After nearly two years of negotiations over how to put in effect a standardized “Do Not Track†mechanism for online users, Apple, Microsoft and Mozilla, along with some consumer and privacy groups, have lined up against the online advertising industry.
The parties have been wrangling over how to provide a uniform option, called Do Not Track, that would allow individuals to opt out of having information about their online actions collected, retained and analyzed for purposes - like ads tailored to user behavior - not directly related to their activities.
Browsers including Microsoft’s Internet Explorer and Mozilla’s Firefox already include such Do Not Track options for users. Until the ad industry, technology firms and advocacy groups come to an agreement, however, the don’t-track-me browser settings represent little more than symbolic consumer flags that companies are free to ignore. An international Web standards body called the World Wide Web Consortium, or W3C, is overseeing the working group that has been trying to reach a consensus on the mechanism.
But last week, a variety of participants rejected a last-minute proposal spearheaded by the Digital Advertising Alliance, or D.A.A., an industry self-regulatory body, that would have defined the Do Not Track option as prohibiting ad networks from retaining the URLs of the sites a user visited, but permitting the categorization or scoring of users based on their browsing activities.
“Mozilla doesn’t believe the D.A.A. proposal aligns with user expectations of a Do Not Track feature, and it is a step in the wrong direction for any privacy technology,†Sid Stamm, the lead privacy engineer at Mozilla, wrote in his response. People are choosing the Do Not Track browser setting, Mr. Stamm said, because “they want unauthorized data collection and tracking to stop. Making a weaker standard where collection continues as-is and compliant service providers only claim to use the data for fewer things would clearly be ignoring these widespread pleas.â€
Yahoo and Nielsen, along with advertising and marketing industry groups, rejected a proposal put forward in June by Peter Swire with Matthias Schunter, the co-chairs of the W3C working group, as too stringent to be workable. Mr. Swire is a law professor at Ohio State University, and Mr. Schunter is chief technologist at the Intel Collaborative Research Institute for Secure Computing.
“The June draft doesn’t provide for a framework that will likely be adopted by much, if any, of the online ecosystem that relies on advertising to monetize their free services - which is the vast majority of online user engagement today,†Shane Wiley, the vice president of privacy and data governance at Yahoo, wrote in his objection. “The working group should appropriately leverage the option that has the greatest chance of mass, global adoption, which is the D.A.A. proposal.â€
Working group participants say they expect the co-chairmen to issue a decision taking participants’ objections into account in the next few days. Mr. Swire did not return e-mails seeking comment.
Among the contentious issues the co-chairs are expected to weigh in on is the very definition of “Do Not Track.†That is whether users who activate the don’t-track-me features will only be able to opt out of receiving targeted advertising - an option offered already by the digital ad industry - or whether they will also be able to restrict some data-mining of their online activities.
In fact, some participants in the W3C negotiations have contended that data collection itself, not advertising based on user data harvesting, has the potential to harm consumers.
Witness this exchange last year between Mr. Wiley of Yahoo, who argued that data usage was the issue, not data collection, and David Singer, a multimedia and software standards expert at Apple, who disagreed.
“The issue,†Mr. Wiley wrote, “is that those records don’t represent your behavior unless someone uses them to try to determine your behaviorâ€
Mr. Singer responded:
They may represent my behavior and then become available to someone who I never agreed could know anything about me. Isn’t that one of the essences of privacy - being able to choose who knows what about you? *Secrecy* is choosing things that *no-one* will know about me. Privacy is at least partly having some say over who knows what about you, isn’t it? Yes, the actual harm happens when you become aware through some negative impact of that unwanted information, but the privacy problem is with the information, not the later harm.
If the local drugstore keeps records of my nonprescription purchases, and later my insurance company discovers from them that I buy a lot of painkillers, and they later deny me health coverage because they suspect I have a condition, when did the privacy problem occur? It’s somewhere in the keeping of records and their being available to the insurance company, isn’t it? The denial of coverage (the thing I see) is (‘just’) a symptom.
