Do Not Track me online, please
This week’s CBC tech column is all about the Do Not Track feature baked into today’s release of Firefox 4, and last week’s Internet Explorer 9. Column is online at cbc.ca/tech, and posted below for posterity.
If you’re looking for the links I mentioned on the radio, here they are:
Browsers:
Do Not Track browser add-ons:
Other anti-tracking add-ons:
===
Almost everywhere you go online, you’re being watched. From news sites (like this one), to Facebook, to YouTube, your online behaviour is being tracked, often without your knowledge or consent.
In response, two of the biggest web browsers are throwing their weight behind a new anti-tracking mechanism.
Both Microsoft’s Internet Explorer 9 (launched March 14), and Mozilla’s Firefox 4 (slated for release on March 22) support Do Not Track, a proposed internet standard that puts the privacy onus on website trackers and advertisers.
Why use Do Not Track? Let’s first put on our tinfoil hats and pretend that I have a heart condition.
Let’s say I spend the whole afternoon researching heart medication online. Then, later in the day, I try to get a quote for medical insurance. Could my potential insurer know how I spent my afternoon online?
According to Jonathan Mayer, a security researcher at the Stanford Law School Centre for Internet and Society, “There is absolutely no technical reason they wouldn’t have access to that. And that’s a real concern.”
Mayer is also one of the authors of the Do Not Track standards proposal.
The situation I just described isn’t some made-up example. Right now, in Britain, the website of the National Health Service contains trackers – small bits of code, often invisible – from Facebook, Google and others.
Here in Canada, the Health Canada website contains tracking code from Google that logs the length and frequency of my visits, my geographic location, and other details. The question is, do you really want a third party knowing that you visited an infopage on syphilis?
Profiling
The concern here isn’t so much about collecting one or two pieces of information, but rather, about persistent tracking of your online behaviour across time and across different sites. Essentially, profiling.
The other concern is transparency. Or, rather, lack of transparency.
Most people don’t know that this kind of tracking is even happening. Many top websites (CBC.ca included) contain tracking code that quietly watches you in the background while you’re visiting their site. Sites also commonly leave behind cookies, which can be used to track you across multiple websites.
Here in Canada, we have data privacy laws that require both knowledge and consent in order to collect personal information. Privacy advocates are concerned that current tracking methods collect personal information without either.
For his part, Stanford’s Mayer characterizes your online behaviour as intimate. “If someone asks, ‘Could I take a look at your browsing history?’ I would imagine that your answer would be, ‘No, of course not.’
“And yet that’s essentially what we have as an everyday business practice on the web.”
Pretty please
The Do Not Track technology attempts to address the privacy issues surrounding third-party web tracking. This is how it works.
Right now, every time you go to a website, your browser says something like, “Hello, YouTube, please show me a video.”
If you turn on these new Do Not Track features, your web browser still makes that request. But it also adds, “and by the way, you know how you ordinarily track me? Don’t do that, please.”
In that sense, it’s a bit like the National Do Not Call registry for telemarketers, but with two important differences: there’s no centralized list and, for now, there’s nothing that compels websites to honour your opt-out request.
By turning on Do Not Track, you’re simply communicating your preference not to be tracked. The system puts the onus on trackers, and right now, it’s a bit of an honour system.
Unlike the National Do Not Call Registry, there are no fines or disincentives for companies or advertisers that track you against your wishes.
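What honouring the request looks like on the website's side, as an added example that is not part of the original column: the browser's "don't track me, please" travels as the HTTP request header `DNT: 1`, and a site that chooses to respect it skips its identifier cookie and third-party tracking tag. The function names, the `visitor_id` cookie and the hostnames are assumptions made for illustration.

```javascript
// Added example. TRACKER_TAG, the "visitor_id" cookie and the hostnames are
// hypothetical; only the "DNT" request header comes from the Do Not Track proposal.
const TRACKER_TAG = '<script src="https://tracker.example/t.js"></script>';

// Constructed sample: the request a browser sends once Do Not Track is turned on.
const SAMPLE_REQUEST = [
  'GET /conditions/heart HTTP/1.1',
  'Host: health.example',
  'DNT: 1',
  '', '',
].join('\r\n');

// Parse the header lines into a map keyed by lowercase name
// (HTTP header names are case-insensitive).
function parseHeaders(rawRequest) {
  const headers = {};
  for (const line of rawRequest.split('\r\n').slice(1)) {
    if (line === '') break; // blank line ends the header section
    const colon = line.indexOf(':');
    if (colon > 0) {
      headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
    }
  }
  return headers;
}

// "1" means the user asks not to be tracked; anything else is no opt-out.
function prefersNoTracking(headers) {
  return headers['dnt'] === '1';
}

// Build the page. newId is a caller-supplied generator for visitor identifiers.
function buildResponse(headers, newId) {
  const res = {
    // Vary keeps a shared cache from serving the tracked page to an opted-out visitor.
    headers: { 'Content-Type': 'text/html; charset=utf-8', 'Vary': 'DNT' },
    body: '<h1>Heart conditions</h1>',
  };
  if (prefersNoTracking(headers)) return res; // no identifier cookie, no third-party tag
  if (!/(^|;\s*)visitor_id=/.test(headers['cookie'] || '')) {
    res.headers['Set-Cookie'] =
      `visitor_id=${newId()}; Max-Age=31536000; Path=/; Secure; HttpOnly`;
  }
  res.body += TRACKER_TAG;
  return res;
}

console.log(buildResponse(parseHeaders(SAMPLE_REQUEST), () => 'unused'));
```

Nothing in the request forces this branch to be taken, which is the honour-system point: the header only states the preference, and the site's own code decides whether to act on it.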
Government action?
So the question is, should we have regulations that would force websites and advertisers to heed your request not to be tracked?
In the U.S., both the Federal Trade Commission and the Obama administration are pushing for Do Not Track legislation that would compel organizations and advertisers to respect the opt-out mechanisms.
Here in Canada, Privacy Commissioner Jennifer Stoddart has acknowledged the issues surrounding online tracking in a 2010 report.
When asked specifically about Do Not Track, her office responded: “We are following with interest the U.S. Federal Trade Commission’s proposal for a Do Not Track mechanism. Our Office has concerns about the lack of visibility with respect to online tracking, profiling and targeting. If people don’t know about such practices, they can’t take steps to limit tracking.”
This response highlights one of the main barriers to adoption for Do Not Track: lack of awareness.
What’s more, even though Firefox and Internet Explorer both support this Do Not Track mechanism, it’s not turned on by default. Users have to know it exists, and know how to turn it on.
The other challenge is that what we’re talking about today is part of a much larger online privacy movement that includes a wide array of technologies. In addition to the Do Not Track technology, Microsoft and Google have their own anti-tracking approaches and technologies, including block lists and cookie-based opt-out mechanisms.
Though technically simple concepts, these can be confusing for users.
If you’re still wearing your tinfoil hat, you may be wondering what you can do right now.
Do Not Track is currently supported by Internet Explorer 9 and Firefox 4. You can also add Do Not Track functionality to other browsers with plug-ins and add-ons.
And, as many websites do not currently support Do Not Track, it may also be worth investigating other anti-tracking plug-ins such as AdBlock Plus or Ghostery.