Internet and e-mail policy and practice
including Notes on Internet E-mail



03 Dec 2010

Do-not-track: still not a great idea

Back in August, FTC chair Jon Leibowitz suggested an Internet do-not-track registry, analogous to the telephone do-not-call registry. At the time, I thought it wasn't a good idea for both technical and non-technical reasons. This week, the FTC published an online privacy report recommending the same thing, and Rep. Ed Markey promises to offer a bill next year to mandate do-not-track for children. With all this interest, might it be a good idea now? Maybe.

There are two fundamental reasons that do-not-track is not like do-not-call: identity and auditing. For do-not-call, your identity is your phone number. That works well because the set of numbers is fixed and they change slowly. On the Internet, there's no analogous identity for your browser. The closest thing is an IP address, but all the computers in a household typically share one IP, and in some areas (such as where I live) an entire neighborhood can share a small set of IPs. In August I concluded that the least bad approach was not to try to identify the browser, but to add a flag sent along with each HTTP web request saying that this is a do-not-track request. Looking at the trade press, as well as at the FTC's report, everyone else came to the same conclusion. That's technically straightforward in principle, although it will take a while for the Internet Engineering Task Force, which maintains the HTTP spec, to work out the details, in particular whether the flag is a simple yes/no or something more complex.

This brings us to the next problem with do-not-track--deciding what it means. (This area is treated well in the FTC report, although their recommendations aren't very satisfactory.) The kinds of tracking that happen on the Internet range from very benign to really creepy. At the benign end, if you've bought books from Amazon, when you return to the Amazon site, they'll suggest other books similar to what you've bought. That's relatively benign because it's all within one known organization (what the FTC calls first party marketing) and it's obvious what's going on. At the creepy end, ISPs can use deep packet inspection (DPI) to spy on the contents of all the web traffic to or from your home, figure out what sort of sites you are visiting, and sell that info to marketers. That's incredibly intrusive, since most people (perhaps unwisely) don't expect strangers to be tracking their browsing habits. So to be useful, a do-not-track flag needs some way to say that the benign stuff is OK and the creepy stuff is not, and perhaps some way to tell it where you draw the line.

The other difference between do-not-call and do-not-track is auditing: telling whether companies are following the law. With do-not-call, it's pretty simple: if someone makes a sales call to my home phone on the do-not-call list, they've broken the law, unless they can show that they fall into one of a small set of exceptions. With do-not-track, you can't tell. Some tracking uses browser cookies, which are reasonably easy to check, but there are a lot of other harder-to-recognize techniques, with the worst being DPI, which happens entirely at the ISP, invisible to the user. You can sort of guess based on the kinds of marketing shoved at you, but in practice you have to depend on the sites you visit and your ISP doing what you've asked them to, rarely something you can depend on.
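As an added illustration (not code from this post), here is one way a server could honor the per-request flag and draw the first-party/third-party line discussed above. It assumes the flag is the `DNT: 1` request header that browsers later shipped; `handle`, `coarse_ip`, the cookie names and the policy itself are hypothetical.

```python
import ipaddress
import secrets

def dnt_preference(headers):
    """True = do not track, False = tracking allowed, None = no preference sent."""
    value = {k.lower(): v.strip() for k, v in headers.items()}.get("dnt")
    return {"1": True, "0": False}.get(value)  # anything else counts as unset

def coarse_ip(addr):
    """Zero the host part of the address (/24 for IPv4, /48 for IPv6) before logging."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def handle(headers, remote_addr, path, third_party):
    """Return (response_headers, log_record) for one request.

    third_party says whether this endpoint is embedded on other sites; it is
    deployment configuration (an assumption), not inferred from the request.
    """
    dnt = dnt_preference(headers)
    response, record = [], {"path": path}
    if dnt and third_party:
        # Cross-site tracking declined: no identifier, coarse address only.
        record["ip"] = coarse_ip(remote_addr)
    elif dnt:
        # First-party use stays, but only for the browser session (no Max-Age).
        sid = secrets.token_hex(8)
        response.append(("Set-Cookie", f"sid={sid}; HttpOnly; Secure"))
        record["ip"] = coarse_ip(remote_addr)
    else:
        # No objection expressed: persistent identifier, full address logged.
        uid = secrets.token_hex(8)
        response.append(("Set-Cookie", f"uid={uid}; Max-Age=31536000; HttpOnly; Secure"))
        record.update(ip=remote_addr, uid=uid)
    return response, record

if __name__ == "__main__":
    # Constructed sample requests using documentation addresses, not real traffic.
    samples = [
        ({"DNT": "1"}, "203.0.113.77", "/pixel.gif", True),
        ({"DNT": "1"}, "203.0.113.77", "/books", False),
        ({}, "2001:db8:1:2::5", "/pixel.gif", True),
    ]
    for sample in samples:
        print(handle(*sample))
```

Only the `Set-Cookie` half of the result is visible to the browser; what goes into the log record is not, which is the auditing gap described above.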

I can't help but notice that this whole do-not-track argument is unique to the US. In Canada, the EU, Australia, New Zealand, and every other developed country, they have privacy laws that say that companies can't keep files of personal information without the explicit consent of the subjects. They don't need do-not-track, because tracking without permission is illegal. This flips the process around so that users can give tracking permission just to organizations if they want to. The US is painfully far behind in personal privacy, and although do-not-track is a band-aid, our overall lack of privacy protection is the real problem.

posted at: 22:26 :: permanent link to this entry :: 4 comments

comments...

Do-Not-Track laws in Canada, the EU and elsewhere probably don't protect them from tracking any more than CAN-SPAM protects us from spam. It's a futile gesture. The only solutions to tracking, if any, will be technical ones.

(by Larry Seltzer 04 Dec 2010 20:53)

Larry, the I-CAN-SPAM act was specifically passed so that marketers can spam. If the law was an opt-in law which permits individuals to take action (i.e. the California law, TCPA), that would eliminate much of the tracking -- if liability was imposed not only on the trackers, but on the people who use the tracking information.

(by Bill Silverstein 19 Dec 2010 12:56)

Actually, we should think about a "do-not-track" law in Europe, because we are starting to have DPI and such tracking done, on behalf of the copyright protection, against p2p, etc.

For instance, in France, laws like HADOPI are making all our efforts—such as the CNIL institution—useless. It has been shown many times that tracking was always used in an "evil" way and has broken all privacy of the users.

(by avetis.kazarian 23 Dec 2010 07:22)

Internet and law is a complicated subject, since it's often inter-national and not intra-national. For example, tracking me within the EU might be illegal, but Google servers could still be tracking me from the US. An example: if I from Sweden buy a product from the US and the retailer runs off with my money (scam/phishing), should a lawsuit be under Swedish or US-law? Answer is US.

I don't like the idea of do-not-track since it doesn't sound reasonable to me. HTTP/Apache logs contain who you are (IP) and where you are (page) at a given time. Using these logs you can then compile how you were browsing. However, all of this data is unusable since the IP in itself does not show who I am.

The problem is not what is being collected and how you are being tracked, it's when companies such as Google and Facebook start to identify you.

I'm, hands down, pro-tracking. I want to be able to know, as a domain-owner and a blogger, how my readers find and navigate my site. That doesn't mean I want to know WHO they are except from what country they're from.

Google is big enough to actually identify individuals, which is scary. Knowing that Google also disregards privacy makes the whole thing worse (collecting personal information by snooping WiFi using StreetView-cars). What's more scary is that Facebook actually KNOWS who you are. Combine these two, and advertisers don't need anything else.

So instead of a do-not-track-law, we should get a do-not-share-info-law. As long as it's not identifiable it's okay (i.e. amazon recommending books, Last.Fm recommending songs), but when it's identifiable it starts getting not-okay.

DPI is also not okay since it's like opening your in- and out-going mail (regular mail) and looking at what's inside.

(by Oscar 06 Jan 2011 16:07)


© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.