A Second Life for the ‘Do Not Track’ Setting—With Teeth

Credit to Author: Lukasz Olejnik | Date: Thu, 28 Feb 2019 13:00:00 +0000

In 2009, as people grew concerned about the pervasiveness of web tracking, the idea of adding a Do Not Track (DNT) setting to browsers gained traction across the web. By enabling it, the browser attaches “DNT: 1” to a web request, effectively telling websites that the user does not wish to be tracked.

Initially, the concept was applauded for solving the pernicious problem of invisible online tracking. All the major web browsers added the DNT setting to their configuration. It was on the radar of the Federal Trade Commission, and the Electronic Frontier Foundation created a semi-standardized approach.

Lukasz Olejnik is an independent security and privacy researcher and advisor, W3C TAG member, and research associate at the Center for Technology and Global Affairs at Oxford University.

But there was a catch: DNT is a voluntary agreement. Users need to trust that the sites they visit honor the setting. And at first some sites, like Twitter, did. But if a site chooses not to honor the setting, there is no punishment and no regulatory backing to enforce the standard.

In the 10 years since DNT was initially proposed, it's been heading toward the history book of failed technical ideals. In 2019 the World Wide Web Consortium (W3C) discontinued work on Tracking Preferences Expression, the successor of DNT. Sites, including Twitter, reversed their stance. DNT was rightly criticized for doing essentially nothing, gradually losing the favor of public opinion.

But now DNT is having a renaissance of sorts, after it caught the interest of regulators in Europe. In January 2017 the European Commission announced an initiative to update the ePrivacy Regulation, a proposal that would revisit a 15-year-old directive dealing with privacy protections and how users consent to being tracked by cookies (websites served to citizens of the European Union are required to ask for consent for the use of cookies).

The process of creating EU regulations is complex, involving the European Parliament and the Council of the European Union, and the 2017 proposal had its issues. It did not, for example, include any form of automatic or universally standardized mechanisms for users to consent to being tracked. Without a universal standard, the patchwork of varying pop-ups that polluted a user’s web browsing experience would remain in effect. (In May 2018, when the EU enacted the General Data Protection Regulation, the problem with pop-ups was reinforced, which in retrospect was easy to predict.) Among the goals of the new ePrivacy Regulation was cleaning up this exact mess by requiring some sort of standardized and automatic process that is transparent to users. So in 2017, the European Parliament pushed hard toward making the browser mechanisms for user privacy preferences and consent expressions legally binding, and it issued a report that explicitly endorsed Do Not Track settings as a way of expressing consent. Ten years after the original proposal, DNT suddenly became integral in the debate over regulating privacy protection in the biggest economy in the world.

From a purely technical standpoint, DNT is somewhat redundant. The default settings of major web browser vendors like Apple Safari and Mozilla Firefox actively fight tracking. And, in a further twist, Apple decided to remove the DNT function from Safari 12.1, citing “fingerprinting risk.” Fingerprinting allows a site to identify a user based on traits specific to their devices or browser, and as Apple tried to argue, DNT could be one more setting used to track you. While the particular fingerprinting risk cited by Apple is extremely low (as Firefox’s telemetry data suggest), the message risks demonizing DNT.

DNT has suffered from users' misunderstanding of how it works. People don’t seem to know that DNT doesn’t make you invisible; it merely informs websites that you would prefer not to be tracked. But just because its purpose might be misunderstood doesn’t mean DNT should go away. (Research indicates that people don’t fully comprehend what “private browsing modes” do either; for example, they don’t mask your location or IP address.) DNT could have great value if it has regulatory backing.

Admittedly, crafting policy and enforcing regulatory action are long processes, and can be influenced in favor of or against some particular views. But there is a growing appetite for this kind of regulation. Just look at the European Union: It adopted the world’s most comprehensive and strongest privacy regulation framework, the General Data Protection Regulation, and now the EU is considering a regulatory solution that could rely on Do Not Track. And even though, in 2018 and 2019, the Council of the European Union is moving against the positive privacy changes in ePrivacy, and the much needed update to the regulation is postponed, when conversations around the proposal resume they will take place in a reality where aggressive tracker blocking is already the de facto technically enforced default. It seems that consent will remain an important regulatory concept in the months and years to come.

Which is why giving up on DNT at this particular moment—especially by actors as influential and decisive in the privacy debate as Apple—is not the signal we now need. Regulatory changes are finally on the table, and DNT could be a much needed solution for how to enforce these rules.

Technologists often complain about the relative slowness of the regulatory process, especially as compared to how fast technology develops. So it’s especially perplexing that tech companies and enthusiasts would rescind a technical proposal that could finally function the way it was supposed to all along. It doesn’t seem like the time to turn the setting off completely.

WIRED Opinion publishes pieces written by outside contributors and represents a wide range of viewpoints.