ARTICLE
16 November 2012

Hiding In Plain Sight - The Browser Do Not Track Header


While the compliance and tentative enforcement of 'the cookie law' continues, change is also continuing in a related online privacy issue: the web browser 'Do Not Track' settings.

On the face of it, Do Not Track ('DNT') is a simple concept.  It is a proposed web standard by which a user sets a flag (or header) that their web browser sends to websites when the browser requests data.  This flag has three settings - DNT:1 (a wish to not be tracked); DNT:0 (consent to be tracked); and a third 'null' setting (the absence of either DNT:1 or DNT:0).  On its face, this just represents a technical setting which can be used to express a user's wish, with no inherent legal (and some would argue, moral) requirement to be respected or adhered to.
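To make the three settings concrete, the following is an added example (not part of the original article) of how a web server might read the header and act on it. The function names, the sample request and the opt-in policy, under which only an explicit DNT:0 permits a tracking cookie, are assumptions made for illustration.

```javascript
// Added example: tri-state DNT handling on the server side.
// All names are hypothetical; SAMPLE_REQUEST is constructed.
const DNT = Object.freeze({ OPT_OUT: "DNT:1", CONSENT: "DNT:0", UNSET: "null" });

const SAMPLE_REQUEST =
  "GET /page HTTP/1.1\r\nHost: example.test\r\ndnt: 1\r\n\r\n";

// Collect every DNT field in a raw header block and reduce it to one state.
function parseDnt(rawHeaders) {
  const values = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const colon = line.indexOf(":");
    if (colon <= 0) continue; // request line, blank line or malformed field
    // HTTP field names are case-insensitive.
    if (line.slice(0, colon).trim().toLowerCase() === "dnt") {
      values.push(line.slice(colon + 1).trim());
    }
  }
  if (values.length === 0) return DNT.UNSET;
  // Assumption: if fields conflict, the most restrictive one wins.
  if (values.includes("1")) return DNT.OPT_OUT;
  if (values.every((v) => v === "0")) return DNT.CONSENT;
  return DNT.UNSET; // unrecognised value: treat as no expressed preference
}

// Assumed opt-in policy: only an explicit DNT:0 permits the tracking cookie.
function buildResponseHeaders(rawHeaders) {
  const state = parseDnt(rawHeaders);
  const headers = { Vary: "DNT" }; // the response differs by DNT value
  if (state === DNT.CONSENT) {
    headers["Set-Cookie"] = "uid=constructed-example-id; Secure; HttpOnly";
  }
  return { state, headers };
}

console.log(buildResponseHeaders(SAMPLE_REQUEST));
```

Because an absent header and an unrecognised value both fall into the 'null' state, the outcome for those requests depends entirely on the policy chosen in `buildResponseHeaders`, not on anything the header itself expresses.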

Confused? You Should be

The new European privacy regulation at regulation 6(3A) specifically sets out that a user amending or setting a control on the internet browser is able to constitute consent. The DNT flag therefore seems like an ideal candidate for showing the consent required to store data on users' computers under the Privacy Regulations. For years the advertising industry has argued that a user is perfectly able to opt out of cookies by turning them off in their browser, and that the user's decision not to do this constitutes implied consent for any website to place cookies on their computer. This opinion has however been squarely rejected by a central body of European privacy regulators – the Article 29 Working Party – who produce non-binding opinions on such matters. In their view, websites can only assume that a browser accepting cookies represents informed consent if there is a sufficient proportion of internet users with the technical knowledge of how cookies work and what they are used for. In the opinion of the European working party, this was not the case as of Dec 2011. In May 2012, the that consent might be inferred from a series of actions that in isolation do not constitute a direct expression of a user's thoughts, but went on to say that most browsers (as of May) were not sophisticated enough to assume that browser settings signify consent.

From this jumble, we can however take away that European regulatory clarity for browser-based consent to cookies and tracking requires an opt-in browser setting indicating user consent to be tracked. Applying this to the draft DNT standard, a web browser indicating DNT:1 could indicate user consent as long as DNT:1 is not the default setting. DNT:1 is however likely to be the default setting in the final specifications. To understand why, we need to review the history of the DNT standard.

A camel is a horse designed by committee

DNT began as an American initiative at the US Federal Trade Commission in response to US consumer advocacy groups. From 2007, the interested parties (the FTC, web browser authors, consumer rights groups and advertising networks) began discussing the proposed header, with advertising networks agreeing to be involved only on the condition that DNT:1 was not activated by default. Consumer rights groups compromised - an opt-in DNT:1 header is preferable to no header - and so the DNT drafting committee moved forwards on the basis of DNT:1 being opt-in. The default would be DNT:0, and the advertising networks would revoke their support if DNT:1 ever became the default.

The years rolled on, data breaches occurred, and European privacy requirements became more stringent and prevalent.  Privacy hawks and consumer rights groups continued to hope that DNT:1 might become the default header.  The idea of a 'default' DNT header is subtle however.  There are the DNT committee specifications, and there is the actual header which browser authors implement by default.  For years, most browser authors have viewed standards compliance as a 'wish list', rather than a requirement.  When push comes to shove, each browser author can create its browser as it chooses, whether in compliance with 'standards' or not.

In June this year Microsoft did exactly this.  It announced that it would enable DNT:1 as the default setting in the upcoming Internet Explorer 10.  This of course created a strong backlash.  Advertising networks claimed this would be a non-standard implementation and so would not reflect user choice, so should (and would) be ignored.  Industry cynics claimed this was a way for MS to embarrass Google, as Google would have to respect such a flag (impacting on its behavioural advertising business), or ignore it (with associated regulatory and reputational consequences).

The Emperor's Clothes

In my view the most interesting reaction came from a member of the DNT committee who proposed a 'patch' to the Apache web server (the most commonly used web server) to ignore any such DNT:1 headers which come from Internet Explorer 10.  Just this week, Yahoo took a similar approach indicating that it would not respect IE10 DNT headers. This is where the collaborative nature of DNT is revealed.  Without any legal teeth, DNT:1 is merely a polite request for legitimate websites not to track you.  The only compulsion for a website to respect it is a moral one, which will only be taken if the website feels that the header genuinely reflects user wishes.  Of course, unscrupulous, incompetent, and predatory websites will track users regardless of the DNT header, meaning that the DNT header gives the illusion of protection, but in fact reduces it.

Further complications arise the more one considers what 'tracking' actually is. There are many reasonable interpretations as to what a user's DNT:1 might allow, or prohibit – detail far beyond the scope of this article. While European regulators may have a view on this, it is unlikely to align with the FTC's view, and will not align with the view of the advertising networks (some of which feel it will mean 'stop showing targeted adverts', rather than 'stop collecting data'). Each legislative body might give a different meaning to each DNT header in their territory – and so we still have jurisdictional confusion for an international problem.

This leaves proponents of a default DNT:1 stuck between a rock and a hard place.  A voluntary standard that asks too much will be ignored, and therefore be inconsequential.  'Non-standard' browsers are being ignored.  The current lack of a standard means true consent is difficult to express.  Pushing forwards too hard might result in no progress at all.

Agreeing to disagree

All parties involved in the current DNT debate seem to agree that DNT should reflect user intent, and that there is a moral obligation for websites to respect that user intent. Advertising networks however tend to argue that the onus is on the user to express a wish for privacy over personalisation. Consumer rights groups and European regulators argue that the onus is on the user to express a wish for personalisation over privacy. Those with a preference for generalisation might also say that the advertising networks reflect a generally American pro-commerce view, whereas the consumer rights groups reflect a generally European pro-data-subject view.

Part of this difference is self-interest, part of it is cultural.  Part of it however relates to how a DNT header would be used today.  In Europe, there is a clear legislative framework for DNT to slot into – it could be used (with the right default setting) to indicate consent for placing cookies and tracking users as is required under certain European community laws.  In America, there is no such legislative framework to lend DNT weight.  An American member of the DNT specification committee has explained that "many people are simply not willing to engage in a process of 'let's define what regulators should enforce' in the absence of context".  This might explain why DNT:0 as default is a condition of advertising network support, and also the prevailing view in America.

The current situation

At the time of writing, all major browsers now have a DNT header included in their latest version. Only IE10 implements DNT:1 as the default header; however, this is being pointedly ignored by various web services. The DNT specification for that header is still being drafted and debated, with over 100 issues remaining, and a timetabled recommendation for April 2013. The DNT header will continue to morph over the coming months. With some hope, the DNT header will align with legislation so it can be used as a reliable indicator of user wishes. The extent to which the DNT specification might meet legislation, or legislation might meet the DNT specifications, remains to be seen. If the former, alignment of technology and European law is a real possibility for 2013. If the latter, we could be in for a wait. Hope springs eternal.
