4/25/2013
01:07 PM

California Proposes 'Do Not Track' Honesty Checker

After DNT standards development stalls, legislators and advertisers seek new path forward on browser privacy.

Memo from California legislators to website owners: Tell us if you're honoring the Do Not Track (DNT) flag in people's browsers.

That's the intent of AB 370, a bill introduced earlier this year by Al Muratsuchi, a former state prosecutor who was elected to the California Assembly in November 2012.

"This bill would require an operator to disclose whether or not it honors a request from a consumer to disable online tracking," reads the draft legislation. "The bill would also require an operator to disclose if it does not allow third parties to conduct online tracking on the commercial Web site or online service."

The proposed legislation sounds a rare note of clarity in the contentious debate surrounding do-not-track proposals, asking website operators simply: Do you honor consumers' do-not-track requests?

Working with the World Wide Web Consortium (W3C), the advertising industry, browser developers and privacy advocates were already supposed to have developed a global Do Not Track standard, as was proposed last year in President Obama's Consumer Privacy Bill of Rights.

But the DNT standards work stalled in November 2012, prompting advertisers and marketers to focus again on self-regulation, after Microsoft enabled DNT by default in Internet Explorer 10. The Association of National Advertisers (ANA) reacted with outrage, as did some technology backers of the developing DNT standard, with the ANA's president and CEO playing the emotional card and expressing his "profound disappointment" at Microsoft's move.

Advertisers' subsequent inability to seal a DNT deal, however, didn't endear them to some members of the Senate Commerce Committee, which Wednesday held "a status update on the development of voluntary do-not-track standards."

Luigi Mastria, managing director of the Digital Advertising Alliance (DAA), told the committee that his group, in conjunction with numerous other advertising and marketing industry groups, had already created "a one-button choice mechanism to stop the collection and use of Web viewing data" for consumers. The advertising industry has long argued against DNT, saying that it would compromise the ability of sites to offer content to consumers without making them pay for it.

But Sen. Jay Rockefeller (D-WV), the committee chairman, said the one-button choice mechanism wasn't enough, and called on all players to honor the DNT standards work to which they'd committed. "It's now April 2013 and consumers are still waiting for these do-not-track standards," Rockefeller said, reported USA Today. "I believe these companies are dragging their feet."

Rockefeller, who's due to retire from Congress at the end of 2014, in February introduced the Do-Not-Track Online Act of 2013. He introduced an earlier version of the bill two years ago but didn't push the bill through the Senate after the advertising industry said it would develop a DNT standard.

Rockefeller's bill calls for the development of a DNT standard and penalties for any businesses that don't abide by it. "I do not believe that companies with business models based on the collection and monetization of personal information will voluntarily stop those practices if it negatively impacts their profit margins," he said at the committee hearing, reported Associated Press.

But not everyone thinks that a legal solution would work. "Generally speaking, when it comes to privacy protection, we should avoid placing excessive faith in schemes like Do Not Track because they could fail, just as previous techno-fixes failed to keep pace with fast-moving developments in this space," Adam Thierer, senior research fellow at the Mercatus Center at George Mason University, told the committee. Instead, he noted that concerned consumers can already safeguard their privacy using a number of free tools, including HTTPS Everywhere and VPN services.

"If our fear is that consumers lack enough information to make smart privacy choices, then let's work harder to educate them while pushing for greater transparency about online data collection practices," said Thierer. "Finally, we should remember that not everyone shares the same privacy sensitivities and that citizens also care about other values, such as cost, convenience, and choice."

Comments
PrideLand,
User Rank: Apprentice
4/26/2013 | 6:00:36 PM
re: California Proposes 'Do Not Track' Honesty Checker
I am a "concerned consumer", but I have never heard of "HTTPS Everywhere" or "VPN Services", so his argument fails. He also needs to explain why consumers should have to go through a lot of research to figure out how to protect their privacy when it should be a given unless they opt out for a trusted source.