Firefox Do-Not-Track Feature Has a Fatal Flaw

Mozilla is working on a new privacy feature for its Firefox browser that will enable users to opt out of online tracking by enabling a do-not-track setting in the HTTP header. The approach is better than nothing, and arguably better than rival do-not-track proposals, but still has a fatal flaw–it relies on the tracking Web sites to play nice.

The United States Federal Trade Commission (FTC) has recognized that tracking is a privacy concern for Web-surfing citizens, and it has proposed implementation of some sort of do-not-track framework similar to the do-not-call lists that are supposed to keep annoying telemarketers from calling you.

Following the FTC call for better privacy protection, Microsoft revealed security controls in the upcoming Internet Explorer 9 which enable users to restrict tracking efforts. The problem with the Microsoft approach, though, is that it is a sort of manual black list requiring user’s to identify and block Web sites on a case by case basis. The IE9 do-not-track solution requires too much user intervention and relies too much on users being able to determine which sites need blocking.

A blog post from Mozilla’s head of privacy explains, “The advantages to the header technique are that it is less complex and simple to locate and use, it is more persistent than cookie-based solutions, and it doesn’t rely on user’s finding and loading lists of ad networks and advertisers to work,” adding, “We’re not the only ones who think this approach makes sense. The FTC calls for a “more uniform and comprehensive consumer choice mechanism for online behavioral advertising.”

The post goes on, however, to acknowledge the major hurdle facing this solution. “The challenge with adding this to the header is that it requires both browsers and sites to implement it to be fully effective.” In other words, you can set the do-not-track opt out feature in your Firefox browser all you like, but if the Web sites that are doing the tracking choose to ignore Mozilla’s do-not-track header it won’t do any good.

The problem with laws is that they only affect the law abiding, and this Mozilla privacy feature is no exception. The problem with expecting cooperation from Web sites that are tracking Internet usage and gathering information on users’ Web habits is that most of those organizations are already aware that it is ethically questionable, and that the FTC is working to combat the practice, yet they choose to continue collecting the data anyway.

Imagine a stretch of highway where the speed limit is 65 miles per hour. Some will drive under 65 mph, most will drive the established 65 mph (within reason), and a few will exceed the speed limit–possibly far exceed it. Lowering the speed limit to 55 mph would affect the first two groups–slower drivers would drive under 55 mph and most drivers would honor the 55 mph limit, but the drivers who were already speeding already knew they were speeding and are unlikely to pay attention or care about the lowered limit.

That is essentially the situation here. Some Web sites don’t track at all, most Web sites track a reasonable amount and are conscious of users’ privacy and preferences regarding tracking, but the sites that cross the line and abuse tracking already know that their activities are ethically wrong and frowned upon by both the FTC and the general public. If they cared, they wouldn’t be doing it to begin with, so they are unlikely to cooperate with Mozilla’s effort to protect privacy by honoring the do-not-track HTTP header.

I am not knocking Mozilla for trying. I certainly agree that the approach makes more sense than the IE9 do-not-track functionality, and it is better than nothing. At the same time, though, I don’t expect either solution, or threats from the FTC, to have any impact on the worst of the privacy-breaching offenders.