Do Not Track FTC Comment: What It Means, How to Enforce It, and More

Original at the Stanford Center for Internet and Society.

Last Friday we submitted a comment to the FTC articulating our vision for Do Not Track. We expanded on a number of views already expressed on this blog: Do Not Track is about much more than behavioral advertising, an HTTP header is the right implementation, and Do Not Track is no threat to ad-supported businesses. Here are the new highlights. (For a fuller exposition of each, please see our comment.)

… 

Minor Updates to the Do Not Track Header

Original at the Stanford Center for Internet and Society.

We’re pleased to announce we’re beginning work on an IETF Internet-Draft for the Do Not Track header. We look forward to incorporating broad feedback.

In anticipation of the first version of the Internet-Draft, we’re making a few minor updates to the header. The reference implementations at DoNotTrack.Us will be revised shortly.

Dropping “X-“

Since Do Not Track is entering a standardization process, convention dictates dropping the prefix “X-“.

Abbreviating “DNT”

In keeping with header naming best practices, and to conserve network resources, we’re shortening the name.

Adding a “0” Value

There’s an important policy distinction between users who consent to third-party tracking and users who haven’t expressed a preference. To clarify this difference, the header now has three states:

“DNT: 1” – The user opts out of third-party tracking.

“DNT: 0” – The user consents to third-party tracking.

[No Header] – The user has not expressed a preference about third-party tracking.

Do Not Track Is No Threat to Ad-Supported Businesses

Original at the Stanford Center for Internet and Society.

“If you remove tracking, you remove advertisers.” “Stop [data] sharing and you put a stop to the Internet as we know it.” “Thousands of small websites may disappear.” “Would you like to pay $20 a month for Facebook?” A spate of such recent commentaries have speculated that Do Not Track could hobble advertising-supported businesses. Here’s why it won’t.

… 

Ending the Web Privacy Stalemate – DoNotTrack.Us

Original at the Stanford Center for Internet and Society.

The web privacy debate is stuck. Privacy proponents decry the diffusion of behavioral advertising and tracking services (1, 2, 3); industry coalitions respond by expounding the merits of personalized content and advertising revenue (1, 2). But for the average user, the arguments are academic: there is no viable technology for opting out of web tracking. A registry of tracking services, like privacy advocates proposed years ago, is cumbersome and unmanageable. Fiddling with cookies, as many advertising networks and anti-regulation advocates recommend, is an incomplete and temporary fix; both Google and NAI (an advertising industry association) have already moved away from opt-out cookies.

Do Not Track ends this standoff. It provides a web tracking opt-out that is user-friendly, effective, and completely interoperable with the existing web. The technology is simple: whenever your web browser makes a request, it includes an opt-out preference. It’s then up to advertisers and tracking services to honor that preference – voluntarily, by industry self-regulation, or by law.

Arvind Narayanan and I have been researching Do Not Track for several months, and are pleased to now introduce DoNotTrack.Us, a compilation of what we’ve learned. The resource explains Do Not Track, provides prototype implementations, and answers some common questions. We’ll be updating it in the coming months with new findings and responses to feedback.

Excited as we are about the Do Not Track technology, it is but a first step. Important substantive policy questions remain open: What tracking should be impermissible? When a user visits a site, what constitutes a third party? We look forward to collaborating with advertising networks, NGO’s, regulators, lawmakers, and other stakeholders in answering these crucial questions.

There’s anonymity on the Internet. Get over it.

Original at Freedom to Tinker.

In a recent interview prominent antivirus developer Eugene Kaspersky decried the role of anonymity in cybercrime. This is not a new claim – it is touched on in the Commission on Cybersecurity for the 44th Presidency Report and Cybersecurity Act of 2009, among others – but it misses the mark. Any Internet design would allow anonymity. What renders our Internet vulnerable is primarily weakness of software security and authentication, not anonymity.

…