January 31, 2012 | Jim Killock

Protecting Internet users from tracking and profiling

For three days last week, a group of technicians and lawyers at W3C – the World Wide Web Consortium, headed by Sir Tim Berners-Lee – has debated how to protect user privacy from ‘third party’ tracking websites.

The meetings started with an introduction from European Commission Neelie Kroes, emphasizing the need for companies to sort this out and imposing a deadline of June; and the Federal Trade Commissioner making similar demands. Clearly the stakes are high, and governments are losing patience. Europe wants users to be able to consent if they are tracked: the FTC wants meaningful choice (see their white paper).

Data protection authorities were represented throughout by the presence of the Article 29 Working Group, and the Chief Technology Officer of the FTC stayed in the meetings throughout. There was a clear message: we are watching you and want you to negotiate something that protect end user privacy.

The technicians came from browser manufacturers, like Opera, Mozilla, Apple and Microsoft; and from advertising companies, including Yahoo! and Google. The Internet Advertising Bureau and other organizations were also there.

The basic problem comes from the way that web pages today often place adverts, cookies, widgets, like buttons and iframes from “third parties”. The result is that you, as a user, ask for these pieces of content, who then gain information about you. They discover that you visited that page, and your IP address, browser, and lots more besides.

Through unique identifiers, like cookies, they can build a picture of the websites you visit. This happens to the vast majority – millions – of web users everyday, without them really knowing what is going on.

Two technologies are under discussion at W3C to address this outrage. The first, proposed by Microsoft, is the “Tracking Protection List”: a list of domains that you, the user, choose to block or allow. This means you, with a little guidance, can completely block companies’ web content and stop them hovering up information about you. The disadvantage, though, is that lists are rarely comprehensive, need updating, and need to be chosen by the user. Privacy International backed TPLs this week by publishing lists of sites you might wish to block.

The second technology, proposed by Mozilla and supported by EFF, is called “Do Not Track”. It is a signal that you can send to all websites. They are then meant to tell you that they will respect your wishes, and third party sites should stop their tracking, and perhaps minimize the data logs they keep.

This has the advantage of being easier to set, and could easily be much more widely used than “Tracking Protection Lists”. The disadvantage is twofold. Firstly, you must trust the “third party” website to respect your wishes. Secondly, W3C must agree to a meaningful specification for “Do Not Track”, which does more than ban them companies from using data for profiling individual users while collection continues uninterrupted. After all, if someone can still track you from the raw data files, how useful a protection would a “DNT” signal be?

A big difficulty lies is current company practice, which many of the companies at the table will wish to preserve, to avoid high costs, both in re-engineering and potentially in being forced to serve lower value, non-targeted advertising to a significant percentage of users.

The second, more nuanced difficulty, is the need to log user requests sent to a web server for genuinely unavoidable reasons such as security or performance.

W3C need to consider very carefully what information might be retained, why, and what it might be used for. Otherwise a DNT could be more or less redundant: the information could be retained, and while you may not be actively tracked, all your web habits could easily be re-identified with you. Although the information may not be processed and used, many of the risks would remain, such as leaks, law enforcement misuse through future re-identification.

However, if a balance can be created, then perhaps DNT can satisfy users with meaningful, if not absolute, privacy. Combined with audits and tracking protection lists, it could provide much greater control and protection than users currently have today.

Jonathan Mayer from Stanford and Tom Lowenthal from Mozilla deserve particular mention for leading the fight for DNT and meaningful privacy. They have plenty of allies, especially among the browser manufacturers, and civil society folk. But the battle is far from won: the devil really does lie in the detail.