Why an FTC 'Do Not Track' list is a bad idea
WASHINGTON--A first principle of Internet regulation is that what's routinely done in the offline world should be OK when done online. A second principle is that if a company discloses that it's going to do something like review your search history when displaying ads, and then follows through, that should be permitted.
Keep these principles in mind when evaluating some of the overheated proposals bubbling up during the Federal Trade Commission's two-day meeting this week about online privacy.
Here are two ideas that have been floated:
Creating a "Do Not Track" list. The proposal from groups agitating for more government regulation (click for PDF of the proposal) says that Congress should create a committee (that these same groups would be members of). They want the FTC to create a national Do Not Track list, and advertising companies that set cookies would be "required" by law to give the FTC the addresses of their servers. Browser plug-ins--perhaps to be created by the feds--would block ad servers on that list.
A formal investigation. The Center for Digital Democracy and the U.S. Public Interest Research Group are lobbying the FTC to investigate Google, Microsoft, AOL, and Yahoo's data collection practices. They want a new FTC task force created (PDF), an inquiry into target marketing by Facebook and MySpace.com, and a look at "the role of behavioral targeting and online advertising in the promotion and sales of sub-prime mortgages."
But is asking for new Internet advertising regulations truly wise--or even necessary?
The pro-regulation lobbyists and activists are most upset about behavioral advertising, meaning computer-generated ads that are based on pages a visitor previously viewed. Someone who spends a lot of time reading a newspaper's Asia travel articles may see ads for trips to China even when perusing sports scores. Quelle horreur!
Yes, this is the unmitigated privacy Chernobyl that the U.S. government is being asked to protect America from.
Let's go back to these first principles. Although the term is new, storefront businesses have used behavioral advertising for thousands of years. If you went to your neighborhood butcher a century ago, he'd know what cuts of meat your behavior indicated you like and offer relevant suggestions. If a nearby bookstore owner knew your behavioral profile meant you prefer a certain type of fiction, you'd probably be delighted if he offered a relevant suggestion.
That type of real-world behavioral marketing can even be more intrusive than its Internet counterpart. Humans gossip; ad servers don't.
But let's say for the sake of argument that Web sites may collect more information about you than a traditional bookstore owner does. Clicks can be recorded, shopping cart additions and deletions can be noted, and so on.
That brings me back to the second principle of Internet regulation: Privacy practices that are disclosed should be permitted. Take a look at Amazon.com's policy, which is far more clear than it was years ago. Yahoo's privacy policy is also perfectly straightforward:
When you register we ask for information such as your name, email address, birth date, gender, ZIP code, occupation, industry, and personal interests... Yahoo! uses information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.
Nobody's holding a gun to Internet users' heads and forcing them to visit Amazon or Yahoo. They do it because they trust those companies to take reasonable steps to protect their privacy. To insist that the feds must step in because a few vocal lobbyists and activists don't like those steps should be insulting to Americans: it suggests that they're too simpleminded to make their own decisions about what's best for them and their families. (It's similar in principle to price regulation, when special-interest lobbyists insist that prices are too high or too low and must be altered by legislative fiat.)
What makes this an even sillier debate is that there already are a wealth of ways to accomplish "Do Not Track" without the feds. This is the third principle of Internet regulation: If technology exists to solve a perceived problem, it's probably better to encourage its use rather than ask federal agencies for more regulations or demand that the techno half-wits in Congress draft a new law. (Remember, Ted "Tubes" Stevens was for years the senator in charge of writing Internet regulations. And he's still the senior Republican on that committee.)
If you don't want 24/7 Real Media or Doubleclick to be able to identify when you visit one Web site and then another, it takes only a few seconds to block their cookies. Firefox offers an excellent way to refuse cookies from individual sites. The Adblock Plus plug-in even lets you avoid ads. AOL now lets you opt out of "tracking cookies" and the Network Advertising Initiative has long allowed users to opt-out of targeted advertising from companies including 24/7 and DoubleClick.
If the lobbyists and activists behind the "Do Not Track" list--including the Consumer Federation of America, the Center for Democracy and Technology, and the World Privacy Forum--want to create a browser plug-in that tracks advertising-related servers and automatically blocks them, they should. They don't need to beg the FTC or Congress to do it for them. And it would likely be far faster (and the outcome better) than asking Sen. Stevens and the rest of official Washington to regulate companies doing business on the Internet.
