Privacy: 'Do Not Track' Debate

What Are Implications of 'Do Not Track' as a Browser Default?

Microsoft's announcement that the next version of its web browser would feature "do not track" by default has revived this privacy debate. How should privacy professionals approach this discussion?

The "do not track" option is meant to allow consumers to opt out of being tracked by businesses as they surf the web. This privacy tool has businesses and politicians debating over how strict those controls should be.

And it remains unclear if certain tools, like website analytics, are factored into the mix of "do not track."

Trevor Hughes, president and CEO of the International Association of Privacy Professionals, says that the recent Microsoft announcement highlights that there are no rules that say it's deceptive or misleading to not pay attention to a "do not track" browser. "But the interesting thing about 'do not track' is, without an enforcement mechanism, it's a 'please do not track' indicator," he says in an interview with Information Security Media Group's Tom Field [transcript below].

With this uncertainty, it remains unclear how agencies such as the Federal Trade Commission will weigh in on companies that are found not paying attention to "do not track." "I'm not sure if there's any company out there that wants to be the test case for this," Hughes says.

Hughes suggests the following recommendations to ensure privacy officers are prepared for the "do not track" trend:

  • Be aware of what you're doing on your website. "This is just good privacy management," he says. "Being explicitly aware of the third parties that you have on your website ... that has to be job number one."
  • Document appropriately. Organizations need to ensure they're documenting what their site is doing and that everything exists within the privacy policy. "A very good defense is the hard work of analyzing what you're doing and presenting it well," Hughes explains.

In an interview about online privacy, Hughes discusses:

  • The potential impact of Microsoft's decision;
  • Arguments for and against "do not track";
  • The challenge "do not track" presents to privacy professionals.

Hughes is an attorney specializing in e-commerce, privacy and technology law. In his role as executive director of the IAPP, Hughes leads the world's largest association of privacy professionals.

Hughes has testified before the U.S. Congress Commerce Committee, the U.S. Senate Commerce Committee, the U.S. Federal Trade Commission and the EU Parliament on issues of privacy and data protection, spam prevention and privacy-sensitive technologies. He is a member of the first class of Certified Information Privacy Professionals (CIPPs) and is co-author (with D. Reed Freeman, Jr.) of "Privacy Law in Marketing" (CCH Wolters Kluwer, 2007).

'Do Not Track' Debate

TOM FIELD: I want to take you straight to the headlines because in the news is Microsoft, which says its next browser is going to have "do not track" as its default setting for users. How do you feel about this move by Microsoft to protect the user's privacy?

TREVOR HUGHES: The "do not track" initiative really is much bigger than just the Microsoft announcement and it's a fascinating case study in how privacy's playing out in the marketplace today. We see all sorts of things in the middle of this discussion. So let's start with the politics of it. The idea of "do not track" is in fact very political. "Do not track" as an idea was proposed by privacy advocates probably three-and-a-half years ago now and quickly picked up by congressmen, people on Capitol Hill and the Federal Trade Commission.

There has been some significant examination into the idea of "do not track." Fundamentally, what was proposed was a header that comes out from your browser that basically says, "Do not track me." From there and with a little bit of prodding from the FTC, the marketplace and some of the major browser manufacturers, Microsoft being one, but also Google and Mozilla with Firefox, Apple with Safari, have been looking at the idea of "do not track" and thinking about how to implement it within their browsers.

We've seen some different implementations. Firefox has indicated that they will support the "do not track" header and that it can be switched on inside their browser. Apple with Safari already had a situation where they were blocking third-party cookies in a default setting so Safari already had a pretty robust mechanism to manage privacy expectations. Then earlier this year, in fact just recently, Microsoft came out with a very significant announcement and that was, in the next version of their browser, Microsoft was going to be switching on the "do not track" header in the default, and we know from past user engagement with browsers that the default is enormously powerful. The vast majority of consumers will leave the defaults exactly where they start out. In other words, they won't touch the default so as a result for all of those consumers who use a Microsoft browser, eventually we would imagine that a significant majority of them will have this "do not track" header switched on.

But the interesting thing about "do not track" is, without an enforcement mechanism, it's a "Please, do not track" indicator. We don't know what the consequence of not paying attention to the "do not track" header may or may not be. So let me explain that.

