Hello, Brett McDowell here:
Mozilla went on the record over the weekend with their specific proposal for how to implement Do-Not-Track (DNT) mechanisms via an HTTP header (with the goal of enabling users to opt out of Online Behavioral Advertising (OBA) at internet scale, if they wish). Here are the relevant links:
Privacy Positioning Blog Post (Alex Fowler):
Firefox Technical Proposal Blog Post (Sid Stamm):
Proposal Itself (header implementation):
Proposal Itself (UI implementation):
Technical Analysis of Do-Not-Track proposals (Mike Hanson):
Mike Hanson's blog post is the best analysis on the topic I've seen so far, but it still fails to call out anti-fraud tracking explicitly as a behavior that should not be interfered with by DNT. He lists advertising, personalization, and metrics as functions DNT should avoid interfering with, but given the nature of the Mozilla DNT proposal, sites still have to implement an interoperable OBA opt-out mechanism to avoid even that level of interference. Will every browser vendor have their own interface we have to interoperate with to avoid having all "3rd-party tracking" -- which of course doesn't actually mean 3rd-party, but simply means "from domains other than the one in the location bar" -- blocked by their browser?
I continue to be disappointed by the Do-Not-Track discussion as captured by the media and blogosphere for its continued disregard for the security considerations of this new header. Our concern is not about some geeky, low-level afterthought. We are talking about a fundamental negative consequence on internet security brought about by an industry-wide knee-jerk reaction to the FTC that is currently poised to remove mission-critical consumer protection mechanisms (commonly used by sites that require user authentication, including but not limited to financial services and commerce) if security considerations remain in the shadows of this policy debate much longer. The internet community must come together and explicitly carve out anti-fraud tracking as a behavior to sustain, if not embolden, in the post-DNT world.
Carving out first-party tracking is a reasonable step that I don't intend to criticize, but it's a blunt instrument that is insufficient for the task. Anti-fraud tracking is not always exclusively conducted via first-party cookies, nor is OBA exclusively negated by blocking 3rd-party cookies (as Mike Hanson points out in his post). Whatever DNT turns out to be, it must be based on a use-and-obligations model, i.e. a mechanism that triggers the required obligation for the specific use being addressed by the mechanism, which is OBA in this case. I'm pleased to see Mozilla headed in that direction, but there is still a long way to go before we've got this right.
The core issue is introduced in this sentence from Mike Hanson's post:
"I propose that the user's intent can be captured in a simple rule: If the Do-Not-Track header is present, and the site has a "tracking opt-out" mechanism, the mechanism should be activated. If the site does not have an explicit opt-out mechanism, the user should experience only content from their first-party relationship with the page being viewed."
I interpret the intent of that to mean:
1. Sites must implement an interface between the HTTP "DNT" Header and their current opt-out mechanisms
2. This implementation must be interoperable across all browsers and sites
3. If anything goes wrong and the browser cannot interpret the confirmation from the site that it has implemented its OBA opt-out mechanism in compliance with the DNT header setting in the browser, then the browser will initiate the "more harmful than helpful" behavior of blocking all but obvious domain-based, first-party content and tracking mechanisms.
Step 3 highlights the nest of issues we need to resolve if we want to ensure the post-DNT-web is better at protecting personal information from unauthorized disclosure than the web we have today.
Because this is a tractable problem, we are not against the DNT movement per se. We are against DNT gone wrong. What we need now is an all-hands standardization effort inclusive of the many proposals, all the various influencers, under a collaborative framework with a proven track record of facilitating timely compromise on thorny standardization issues, to bang out a rough consensus set of policies and protocols for DNT. This is not a call to stop the DNT effort, but to elevate DNT out of the noise of media coverage and into serious analysis and standardization work... before it's too late to get it right.
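The contrast drawn above between a use-based opt-out and the domain-based fallback in the quoted rule, as an added example that is not part of the original post or of Mozilla's proposal. The tracker inventory and its names are constructed, and the `DNT: 1` request value is an assumption, since the post names only the header.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tracker:
    name: str          # constructed sample name
    purpose: str       # "oba", "anti_fraud" or "metrics"
    first_party: bool  # served from the domain in the location bar

# Constructed inventory for one page load (not from the post).
TRACKERS = [
    Tracker("network-ad-profile", "oba", False),
    Tracker("onsite-ad-profile", "oba", True),
    Tracker("device-reputation", "anti_fraud", False),
    Tracker("session-risk", "anti_fraud", True),
    Tracker("page-metrics", "metrics", True),
]

def dnt_requested(headers):
    """True when the request carries DNT: 1 (assumed value; names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == "dnt":
            return value.strip() == "1"
    return False

def use_based(headers, trackers):
    """Site honours the header through its opt-out mechanism: only the OBA use stops."""
    if not dnt_requested(headers):
        return list(trackers)
    return [t for t in trackers if t.purpose != "oba"]

def domain_based(headers, trackers):
    """Fallback in the quoted rule: only first-party content and tracking remain."""
    if not dnt_requested(headers):
        return list(trackers)
    return [t for t in trackers if t.first_party]

def fallback_gaps(headers, trackers):
    """Compare the fallback against the use-based result for the same request."""
    wanted = set(use_based(headers, trackers))
    kept = set(domain_based(headers, trackers))
    return {
        "anti_fraud_lost": sorted(t.name for t in wanted - kept if t.purpose == "anti_fraud"),
        "oba_still_running": sorted(t.name for t in kept - wanted if t.purpose == "oba"),
    }
```

For a request carrying the header, `fallback_gaps` reports the third-party anti-fraud signal as lost and the first-party OBA profile as still running, which are the two mismatches the post attributes to domain-based blocking.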
Good comments, Brett - I'll make sure to bring up anti-fraud in a followup post. Can you recommend a good background page I could link to?
- Mike Hanson
Posted by: Michaelrhanson | January 25, 2011 at 10:45 AM
@MichaelHanson Sure thing. In fact I'm going to work on a follow-up post that goes into some examples of what would be "lost" to us as anti-fraud measures if only "first-party" cookies etc. were allowed by the browser. I won't be able to disclose everything, but a few key examples should be possible. You are not the only person who has asked for detailed examples :-)
Posted by: Brett McDowell | January 25, 2011 at 01:03 PM