[Full disclosure: I'm speaking at the FTC's event on Thursday and Friday in Washington.]
Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this." E-mail Declan.
I don't even let the kids into my computer--and I know them. Why would I allow the government in?
Exactly right Pete!
If privacy activists/pressure groups would spend half as much energy (and donor money) on educating the "browser illiterate" (as to how easy it is to purge all tracking info) than they do on advocating the heavy hammer of the state they would accomplish much more much sooner.
My suspicion, however, is that helping the "browser illiterate" isn't really their motivation. Slamming business is.
How would you feel if they send couple of videographers to follow you for rest of your life and record your entire life ( for ex: when you bathe and what kind of soap you use etc), so they can provide you with better recommendations next time you are in the store?
The reality is 99.99% of users do not read the fine print - and thus FTC needs to step in take steps to prevent this abuse by Google etc.
What abuse? This is a serious question. From my perspective the major search companies have substantially _improved_ their privacy practices in the last six months. What exactly are you talking about? (Hand-waving and generalities don't count.)
Because cookies are very unreliable, few sites rely exclusively on them for interresting (to the user) purpose, so there is no downside to throwing away the cookie jar and making long term tracking impossible, and if advertizers insist a bit too much we have ad removal tools such as Adaware.
focus was on marketing when I thought it would be about the
protection of employees from the monitoring ability of the
company they work for. I thought perhaps it was, if a company
decided to track the Internet activity of its own employees, that a
suggested "do not track" list might be applied to the more
personal information sites those employees visit, such as those
regarding their personal medical, legal and professional
consultations, or perhaps dating sites. While regularly the
specific information on these different kinds of sites should have
security protecting it, the employees may want the very visiting
of the overall Web site to be private, such as to not give the
impression, whether true or false, of an association with a
particular medical condition, a lawsuit decision, the seeking of a
different job or the decision to unionize, for example. Despite
your article's not wanting government intrusion into the
assembled lists of the data-gathering companies, what about
classifying the sites I am referring to as sites that would not
appear on any tracked list, whether of a telemarketer or the
company owning the Web set-up that is being used? Perhaps
knowing what kinds of books and movies people like is useful to
marketers and even helps them to help the person visiting the
sites, but how does access to someone's more personal
information benefit anyone?
The idea that an ad-block system be developed and supported implies that building and supporting such an ad-block system were technically possible. That means ad systems have to stop finding fighting browser & plug-in workarounds. The constant tug of war has been going on for years with pop up blockers, ad-block plugins, etc. Advertiser finds a new way to show ads, someone finds a way to avoid seeing them, rinse & repeat.
If they really want to stop being tracked, mandate that can't break such privacy protection systems. In other words a DMCA on behalf of the consumer's privacy. Good luck on that!
thanks
But the solution you seem to prefer is the precautionary principle applied to Internet advertising, which is too heavy a club for this purpose.
There's a complex and impressive legal framework already in place to govern Internet advertising practices, which are controlled by common law, contract law, state AG enforcement, class action threats, FTC enforcement, and other state causes of action. Let's at least make sure we exhaust those before calling for Yet Another New Internet Law.
People may gossip, but wise merchants know better? and even when merchants gossip, it's just that ? gossip, unsubstantiated talk. Ad servers don't gossip, they tell the truth at all times to everyone, and everyone believes what they say because they collect facts about individual's web usage. I'll take a gossipy merchant would might, at least, have the common decency to be embarrassed when confronted with an invasion of privacy. The machine was designed for exactly that purpose and does what it does without the slightest chance of remorse or regret.
Behavioral advertising on the web takes the divulging of private information to a whole new and utterly abhorrent level. For example, if I look at one site, or even a dozen sites, on one specific topic ? let's use you example of reading about travel to Asia ? who, besides myself, is to say that I actually have an interest in that topic and would "appreciate" seeing advertisements related to it? Maybe I was doing some research for a friend, or maybe I was just casually surfing and the subject caught my fancy for 10 minutes. The point is, when I move on to other sites I don't need or want what I was looking at 10 minutes, two hours, or twelve days ago to follow me around. I consider that a horrific abuse of my privacy, yes, perhaps even an "unmitigated privacy Chernobyl".