If I'm a Microsoft browser customer, I use the Microsoft browser on my desktop and it's switched on in the default and I go out and surf the web, some companies and some websites may pay attention to that; others may not. Right now, there's nothing to say that it's a deceptive or misleading business practice to not pay attention to that header. There's nothing that says that people have to abide by that header. So it may be that it's just a "Please, do not track" header. This creates an incredibly complex, if not confusing, set of circumstances for companies to try to deal with right now. It's tough enough managing third-party cookies being blocked by certain browsers, people dumping cookies on a regular basis. Now we throw into the mix the idea that we've got this indicator coming out of browsers saying, "Please don't track me," and we're not quite sure what it means and we're not quite sure what it will result in if we don't pay attention to it.

Arguments against 'Do Not Track'

FIELD: What do you see as some of the more popular arguments against "do not track?"

HUGHES: I think there are a number of arguments. So first of all, "do not track" is a response to some of the concerns associated with online behavioral advertising and privacy online, generally. But if we look at privacy online, we have to say that there are lots and lots of controls. Consumers have had many, many controls for many years. You can go into your browser, you can play with the settings and you can see cookies being set on your system. You have the ability to add plug-ins into your system that can give you greater levels of privacy. There's a lot of control and management out there. So in some ways, I think one of the concerns raised by industry is, "Gosh, don't we already have enough controls into this already heavily managed space?"

I think the other concerns associated with "do not track" though are, "Is this going to actually mean anything?" So back again to the idea of "please do not track," if consumers are sending out a message from their browser that says "do not track," we're going to be forced to ask a few questions if we're trying to respond to that header. Number one, what does track mean? Certainly I think that the expectation is it means online behavioral advertising, the idea of tracking web behavior across a number of websites and creating aggregate profiles for purposes of targeting ads. Certainly, I think that's in the mix, but what about general site analytics? Is that tracking? What about performance tools within a site, things that manage content or create dynamic pages so that you're not seeing the same article pop up over and over again on Huffington Post or New York Times or ESPN. There are a number of questions about what "track" means that we don't have the answers to.

Second, what does it mean when you do or do not pay attention to it, and can you create terms of service that trump a "do not track" header? For example, if someone comes to your website and they've got a "do not track" header on, can you immediately deliver back a pop-up that says, "Hey, we see that you have a 'do not track' header on, but we don't accept those headers on our website. So if you want to progress, you have to agree to our terms of service." We have a situation like that playing out with cookies in Europe right now where informed consent is required before setting cookies in Europe. And we don't know the answer when it comes to "do not track."

Then finally, we don't know what the FTC or other enforcement agencies are going to do. I'm not sure if there's any company out there that wants to be the test case for this. But how the FTC approaches the "do not track" header, they've certainly been big champions of this idea being implemented in the marketplace, but now that Microsoft has suggested that it will switch on in the default, what's the FTC going to do for that first big company that's found to not be paying attention to a "do not track" header. That's going to be a pretty groundbreaking case and we just don't know the answer to that right now.

Considerations for Privacy Officers

FIELD: If I'm a privacy officer and I don't want to be that test case, what are the considerations I ought to be mulling right now?

HUGHES: I think there are a few things. You want to make sure that you're very, very aware of what you're doing and what others are doing on your website. This is just good privacy management. Being explicitly aware of the third parties that you have active on your website, the practices that your organization itself is engaged in on your website, that has got to be job number one.

Job number two is making sure that you're documenting appropriately and they exist within your privacy policy and any other places that you're disclosing what you're doing in a clear and comprehensible way. A very, very good defense is the hard work of analyzing what you're doing and presenting it well. One of our members at one of our conferences said a couple of years ago that "hard work is good faith," and what he meant by that was if you do the heavy lifting, the compliance work, the analysis work upfront, even if you're found to have a violation later, that hard work will pay off because it demonstrates that you were trying to address the issue upfront and most enforcers, most regulators will look at that with a significant amount of sympathy. They're not trying to go after companies that are trying to do the right thing. They're trying to go after companies that are actively doing the wrong thing. So, some of that heavy lifting early on is certainly going to put you in good shape later.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.