01:55 PM

Advertisers' 'Do Not Track' Protests Fail Smell Test

An almost comic war of words continues between advertisers and Microsoft regarding do not track technology in Internet Explorer 10. Funny thing: The only tracking option advertisers want is opt-out.

Have you heard the joke about the advertising trade body that offered consumers a choice about their online privacy?

It goes like this: Technology firms and online advertisers come together to design a way for consumers to opt out of being tracked online, via a simple Do Not Track (DNT) preference setting in Web browsers. Then Microsoft says that it will ship its latest browser, Internet Explorer 10, with the DNT flag activated by default. In other words, seems to go Microsoft's reasoning, why not let consumers instead choose whether they'd like to opt in to being tracked?

Only that's not the choice that advertisers had in mind. Cue the outrage, with the Association of National Advertisers (ANA) launching a concerted advertising campaign to denigrate Microsoft's pro-consumer privacy moves.

Unfortunately, the above is no joke, although the proceedings have taken on the appearance of a folly, with ANA president and CEO Bob Liodice warning in a statement that "Microsoft's decision undercuts the effectiveness of our brand owners' Internet advertising and undermines the industry's self-regulatory system."

[ Is consumer privacy an oxymoron? See Cyber Spying Justice: Unserved. ]

Featuring hot-button marketing speak, the ANA's statement also channels advertisers' "profound disappointment" over the "shocking departure" Microsoft has taken from the Digital Advertising Alliance (DAA) program that crafted DNT, which has seen the browser maker "unilaterally impose choices on the consumer" that "would threaten the vast array of free or low cost online offerings that define the consumer online experience." Furthermore, Microsoft had the gall to do so "before consumers even have the opportunity to determine whether it is of value to them."

The ANA's posturing fails to pass the consumer privacy smell test. For starters, if consumers haven't figured out what's valuable to them over the past 17-odd years of Internet use, then they're not going to start now. In addition, it's interesting that the only option advertisers want offered to consumers is the ability to opt out.

Despite the ANA's doomsday rant, good news is on hand for advertisers: The Digital Advertising Alliance now says it will exonerate any business that chooses to ignore the IE10 "do not track" flags. The reasoning goes like this: DNT is a standard developed by the self-regulated Digital Advertising Alliance, and per the standard, the feature must by default be deactivated. By ignoring that requirement, Microsoft's implementation of DNT doesn't count. Accordingly, anyone using a browser which ships with DNT set to "don't track me" by default can be tracked.

Could the reasoning here grow any more tortured? Some cultural references may help untangle the underlying logic: "The debate over the Do Not Track standard has officially moved beyond Alice in Wonderland," writes ZDNet's Ed Bott. "These days, I'm not sure whether it's 1984 or Brazil."

Adding fuel to the fire is the developer of Apache HTTP, Roy Fielding, who also helped create the DNT standard. He's proposed a patch for Apache--which powers nearly two-thirds of the world's websites--that would make Apache websites ignore IE10 DNT settings altogether, as a way to "deal with user agents that deliberately violate open standards."

But, as one person commented on the related Apache patch proposal page, what happens when other browsers or websites take their own approach to DNT? "Who's going to maintain the list of 'violates Roy's vision' when he finds another windmill to tilt at?" he asked (thus helpfully adding Don Quixote to the list of applicable cultural references).

Of course the so-called DNT standard is part of a self-regulatory program, and thus more of a recommendation anyway, since legally it can't be enforced unless a business says it will abide by the standard in its website privacy policy. At that point, the Federal Trade Commission can ensure that the business does what it promises. But if the fundamental definition of DNT--in particular, if having opt-in DNT counts as DNT at all--is in dispute, good luck with enforcement.

All of this privacy posturing, of course, could be rectified via a simple step: creating clear, legally enforceable privacy rights for all consumers, such as the right to not be tracked. To be sure, laws are no panacea, since when it comes to Congress trying to tackle new types of technology, watch out.

Even so, some type of consumer privacy law would at least make related protections easily enforceable. Unfortunately, such moves won't happen anytime soon. Notably, the White House launched its Consumer Privacy Bill of Rights earlier this year--not after getting Congress to agree to give it the force of law, but instead as a recommended code of conduct, meaning the White House hopes that businesses will agree to abide by it.

As the DNT debate highlights, however, reaching an agreement on some of the underlying privacy principles--in today's self-regulatory environment--appears to remain a long shot. In the meantime, the cynical choice being offered to consumers seems less about privacy, and more about confusion.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/15/2012 | 6:04:14 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
Sure, you can destroy the advertising based model for online content by removing behavioral and demographic targeting from the industry. But advertisers will pull their money out, and users will have to pay directly for the content they want. How many Informationweek.com visitors are willing to pay for this website as a subscription? I suspect that the results would be poor and layoffs would be quick. As an advertising industry professional I can tell you that none of this "tracking" data is even close to personally identifiable. It tells us just enough so that we can feel confident that our ads aren't reaching (and bothering) a person with no interest in or relevance to the advertiser's product.
User Rank: Ninja
10/13/2012 | 12:08:18 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
The only way DNT can work is to have browsers actively reject ad and tracking cookies. But in the end even that is not working out. What ad networks need to understand is that they are much more successful if they stop alienating consumers and start generating some value.
Verdumont Monte
Verdumont Monte,
User Rank: Apprentice
10/12/2012 | 5:44:35 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
I have set "donot track" in FF and Chrome, still see lot of cookies set by the stupid advt agencies. They already ignore the DNT flag, why bother talking about this? Only workaroud now is to use a 3rd party extension to block cookies from advt websites. It works well for me so far. I guess these guys will find a workaround for that too.
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.