Sunday, July 28, 2013

Do Not Track

Disclaimer: The opinions expressed in this post are, for better or for worse, my own and are not intended to reflect the policies or positions of my employer, Oracle, or those of the W3C.

If you have Do Not Track on your radar, you must have seen a number of news items and blogs, most of them reporting that the Do Not Track initiative is deadlocked, at an impasse. See, for example, from Bloomberg: "Web’s Mad Men Fight Browser Makers Over Online Tracking", which starts off by saying: "Yahoo!, AOL and other companies dependent on Internet ad revenue are fighting Web-browser makers, including Microsoft, over how to let consumers avoid being tracked online." See also the New York Times blog "Wrangling over 'Do Not Track'", and review Don't Track Us and Dan Appelquist's blog.

If you have not been following, Do Not Track is a W3C working group that is attempting to standardize an HTTP header that indicates that the user does not want his visits to websites to be tracked and his personal data collected and shared with advertising networks. Other aspects of the proposed standard include a well-known location (URI) for providing a machine-readable tracking status resource that describes a service's DNT compliance, and an HTTP response header field for resources to communicate their compliance or non-compliance with the user's expressed preference. The Working Group has been meeting for about two years, and browser makers have enabled a Do Not Track option, some of them turning it on by default, but compliance from advertisers has yet to come.
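The three pieces described above, seen from the server side, as an added example that is not from the original post or from the W3C. The names `DNT`, `Tk`, `/.well-known/dnt/` and the `tracking` member are assumed from the W3C Tracking Preference Expression draft; the request shapes, the `/ads/profile.js` script and the choice to treat a missing header as permission to track are constructed for illustration.

```python
import json

# Names assumed from the W3C Tracking Preference Expression draft, not from the post:
# request header "DNT", response header "Tk", status resource at "/.well-known/dnt/".
STATUS_PATH = "/.well-known/dnt/"

def dnt_preference(headers):
    """True = do not track, False = tracking permitted, None = no valid preference sent."""
    for name, value in headers.items():
        if name.lower() == "dnt":        # header names are case-insensitive
            first = value.strip()[:1]    # the first character carries the preference
            if first == "1":
                return True
            if first == "0":
                return False
    return None

def tracking_status(headers):
    """'N' (not tracking) when the user asked not to be tracked, otherwise 'T'.

    Assumption of this sketch: a missing or malformed header is treated as no objection.
    """
    return "N" if dnt_preference(headers) is True else "T"

def respond(path, headers):
    """Return (status, response_headers, body) for a constructed, framework-free request."""
    tsv = tracking_status(headers)
    # Vary keeps a shared cache from replaying the tracked response to a DNT: 1 user.
    out = {"Tk": tsv, "Vary": "DNT"}
    if path == STATUS_PATH:
        out["Content-Type"] = "application/json"
        return 200, out, json.dumps({"tracking": tsv})
    body = "<p>article</p>"
    if tsv == "T":
        body += '<script src="/ads/profile.js"></script>'  # hypothetical tracking script
    return 200, out, body

if __name__ == "__main__":
    # Constructed requests: preference on, preference off, no preference expressed.
    for hdrs in ({"DNT": "1"}, {"dnt": "0"}, {}):
        print(hdrs, respond("/news", hdrs)[1]["Tk"], respond(STATUS_PATH, hdrs)[2])
```

The check that matters for compliance is the last branch of `respond`: the `Tk` value is only a claim, and it is honest only if the tracking script is really withheld when the claim is `N`.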

At the 2011 Web Tracking Workshop one of the arguments advanced for starting the Do Not Track WG was that if the industry did not agree on a standard it would be imposed on them by legislation.

In May 2011 the EU published an EU e-Privacy directive that requires websites to indicate on the page whether cookies are being used, where to go for more information and how to give or withhold consent. If you visit, for example, the Guardian website, there is a banner right at the top that says cookies are being used and points you to a link that tells you more about how the Guardian uses cookies. There is no such legislation in sight for the U.S.

Another option is, of course, self regulation or voluntary compliance. Have you seen the AdChoice icon?

This is brought to us by the Digital Advertising Alliance (DAA), a coalition of advertisers, publishers, and marketers that has been working to increase transparency on the Web and create controls for online advertising. This clickable icon floats near ads and is meant to give users information about targeted ads and the data collected by ads. It also gives users a Do Not Track option. Now, the AdChoice icon is coming to mobile browsers.

The DAA says that the AdChoice icon is used in 30 countries, but I have not seen a lot of it on the websites I frequent; that may be just me and where I walk.

On July 26, 2013, the New York Times reported agreement by a variety of groups, including app developers and consumer advocates, to test a voluntary code of conduct that would require participating app developers to offer notices about whether their apps collect certain personal data from users or share user-specific data with entities like advertising networks or consumer data resellers.

So, perhaps, we will end up with self-regulation; better than nothing but not really enough. Self-regulation may stave off legislation, but it is unenforceable and it depends upon the cooperation and goodwill of advertisers :-( .
