Tuesday, October 16, 2012

Do Not Track, Why Does it Matter?

Figure [1]: Do Not Track
If you're a software developer or browser power user, it's likely you've heard some discussion around Do Not Track (DNT) features[2]. Like the name implies, DNT communicates to the application the user's desire not to be tracked[3] -- simple enough. The firestorm around DNT is about its implications for individual privacy and industry access to your personal information.

From a technical perspective, DNT is implemented as an HTTP header and sent by the web browser to the web application.  The application receives the DNT header and hopefully honors the user's wishes.  The setting is user adjustable via browser configuration settings, if supported.  The technologies are well established and relatively simple to implement.

The meaning of DNT is clear enough to many users and hardly requires explanation. However, advertisers steadfastly refuse DNT since it impacts access to users' personal data, favoring self-regulation or other measures instead. The Digital Advertising Alliance (DAA), representing over 5000 advertisers, does not support DNT[7]. So what's the problem? Are the specifications not clear enough? Does nobody understand that users value their privacy? No, not at all. So if industry understands what we want, why don't they keep our information private? A Verizon exec captures the industry viewpoint about your data succinctly -- "Data is the new oil"[8]. To me that says our personal data is an incredibly valuable product. A trip to the gas pump helps put the comparison in perspective.

The challenges of DNT are...
  • How best to implement within the applications.
  • Industry favors unfettered access to your personal information.
  • Support for DNT is voluntary.  Few rules and consequences around use or even abuse of your data.
  • Incredible financial incentive exists not to implement DNT.
  • It's not clear when -- if ever -- DNT will be formally adopted by the IETF.  In fact, it's not looking good at all.

Beyond the commercialization of your data, there are practical reasons to retain some user information. Clearly, information about the user must be retained to promote a good experience with the application. Imagine if Facebook didn't have access to your list of friends -- the service would not be very useful. Implementation of "no tracking" in the strictest sense is not desirable for anyone. On the other end of the spectrum, data brokers gathering your personal information for resale is likely considered abusive by most users; that is, if they were even aware their data was being sold. All this begs the question, what is considered good and bad tracking?

A Stanford University team did a pretty good job of defining good and bad tracking[6]. Their starting point was to consider tracking from the user's perspective. A site you visit and interact with directly is considered a 1st party. Sites you do not interact with directly are considered 3rd parties. The scope of DNT applies specifically to 3rd parties. Any practices defining bad tracking apply to 3rd party use of your information. Of course, there are some legitimate 3rd party uses, like supporting infrastructure services, so the definition is tricky.
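
The header check described earlier, limited to third-party requests as in the Stanford definition, shown as an added example (not code from this post or from any cited project). The host names, the `uid` cookie and the Referer-based context test are assumptions for illustration; `DNT: 1` is the opt-out value the browser sends.

```python
from urllib.parse import urlsplit

# Constructed for this example: hosts the operator runs itself (first party).
OWN_HOSTS = {"widgets.example", "www.widgets.example"}


def header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def dnt_opt_out(headers):
    """True only for `DNT: 1`; an absent header means no stated preference."""
    return header(headers, "DNT") == "1"


def is_third_party(headers):
    """Third party when the embedding page (Referer) is not one of OWN_HOSTS.

    A missing or hostless Referer counts as third party, so the opt-out
    fails closed when the context is unknown.
    """
    host = urlsplit(header(headers, "Referer") or "").hostname
    return host not in OWN_HOSTS


def handle(headers, visitor_id):
    """Return (response_headers, log_record) for one widget request."""
    response = [("Vary", "DNT")]  # caches must not mix the two variants
    record = {"event": "widget_load"}
    if dnt_opt_out(headers) and is_third_party(headers):
        return response, record  # no identifier cookie, no per-user log fields
    response.append(("Set-Cookie", f"uid={visitor_id}; Secure; HttpOnly"))
    record.update(uid=visitor_id, page=header(headers, "Referer"))
    return response, record
```

Honoring the preference covers what is stored as well as what is sent: the opt-out branch leaves the identifier and the visited page out of the log record, not just the cookie out of the response.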

Thinking more about data again. On a deeper and more personal level, information about your present medical and financial conditions and history that you post to friends on social media can be gathered and used by potential employers and insurance companies to their benefit. Be mindful of everything you discuss online and every bit of personal information you enter. Unlike derogatory credit reporting data, there is no limitation on the life span of derogatory social media data, or even rules about how your personal Internet data may be traded or brokered[5]. My rule of thumb: if it's technologically possible to achieve and beneficial to some person or group, then I assume it's being done.

"If you don't know who the customer of the product you are using is, you don't know what the product is for. We are not the customers...we are the product".  --Doug Rushkoff[4]

So to answer, why does DNT matter? DNT matters because it communicates the individual's desire not to be tracked. Any web site that does not comply with your privacy wishes runs the risk of a flogging by the court of public opinion. DNT stabs at the very heart of information profiteers benefiting by knowing everything about you.

Individual privacy is an unfolding drama that will take years to sort out, but I have every confidence it will be sorted out. I have faith the industry will continue to misbehave, and regulators will do what they do best -- nothing, or err on the side of more money for business. Eventually, the confluence of injustice will produce a public outcry for privacy the likes of which we have never seen. Already privacy is in the news every day.

Most people understand that to use a really good web site for free, they must give up something. Most think in terms of tolerating some advertisements in the web page. However, many don't have a good understanding of what is being negotiated away, and industry likes it that way -- but people are learning fast.

[1] Bug. Digital image. http://donottrack.us/. Stanford, n.d. Web. 10 Oct. 2012 <http://donottrack.us/images/bug.png>.
[2] "Do Not Track." - Universal Web Tracking Opt Out. Stanford, n.d. Web. 10 Oct. 2012. <http://donottrack.us/>.
[3] Mayer, J., A. Narayanan, and S. Stamm. "Do Not Track: A Universal Third-Party Web Tracking Opt Out Draft-mayer-do-not-track-00." Ietf.org. Internet Engineering Task Force, 7 Mar. 2011. Web. 10 Oct. 2012. <http://tools.ietf.org/id/draft-mayer-do-not-track-00.txt>.
[4] Solon, Olivia. "You Are Facebook's Product, Not Customer." Wired UK. Wired.co.uk, 21 Sept. 2011. Web. 11 Oct. 2012. <http://www.wired.co.uk/news/archive/2011-09/21/doug-rushkoff-hello-etsy>.
[5] Singer, Natasha. "Senator Opens Investigation of Data Brokers." The New York Times. The New York Times, 11 Oct. 2012. Web. 11 Oct. 2012. <http://www.nytimes.com/2012/10/11/technology/senator-opens-investigation-of-data-brokers.html?_r=0>.
[6] Mayer, Jonathan, and Arvind Narayanan, Ph.D. "Re: Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers." Letter to Federal Trade Commission, Office of the Secretary. 18 Feb. 2011. Donottrack.us. Stanford University, n.d. Web. 12 Oct. 2012. <http://donottrack.us/docs/FTC_Privacy_Comment_Stanford.pdf>.
[7] Naples, Mark. "DAA Statement on DNT Browser Settings." BusinessWire.com. WIT Strategy, For the DAA, 9 Oct. 2012. Web. 16 Oct. 2012. <http://www.businesswire.com/news/home/20121009005980/en/DAA-Statement-DNT-Browser-Settings>.
[8] Morran, Chris. "Does Verizon’s Monitoring Of Customer Behavior Violate Wiretap Laws?" Http://consumerist.com/. The Consumerist, 16 Oct. 2012. Web. 17 Oct. 2012. <http://consumerist.com/2012/10/16/does-verizons-monitoring-of-customer-behavior-violate-wiretap-laws/>.
