Digging in on 'Do Not Track'
The interest around simple, universal opt-out mechanisms for opting out of online tracking – also known as "Do Not Track" proposals – continues to grow. On Wednesday, FTC Chair Jon Leibowitz reiterated the FTC’s support for the development of such tools in testimony before the Senate Commerce’s Subcommittee on Commerce, Science, and Transportation. Earlier this week, just before Internet Explorer 9 was released to the public, Microsoft announced that it added support for an HTTP header-based "Do Not Track" mechanism to the Tracking Protection List (TPL) technology already present in its browser. We are pleased to see these steps being taken in parallel with efforts in Congress and at the White House to move baseline consumer privacy legislation forward, as both the technical proposals for "Do Not Track" and the legislative efforts are necessary to ensure that consumers are fully protected.
With a number of different technical proposals on the table for meeting the challenge of providing a universal and simple binary choice mechanism effectuated through the web browser, we thought it would be helpful to review each of the proposed mechanisms, discuss the pros and cons of each, and identify areas where standardization across browsers and web sites may be necessary. To that end, I recently co-authored a submission to the Internet Engineering Task Force (IETF) (submitted version here and a slightly updated CDT PDF version here) , one of the Internet's leading standards-setting bodies, that provides an overview of five different mechansims:
- Permanent opt-out cookies: Several browser plug-ins allow the opt-out cookies already in use by some advertising networks to be retained even when users clear their cookies.
- Cookie blocking: All major browsers include controls for blocking first and third-party cookies, which can be used to prevent some forms of tracking.
- Domain blocking: Browser functionality that blocks communication to certain web domains (as provided by a number of browser plug-ins and the TPLs in IE 9) can prevent those domains from conducting tracking.
- "Do Not Track" HTTP header: The idea of a "Do Not Track" HTTP header (now operational in both Firefox and IE 9) is to send the user’s preference not to be tracked within all or some subset of web requests. This requires some common understanding of what "tracking" means, which CDT and others have been working to develop.
- "Do Not Track" Document Object Model (DOM) property: The Document Object Model (DOM) allows a web browser to interact with web pages that are loaded in the browser. Storing a "Do Not Track" preference in the DOM (as has been implemented in IE 9) would allow code embedded in web pages to find out the user’s preference and honor it.
We hope that the overview helps to distill some of the similarities and differences between the mechanisms as the web community continues to explore them and as potential standardization efforts within both the IETF and the World Wide Web Consoritum (W3C) are considered.