2/24/2012
12:44 PM

Do Not Track: 7 Key Facts

Key provision in the Obama administration's new Consumer Privacy Bill of Rights has benefits and limitations. Check out some of the compromises.

Opting out of some forms of online behavioral tracking should soon get easier, now that a number of technology and advertising firms have agreed to abide by a browser-based Do Not Track button.

That announcement came Thursday, in conjunction with the Obama administration announcing its proposal for a Consumer Privacy Bill of Rights.

After three years of advertisers battling Do Not Track, their shift represents a "win," said security and privacy researcher Christopher Soghoian in a blog post. Notably, the Do Not Track initiative has been backed by Google, Microsoft, and Yahoo, as well as the Digital Advertising Alliance (DAA), which counts almost 90% of the firms that engage in online behavioral tracking as members.

But questions remain. In an election year, pushing legislation to enforce Do Not Track would be difficult, according to Justin Brookman, the director for the non-profit civil liberties group Center for Democracy and Technology's Project on Consumer Privacy. Accordingly, the White House is encouraging online advertisers to agree to its new consumer privacy framework. Such an agreement would allow the Federal Trade Commission to then monitor and enforce compliance.

In other words, as it now stands, the Do Not Track proposal only goes so far, and has been built on some compromises. Here's why:

1. Demonstrating Do-Not-Track Desire Easy

How did Do Not Track come about? Soghoian said that he and Mozilla's Sid Stamm created a prototype in 2009 as a Firefox add-on, which added these two headers to outgoing HTTP requests: "X-Behavioral-Ad-Opt-Out: 1" and "X-Do-Not-Track: 1." Simple, right?

2. Advertisers Prefer Tracking

While signaling intentions sounds straightforward, how those intentions can and should be interpreted is open to debate. Or as Mike Zaneis, senior VP of industry trade group the Interactive Advertising Bureau, has put it, "It's like sending a smoke signal in the middle of Manhattan; it might draw a lot of attention, but no one knows how to read the message."

3. What's Coming: Browser Opt-Outs

Thanks to growing criticism of online tracking, the DAA said it will now encourage all companies engaged in online behavioral advertising to commit to the new Do Not Track principles, which include informing consumers about how their data is being collected, as well as how they can opt out. At the same time, however, the group has also promised to educate consumers about how online tracking helps support "the free content, products, and services you use online."

4. Browsers Won't Be Tracked

While any step toward the advertising industry committing to some type of Do Not Track mechanism is welcome, it's only a first step. "The DAA members have committed to respect 'Do Not Track' instructions with respect to targeted advertising implemented through browser settings," said privacy expert and attorney Christopher Wolf of Hogan Lovells in a blog post.

5. Mobile Devices Can Still Be Tracked

Beyond browsers, tracking smartphone users--as practiced by the likes of Google--is a different story. Luckily, California officials have been working to get technology firms and advertising agencies to agree to curb such practices.

6. Browser Makers Must Work Out Details

While Do Not Track sounds great on paper, some pundits have warned that it's still up to browser makers to decide what a Do Not Track button will do. Mozilla, however, has said that it's "firmly committed" to enabling users to opt out of whatever they want to opt out of. Google, meanwhile, said that its Chrome browser will "adopt a broadly consistent approach" to the Do Not Track proposals. Of course, it will then still be up to consumers to actually press such a button.

7. Should You Trust A Browser Button?

Regardless of whether the online advertising industry's self-regulatory approach to allowing consumers to opt out of being tracked works or not, there are other steps that Internet users can take. Notably, numerous browser add-ons and features, such as Ghostery and Internet Explorer's TPL, will help users see how they're being tracked, and block such behavior.
