CFP 2011: “Do Not Track” Debate
So, do you want to be followed around by shadowy corporations compiling deep profiles about your activities on the Internet? Or would you prefer to enjoy hundreds of free online services, such as Google Search, which are supported by advertising revenue? The issue that these questions revolve around — developing user profiles that make it profitable to advertise on the Internet — was debated in a panel discussion on the first day of the Computers, Freedom, and Privacy 2011 conference.
The speakers in favor of a Do Not Track mechanism were arguing in favor of a proposed Internet standard that would embed the online equivalent of a “don’t call” list in your Web browser. Your desire to be tracked or not would be a simple on-off switch; when this switch is turned on, every Web page you request would also tell the Web site that you do not want your information to be compiled, resold, or data-mined.
But those against a Do Not Track approach stated that this option was too broad and would have unintended consequences: if you make it easy to shut off the entire flow of data — or worse in their opinion, the default situation — the revenue that drives all of the free services we have come to rely upon would dry up.
The Internet as presently implemented uses browser cookies to “solve” this problem, and solve is in quotes because it arguably doesn’t do a very good job of giving users any control over their privacy. It is exceedingly difficult for even technical users to discover how many third-party companies are being pinged with your data when you visit a Web page; Chris Soghoian from the Center for Applied Cybersecurity Research cited the Wall Street Journal’s site as sharing its Web data with 38 outside companies (although it was unclear if this was an accurate count, or a rhetorical flourish). The issue, as he put it, is whether we should move on to use the Do Not Track header, which provides more control to every user, or use
sledgehammer-like approaches such as ad-blocking services that shut down the entire torrent of targeted ads.
Not so fast, countered the opposition. A header system that makes it easy to block tracking mechanisms will have the unintended consequence of making it too easy; users will cease to benefit from tracking mechanisms in their favor, such as advertisements that are actually interesting, or other adjustments to the presentation and content of Web data designed to make the information more useful. The biggest concern, they said, was that the U.S. federal government may step in with a heavy-handed approach that will stifle free market innovation and new information services. The European Union is already moving in this direction, and its draft directive to implement privacy by default will make many online services impossible in
I’ll switch to editorializing here; if you want to watch the debate yourself, I’ll post the link here as soon as I have it.
My biggest issue with the people arguing against the Do Not Track header implementation was that many of their arguments were disingenuous; all three speakers were clearly well-versed in both the business and technical aspects of what they were presenting, and as such, they should have seen several flaws in their arguments.
Argument 1: Opposing Do Not Track promotes user empowerment, as it provides more granular ability for people to control what they see. This argument relies on the fact that you can now delete individual cookies, whereas a master switch would be all-or-nothing.
The problem with this is how many Internet users are “12:00 flashers,” meaning the people back in the 90s who were incapable of setting their VCR clocks. Today’s equivalent: the millions of people who type “google” into a Google search bar to get to Google, where they search for “apple” to get to Apple’s Web site.
These people do not want or need to be “empowered.” Empowerment in this sense is the privacy controls on Facebook: they’re granular, but they’re so darned hard to use — deliberately so, in my opinion — that most people don’t know they’re there, or what they’re for. “Empowerment” in this sense is code for “if we make it difficult, we’ll keep our status quo.”
Argument 2: If people stop trusting the Internet because their privacy is being exploited, that will kill Internet commerce; therefore, the free market can be trusted to set up a safe system.
I think this argument is a bit more difficult to untangle, but if I may be allowed to make an assertion without evidence: few people still think of “the Internet” as a monolithic system that can or cannot be trusted. It is simply too convenient to order books from Amazon and check your bank account statements online; the tipping point of “trust,” which was a serious issue ten years ago, has been passed. I’ve personally lost track of how many times Sony has had its PlayStation network hacked, or what data are circulating in the wild, but over ninety percent of their customers are back online. It seems to me that until anthrax is
literally digitized and attachable to email, we’re not going to drive many people away from online commerce.
Argument 3: The data that people are providing are mostly harmless, and volunteered.
This to me is the biggest gap in understanding, and one that was not well-addressed by either side of the panel. For example, this morning, I provided my address to one Web vendor, told Google that I was taking a bus to the conference, and did some Web surfing on the bus. These data points are innocuous, right?
