[This story was originally posted on Gizmodo by Kashmir Hill]
When you go into the privacy settings on your browser, there’s a little option there to turn on the “Do Not Track” function, which will send an invisible request on your behalf to all the websites you visit telling them not to track you. A reasonable person might think that enabling it will stop a porn site from keeping track of what she watches, or keep Facebook from collecting the addresses of all the places she visits on the internet, or prevent third-party trackers she’s never heard of from following her from site to site. According to a recent survey by Forrester Research, a quarter of American adults use “Do Not Track” to protect their privacy. (Our own stats at Gizmodo Media Group show that 9% of visitors have it turned on.) We’ve got bad news for those millions of privacy-minded people, though: “Do Not Track” is like spray-on sunscreen, a product that makes you feel safe while doing little to actually protect you.
“Do Not Track,” as it was first imagined a decade ago by consumer advocates, was going to be a “Do Not Call” list for the internet, helping to free people from annoying targeted ads and creepy data collection. But only a handful of sites respect the request, the most prominent of which are Pinterest and Medium. (Pinterest won’t use offsite data to target ads to a visitor who’s elected not to be tracked, while Medium won’t send their data to third parties.) The vast majority of sites, including this one, ignore it.
Yahoo and Twitter initially said they would respect it, only to later abandon it. The most popular sites on the internet, from Google and Facebook to Pornhub and xHamster, never honored it in the first place. Facebook says that while it doesn’t respect DNT, it does “provide multiple ways for people to control how we use their data for advertising.” (That is of course only true so far as it goes, as there’s some data about themselves users can’t access.) From the department of irony, Google’s Chrome browser offers users the ability to turn off tracking, but Google itself doesn’t honor the request, a fact Google added to its support page some time in the last year. A Google spokesperson says Chome lets users “control their cookies” and that they can also “opt out of personalized ads via Ad Settings and the AdChoices industry program” which results in a user not having “ads targeted based on inferred interests, and their user identifier will be redacted from the real-time bid request.”
There are other options for people bothered by invasive ads, such as an obscure opt-out offered by an alliance of online advertising companies, but that only stops advertising companies from targeting you based on what they know about you, not from collecting information about you as you browse the web, and if a person who opts out clears their cookies—a good periodic privacy practice—it clears the opt-outs too, which is why technologists suggested the DNT signal as an easier, clearer way of stopping tracking online.
“It is, in many respects, a failed experiment,” said Jonathan Mayer, an assistant computer science professor at Princeton University. “There’s a question of whether it’s time to declare failure, move on, and withdraw the feature from web browsers.”
That’s a big deal coming from Mayer: He spent four years of his life helping to bring Do Not Track into existence in the first place.
Why do we have this meaningless option in browsers? The main reason why Do Not Track, or DNT, as insiders call it, became a useless tool is that the government refused to step in and give it any kind of legal authority. If a telemarketer violates the Do Not Call list, they can be fined up to $16,000 per violation. There is no penalty for ignoring Do Not Track.
In 2010, the Federal Trade Commission endorsed the idea of Do Not Track, but rather than mandating its creation, the Obama administration encouraged industry to figure out how it should work via a “multistakeholder process” that was overseen by W3C, an international non-governmental organization that develops technical standards for the web. It wound up being an absolutely terrible idea.
Technologists quickly came up with the code necessary to say “Don’t track me,” by having the browser send out a “DNT:1" signal along with other metadata, such as what machine the browser is using and what font is being displayed. It was a tool similar to “robots.txt,” which can be inserted into the HTML of a web page to tell search engines not to index that page so it won’t show up in search results. The “stakeholders” involved in the DNT standard-setting process—mainly privacy advocates, technologists, and online advertisers—couldn’t, though, come to an agreement about what a website should actually do in response to the request. (The W3C did come up with a recommendation about what websites and third parties should do when a browser sends the signal—namely, don’t collect their personal data, or de-identify it if you have to—but the people that do the data collection never accepted it as a standard.)
“Do Not Track could have succeeded only if there had been some incentive for the ad tech industry to reach a consensus with privacy advocates and other stakeholders—some reason why a failure to reach a negotiated agreement would be a worse outcome for the industry,” said Arvind Narayanan, a professor at Princeton University who was one of the technologists at the table. “Around 2011, the threat of federal legislation brought them to the negotiating table. But gradually, that threat disappeared. The prolonged negotiations, in fact, proved useful to the industry to create the illusion of a voluntary self-regulatory process, seemingly preempting the need for regulation.”
It is, in many respects, a failed experiment.
The biggest obstacle was advertisers who didn’t want to give up delicious data and revenue streams; they insisted that DNT would “kill online growth” and stymied the process. (You can chart the death of Do Not Track by the declining number of emails sent around on the W3C list-serv.) By the time the debate was winding down at the end of 2013, it wasn’t even about not tracking people, just not targeting them, meaning trackers could still collect the data but couldn’t use it to show people intrusive ads based on what they’d collected. The inability to reach a compromise on what DNT should be led sites like Reddit to declare “there is no accepted standard for how a website should respond to [the Do Not Track] signal, [so] we do not take any action in response to this signal.”
