Q&A: How "Do Not Track" is more fig leaf than privacy tool
As Google finally unveils a Do Not Track feature for Chrome, it remains flawed in execution
Google today quietly slipped a Do Not Track (DNT) tool into its Chrome browser, becoming the last mainstream browser to do so.
However, the landscape for blocking behavioural advertising through such browser tools remains complicated, as advertising networks try to stave off the potentially costly effects of making it easier for people to opt out of behavioural tracking.
As it stands, all browser DNT tools are turned off by default, and advertising companies regularly ignore the requests not to track.
We spoke to privacy campaigner and University of East Anglia Law School lecturer Paul Bernal about the struggle to make DNT effective.
Q. The idea of DNT has been around a while – what's taking so long and how does it work?
A. The most direct starting point was the Phorm case. The reactions people had in Europe were legal, which brought about the cookie directive, and at the same time the reactions in the US were more self-regulatory, and DNT is driven by the industry. It's more driven by the advertisers than the browsers, but it's supposed to be co-operation between the two.
The essential idea is that the browser makers come up with a common system that will put in to page headers a system that says either “I want to be tracked” or “I don't want to be tracked” - and the advertising industry will write their pages in such a way that they obey those instructions. The instructions are built into the browser, set by the user, and advertisers agree to follow those instructions.
Q. That's unless they decide not to – as Yahoo did recently.
A. The bottom line with this is... is it by default that you do allow tracking or you don't allow tracking? At the moment, the industry very much wants a default that you do allow tracking. They know that most people never change the default, and if they keep it that way then they still get much of the data they need, because they're as much interested in general data to build up patterns as they are in specific data from one individual.
This all came to a head – they've been discussing it for a long time and it's still not been agreed – when Microsoft announced that in the new version of Internet Explorer [IE 10] it would leave DNT on by default.
As a result of that, the industry started panicking and said "if Microsoft does do that we will ignore the settings". They said they didn't believe that having it on by default was appropriate.
Yahoo's argument is that a default setting shouldn't bind them to respecting the DNT request because if it's a default setting it doesn't involve active choice.
Q. Yahoo said it thought people wanted personalisation - do you not think that's the case?
A. There are two underlying arguments that they make all the time. Advertising networks say that behavioural tracking is the only way the web can survive in its current free model, which is an argument with very little evidence either way. Academic studies show that when people know about tracking they turn it off, but the advertisers point to surveys that show users like to have adverts tailored – it all depends how you ask the question.
Many people thought that DNT was really a fig leaf, the industry paying lip service to the idea that people wanted privacy but they really only wanted to sign up to it if they knew that people would still allow themselves to be tracked - where it's off by default. When people started saying it should be on by default, companies started lobbying against it and then decided they were going to ignore it.
Q. Any other issues throwing a spanner in the works?
A. There's a big question of whether it will finally mean "do not track" or whether it means "do not target". People assume it means "do not track", which means they wouldn't track you and collect behavioural data. However, in practice it looks likely to mean "do not target", which means they would continue to gather data, but wouldn't use it to target you with advertisements while you are online. Privacy people like me think that Do Not Track should mean "Do Not Track".
There's the possibility to sell the data on to someone else, and in the US where a lot of this debate goes on they don't have data protection laws that prevent the selling of profile data. European rules might make a difference there, but they are not in force and are very much being opposed.