HTTP Headers the Way to Implement FTC 'Do Not Track' Controls: Researchers

Academic researchers think the best way to implement the "Do Not Track" controls proposed by the FTC is by using the HTTP headers.

While there are several potential methods to implementing the Federal Trade Commission's proposed "Do Not Track" mechanism, the most effective method is to have the browser append "Do Not Track" to its header messages, according to several software developers.

The consensus seems to be to require browsers to append a string to the HTTP header. The HTTP header is already sent out with every Web request, as when a user clicks on a link, types in a URL in the Web browser or when objects, ads and scripts embedded on the page load.

Chris Soghoian, a security researcher at Indiana University, said there is "little disagreement in technical circles" that the best approach is to "add few extra lines of code" to the headers. Soghoian also created Taco, a free Firefox and Internet Explorer plug-in that removes tracking programs from the user's computer.

Under the mechanism, user would use a standard interface, such as a settings page, to opt out, which would made the browser append a string, such as "X-Do-Not-Track" to the HTTP header, said Soghoian.

"We're talking about a simple 10 lines of code to add to a Web browser," Soghoian said.

Arvind Narayan, a researcher at Stanford University, wrote on his blog that this approach is "fairly straightforward" and "trivial to implement" for each of the major Web browsers, noting that there already exists a Universal Behavioral Advertising Opt-out plug-in for Mozilla's Firefox browser.

According to the plug-in's page, it currently doesn't do anything, because no advertisers currently recognize it. According to Nayaran, that is the actual challenge, since advertisers will have to respect the user's preference, and there has to be some enforcement.

The header approach would be a "binary flag" where the browser could turn it on for every HTTP connection, to only third party sites, or to a set of user-defined sites, said Harlan Yu, of the Center for Information Technology Policy at Princeton University.

Yu said it might be difficult for browsers to differentiate between useful third-party services, such as embedded videos, and ad networks, when appending the no-track string to the header.

Nayaran is one of the principal researchers behind the Center for Internet and Society's Do Not Track prototype using this approach.

During a Future of Privacy Forum panel discussion on Dec. 1, Soghoian recommended against opt-out cookies because they can get deleted with the other cookies.

There have been other methods tried in the past. The National Advertising Initiative created a registry of advertising networks that track what users do online and generate profiles that can be used to deliver targeted advertisements. Users can opt-out of targeted advertising by member networks by going to the NAI site. The system was criticized as ineffective (NAI's site has not been updated in more than a year) and buggy by Soghoian in the past.

Narayan also criticized the centralization required to maintain the registry and a "level of consumer vigilance" that is "unreasonable to expect," to make sure the domain list is up-to-date.

According to Jonathan Mayer of the Center for Internet and Society at Stanford University, Do Not Track shouldn't be a blocking utility, since that would require "perpetual development" and "user vigilance." Furthermore, there is frequent turnover of tracking networks and new methods evolve rapidly, according to Mayer.

The FTC does not support a list analogous to the Do Not Call registry for phone numbers, and there are "various shortcomings" with that approach, namely that it would be "needlessly complicated," according to Narayanan. The lack of universal user identifiers that can tie Web activity to an individual, such as a phone number, makes the list impossible, he said. Creating a mandatory global identifier "exacerbates" the very problem, he added.

Microsoft, Mozilla and Google have said they would continue to work with the FTC to address the privacy concerns outlined in the report. The companies have already been experimenting with various private browsing tools in their browsers.