Academic researchers think the best way to implement the "Do Not Track" controls proposed by the FTC is by using the HTTP headers.
While there are several potential methods to implementing the Federal Trade
Commission's proposed "Do Not Track
" mechanism, the most effective method is to
have the browser append "Do Not Track" to its header messages, according to
several software developers.
The consensus seems to be to require browsers to append a string to the
HTTP header. The HTTP header is already sent out with every Web request, as
when a user clicks on a link, types in a URL in the Web browser or when
objects, ads and scripts embedded on the page load.
Chris Soghoian, a security researcher at Indiana University, said there
is "little disagreement in technical circles" that the best approach is to "add
few extra lines of code" to the headers. Soghoian also created Taco, a free
Firefox and Internet Explorer plug-in that removes tracking programs from the
Under the mechanism, user would use a standard interface, such as a
settings page, to opt out, which would made the browser append a string, such
as "X-Do-Not-Track" to the HTTP header, said Soghoian.
"We're talking about a simple 10 lines of code to add to a Web
browser," Soghoian said.
Arvind Narayan, a researcher at Stanford University, wrote on his blog
that this approach is "fairly straightforward" and "trivial to implement" for
each of the major Web browsers, noting that there already exists a Universal
Behavioral Advertising Opt-out plug-in for Mozilla's Firefox browser.
According to the plug-in's page, it currently doesn't do anything,
because no advertisers currently recognize it. According to Nayaran, that is
the actual challenge, since advertisers will have to respect the user's
preference, and there has to be some enforcement.
The header approach would be a "binary flag" where the browser could
turn it on for every HTTP connection, to only third party sites, or to a set
of user-defined sites, said Harlan Yu, of the Center for Information Technology
Policy at Princeton University.
Yu said it might be difficult for browsers to differentiate between
useful third-party services, such as embedded videos, and ad networks, when
appending the no-track string to the header.
Nayaran is one of the principal researchers behind the Center for
Internet and Society's Do Not Track prototype
using this approach.
During a Future of Privacy Forum panel discussion on Dec. 1, Soghoian
recommended against opt-out cookies because they can get deleted with the other
There have been other methods tried in the past. The National
Advertising Initiative created a registry of advertising networks that track
what users do online and generate profiles that can be used to deliver targeted
advertisements. Users can opt-out of targeted advertising by member networks by
going to the NAI site. The system was criticized as ineffective (NAI's site has
not been updated in more than a year) and buggy by Soghoian in the past.
Narayan also criticized the centralization required to maintain the
registry and a "level of consumer vigilance" that is "unreasonable to expect,"
to make sure the domain list is up-to-date.
According to Jonathan Mayer of the Center for Internet and Society at Stanford University, Do
Not Track shouldn't be a blocking utility, since that would require "perpetual development"
and "user vigilance." Furthermore, there
is frequent turnover of tracking networks and new methods evolve rapidly,
according to Mayer.
The FTC does not support a list analogous to the Do Not Call registry
for phone numbers, and there are "various shortcomings" with that approach,
namely that it would be "needlessly complicated," according to Narayanan. The
lack of universal user identifiers that can tie Web activity to an individual,
such as a phone number, makes the list impossible, he said. Creating a mandatory
global identifier "exacerbates" the very problem, he added.
Microsoft, Mozilla and Google have said they would continue to work
with the FTC to address the privacy concerns
outlined in the report. The companies have already been experimenting with
various private browsing tools in their browsers.