Edward Snowden might just about have had enough Caramel Pecanbons® from his friendly Russian airport Cinnabon but the debate on what data governments should be allowed to collect rages on. For the vast majority of law-abiding citizens, however, the main threat to privacy is not NSA high-tech spying (at least so far). It’s the routine, day-to-day tracking of your every click by businesses and advertisers that makes us question if we are still able to decide what should stay private online.
But surprise! – in this world of 24/7 data collection there is currently some movement towards more privacy protection for consumers. The most ambitious effort is the ongoing attempt to come up with a uniform Do Not Track (DNT) standard. The W3C just this week announced that it has chosen “a foundation” for future discussions on ad targeting. The fact that this is billed as major progress shows the gridlock in the “Tracking Protection Working Group”.
So what exactly is DNT? Essentially, it is a HTTP header that is sent every time a browser requests a web page, asking advertisers and other third parties not to follow the user around the web. From a privacy protection standpoint, this is necessary because advertising networks and other entities are tracking a users’ behavior online and serving up corresponding ads. It’s the phenomenon of the “following ad” we all know – when suddenly all the ads we see are about the hiking shoes we looked at half an hour ago.
This practice is called “behavioral retargeting” and it’s done through cookies. The amount of cookies has risen sharply in recent years, with the top 100 websites serving up an average of 57 cookies. If you value your privacy (so-called), browser or device fingerprinting is even more worrisome. This technique combines readily available information (browser version, plugins and fonts installed, language etc.) for a unique user profile.
According to a study of the Electronic Frontier Foundation, 83% of browsers have uniquely identifiably fingerprints (94% if Flash installed). This means that even if you diligently delete cookies, it is still likely that you are being tracked. In this scenario users have lost control over their data as they have no way of opting out.
As the informed reader knows, the DNT header is already supported in almost all major browsers. But there is no obligation to honor the request – so most tracking companies don’t. They do have some powerful arguments. Advertising revenue is the fuel that keeps the Internet’s free content machine running, and targeted ads are the ones that really work. The “long tail” of small online businesses especially relies on them as they lack the size to sell their own ads. Plus, consumers often can’t make up their minds. They overwhelmingly support DNT but would also prefer customized offerings.
So that’s where DNT stands: caught between public support for more individual privacy rights and a well-financed business coalition pointing to the collective economic benefits of continued data collection. But over the last few months a powerful force has taken up the fight for privacy and DNT: browser manufacturers.
First, Microsoft opted to set Internet Explorer 10’s default to DNT-on which was quickly rendered ineffective by an update to the ubiquitous Apache Server. Then, Mozilla announced that it would block cookies by default in its upcoming Firefox versions. Apple also announced its support for DNT, bringing all major browser makers – except for Google, of course – into the pro-DNT camp. (To be fair, Chrome does have a DNT option). According to advertising industry sources, 25% of web users are already sending the DNT signal with the number to grow to 50% in the near future.
DNT is still only a signal of intent as tracking companies don’t have to honor the request. But the default blocking of cookies in a majority of browsers could make a real difference. Some expect a continued “arms race” between browser makers and online advertisers pitting new privacy features against smarter tracking mechanisms. In the long run, however, it seems likely that some kind of regulation will be enacted. Retiring Senator Jay Rockefeller (D-WV) seems eager to push both sides towards an agreement. His Do-Not-Track-Online Bill would give the FTC broad powers to enforce DNT and is designed to put pressure on the industry.
Most likely, all this will not solve all privacy issues online. It will also not devastate the online economy as advertisers claim. It’s just another round in the long fight between privacy rights and business interests. Somewhat surprisingly, this time privacy might win.