Risk
10/11/2012
01:55 PM
50%
50%

Advertisers' 'Do Not Track' Protests Fail Smell Test

An almost comic war of words continues between advertisers and Microsoft regarding do not track technology in Internet Explorer 10. Funny thing: The only tracking option advertisers want is opt-out.

Have you heard the joke about the advertising trade body that offered consumers a choice about their online privacy?

It goes like this: Technology firms and online advertisers come together to design a way for consumers to opt out of being tracked online, via a simple Do Not Track (DNT) preference setting in Web browsers. Then Microsoft says that it will ship its latest browser, Internet Explorer 10, with the DNT flag activated by default. In other words, seems to go Microsoft's reasoning, why not let consumers instead choose whether they'd like to opt in to being tracked?

Only that's not the choice that advertisers had in mind. Cue the outrage, with the Association of National Advertisers (ANA) launching a concerted advertising campaign to denigrate Microsoft's pro-consumer privacy moves.

Unfortunately, the above is no joke, although the proceedings have taken on the appearance of a folly, with ANA president and CEO Bob Liodice warning in a statement that "Microsoft's decision undercuts the effectiveness of our brand owners' Internet advertising and undermines the industry's self-regulatory system."

[ Is consumer privacy an oxymoron? See Cyber Spying Justice: Unserved. ]

Featuring hot-button marketing speak, the ANA's statement also channels advertisers' "profound disappointment" over the "shocking departure" Microsoft has taken from the Digital Advertising Alliance (DAA) program that crafted DNT, which has seen the browser maker "unilaterally impose choices on the consumer" that "would threaten the vast array of free or low cost online offerings that define the consumer online experience." Furthermore, Microsoft had the gall to do so "before consumers even have the opportunity to determine whether it is of value to them."

The ANA's posturing fails to pass the consumer privacy smell test. For starters, if consumers haven't figured out what's valuable to them over the past 17-odd years of Internet use, then they're not going to start now. In addition, it's interesting that the only option advertisers want offered to consumers is the ability to opt out.

Despite the ANA's doomsday rant, good news is on hand for advertisers: The Digital Advertising Alliance now says it will exonerate any business that chooses to ignore the IE10 "do not track" flags. The reasoning goes like this: DNT is a standard developed by the self-regulated Digital Advertising Alliance, and per the standard, the feature must by default be deactivated. By ignoring that requirement, Microsoft's implementation of DNT doesn't count. Accordingly, anyone using a browser which ships with DNT set to "don't track me" by default can be tracked.

Could the reasoning here grow any more tortured? Some cultural references may help untangle the underlying logic: "The debate over the Do Not Track standard has officially moved beyond Alice in Wonderland," writes ZDNet's Ed Bott. "These days, I'm not sure whether it's 1984 or Brazil."

Adding fuel to the fire is the developer of Apache HTTP, Roy Fielding, who also helped create the DNT standard. He's proposed a patch for Apache--which powers nearly two-thirds of the world's websites--that would make Apache websites ignore IE10 DNT settings altogether, as a way to "deal with user agents that deliberately violate open standards."

But, as one person commented on the related Apache patch proposal page, what happens when other browsers or websites take their own approach to DNT? "Who's going to maintain the list of 'violates Roy's vision' when he finds another windmill to tilt at?" he asked (thus helpfully adding Don Quixote to the list of applicable cultural references).

Of course the so-called DNT standard is part of a self-regulatory program, and thus more of a recommendation anyway, since legally it can't be enforced unless a business says it will abide by the standard in its website privacy policy. At that point, the Federal Trade Commission can ensure that the business does what it promises. But if the fundamental definition of DNT--in particular, if having opt-in DNT counts as DNT at all--is in dispute, good luck with enforcement.

All of this privacy posturing, of course, could be rectified via a simple step: creating clear, legally enforceable privacy rights for all consumers, such as the right to not be tracked. To be sure, laws are no panacea, since when it comes to Congress trying to tackle new types of technology, watch out.

Even so, some type of consumer privacy law would at least make related protections easily enforceable. Unfortunately, such moves won't happen anytime soon. Notably, the White House launched its Consumer Privacy Bill of Rights earlier this year--not after getting Congress to agree to give it the force of law, but instead as a recommended code of conduct, meaning the White House hopes that businesses will agree to abide by it.

As the DNT debate highlights, however, reaching an agreement on some of the underlying privacy principles--in today's self-regulatory environment--appears to remain a long shot. In the meantime, the cynical choice being offered to consumers seems less about privacy, and more about confusion.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kflint947
50%
50%
kflint947,
User Rank: Apprentice
10/15/2012 | 6:04:14 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
Sure, you can destroy the advertising based model for online content by removing behavioral and demographic targeting from the industry. But advertisers will pull their money out, and users will have to pay directly for the content they want. How many Informationweek.com visitors are willing to pay for this website as a subscription? I suspect that the results would be poor and layoffs would be quick. As an advertising industry professional I can tell you that none of this "tracking" data is even close to personally identifiable. It tells us just enough so that we can feel confident that our ads aren't reaching (and bothering) a person with no interest in or relevance to the advertiser's product.
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
10/13/2012 | 12:08:18 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
The only way DNT can work is to have browsers actively reject ad and tracking cookies. But in the end even that is not working out. What ad networks need to understand is that they are much more successful if they stop alienating consumers and start generating some value.
Verdumont Monte
50%
50%
Verdumont Monte,
User Rank: Apprentice
10/12/2012 | 5:44:35 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
I have set "donot track" in FF and Chrome, still see lot of cookies set by the stupid advt agencies. They already ignore the DNT flag, why bother talking about this? Only workaroud now is to use a 3rd party extension to block cookies from advt websites. It works well for me so far. I guess these guys will find a workaround for that too.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.