Demystifying “Do Not Track”

The Federal Trade Commission wants to see a “Do Not Track” button on every web browser by the end of 2012. Tuck professor M. Eric Johnson explains what that will likely mean.

Share to Facebook Share to Twitter Share to LinkedIn Share via Email Share

A person’s right to privacy is firmly enshrined in the United States Constitution and nearly 100 years of Supreme Court precedent. There’s only one problem: It doesn’t restrict corporations from peering into your life. As for the Internet, “It’s like the Wild West out there,” says M. Eric Johnson, the Benjamin Ames Kimball Professor of the Science of Administration at Tuck and the Director of Tuck's Glassmeyer/McNamee Center for Digital Strategies.

Businesses have been leveraging valuable customer data for decades, starting with credit card companies selling your personal data and buying habits in anonymous forms to the highest bidder. Data gathering has only become more intense and lucrative with the rise of the Internet. You don’t even need to buy something online to create a data trail; just looking at a web page or clicking on an advertisement is enough. Companies gather that data and then use it serve up other advertisements targeted especially to you, or to develop new products and services.

So far, the public has mostly been OK with sharing information about online behavior. But that sentiment is shifting as consumers become more aware of ever-present surveillance, like when iPhone users discovered that Apple was tracking their whereabouts through the cell phone networks. And recently Facebook and Google have agreed to reform their privacy practices to be less deceptive. Because of these high-profile mistakes, online privacy is becoming a concern for consumers and the government alike. “Slowly, the water’s getting hotter,” Johnson says.

The latest evidence is the news that the Federal Trade Commission has asked Congress to enact legislation regulating data brokers. It has also asked technology and advertising companies to install a “Do Not Track” mechanism in web browsers that would allow consumers to choose not to have their online activity watched and shared. After more than a year of fighting such a feature, Google, Yahoo, and other major Internet companies have agreed to support it.

But between social media, mobile networks, “freemium” services like Google Mail, and “cookies”—the little bits of data stored on your computer when you visit a website—online privacy is a big, complicated problem. “Do Not Track,” it turns out, targets only a tiny segment of the issue.

We sat down with Johnson to parse fact from fiction.

The popular press has compared “Do Not Track” to the Do Not Call registry. Is that a good way to think about this?

The analogy is very poor. Do Not Call is simply saying, Don’t call me at home. “Do Not Track” is a much bigger deal. You’re saying to firms, Don’t collect any data on me, and don’t use it in any way to develop a better product or service.

Last year, Microsoft released Internet Explorer 8 with a feature that allowed users to block websites and advertisements from specific sources. Was that an early effort at “Do Not Track”?

In a way, yes, because using that feature—which is complicated and not designed for the casual user—blocks specific advertisers’ servers from touching your computer. But not many people use it, and the default setting is to share everything.

How is “Do Not Track” different?

The FTC is trying to broker an agreement with the Digital Advertising Alliance whereby if a user clicks a “Do Not Track” button on their browser, what would happen is that ads wouldn’t be blocked from your browser, but it would send the server of the ad a message saying you’re on the “Do Not Track” list. If the advertiser sees an HTML header that said this user is on the list, it wouldn’t take the information and use it, sell it, etc. That’s the bottom line here.

Why is the FTC going the route of a voluntary agreement, rather than an official regulation?

It’s trying to have the industry come up with the solution itself. And, for enforcement, there’s this veiled threat of regulatory action for fraudulent practices.

What’s been the reaction from privacy advocates?

The skeptics are all saying, “Right, all these web marketers are suddenly going to stop using our data just because someone clicks a button.” There’s deep and systemic skepticism among the privacy advocates, but they’re happy for progress because right now it’s just open season.

Would the “Do Not Track” feature apply to Facebook and Google?

Interestingly enough, this has nothing to do with companies you have relationships with already. It has nothing to do with the fact that you use Google Mail and Google Docs and it’s mining your mail and documents to dish up better ads to you. That’s a relationship you already have with Google, and in many ways is the underpinning of the “freemium” model—my data for your cool apps.

Does “Do Not Track” represent a threat to the e-commerce and online advertising industries?

Yes and no. There’s a whole industry of companies—Experian, Acxiom, LexisNexis—that survive on data from people with whom they have no relationship. This data is getting richer and richer as we spend more time on the web, and if those companies can’t get it, they will suffer. But on the other hand, maybe there are these companies you don’t have relationships with and they’re taking your data and you hate them for it. Yet, they are serving up and paying for ads that support content you like to read on the New York Times, for example. It is all interlinked.

Is online privacy something you personally worry about?

I like the ability to wipe out cookies. And, for my own security, I’ve never been a one-browser user. There’s a benefit to using different browsers for different things. But I won’t put a lot of energy into it. I know people who will, but I am not that paranoid. Most of the time, I’m happy to serve up my data for cool apps.