When tech policy meets tech - is it too soon to turn the page on Do Not Track?
In 2009, as people grew concerned over the pervasiveness of web tracking, the idea of adding Do Not Track (DNT) to browsers gained traction across the web. By enabling the setting, the browser attaches “DNT: 1” to a web request, effectively telling the site that the user does not wish to be tracked.
Initially the concept was applauded for solving the pernicious problem of invisible online tracking. All the major web browsers added a DNT setting to their configuration. It was on the radar of the FTC, and the Electronic Frontier Foundation created a semi-standardized approach.
But there was a catch: DNT is a voluntary agreement. The user needs to trust that the site she visits honors the setting. And at first, some sites, like Twitter, did. But if the site chooses not to honor the setting, there is no punishment, no regulatory backing to enforce the standard.
In the 10 years since DNT was initially proposed, it has been heading towards the history book of failed technical ideals. In 2019 the World Wide Web Consortium (W3C) discontinued work on Tracking Preference Expression, the successor of DNT. Sites (including Twitter) reversed their stance. DNT was rightly criticized as doing essentially nothing, and it gradually lost favor in public opinion.
But DNT is having a renaissance of sorts, after it caught the interest of regulators in Europe. In January 2017, the European Commission announced an initiative to update the ePrivacy Regulation, a proposal that would upgrade a 15-year-old directive dealing with privacy protections and how users consent to being tracked by cookies (websites served to citizens of the European Union are required to ask for consent for the use of cookies).
The process of creating EU regulations is complex, involving the European Parliament and the Council of the European Union, and the 2017 proposal had its issues. It did not, for example, include any form of automatic or universally standardized mechanism for users to consent to being tracked. Without a universal standard, there would remain a patchwork of varying pop-ups that polluted the user’s web browsing experience. (In May 2018, when the EU enacted the General Data Protection Regulation, the problem with pop-ups was reinforced, which in retrospect was easy to predict.) Among the goals of the new ePrivacy Regulation was exactly cleaning up this mess by requiring some sort of standardized and automatic process, transparent to users. So in 2017 the European Parliament pushed hard towards making the browser mechanisms for user privacy preferences and consent expressions legally binding, and it issued a report that explicitly endorsed Do Not Track settings as a way of expressing consent. Ten years after the original proposal, DNT suddenly became integral in the debate around regulating privacy protection in the biggest economy in the world.
Today it may appear that from a purely technical standpoint, DNT is redundant. The default settings of major web browser vendors like Apple Safari and Mozilla Firefox actively fight tracking. And in a further twist, Apple decided to remove the DNT function from Safari 12.1, citing “fingerprinting risk.” Fingerprinting allows a site to identify a user based on traits specific to their device or browser, and as Apple tries to argue, DNT could be one more setting used to track you. While (as Firefox’s telemetry data suggest) the particular fingerprinting risk cited by Apple is extremely low, the message risks demonizing DNT.
DNT has suffered from users’ misunderstanding of how it works. People don’t seem to know that DNT doesn’t make you invisible; it merely informs websites that you would prefer not to be tracked. But just because its purpose might be misunderstood doesn’t mean DNT should go away (research indicates that people don’t fully comprehend what “private browsing modes” do either; for example, that they don’t mask their location or IP address). DNT could have great value if it has regulatory backing.
Admittedly, crafting policy and enforcing regulatory action are long processes, and can be influenced in favor of or against some particular views or ways of thinking. But there is a growing appetite for this kind of regulation. We see it in the European Union: it adopted the world’s most comprehensive and strongest privacy regulation framework, the General Data Protection Regulation, and now the EU is considering a regulatory solution that could rely on Do Not Track. And even though, in 2018 and 2019, the Council of the European Union is moving against the positive privacy changes in ePrivacy and the much-needed update to the regulation is postponed, when conversations around the proposal resume, they will take place in a reality where aggressive tracker blocking is already the de facto technically enforced default. It seems consent will remain an important regulatory concept in the months and years to come.
Which is why giving up on DNT at this particular moment - especially by actors as influential and decisive in the privacy debate as Apple - is not the signal we now need. Regulatory changes are finally on the table, and DNT could be a much-needed solution for how to enforce these rules.
Technologists often complain about the relative slowness of the regulatory process, especially as compared to how fast technology develops. So it’s especially perplexing that tech companies and enthusiasts would rescind a technical proposal that could finally function the way it was supposed to all along. It doesn’t seem like the right time to turn the setting off completely.
This opinion article appeared in Wired (28/2/19).
Feedback welcome at me@lukaszolejnik.com.