You say that no one holds a gun to users heads and forces them to go to sites like Yahoo! or Amazon. That's true in a literal sense, but patently false in any reasonable sense. Why must I be required to check my rights to privacy at the door for the convenience of doing things online? When I visit a local merchant, he or she usually seems satisfied that I spend my money with them. Online business should feel the same.
You also say that we visit these sites because we trust the online businesses to take "reasonable steps" to protect our privacy. In this you are mistaken; we visit those sites because we want to take advantage of the convenience they offer and hope, against hope, that our privacy won't be abused too badly (we already know that our privacy will be abused in some way, it is, after all, online).
Something must be done to stop the abuse of privacy online. I'm not fond of government regulation of anything, but if it takes the government stepping in to get something done... I'm for it.
I've been using PGP since the early 1990s and have written a bunch of FAQs about protecting yourself from search engines. I gave a speech to journalists last month about protecting their privacy and their source's privacy through encryption, etc. I don't have a landline and use a PO Box for postal mail. I'm probably more of a privacy fanatic than you are.
But just because I personally don't like Internet advertising does not mean I think it should be regulated (or, more precisely, the benefits of regulating outweigh the costs).
You seem to be doing a lot of hand-waving, like saying of all Internet sites: "We already know that our privacy will be abused in some way, it is, after all, online." How so? What does Google do that's "abusive?" Amazon? CNET?
If you really think Internet ads are a "horrific abuse of your privacy," block them, block their cookies, block their servers. But don't try to force your own personal preferences through the U.S. government on people that might actually like getting relevant ads.
It's a little more work, true, but (a) there's nothing stopping someone from creating a Firefox plugin to automate it and (b) it avoids some of the overregulatory problems caused by the Feds getting involved.
There's no Federal Bureau of Discount Card Regulation. So why have a Federal Bureau of Internet Advertising Regulation?
* = By avoided I mean the cookies can be deleted or the discount card can be avoided and the purchase made with cash for a probably-untraceable transaction.
Here is something I don't understand about the rest of some of you though. Why would you be offended that your "privacy" is being invaded by a machine, which does not care one way or the other about who you are or what you look for. In addition, how self-centered do you have to be to think that the people who run these companies are really paying attention to you personally? They just care about your data in relation to everyone else. They also don't care about anything as long as "you" (and by that I mean the millions of users) see their ads or the ads of those that hired them or payed them to place the ads. If you are somehow worried about the feds getting a hold on this information by forcing the compliance of the companies then you fear too much for when that day comes there shall be a great uproar along with it that would cause congress to do something. Just so you're aware though, the NSA already has that capability without even needing to go to these companies.
So here is some advice: Let us programmers worry about making the technology smarter so that you see things that you not only want to see but that you didn't even know you wanted to see; and should you here word of the government trying to get the information from these companies, then you can do something and write your congress-men/women in protest of such an act rather than sitting back and saying "well my word doesn't matter either way." or to get off the subject "What's one vote gonna matter?" . . .
Saying there's a privacy invasion when a machine reviews your data is like saying there's a privacy invasion when your dog sees you naked.
Our email is entered by computers and forwarded by computers and routed by computers and spam-filtered by computers and saved by computers and backed up by computers. A computer is nothing but a series of switches: like a thermostat but far more complex. Is it a privacy invasion for a thermostat to "know" that you like your home temperature to be 81 degrees?
My intuition says that the privacy violation happens when: #1. A human reviews the data or the data are exposed to a human. #2. The computer does not follow the rules a human promised it would. There might be a possible #3, which is a computer building a dossier for human perusal, but I think that's a special case of #1.
"If you are somehow worried (writes gatesunder) about the feds getting a hold on this information by forcing the compliance of the companies then you fear too much for when that day comes there shall be a great uproar along with it that would cause congress to do something"
Such gung-ho self-assurance can only come from someone who is incredibly naive. Remember the US Administration, under Bush is now nearly there in pushing through a bill in Congress, providing retrospective absolution to Telecom companies who shared their data with NSA without due process, and which actions were in violation of constitutional provisions.
*Etherspirit
Did you miss when I was advocating technical solutions for ad/server-blocking, something that companies hardly like very much? And I do support a neutral Internet; we'd probably only disagree about the best way to accomplish it.
