Absence of agreed ‘DNT’ definition means companies keep tracking us online

If, like a majority of web users in survey after survey, you have concerns about having your online activity tracked by advertisers, then you’ve turned on the “do not track” (DNT) feature of your browser, right?

Never heard of it? Then you’re like a majority of web users, unaware that it even exists. One 2012 study by University of California, Berkeley researchers revealed 87 per cent of their survey group on the issue, didn’t know what it was.

But many more do now, after Facebook controversially announced on its corporate blog in mid-June, that it intended to start tracking what its users do when they are on third-party sites – for example, when someone clicks on a link and heads to another website, or when someone clicks the Facebook "like" button embedded on another website.

Like Yahoo and Google before it, the social media giant said that, in doing so, it would explicitly ignore DNT (Do Not Track) requests.

The day after the blog post, the Digital Advertising Alliance (DAA), a big industry trade coalition, asked the standards body the World Wide Web Consortium (W3C) to drop efforts to create a technical standard for DNT. Several years of haggling and lobbying have so far failed to produce a clear definition of what "tracking" is.

"Policymakers, regulators, advocates and industry representatives have grappled with these types of policy issues for decades and continue to deliberate on these matters," DAA executive director Lou Mastria wrote in an open letter to the W3C.

And therein lies the difficulty.

"The problem is, the industry standards bodies haven't agreed on a definition. And in the absence of a single defining standard, [advertising groups and businesses] will keep gathering user data. But the reason there's no single definitive standard is that they keep lobbying against it," says Daragh O Brien, a director at information and data governance consultancy Castlebridge Associates.

With no apparent sense of irony, Mastria supported his argument by referencing exasperated comments by two privacy advocates involved in the W3C working group on the issue. Both made it clear they felt it was impossible to reach consensus because of the opposition of trade groups like the DAA.

Default setting

Ultan O’Carroll, assistant commissioner in Ireland’s Data Protection Commissioner’s Office, says the view of the office and the EU-wide Article 29 group – a coalition of data protection commissioners – is that the default in the absence of a standard should be to not collect data without explicit consent, and respect DNT when activated.

Most users of current versions of Internet Explorer are probably already using DNT, because Microsoft made it the defaultsetting in IE10, an interesting move by the company to compete on privacy, says O Brien.

O’Carroll says the Article 29 group, which is part of the W3C negotiations, sees DNT – once standardised – “as having great potential for giving explicit consent”.

“The advantage is, users can control it from their own desktop or device, without having to use a third party [browser] add-on. It has great advantages.”

Privacy advocates argue that DNT would thus make privacy regulations easier to comply with for advertisers. But first, a standard must be agreed, then policies hammered out around the standard.

Technically, the way in which many companies currently undertake third-party tracking may fall foul of existing EU opt-in privacy standards for web cookies – data placed on a user’s computer that enables some services to be activated, and activities to be tracked, argues O Brien.

Many advertisers believe the cookie rule applies only to the use of text-based cookies, but O Brien and O’Carroll both note that it actually refers to any data placed on a computer which then sends a call back to a server.

Third-party tracking often utilises a tracking pixel, rater than a text file, on the user’s computer, which then calls down advertisements or other data from a server.

However, because there’s no legal requirement to observe an internet user’s DNT settings, and no formal agreement on what DNT means, people can only block third-party tracking – which takes place on many websites and social media sites – by using add-ons like the Electronic Frontier Foundation’s Privacy Badger, or going through a clumsy process of opting out on the web pages of the organisations that do the tracking.

O’Brien reminds web users that if they are using sites that offer free services – even those, like Twitter, which currently promise not to use third party tracking – advertisements, tailored according to information from the site’s users, are what generate income for the site.

“The customer is still the product being sold.”

Privacy audits

Facebook, which until now had a policy of not doing third-party tracking, has said it will refer those people who wish to opt out of being tracked to the relevant websites of the tracking companies.

But this is unlikely to be an acceptable solution in Europe, which has tougher data protection laws that the US. The issue is likely to land, as have other Facebook privacy concerns, on the desk of the Irish Office of the Data Protection Commission. Facebook has already come under two high-profile privacy audits here, because its European headquarters is in Dublin.

Facebook has not yet rolled out third-party tracking to European users, says O’Carroll, something he doesn’t expect will happen until the end of the year, on a phased basis. And the way in which it is being done for US users will not be acceptable in the EU, he states.

“We’re looking for a lot more information from them, and are expecting quite a high bar to be maintained,” he says. “They have a lot of power and audience, and we expect them to have very clear information and tell users what they’re doing,” and offer opt-in, rather than opt-out, controls.

“We’re going to watch it carefully.”