HomeBlog PostDNT › Microsoft's privacy "enhancements" more complex than they first appear

Blog Post

Microsoft's privacy "enhancements" more complex than they first appear

Microsoft has just announced that the newest version of its popular browser, Internet Explorer 10, will come with the privacy friendly feature, "Do Not Track" already turned on by default.  Now since I've been pushing for Do Not Track implementation for at least the last two years, I should be rejoicing, right?

Would that life were so simple.  Microsoft's unilateral and surprising announcement has complex implications, some still unfolding.  Let me explain what's going on.

First, you need to know what Do Not Track is.  Simply, it is a mechanism for a browser to send a message telling a web site that you don't want your activities tracked as you surf the Web.  Firefox, the browser offered by the non-profit organization Mozilla, was the first to offer a way send the message.

But here's the rub.  Even though the Federal Trade Commission as called for the implementation of DNT, nobody has yet agreed what the obligations are when a website receives a DNT message. I've long argued we need to be crystal clear about that and we need legislation to give the FTC -- or some other regulatory agency -- specific authority to define DNT obligations and compliance.

The ever optimistic FTC is giving self-regulation a last chance yet again.

So right now the only meaningful game around when it comes to Do Not Track is group called the W3C (or World Wide Web Consortium). It's an Internet standards setting group that brings together a variety of stakeholders from different aspects of industry, academia, consumer groups and even regulators to work out appropriate Internet rules of the road by consensus. The W3C Tracking Protection Working Group is tackling the DNT issue.  It is seeking to define how, technically, the DNT message will be sent and what exactly the compliance obligations will be.

I'm a member of the group as a so-called "invited expert", which I think is pretty cool because I can't remember the last time anybody called me an expert at anything except when my then five-year-old daughter told a friend, "My Dad can fix anything." I digress. Back to the W3C.

Obviously reaching working group consensus is difficult with the diversity of backgrounds and views among the participants.  One area where one had more or less emerged was around the idea that Do Not Track had to represent a user's clear choice.  She or he had to choose to turn it on.

Sending the header DNT:1 means Do Not Track me. DNT: 0 means it's OK to track.  That also had to be selected by the user.  If the user did not choose, no header would be sent.

Here is something that's important to remember: The Internet is global; the W3C Do Not Track standard has to work in many different jurisdictions around the world.  Not sending a DNT header would have different implications in different jurisdictions because of a different regulatory framework, but DNT should be useful in all of them.

Default settings are powerful.  The fact is that most people don't change them.  If you want maximum participation in a 401 (k) plan, put all employees in it and let them opt out. If you want minimal participation make them opt in.

Privacy protection by default protects more people because they don't think about changing it.  Industry hates it.  Generally I am for it. However, I think the consensus that DNT must be turned on by the user is acceptable because it helps make the case that many other aspects of the protocol must be based on user expectations.  It was, as I understand it, a done deal and the Working Group had moved on to other divisive -- possibly insurmountable -- issues.

Then Microsoft announced IE 10 would ship with DNT turned on as the default.  How could this have happened when the software giant's representatives were at the bargaining table? Indeed the last meeting of the group was at Microsoft's Washington office.  I can only speculate that it's the classic left hand not knowing what right hand has been doing.  Microsoft is certainly big enough for that to happen.

There is also speculation that those in Microsoft who moved on DNT did it because they thought it would generate PR benefits and praise from the privacy community. A completely cynical view is that the decision potentially sticks it to arch rival Google, which has a much larger advertising operation.  Indeed, 98 percent of Google's revenue comes from ads.

So, the rest of industry is furious.  Some  working group participants don't even want the next meeting to be held at Microsoft offices in the Seattle area.  That's not a big deal, but this is:  There is growing sentiment emerging that if IE 10 ships with DNT turned on, the industry will simply ignore it. Industry must not have an excuse to ignore a DNT signal.

Buried in the controversy is another important issue.  Industry wants Do Not Track to mean "Do Not Target." Ads wouldn't be served based on your web surfing activities, but data would still be gathered. Real Do Not Track means Do Not Collect information about my surfing.

Microsoft has an advertising network, albeit minuscule when compared to the gargantuan reach of Google.  They've announced IE 10 will send DNT by default, but what will Microsoft ad network's response be when it gets a DNT message? Here's what Brendon Lynch,Chief Privacy Officer, said: "In February, Microsoft Advertising intends to treat the do-not-track browser signal as an opt-out of behavioral advertising under the Digital Advertising Alliance's self-regulatory program."

Great. Microsoft won't target, but they will still collect data. And they've (probably unintentionally) undermined the only group working to set a meaningful DNT standard. They are getting -- for the moment -- some good PR.

But here is what I'm worried about. There is a real danger that consumers will be caught between warring industry Goliaths. They never really wanted DNT anyway.  It's long past time to pass meaningful Do Not Track legislation that would enable real regulations.