently named co-chair of the W3C's Tracking Protection Working Group. The working group, a coalition of around 100 digital privacy and legal wonks, is tasked with coming up with a DNT standard. "Full Steam on Do Not Track," wrote Mr. Swire in a W3C blog post on February 12, noting, "we are now on a path to devising a workable, meaningful standard."
It's a windy path fraught with brambles of legalese and tangential rabbit holes. "I am struck by the intensive level of labyrinthine minutiae involved in these discussions at this point," said Pam Dixon, executive director of World Privacy Forum. Ms. Dixon is not a member of the working group, but its email archives can be viewed online for anyone to get lost in.
More than 350 messages from around 40 working group participants have been disseminated this month alone. Many of them carried on a conversation that gained steam in February aimed at defining first-party and multiple first-party cookies.
Never heard of multiple first-parties? Well, the working group is still trying to wrap its own hydra heads around that one, too.
Justin Brookman, director of the Center for Democracy and Technology's Project on Consumer Privacy, and a frequent W3C conversationalist, took a stab earlier this month. "On multiple first parties, I still think the simplest and most intuitive solution is that the owner of the domain visible in the address bar is the only first party absent deliberate interaction with a branded widget," he wrote in an email sent to W3C colleagues.
Facebook came up often in the discussions. If someone has DNT enabled and visits the Macy's page on Facebook, who would be a first party, the participants wondered. If both are, this could be a multiple first-party situation, potentially allowing tracking by the first parties, depending on the ultimate DNT specs. Mr. Brookman argued Facebook would be the only first party in the scenario:
"I think Facebook should be the first party and Macy's (and everyone else) a third party. If someone posts on the page, likes something, etc., that's a communication to Facebook, but Facebook has the ability to share that information with Macy's and my friends, consistent with my privacy settings. I just visited Facebook.com/Macys — my expectation going there is that Facebook might know that I as a logged-in user went to the page, but I sure don't expect Macys to know I went there based on a passive visit."
Facebook is the only company tracking interactions on its platform, so the example is merely hypothetical.
In the same thread, privacy advocate John Simpson of Consumer Watchdog asked, "Isn't the issue whether Facebook could share all of the data it has gathered elsewhere on the Facebook platform with Macy's?"
"I have found the discussion which has focused on increasingly blurry distinctions between 'first parties' and 'third parties' disappointing and frustrating," noted Marc Groman, executive director and general counsel of the Network Advertising Initiative, the first large industry initiative, established in 2000, enabling people to opt out of tracking and targeting by ad networks and exchanges. "The only incentive created by the proposed DNT framework is an incentive to become a big first party. I hope that policymakers will carefully consider the potential impact of that on our diverse, dynamic, innovative and ad-supported Internet."
The W3C working group is still determining its definitions for first-party and third-party cookies, and is "very close," said Mr. Brookman in an email. He also suggested a final definition for multiple first-parties is on its way.
But the body is not known for its rapid-fire decision making. When it was formed in September of 2011, leaders suggested in a blog post that the group had "an ambitious timeline of publishing standards by mid 2012."