Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:55 PM

Advertisers' 'Do Not Track' Protests Fail Smell Test

An almost comic war of words continues between advertisers and Microsoft regarding do not track technology in Internet Explorer 10. Funny thing: The only tracking option advertisers want is opt-out.

Have you heard the joke about the advertising trade body that offered consumers a choice about their online privacy?

It goes like this: Technology firms and online advertisers come together to design a way for consumers to opt out of being tracked online, via a simple Do Not Track (DNT) preference setting in Web browsers. Then Microsoft says that it will ship its latest browser, Internet Explorer 10, with the DNT flag activated by default. In other words, seems to go Microsoft's reasoning, why not let consumers instead choose whether they'd like to opt in to being tracked?

Only that's not the choice that advertisers had in mind. Cue the outrage, with the Association of National Advertisers (ANA) launching a concerted advertising campaign to denigrate Microsoft's pro-consumer privacy moves.

Unfortunately, the above is no joke, although the proceedings have taken on the appearance of a folly, with ANA president and CEO Bob Liodice warning in a statement that "Microsoft's decision undercuts the effectiveness of our brand owners' Internet advertising and undermines the industry's self-regulatory system."

[ Is consumer privacy an oxymoron? See Cyber Spying Justice: Unserved. ]

Featuring hot-button marketing speak, the ANA's statement also channels advertisers' "profound disappointment" over the "shocking departure" Microsoft has taken from the Digital Advertising Alliance (DAA) program that crafted DNT, which has seen the browser maker "unilaterally impose choices on the consumer" that "would threaten the vast array of free or low cost online offerings that define the consumer online experience." Furthermore, Microsoft had the gall to do so "before consumers even have the opportunity to determine whether it is of value to them."

The ANA's posturing fails to pass the consumer privacy smell test. For starters, if consumers haven't figured out what's valuable to them over the past 17-odd years of Internet use, then they're not going to start now. In addition, it's interesting that the only option advertisers want offered to consumers is the ability to opt out.

Despite the ANA's doomsday rant, good news is on hand for advertisers: The Digital Advertising Alliance now says it will exonerate any business that chooses to ignore the IE10 "do not track" flags. The reasoning goes like this: DNT is a standard developed by the self-regulated Digital Advertising Alliance, and per the standard, the feature must by default be deactivated. By ignoring that requirement, Microsoft's implementation of DNT doesn't count. Accordingly, anyone using a browser which ships with DNT set to "don't track me" by default can be tracked.

Could the reasoning here grow any more tortured? Some cultural references may help untangle the underlying logic: "The debate over the Do Not Track standard has officially moved beyond Alice in Wonderland," writes ZDNet's Ed Bott. "These days, I'm not sure whether it's 1984 or Brazil."

Adding fuel to the fire is the developer of Apache HTTP, Roy Fielding, who also helped create the DNT standard. He's proposed a patch for Apache--which powers nearly two-thirds of the world's websites--that would make Apache websites ignore IE10 DNT settings altogether, as a way to "deal with user agents that deliberately violate open standards."

But, as one person commented on the related Apache patch proposal page, what happens when other browsers or websites take their own approach to DNT? "Who's going to maintain the list of 'violates Roy's vision' when he finds another windmill to tilt at?" he asked (thus helpfully adding Don Quixote to the list of applicable cultural references).

Of course the so-called DNT standard is part of a self-regulatory program, and thus more of a recommendation anyway, since legally it can't be enforced unless a business says it will abide by the standard in its website privacy policy. At that point, the Federal Trade Commission can ensure that the business does what it promises. But if the fundamental definition of DNT--in particular, if having opt-in DNT counts as DNT at all--is in dispute, good luck with enforcement.

All of this privacy posturing, of course, could be rectified via a simple step: creating clear, legally enforceable privacy rights for all consumers, such as the right to not be tracked. To be sure, laws are no panacea, since when it comes to Congress trying to tackle new types of technology, watch out.

Even so, some type of consumer privacy law would at least make related protections easily enforceable. Unfortunately, such moves won't happen anytime soon. Notably, the White House launched its Consumer Privacy Bill of Rights earlier this year--not after getting Congress to agree to give it the force of law, but instead as a recommended code of conduct, meaning the White House hopes that businesses will agree to abide by it.

As the DNT debate highlights, however, reaching an agreement on some of the underlying privacy principles--in today's self-regulatory environment--appears to remain a long shot. In the meantime, the cynical choice being offered to consumers seems less about privacy, and more about confusion.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/15/2012 | 6:04:14 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
Sure, you can destroy the advertising based model for online content by removing behavioral and demographic targeting from the industry. But advertisers will pull their money out, and users will have to pay directly for the content they want. How many Informationweek.com visitors are willing to pay for this website as a subscription? I suspect that the results would be poor and layoffs would be quick. As an advertising industry professional I can tell you that none of this "tracking" data is even close to personally identifiable. It tells us just enough so that we can feel confident that our ads aren't reaching (and bothering) a person with no interest in or relevance to the advertiser's product.
User Rank: Ninja
10/13/2012 | 12:08:18 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
The only way DNT can work is to have browsers actively reject ad and tracking cookies. But in the end even that is not working out. What ad networks need to understand is that they are much more successful if they stop alienating consumers and start generating some value.
User Rank: Apprentice
10/12/2012 | 5:44:35 PM
re: Advertisers' 'Do Not Track' Protests Fail Smell Test
I have set "donot track" in FF and Chrome, still see lot of cookies set by the stupid advt agencies. They already ignore the DNT flag, why bother talking about this? Only workaroud now is to use a 3rd party extension to block cookies from advt websites. It works well for me so far. I guess these guys will find a workaround for that too.
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-07
U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to upload arbitrary files.
PUBLISHED: 2021-05-07
U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to delete arbitrary files.
PUBLISHED: 2021-05-07
The ConsoleAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows a CSRF attack that results in injecting arbitrary Ruby code (for an eval call) via the CONSOLE_COMMAND_STRING parameter.
PUBLISHED: 2021-05-07
Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization.
PUBLISHED: 2021-05-07
A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass.