Risk
4/25/2013
01:07 PM

California Proposes 'Do Not Track' Honesty Checker

After DNT standards development stalls, legislators and advertisers seek new path forward on browser privacy.

Memo from California legislators to website owners: Tell us if you're honoring the Do Not Track (DNT) flag in people's browsers.

That's the intent of AB 370, a bill introduced earlier this year by Al Muratsuchi, a former state prosecutor who was elected to the California Assembly in November 2012.

"This bill would require an operator to disclose whether or not it honors a request from a consumer to disable online tracking," reads the draft legislation. "The bill would also require an operator to disclose if it does not allow third parties to conduct online tracking on the commercial Web site or online service."

The proposed legislation sounds a rare note of clarity in the contentious debate surrounding do-not-track proposals, asking website operators simply: Do you honor consumers' do-not-track requests?

Working with the World Wide Web Consortium (W3C), the advertising industry, browser developers and privacy advocates were already supposed to have developed a global Do Not Track standard, as was proposed last year in President Obama's Consumer Privacy Bill of Rights.

But the DNT standards work stalled in November 2012, prompting advertisers and marketers to focus again on self-regulation, after Microsoft enabled DNT by default in Internet Explorer 10. The Association of National Advertisers (ANA) reacted with outrage, as did some technology backers of the developing DNT standard, with the ANA's president and CEO playing the emotional card and expressing his "profound disappointment" at Microsoft's move.

Advertisers' subsequent inability to seal a DNT deal, however, didn't endear them to some members of the Senate Commerce Committee, which Wednesday held "a status update on the development of voluntary do-not-track standards."

Luigi Mastria, managing director of the Digital Advertising Alliance (DAA), told the committee that his group, in conjunction with numerous other advertising and marketing industry groups, had already created "a one-button choice mechanism to stop the collection and use of Web viewing data" for consumers. The advertising industry has long argued against DNT, saying that it would compromise the ability of sites to offer content to consumers without making them pay for it.

But Sen. Jay Rockefeller (D-WV), the committee chairman, said the one-button choice mechanism wasn't enough, and called on all players to honor the DNT standards work to which they'd committed. "It's now April 2013 and consumers are still waiting for these do-not-track standards," Rockefeller said, reported USA Today. "I believe these companies are dragging their feet."

Rockefeller, who's due to retire from Congress at the end of 2014, in February introduced the Do-Not-Track Online Act of 2013. He introduced an earlier version of the bill two years ago but didn't push the bill through the Senate after the advertising industry said it would develop a DNT standard.

Rockefeller's bill calls for the development of a DNT standard and penalties for any businesses that don't abide by it. "I do not believe that companies with business models based on the collection and monetization of personal information will voluntarily stop those practices if it negatively impacts their profit margins," he said at the committee hearing, reported Associated Press.

But not everyone thinks that a legal solution would work. "Generally speaking, when it comes to privacy protection, we should avoid placing excessive faith in schemes like Do Not Track because they could fail, just as previous techno-fixes failed to keep pace with fast-moving developments in this space," Adam Thierer, senior research fellow at the Mercatus Center at George Mason University, told the committee. Instead, he noted that concerned consumers can already safeguard their privacy using a number of free tools, including HTTPS Everywhere and VPN services.

"If our fear is that consumers lack enough information to make smart privacy choices, then let's work harder to educate them while pushing for greater transparency about online data collection practices," said Thierer. "Finally, we should remember that not everyone shares the same privacy sensitivities and that citizens also care about other values, such as cost, convenience, and choice."

Comments
PrideLand
4/26/2013 | 6:00:36 PM
re: California Proposes 'Do Not Track' Honesty Checker
I am a "concerned consumer", but I have never heard of "HTTPS Everywhere" or "VPN Services", so his argument fails. He also needs to explain why consumers should have to go through a lot of research to figure out how to protect their privacy when it should be a given unless they opt out for a trusted source.