To demonstrate their theoretical support for DNT—or from a more skeptical perspective, to garner some positive press—Google, Microsoft, Apple, Mozilla, and others started offering the “Do Not Track” option in their respective browsers, but absent a consensus around the actions required in response to the DNT:1 signal, these browsers are just screaming for privacy into a void.
“It’s really sad that companies are not listening to their users and put weak and misleading pretexts to not respect their choice of privacy,” said Andrés Arrieta, tech projects manager at the Electronic Frontier Foundation, who attempted in 2017 to breathe life back into Do Not Trackby establishing a new standard for what websites should do when they see someone send the DNT:1 signal. (Everyone ignored it.)
“It would have been better for the web if DNT had worked. It was the polite option: Users could signal their preferences and websites would honor those preferences,” said Mayer by phone. “The alternative is the non-polite option of ad-blocking and cookie blocking, which is the way the conversation is now moving. In a world without DNT, ad-blocking has taken off.”
13/ it could have been done the nice friendly way with an honest conversation between users and sites. But ad networks couldn't fathom jeopardizing revenue even a little. So now we have a legitimate arms race, and Firefox dropped a massive bomb. It's gonna be interesting.— Ben Adida (@benadida) August 31, 2018
Every year, more people turn on adblockers, much to websites’ chagrin, causing publishers to institute paywalls and use pop-up requests to beg people to turn the blockers off. (You can see the latter by browsing our sites here at Gizmodo Media Group). Apple and Mozilla are both building tools into their browsers to block third-party tracking; in Firefox’s case, it will be by default.
Dennis Buchheim, a senior vice president at online advertising group IAB’s Tech Lab, said in a statement that DNT, as designed, was too blunt an instrument and didn’t allow users to “exempt their trusted sites, effectively limiting users to all-or-nothing.” He calls Apple’s and Mozilla’s new anti-tracking offerings “a poor but logical evolution of the intentions of DNT” and hopes for a more “collaborative approach” that involves users telling sites one-by-one what tracking they’re willing to allow.
Meanwhile, tracking is becoming even more intrusive and spilling over into the real world, with phones emitting ultrasonic sounds and Google tracking Android users’ locations despite their stated preferences. By not giving people a real choice about whether they are willing to be tracked, the internet remains locked in an arms race over privacy, with new tools and methods constantly being created to try to subvert the desires of the party on the other side of the data divide. Meanwhile, lawmakers in D.C. continue their decades of empty talk about passing a federal privacy lawto regulate online data-brokering. If they finally succeed this year, the primary motivation is to overrule a robust privacy law recently passed in California, which is not the purest of motives.
Given that most people involved see Do Not Track as a failed experiment, what do we do with it now? At least one browser is considering getting rid of the option.
“Mozilla has been a strong supporter of the DNT concept but is disappointed by the low rate of adoption across the industry,” said Firefox product lead Peter Dolanjski in a statement sent via email. “That is why we have announced plans for a stronger set of default protections that do not depend on sites independently deciding whether to respect user intent. We will be evaluating what to do with the DNT setting as we implement these protections.”
Many of the technologists and privacy advocates who pushed for the Do Not Track option a decade ago admit that the setting could give users a false expectation of privacy, but they remain stubbornly attached to it.
“The flag gives websites a strong signal of the demand for privacy from their users,” said Narayanan by email.
Some think “Do Not Track” shouldn’t be abandoned because of the hope that it might one day finally be empowered to actually do something.
“We have seen strong Do Not Track adoption by users, rather than by companies, with millions of users’ privacy requests ignored,” said Aleecia McDonald, an assistant professor at Carnegie Mellon University, who helped oversee the DNT process. “The push for privacy in Europe could use Do Not Track as a technical mechanism, as could California’s new Consumer Privacy law.”
In other words, we have a tool that works for telling the internet that a person wants privacy. The problem is that the companies that dominate the internet are, for the most part, plugging their ears and saying, “Nah, nah, nah, nah, I don’t hear you, nah, nah, nah, nah, I don’t hear you,” and will continue to do so until the government forces them to take their fingers out of their ears.
Gabe Weinberg, the founder of the private search engine DuckDuckGo, which doesn’t track any of its users, may have framed it best. He thinks that unless a federal law that “gives some real regulatory teeth to Do Not Track” passes, the option “should be removed from all browsers because it is otherwise misleading, giving people a false sense of security.”
Until that happens, please know that if you turn on “Do Not Track,” it’s not doing anything to protect you unless you’re surfing Pinterest or reading Medium while logged out. It’s one thing to tell someone you want to be left alone, and another to get them to care.