Risk
10/11/2012
01:55 PM
Connect Directly
RSS
E-Mail
50%
50%

Advertisers' 'Do Not Track' Protests Fail Smell Test

An almost comic war of words continues between advertisers and Microsoft regarding do not track technology in Internet Explorer 10. Funny thing: The only tracking option advertisers want is opt-out.

Have you heard the joke about the advertising trade body that offered consumers a choice about their online privacy?

It goes like this: Technology firms and online advertisers come together to design a way for consumers to opt out of being tracked online, via a simple Do Not Track (DNT) preference setting in Web browsers. Then Microsoft says that it will ship its latest browser, Internet Explorer 10, with the DNT flag activated by default. In other words, seems to go Microsoft's reasoning, why not let consumers instead choose whether they'd like to opt in to being tracked?

Only that's not the choice that advertisers had in mind. Cue the outrage, with the Association of National Advertisers (ANA) launching a concerted advertising campaign to denigrate Microsoft's pro-consumer privacy moves.

Unfortunately, the above is no joke, although the proceedings have taken on the appearance of a folly, with ANA president and CEO Bob Liodice warning in a statement that "Microsoft's decision undercuts the effectiveness of our brand owners' Internet advertising and undermines the industry's self-regulatory system."

[ Is consumer privacy an oxymoron? See Cyber Spying Justice: Unserved. ]

Featuring hot-button marketing speak, the ANA's statement also channels advertisers' "profound disappointment" over the "shocking departure" Microsoft has taken from the Digital Advertising Alliance (DAA) program that crafted DNT, which has seen the browser maker "unilaterally impose choices on the consumer" that "would threaten the vast array of free or low cost online offerings that define the consumer online experience." Furthermore, Microsoft had the gall to do so "before consumers even have the opportunity to determine whether it is of value to them."

The ANA's posturing fails to pass the consumer privacy smell test. For starters, if consumers haven't figured out what's valuable to them over the past 17-odd years of Internet use, then they're not going to start now. In addition, it's interesting that the only option advertisers want offered to consumers is the ability to opt out.

Despite the ANA's doomsday rant, good news is on hand for advertisers: The Digital Advertising Alliance now says it will exonerate any business that chooses to ignore the IE10 "do not track" flags. The reasoning goes like this: DNT is a standard developed by the self-regulated Digital Advertising Alliance, and per the standard, the feature must by default be deactivated. By ignoring that requirement, Microsoft's implementation of DNT doesn't count. Accordingly, anyone using a browser which ships with DNT set to "don't track me" by default can be tracked.

Could the reasoning here grow any more tortured? Some cultural references may help untangle the underlying logic: "The debate over the Do Not Track standard has officially moved beyond Alice in Wonderland," writes ZDNet's Ed Bott. "These days, I'm not sure whether it's 1984 or Brazil."

Adding fuel to the fire is the developer of Apache HTTP, Roy Fielding, who also helped create the DNT standard. He's proposed a patch for Apache--which powers nearly two-thirds of the world's websites--that would make Apache websites ignore IE10 DNT settings altogether, as a way to "deal with user agents that deliberately violate open standards."

But, as one person commented on the related Apache patch proposal page, what happens when other browsers or websites take their own approach to DNT? "Who's going to maintain the list of 'violates Roy's vision' when he finds another windmill to tilt at?" he asked (thus helpfully adding Don Quixote to the list of applicable cultural references).

Of course the so-called DNT standard is part of a self-regulatory program, and thus more of a recommendation anyway, since legally it can't be enforced unless a business says it will abide by the standard in its website privacy policy. At that point, the Federal Trade Commission can ensure that the business does what it promises. But if the fundamental definition of DNT--in particular, if having opt-in DNT counts as DNT at all--is in dispute, good luck with enforcement.

All of this privacy posturing, of course, could be rectified via a simple step: creating clear, legally enforceable privacy rights for all consumers, such as the right to not be tracked. To be sure, laws are no panacea, since when it comes to Congress trying to tackle new types of technology, watch out.

Even so, some type of consumer privacy law would at least make related protections easily enforceable. Unfortunately, such moves won't happen anytime soon. Notably, the White House launched its Consumer Privacy Bill of Rights earlier this year--not after getting Congress to agree to give it the force of law, but instead as a recommended code of conduct, meaning the White House hopes that businesses will agree to abide by it.

As the DNT debate highlights, however, reaching an agreement on some of the underlying privacy principles--in today's self-regulatory environment--appears to remain a long shot. In the meantime, the cynical choice being offered to consumers seems less about privacy, and more about confusion.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kflint947
50%
50%
kflint947,
User Rank: Apprentice
10/15/2012 | 6:04:14 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
Sure, you can destroy the advertising based model for online content by removing behavioral and demographic targeting from the industry. But advertisers will pull their money out, and users will have to pay directly for the content they want. How many Informationweek.com visitors are willing to pay for this website as a subscription? I suspect that the results would be poor and layoffs would be quick. As an advertising industry professional I can tell you that none of this "tracking" data is even close to personally identifiable. It tells us just enough so that we can feel confident that our ads aren't reaching (and bothering) a person with no interest in or relevance to the advertiser's product.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
10/13/2012 | 12:08:18 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
The only way DNT can work is to have browsers actively reject ad and tracking cookies. But in the end even that is not working out. What ad networks need to understand is that they are much more successful if they stop alienating consumers and start generating some value.
Verdumont Monte
50%
50%
Verdumont Monte,
User Rank: Apprentice
10/12/2012 | 5:44:35 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
I have set "donot track" in FF and Chrome, still see lot of cookies set by the stupid advt agencies. They already ignore the DNT flag, why bother talking about this? Only workaroud now is to use a 3rd party extension to block cookies from advt websites. It works well for me so far. I guess these guys will find a workaround for that too.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.