Hi, Andy Steingruebl and Bil Corry here:
Our friends at Mozilla have been hard at work creating a Do-Not-Track behavioral advertising opt-out mechanism, which shipped with the recently released Firefox 4. A stated goal for Mozilla’s Do-Not-Track mechanism is as follows:
“This header is intended to be a signal equivalent to the presence of an opt-out cookie. We believe only a small number of changes from websites and advertisers are necessary to switch from looking for opt-out cookies to looking for the header.”
Yesterday, Mozilla reported that the AP News Registry service implemented their Do-Not-Track mechanism in just a few hours with a single engineer, which appears to confirm Mozilla’s assertion that this feature is a relatively easy one for websites with an existing opt-out cookie mechanism.
While we applaud Mozilla and the Associated Press for their hard work on this issue, we are concerned that this frames the Do-Not-Track discussion around replacing existing opt-out cookie solutions. Admittedly, Mozilla does acknowledge that this is not a complete solution, and indeed, it is our belief that online privacy needs a much more thorough discussion with all stakeholders.
We recently submitted a position paper to the upcoming W3C Workshop on Web Tracking and User Privacy; we argue that it is premature to push technical mechanisms for controlling privacy before having a more substantial discussion with all stakeholders to define a complementary policy framework. Clearly online privacy extends beyond just an alternative opt-out cookie mechanism, but how far? What does it look like? Should public regulation also be included? What is the definition of “tracking”? The answers to those and many other questions will then determine what a technical solution will look like, which may be entirely different than any technical solution currently being proposed.
We strongly believe an online privacy system needs to be developed, but strongly disagree with the current effort to define a technical solution before a policy framework with stakeholders has been developed.
You may view our position paper here:
http://www.thesecuritypractice.com/the_security_practice/papers/W3C-WhereIsTheFramework.pdf
We welcome your feedback.