By themselves, yes. But compare my ZIP code to a demographic database, and you’ll start to narrow the probabilities of what kind of person I am. I’m the type of person who takes public transportation; you could probably easily learn from my Web browser history that I’ve never bought a car, or it might be a matter of public record that I’ve never had a driver’s license. And I’m the type of person who uses an Android smartphone, leases a 4G Clear MiFi hotspot, and carries an iPod touch. All of this data is flowing out through my Web browsers, purely because of my Internet usage.
Does that start to give you a sense of who I am? That’s from approximately an hour of online usage. Imagine what you could find out about me given a few weeks or months of collected data about the sites I visit and the vendors I patronize. The Do Not Track header is a step in the right direction; right now, we’re not leaving breadcrumb trails on the Web, we’re blasting whole loaves of challah from a howitzer.
The Do Not Track header relies on Web site providers to respect and comply with its instructions; that, to me, requires some regulatory bite behind it, as there’s very little incentive for companies to comply voluntarily, or even to agree on a standard, without the force of law behind it.
And because the Do Not Track system requires a Web server mechanism, there’s also an obvious route for the granularity that favors the advertisers: go to a Web site, such as Google’s, that needs to track you in order to customize your information, and it can ask you for permission to “whitelist” the site as trustworthy. Once you give such permission, the server can legitimately store profile information about you behind the scenes, but all other unauthorized sites would still be prevented from tracking you.
Unfortunately, the side opposed to legislation is entirely correct in not trusting the government to implement this properly, but not for the reasons they stated. It’s too easy for lobbying money to shift the argument in one direction or the other, or to create a law that is such a Hungarian goulash of conflicting interests that no one is served by the results. Other speakers at the conference were discussing current and future legislation in progress; if this is something that moves you, for or against, it’s a good time to get in touch with your Congressman, Senator, or Member of Parliament to let them know.
[Editor’s Note: Jeff Porten filed a number other stories from Computers, Freedom, and Privacy 2011 that we’ll be trickling out over time in the weekly email issues of TidBITS. If you’d like to read them while they’re still fresh, look for “CFP 2011: Teens and Data Retention” (15 June 2011), “CFP 2011: Arab Spring or Twitter Revolution?” (16 June 2011), and “CFP 2011: Shine On, You Crazy Senator!” (16 June 2011). -Adam]
While this Do Not Track proposals addresses websites, similar restrictions need to placed on ISPs like Verizon, AT&T, Comcast, etc. to prevent them from doing Deep Packet Examination on data traffic passing through their system and compiling the profiles you mentioned.
Nice summary of the different arguments at work in this debate. I've never heard the "12:00 flasher" term, but it's perfect. Personally, I took do not track into my own hands a while ago with browser add-ons, like privacysuite ( http://www.abine.com/apps.php ), because who knows how this whole mess will turn out. The anti-privacy lobby is strong.
There are two things that Internet users can do right now to prevent most of the tracking:
1. Monitor and block tracking cookies using Ghostery (http://www.ghostery.com/)
2. Sign-up for a public VPN service. I have used the excellent Witopia personalVPN (http://www.witopia.net/index.php/products/) for four years on my Macs, iPhone and iPad. VPN for OSX and iOS devices is less than $6/month; for Mac OS X it is less than $4/month.
Not only does using a VPN prevent your ISP from tracking and logging where you go on the Web, it also replaces your IP address with the VPN server's IP address that cannot be connected to your own IP address.
"Right now, we’re not leaving breadcrumb trails on the Web, we’re blasting whole loaves of challah from a howitzer."
All else aside: you deserve an award for this metaphor alone.
It's such a good mental image!
Adam's too modest to say so, but he deserves half-authorship on the metaphor. My original version wasn't nearly as good.
Jeff's original used the idea of the challah (braided loaves of a leavened bread) and I modified that with the concept of blasting them from a mortar. Then Jeff edited my change from mortar to howitzer, purely for the alliteration, since challah is pronounced with sort of a breathy H sound at the start.
We really should have play-by-play commentary on our editing process more often. :-)