Don’t Track Me! – Okay Maybe Just a Little

by Mike Borchardt, UMN Law Student, MJLST Managing Editor

Recent announcements from Microsoft have helped to underscore the current conflict between internet privacy advocates and businesses which rely on online tracking and advertising to generate revenues. Microsoft recently announced that “Do Not Track” settings will be enabled by default in the next version of their web browser, Internet Explorer 10 (IE 10).

As explained by Omer Tene and Jules Polonetsky in their article in the Minnesota Journal of Law, Science & Technology 13.1, “To Track or ‘Do not Track’: Advancing Transparency and Individual Control in Online Behavioral Advertising,” the amount and type of data web services and advertisers collect on users has developed as quickly as the internet itself. (For an excellent overview of various technologies used to track online behavior, and the variety of information they can obtain, see section II of their article). The success and ability of online services to supply their products free to users is heavily dependent on this data tracking and the advertising revenue it generates. Though many online services are dependent on this data collection in order to generate revenue, users and privacy advocates are suspicious about the amount of data being collected, how it is being used, and who has access.

And it is in response to this growing environment of unease concerning the amount and types of user data being collected that Microsoft has added these new Do Not Track features. (All other major browsers are set to include Do Not Track settings, with Google’s Chrome the last to announce them. These settings, however, will likely not be enabled by default.) This, however, may not be the boon for user privacy that some have been hoping for. Do Not Track is a voluntary standard developed by the web industry; it relies on browser headers to tell advertisers not to track users (for a more in-depth description of how this technology works, see pgs. 325-26 of Tene and Polonetsky’s article). This is where the problem arises: websites can ignore browser headers and track users anyway. Part of the Do Not Track standard developed by the industry is that users must opt in to Do Not Track; it cannot be enabled by default. In response to Microsoft’s default Do Not Track settings, Apache (the most common webserver application) has been updated to ignore Do Not Track settings from IE 10 users. With one side claiming that “Microsoft deliberately violate[d] the standard,” and the other claiming that the industry is ignoring privacy for profit, the conflict over user data collection seems poised to continue.

A variety of alternatives to the industry-implemented Do Not Track settings have been proposed. As the conflict continues, one of the most commonly proposed solutions is legislation. Privacy advocates and web companies, however, have very different views about what Do Not Track legislation should cover. (For differing viewpoints see “‘Do Not Track’ Internet spat risks legislative crackdown”). Tene and Polonetsky argue that a value judgment must be made, that policymakers must evaluate whether the “information-for-value business model currently prevailing online” is socially acceptable or “a perverse monetization of users’ fundamental rights,” and create Do Not Track standards accordingly. Unfortunately, this choice between the generally free-to-use websites and web services users have come to expect on one hand, and personal privacy on the other, does not seem like much of a choice at all.

There are, however, alternatives to the standard Do Not Track proposals. One of the best is allowing the collection of user data to continue, but legally limiting the ways in which that data could be used. Tene and Polonetsky recommend a variety of policies that could be enacted which could help to assuage users’ privacy concerns, while allowing web services to continue generating targeted advertising revenue. Some of their proposals include limiting user data use to advertising and fraud prevention, preventing the use of data collected from children, anonymizing data as much as possible, limiting the retention of user data, limiting transmission of data to third parties, and clearly explaining to users what data is being collected about them and how it is being used. Many of these options have been proposed before, but used in conjunction they could provide an acceptable alternative to the strict Do Not Track approach proposed by privacy advocates, while still allowing the free-to-use, advertising-based web to thrive.