Chalk up another victory for corporate surveillance: Five years after advocates came up with an easy way to let you browse the Web with just a little privacy, the Do Not Track system is in tatters and that pair of boots you looked at online last month is still stalking you from website to website.
In 2009, a few Internet privacy advocates developed an idea that was supposed to give people a way to tell websites they don’t want to be monitored as they move from website to website. The mechanism, which would eventually be built into all the major browsers, was called Do Not Track.
With a single browser setting, these advocates thought, users would be able to communicate a preference for their privacy. It would be easier than downloading add-on software or creating a blacklist of specific companies to block. Do Not Track, or DNT, would be the Web’s version of the telemarketer Do Not Call list.
But today, DNT hangs by a thread, neutered by a failure among stakeholders to reach agreement. Yes, if you turn it on in your browser, it sends a signal in the form of an HTTP header to Web companies’ servers. But it probably won’t change what data they collect.
That’s because most websites either don’t honor DNT—it’s currently a voluntary system—or they interpret it in different ways. Another problem—perhaps the biggest—is that Web companies, ad agencies and the other stakeholders have never reached agreement on what “do not track” really means.
“It was conceived to be a uniform signal,” said Sid Stamm, one of DNT’s three founders. But, “part of the problem is there’s a wide range of expectations,” said Stamm, who is senior manager of security and privacy engineering at Mozilla. Mozilla’s Firefox browser has the DNT tool, as do Safari, Internet Explorer, Chrome and Opera.
Web users who are hopeful about DNT got a small boost Wednesday in California. State Attorney General Kamala Harris issued guidelines to help companies comply with a new state law requiring them to disclose whether they honor users’ DNT requests. But the law doesn’t force them to use the system.
Today, with the exception of a few companies that act on DNT requests, its inclusion in browsers is essentially cosmetic. “The original idea was to replace a variety of opt-out mechanisms with a browser preference,” said Arvind Narayanan, a computer science professor at Princeton who worked with others on developing a standard around DNT. “But opt out of what? That’s where there’s disagreement,” he said.
Is the user opting out of being tracked altogether, being tracked for advertising purposes, or being tracked for some other reason? There is no agreement among those involved.
Some experts say DNT should focus on third-party cookies. When someone visits Facebook, for instance, it uses cookies to keep track of how the person uses the site, to provide various features around security and advertising. But Facebook also runs an advertising exchange that works with other firms to deliver ads to Facebook users based on what they do outside the social network.
It’s those third-party ad companies that should be the targets of DNT’s signal, some experts say. They include names like AppNexus, BlueKai and Conversant.
But because big online firms like Google, Yahoo and Facebook also run ad exchanges that place ads across the wider Web, DNT might apply to them too.
The whole thing is a mess. Yahoo recently said it would no longer honor the DNT signal, citing the lack of “a single standard that is effective, easy to use and has been adopted by the broader tech industry.” Instead, Yahoo says its users can manage their privacy settings themselves with tools on its site.
It’s hard to get a firm count on how many companies honor, in some way, DNT. DoNotTrack.Us, a website maintained by Stanford researcher Jonathan Mayer and Princeton’s Narayanan, pegs the number at under two dozen, though the list is not regularly updated.
But maybe the list should be empty. “There is no such thing as Do Not Track right now,” said Mike Zaneis, executive vice president, public policy, and general counsel at the Interactive Advertising Bureau. “It’s a gimmicky marketing term,” he said.
Twitter and Pinterest are two of the few household names on the “good actor” list, which is reflected in their privacy policies.
Money could also be driving companies’ refusal to honor DNT, given that their businesses largely run on ad dollars. Delivering ads to the right people at the right time is harder if they’re hiding from you.
“DNT isn’t being honored because advertising companies like Yahoo just don’t care very much about user privacy, or haven’t been forced to care,” said Peter Eckersley, technology projects director at the Electronic Frontier Foundation, via email. Eckersley is also someone who has worked on the DNT technology to develop a standard, so far to no avail.
There are plenty of other privacy-themed browser extensions, search engines and even social networks out there now, designed to block tracking and targeted ads. The browser extensions, like Ghostery or AdBlock Plus, are designed to automatically prevent the person’s browser from connecting to ad companies’ servers.
Research conducted by Evidon, which makes Ghostery, shows these tools are better at keeping users anonymous than DNT. They work better because using them is like locking your house, versus putting a sign in your yard that says, “keep out,” said Princeton’s Narayanan.
The future doesn’t look bright for DNT. Progress toward a standard has been slow. The World Wide Web Consortium recently published a paper aimed at a standard, but it’s long overdue.
The Electronic Frontier Foundation has voiced fears that any standard that does come about may be so watered down that it won’t have any real protections. If there is a stronger standard, regulatory action could be the only thing to get companies to comply.
Chris Soghoian, an Internet privacy researcher and activist who led much of the original development of DNT, foresaw the challenges from the get-go.
“The technology behind implementing the Do Not Track header is trivially easy,” he wrote in a blog post in 2011. The more complex problem revolves around what ad networks should do when they receive the header, he said, which is “very much still up in the air.”
Three years later, that problem persists.