Risk
12/1/2010
06:56 PM
Connect Directly
RSS
E-Mail
50%
50%

FTC Proposes 'Do Not Track' Option For Internet

Web users could use a browser button to stop organizations from tracking their viewing habits, under the Federal Trade Commission proposal.

The Federal Trade Commission has made a potentially far-reaching proposal that would give web users the option of shielding personal information from advertisers, retailers and other companies while browsing the Internet.

The FTC gave its blessing to the so-called "Do Not Track" approach in a proposed framework for consumer privacy released Wednesday. The proposal would apply to all commercial organizations that collect or use data that can be linked to a specific consumer, computer or other device.

The commission favored giving consumers a simple mechanism for disallowing data gathering. To do that, the FTC recommended adding a button to browsers that would activate technology to prevent people from being tracked or receiving targeted advertising. The proposal would be an alternative to current browser privacy settings, which a recent study by Stanford University and Carnegie Mellon found inadequate to shield people's viewing habits.

The need for such simplicity stems from the fact that the voluntary approach -- in which organizations set their own privacy policies and notify consumers of the rules in advance of collecting information -- has failed. "Specifically, the notice-and-choice model, as implemented, has led to long, incomprehensible privacy policies that consumers typically do not read, let alone understand," the FTC report said.

The Future of Privacy Forum, a Washington, D.C.-based think tank, agreed with the FTC and praised the report. "Today's FTC report identifies the most pressing privacy issues facing consumers today," the group said in a statement. "They correctly recognize that the current framework needs to be updated to reflect consumers' ongoing concerns about how their data is being collected and used."

The commission's proposed privacy framework would have companies build consumer privacy protection into every stage of development of products and services. In addition, organizations would offer a clearly defined no-tracking option at the time a consumer is making a decision that would set data gathering in motion. Finally, companies would increase transparency of their data practices through clearer, shorter and more standardized privacy notices and by providing access to consumer data they maintain. If a company planned to use data for something other than its originally stated purpose, then consumers would have to agree to the new use in advance.

Advertisers have been adamantly against government-imposed privacy regulations, preferring a self-regulatory approach instead. In an appearance this year before the House Subcommittee on Commerce, Trade and Consumer Protection, Mike Zaneis, VP of public policy for the Interactive Advertising Bureau, argued that the industry "has a long and successful history of protecting consumers' privacy rights through effective self-regulation."

"Given the free content and services that consumers enjoy because of advertising revenue, it is imperative that any new laws be carefully tailored," Zaneis said.

Shar VanBoskirk, analyst for Forrester Research, said the firm's studies have shown that consumers are generally willing to share information with marketers if there's a valuable payback for doing so. Consumers are more concerned about the lack of control they have over their data, and VanBoskirk said she doesn't have a lot of faith that legislation would effectively address those concerns.

"Consumers need education to understand how their data is used, when data sharing has a benefit for them, where their data goes, who knows what about them, and then how to elect out of data sharing if they choose," VanBoskirk said in an e-mail sent to InformationWeek.

The FTC does not have the authority to require companies to follow its framework, much of which would require an act of Congress. The House Subcommittee on Commerce, Trade and Consumer Protection is scheduled to consider on Thursday the feasibility of a universal method for opting out of being tracked online, according to The New York Times.

SEE ALSO:

Web Browser Privacy Settings Flawed

The Massachusetts Data Privacy Law Debacle

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio