Risk
10/11/2012
01:55 PM
50%
50%

Advertisers' 'Do Not Track' Protests Fail Smell Test

An almost comic war of words continues between advertisers and Microsoft regarding do not track technology in Internet Explorer 10. Funny thing: The only tracking option advertisers want is opt-out.

Have you heard the joke about the advertising trade body that offered consumers a choice about their online privacy?

It goes like this: Technology firms and online advertisers come together to design a way for consumers to opt out of being tracked online, via a simple Do Not Track (DNT) preference setting in Web browsers. Then Microsoft says that it will ship its latest browser, Internet Explorer 10, with the DNT flag activated by default. In other words, seems to go Microsoft's reasoning, why not let consumers instead choose whether they'd like to opt in to being tracked?

Only that's not the choice that advertisers had in mind. Cue the outrage, with the Association of National Advertisers (ANA) launching a concerted advertising campaign to denigrate Microsoft's pro-consumer privacy moves.

Unfortunately, the above is no joke, although the proceedings have taken on the appearance of a folly, with ANA president and CEO Bob Liodice warning in a statement that "Microsoft's decision undercuts the effectiveness of our brand owners' Internet advertising and undermines the industry's self-regulatory system."

[ Is consumer privacy an oxymoron? See Cyber Spying Justice: Unserved. ]

Featuring hot-button marketing speak, the ANA's statement also channels advertisers' "profound disappointment" over the "shocking departure" Microsoft has taken from the Digital Advertising Alliance (DAA) program that crafted DNT, which has seen the browser maker "unilaterally impose choices on the consumer" that "would threaten the vast array of free or low cost online offerings that define the consumer online experience." Furthermore, Microsoft had the gall to do so "before consumers even have the opportunity to determine whether it is of value to them."

The ANA's posturing fails to pass the consumer privacy smell test. For starters, if consumers haven't figured out what's valuable to them over the past 17-odd years of Internet use, then they're not going to start now. In addition, it's interesting that the only option advertisers want offered to consumers is the ability to opt out.

Despite the ANA's doomsday rant, good news is on hand for advertisers: The Digital Advertising Alliance now says it will exonerate any business that chooses to ignore the IE10 "do not track" flags. The reasoning goes like this: DNT is a standard developed by the self-regulated Digital Advertising Alliance, and per the standard, the feature must by default be deactivated. By ignoring that requirement, Microsoft's implementation of DNT doesn't count. Accordingly, anyone using a browser which ships with DNT set to "don't track me" by default can be tracked.

Could the reasoning here grow any more tortured? Some cultural references may help untangle the underlying logic: "The debate over the Do Not Track standard has officially moved beyond Alice in Wonderland," writes ZDNet's Ed Bott. "These days, I'm not sure whether it's 1984 or Brazil."

Adding fuel to the fire is the developer of Apache HTTP, Roy Fielding, who also helped create the DNT standard. He's proposed a patch for Apache--which powers nearly two-thirds of the world's websites--that would make Apache websites ignore IE10 DNT settings altogether, as a way to "deal with user agents that deliberately violate open standards."

But, as one person commented on the related Apache patch proposal page, what happens when other browsers or websites take their own approach to DNT? "Who's going to maintain the list of 'violates Roy's vision' when he finds another windmill to tilt at?" he asked (thus helpfully adding Don Quixote to the list of applicable cultural references).

Of course the so-called DNT standard is part of a self-regulatory program, and thus more of a recommendation anyway, since legally it can't be enforced unless a business says it will abide by the standard in its website privacy policy. At that point, the Federal Trade Commission can ensure that the business does what it promises. But if the fundamental definition of DNT--in particular, if having opt-in DNT counts as DNT at all--is in dispute, good luck with enforcement.

All of this privacy posturing, of course, could be rectified via a simple step: creating clear, legally enforceable privacy rights for all consumers, such as the right to not be tracked. To be sure, laws are no panacea, since when it comes to Congress trying to tackle new types of technology, watch out.

Even so, some type of consumer privacy law would at least make related protections easily enforceable. Unfortunately, such moves won't happen anytime soon. Notably, the White House launched its Consumer Privacy Bill of Rights earlier this year--not after getting Congress to agree to give it the force of law, but instead as a recommended code of conduct, meaning the White House hopes that businesses will agree to abide by it.

As the DNT debate highlights, however, reaching an agreement on some of the underlying privacy principles--in today's self-regulatory environment--appears to remain a long shot. In the meantime, the cynical choice being offered to consumers seems less about privacy, and more about confusion.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kflint947
50%
50%
kflint947,
User Rank: Apprentice
10/15/2012 | 6:04:14 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
Sure, you can destroy the advertising based model for online content by removing behavioral and demographic targeting from the industry. But advertisers will pull their money out, and users will have to pay directly for the content they want. How many Informationweek.com visitors are willing to pay for this website as a subscription? I suspect that the results would be poor and layoffs would be quick. As an advertising industry professional I can tell you that none of this "tracking" data is even close to personally identifiable. It tells us just enough so that we can feel confident that our ads aren't reaching (and bothering) a person with no interest in or relevance to the advertiser's product.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
10/13/2012 | 12:08:18 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
The only way DNT can work is to have browsers actively reject ad and tracking cookies. But in the end even that is not working out. What ad networks need to understand is that they are much more successful if they stop alienating consumers and start generating some value.
Verdumont Monte
50%
50%
Verdumont Monte,
User Rank: Apprentice
10/12/2012 | 5:44:35 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
I have set "donot track" in FF and Chrome, still see lot of cookies set by the stupid advt agencies. They already ignore the DNT flag, why bother talking about this? Only workaroud now is to use a 3rd party extension to block cookies from advt websites. It works well for me so far. I guess these guys will find a workaround for that too.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6196
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSp...

CVE-2014-7247
Published: 2014-11-25
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?