No Silver Bullet for Online Behavioral Tracking Concerns

The proposals to address privacy concerns tied to online behavioral tracking each face their challenges.

In the movie "Minority Report," the characters inhabit a world where billboard advertisements call out their names and tailor their pitches to the individuals walking by. A far cry, to be sure, from the targeting advertising seen in the streets, subways and shopping centers of the physical world we know today, but not so much in the virtual one.

The use of behavioral tracking by online advertisers has become a common practice. It is also something that has drawn the ire of privacy advocates for years. But while the recent endorsement of a "Do Not Track" mechanism by the U.S. Federal Trade Commission has re-focused attention on the issue and sparked browser vendors to put forward some solutions, each has its shortcomings.

Mozilla, for example, proposed a "Do Not Track" HTTP header that will be transmitted with every page view or click in Firefox. When it is enabled, the HTTP header sends a signal to Web sites that the user does not want to be tracked by third-parties. However, this approach requires buy-in from the sites themselves, a challenge Mozilla acknowledged when it announced its proposal Jan. 23.

In a blog post on the subject, Michael Hanson, a principal engineer at Mozilla Labs, noted the header would have no effect until sites have an incentive to adopt it, and would not prevent malicious or covert tracking.

"The header clearly doesn't prevent all possibly privacy harms, since the browser is still potentially sending all the information that would be required to track the user," he wrote. "What a Do-Not-Track header would do, however, is create a clear statement of user intent -- or, in more traditional words, a paper trail. In actual practice, a Do-Not-Track header would be a piece of a consumer protection scheme. By creating a paper trail of user intent, it could allow a regulatory body to investigate claims of improper data usage."

"If a firm was found to track users in spite of the presence of affirmative Do-Not-Track headers, and after a reasonable length of time for implementation had elapsed, a stronger case could be made that they were infringing their user's privacy," he continued. "This obviously does not work for sites that are willing to ignore user intent or break laws - stronger technical countermeasures will be necessary in those cases."

A day after Mozilla revealed its proposal, Google announced the availability of an extension for Google Chrome called "Keep My Opt-Outs," which preserves users' opt-out cookies even if users clear cookies from their browsers. But that too comes with its challenges, noted Electronic Frontier Foundation activist Rainey Reitman.

"The ... Chrome extension announced by Google [Jan. 24] is an attempt to address that last problem," blogged Reitman, who endorsed Mozilla's HTTP header proposal. "In that respect it is similar to the TACO Firefox Extension, though it doesn't set any opt-out cookies for companies that are not NAI [National Advertising Initiative] members. It also doesn't fix the other fundamental problems with the NAI's approach: complexity, the lack of a clear signal that can be observed and interpreted by any website, and allowing fake opt-outs that only protect you from targeted advertising but don't prevent any tracking."

In their approach to the issue, Microsoft added what it calls a "Tracking Protection List" (TPL) to Internet Explorer 9 (IE9). The TPL contains Web addresses the browser will only visit if the user directly visits them by clicking on a link or typing in the address. The TPL would be empty by default, and can also be populated to include a list of "OK to Call" sites. That option however requires users to create the lists, which could be cause be challenging for those not tech savvy enough to configure or maintain it.

All these approaches address a similar technical issue related to global opt-outs and cookies, but all have their shortcoming as well - many of which are "related to the overarching problem that most consumers, even if they're aware of the issue, generally lack the incentive to invest in learning about and taking active control of their online privacy," noted Gartner analyst Andrew Frank.

The backlash against behavioral tracking may have a chilling effect on targeting advertising, he said, particularly if it forces users into a permanent, across-the-board choice of track or don't track.

"I think it's reasonable to expect that a user, in revealing the fact that they're in-market for a certain product or service - such as a vacation, a car or a new home - or generally interested in a category such as fashion or movies, will be happier receiving ads based on their expressed interests," Frank said. "On the other hand, users do need to be protected from privacy hazards such as the inappropriate disclosure of sensitive personal information in areas like health and personal finance."

In his blog post announcing Mozilla's proposal, Alex Fowler, the company's technology and privacy officer, wrote that the company is committed to working with the technical community as well as sites and advertisers to address the challenges that exist.

"It's important to reiterate that while our initial proposal does not represent a complete solution, this is one step of many for us to see if the header approach can work and confirm that it will provide our users a more nuanced, persistent tool for communicating privacy choices on the web," he wrote.