Why 'Do Not Track' Still Doesn't Cut It

On paper, the Obama administration's announcement of a proposed Consumer Privacy Bill of Rights sounds like a great idea. It calls for legislation that allows attorneys general and the Federal Trade Commission to enforce how end-user privacy is protected, and for consistent transparency in how personal data is collected and used online.

After "Do Not Call", and hot on the heels of yesterday's news about California pledging better privacy protection for users of mobile apps, here's "Do Not Track".

Again, it sounds like a great idea: Click a conspicuously visible button in your browser, and third parties are automatically blocked from harvesting unwanted information from your browsing habits. What's more, it wouldn't just be a good idea--it would be mandated and protected by law.

That's the theory, anyway. The practice might turn out to be far thornier. In truth, there is no agreement or rule on what the browser is supposed to do when the user clicks the magical Do Not Track button.

The quest for a universal Do Not Track (DNT) standard has worn on for some time now, with little more than a few competing ad hoc standards to show for it. It's always been possible for end users to purge tracking cookies, use proxies, or block data harvesting with third-party add-ons. But who wouldn't be happy with a single, centralized mechanism to allow users to opt out of online tracking? (Apart from advertisers, that is?)

The problem is figuring out what that one single mechanism is, getting everyone to use it, and making sure it isn't just going to be circumvented or broken.

One of the original DNT initiatives involved using a header, broadcast by the browser, to tell Web servers that the user in question doesn't want to be tracked. A version of this proposal was floated in 2009 (as described by security researcher Christopher Soghoian), but lacked support from the very people who needed most to implement it: the advertisers. The idea also suffered from one major loophole: the burden of support was on the server side, not the client. The server didn't have to honor the header, and there was no enforceable penalty for noncompliance.

Over time the idea of a universal DNT system returned with a vengeance. The problem was, again, how to implement it, since everyone seems to have wildly different ideas--all of which put the burden of support on different parties.