There is a lot of discussion about Do Not Track at the moment. The FTC has announced support for the idea; Mozilla has added a Do Not Track header option into Firefox betas, and Congresswoman Jackie Speier has introduced a Do Not Track bill. Other proposed privacy legislation, such as Rep. Bobby Rush's bill, could also achieve similar objectives. And yesterday, EFF submitted comments urging the Federal Trade Commission to defend online privacy by supporting the header-based Do Not Track feature.
Do Not Track is important because it creates a policy mechanism to augment the privacy enhancing technologies that we currently have. There is an arms race between practical privacy tools and ubiquitous online tracking, and we fear that the trackers have powerful techniques that will almost always allow them to win the arms race against ordinary people.
Some other anti-tracking technologies have also been discussed a lot recently, including Microsoft's IE 9 Tracking Protection Lists, and AdBlock Plus with EasyPrivacy. These are great tools, and very much complementary to the Do Not Track header proposal. We'll be posting about them at greater length soon.
Do Not Track is a technically simple proposal: add a header[1] to the messages that browsers and other HTTP clients send when they fetch web pages. The header simply requests that webservers not track the user's behavior. It could be turned on if the user enters "private browsing mode", or if they have enabled a separate configuration setting.
There is more flexibility on the policy side of Do Not Track: "what is tracking?" "what should websites do to avoid tracking users who set the DNT header?" "would any websites be required to comply with the header?"
There is a spectrum of good answers to each of these questions. This post will try to set out what we think some of the good answers are.
What is Tracking?
Tracking is a very simple, general concept. A good definition would be:
Tracking is the retention of information that can be used to connect records of a person's actions or reading habits across space, cyberspace, or time.
Despite this simple answer, we believe that there are some kinds of web tracking which — while they are still tracking — may not need to be categorically prohibited when the DNT header is set. A reasonable set of exceptions might be:
- Tracking that is limited to a single "1st party"[1] website (either by the website itself or by an analytics provider subject to suitable contractual and technical protections)
- Tracking that is necessary to prevent fraud or respond to security incidents, provided such data is minimized, only kept for as long as necessary, and not used for other purposes.
- Tracking of users who have agreed to a clear and non-confusing “opt back in”
- Tracking that is necessary to complete an online transaction that the user has engaged in.
The existence of such excepted kinds of tracking does not, of course, mean that websites should not consider respecting DNT where possible in these cases too. For instance, we hope that many 1st party domains will choose to adopt limited logging and retention practices for users who enable DNT. There are other definitions of tracking that have been proposed. For instance, CDT proposed a slightly different draft definition, and our approach is largely in agreement with theirs.[2]
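To make the header mechanism and the exception list above concrete, here is a small server-side decision routine. This is an added example, not code from EFF or from any browser or server vendor. It assumes the header is sent as `DNT: 1` (the form the Firefox betas use), that the server already knows from its own session state whether a request completes a transaction, responds to a security incident, or comes from a user who opted back in, and that "same site" can be approximated by comparing the last two labels of the Host and Referer hostnames (a real deployment would use the public suffix list). The sample requests are constructed, not captured traffic.

```python
"""Server-side handling of the Do Not Track (DNT) request header.

Added example. Assumes ``DNT: 1`` as the header form and that transaction,
opt-in and security-incident state come from the server's own records.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Decision:
    may_track: bool
    reason: str


def _lower(headers):
    """HTTP header names are case-insensitive; normalise once for lookups."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def dnt_requested(headers):
    """True when the client sent ``DNT: 1`` (assumed header form)."""
    return _lower(headers).get("dnt") == "1"


def registrable_host(host):
    """Collapse a hostname to its last two labels so subdomains of one site
    count as the same party. Assumption for this example only: production
    code should consult the public suffix list instead of this crude rule."""
    labels = host.lower().split(":")[0].split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_first_party(headers):
    """A request is 1st party when the page in the address bar (Referer) and
    the resource being fetched (Host) belong to the same site. A missing
    Referer is treated as a top-level navigation, i.e. 1st party."""
    h = _lower(headers)
    referer = h.get("referer")
    if not referer:
        return True
    ref_host = urlsplit(referer).hostname or ""
    return registrable_host(ref_host) == registrable_host(h.get("host", ""))


def tracking_decision(headers, *, in_transaction=False, opted_back_in=False,
                      security_incident=False):
    """Apply the DNT exception list: explicit consent and transactional or
    security needs first, then the 1st-party carve-out, else no retention."""
    if not dnt_requested(headers):
        return Decision(True, "no DNT header: normal policy applies")
    if opted_back_in:
        return Decision(True, "user gave a clear opt-back-in")
    if in_transaction:
        return Decision(True, "needed to complete the user's transaction")
    if security_incident:
        return Decision(True, "fraud/security exception (minimise, expire, no reuse)")
    if is_first_party(headers):
        return Decision(True, "1st-party tracking; limited logging still recommended")
    return Decision(False, "3rd-party tracking of a DNT user: do not retain")


def log_record(headers, client_ip, cookie, decision):
    """Build the access-log entry. When tracking is not permitted, keep only
    fields that cannot connect this request to the user's other visits."""
    h = _lower(headers)
    record = {"host": h.get("host", ""), "dnt": dnt_requested(headers),
              "tracking": decision.may_track}
    if decision.may_track:
        record.update(client_ip=client_ip, cookie=cookie,
                      user_agent=h.get("user-agent", ""))
    return record


# Constructed sample requests (not captured traffic).
THIRD_PARTY = {"Host": "tracker.example.net",
               "Referer": "https://news.example.com/story",
               "User-Agent": "ExampleBrowser/1.0", "DNT": "1"}
FIRST_PARTY = {"Host": "www.example.com",
               "Referer": "https://example.com/", "DNT": "1"}
NO_DNT = {"Host": "tracker.example.net",
          "Referer": "https://news.example.com/story"}

if __name__ == "__main__":
    for name, req in [("third party", THIRD_PARTY),
                      ("first party", FIRST_PARTY), ("no DNT", NO_DNT)]:
        d = tracking_decision(req)
        print(f"{name:12s} may_track={d.may_track}  {d.reason}")
        print("    log:", log_record(req, "192.0.2.10", "id=abc123", d))
```

The ordering in `tracking_decision` matters: consent and transactional need are checked before the party test, so a 3rd-party domain that the user has explicitly opted back into is still allowed, while an ordinary tracking pixel loaded from a different site by a DNT user is refused and logged without IP, cookie or User-Agent.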
What should websites do in response to the DNT header? Should they be required to comply?
For most websites, and especially 1st party websites, DNT may make more sense as a voluntary convention, like ROBOTS.TXT, rather than a mandatory rule. However, there is a subset of websites where there is a stronger case for requiring compliance with DNT. These are the websites that (1) act as 3rd party tracking domains, invisibly monitoring people's reading habits as they browse the web; and (2) monitor a large number of users' browsing. There are several approaches to incentivizing compliance by large 3rd parties — some commentators have called for pressure in the marketplace via technical means ("if a large 3rd party appears not to be complying with DNT, add it to privacy blacklists"); the Rush bill incentivizes compliance with DNT-style opt outs through a "safe harbor" mechanism, while the Speier bill is more direct. We believe that legislation granting narrow authority to the FTC to set opt-out standards could be constructive, provided it focuses on the task of incentivizing compliance with consumers' preferences and avoids mandating particular technical methods of compliance.
Will a header always be the best mechanism for DNT?
Not necessarily. Over time, we will have new platforms and protocols to which DNT should apply, and perhaps more granular controls for users to express their preferences. Whatever path we follow for getting DNT deployed by browsers and respected by servers, we should be planning to have opt-out standards that evolve and support innovation.
[1] Standard terminology is that the website you can see in your browser's address bar is the "1st party" and other domains in the hypertext page are "3rd parties". It would have made more sense to say that you are the 1st party; the website you're looking at is the 2nd party, and embedded domains are 3rd parties.
[2] We think it makes slightly more sense to draw the line at the "retention" of tracking data, rather than "collection and correlation", because when trying to enforce DNT it's hard to tell the difference between data that is retained and correlated and data that is retained and not correlated.