What he would have you to believe with his warm & cuddly analogies is that these Corporations are "Mom & Pop" operations who are just there to help you out. Nothing could be further from the truth. These are MEGA corporations who are doing their best to have you spend your dollar in just one place....where THEY want you to spend it !
Second, he is attempting to equate apples and Oranges. If these Corporations just used these cookies to track where you visited whilst on THEIR web sites, that would be one thing. ( Yano, the "he'd know what cuts of meat your behavior indicated you like and offer relevant suggestions" analogy). Fact is, these cookies track where you've been even if you haven't used their services in MONTHS. Now to put it in THAT light, how would you feel if the 'friendly, helpful, neighborhood butcher" stalked you whilst you went shopping in the next town over ? Cuz that's EXACTLY what these tracking cookies do !
Nice try, Declan ! How much did Yahoo & MSN pay ya for THAT 'opinion' ?
Anything that you permit a corporation to do, you are also permitting the government to do, if only at second hand. And with the fascist tendencies of the current government and media/military corporations, there is less and less difference between corporate actions and government actions.
Tech Meme sent me (and I imagine many others) here for better or worse. At first thought, I lamented the woes of algorithmic news aggregation. Your tone is inappropriately hostile and exaggeratory. I can't conclude that you're a maligned person only that you're article is the unfortunate result of the Cult of the Amateur. Your analysis does not search for the truth of the matter, but does underestimate privacy concerns. I quote
"The pro-regulation lobbyists and activists are most upset about behavioral advertising, meaning computer-generated ads that are based on pages a visitor previously viewed. Someone who spends a lot of time reading a newspaper's Asia travel articles may see ads for trips to China even when perusing sports scores. Quelle horreur!
Yes, this is the unmitigated privacy Chernobyl that the U.S. government is being asked to protect America from."
Could you not find a more relevant topic to consider? It was frightening to me how poorly you framed the concern. No one of course is concerned with seeing contexual ads? Who can argue with such a useful technology? What is of concern to me is that my surfing habits are being stored in a database to perhaps one day in less favorable political climates be used against me. Can I trust Google with my Doubleclick data? Yes, I feel that I can. But my Doubleclick data is not secure if the Federal government were to subpoena that Doubleclick data for whatever domestic surveillance project they would be working on at the time. "To trust the governemnt goes against both logic and history." This is why we investigate these matters and create government structures that protect us. Your added hyperbole only further errodes the credibility of your article.
I have to go get lunch with my friends. So I don't have time right now to finish my summary of the critiques.
Your analysis demonstrates poor understanding of the many differences between early 20th century and the early 21st century. The social graph is far more interesting than your article imagines.
Your gravest fallacy is that all parties are equal in the free market. Do you really believe that my grand mother is as technically savy in the ways of Google's privacy disclosure as Google is? How many consumers actually read disclosures? This is not only about the consumer could do (if they had much, much more time.) This is also about the behavoir they demonstrate time and time again. We create systems to protect us from the worst of human weakness: greed, hunger for power, misperception often times from lack of information and deeply held beliefs, and failure to communicate that often lead to war, exploitation.
You didn't explore the "formal investigation." Would you be opposed to learning how these databases function? I believe it is essential to the nature of our policy making? If Google has created something that the Feds (read Congress subpeanas, FTC investigations), can't tamper with perhaps we don't need certain protections. If Google and friends' databases are more governmentally exploitable (think at&t), we should be taking steps now to avoid a looming privacy crisis.
The title of your article is prescriptive without providing much evidence and poorer yet logic. You barely defeat the idea of a 'Do Not Track' list within the gentle confines of your altrusistic world. Perhaps there is a fundamental assumption that you miss. I believe that mankind is in an anarchistic state being defined scholarly as a state lacking leadership. It is a mind-experiment construct needed to analyse these things.
- Enough about privacy=yes
-
by melora-
November 2, 2007 6:55 PM PDT
- Right on, Declan. Empower people to make their own privacy choices, already! The people determined to protect us from revealing information about ourselves whether we want to or not need to manage their own cookies and realize that peoples' need to socialize and interact is important. Up with choices, down with e-babysitters for grownups.
-
Reply to this comment
-
See all 36 Comments >>