The online ad industry's attempts to come up with a new do-not-track tool -- which would allow people to opt out, once and for all, from behavioral targeting -- might be doomed absent new laws. That's according to Carnegie Mellon University computer science professor Lorrie Faith Cranor.
"The problem with self-regulatory privacy standards seems to be that the industry considers them entirely optional, and no regulator has yet stepped in to say otherwise," she says in a lengthy blog post addressing prior industry-wide privacy initiatives.
Cranor herself has long attempted to develop mechanisms to automate privacy. Notably, she was among the experts who helped create the Platform for Privacy Preferences, or P3P. The idea behind P3P -- now, all but defunct -- was that sites would post privacy policies and Web browsers would then "read" those policies and decide whether to block cookies on those sites. That determination would hinge on how users had configured their browsers' privacy settings.
But, as Cranor reported in 2010, P3P doesn't function as intended because publishers don't submit accurate information. Instead, many publishers submit code that more or less tricks the Internet Explorer browser into allowing their cookies.
Why did the initiative fail? Cranor's theory is that companies had no good reason to comply. "Arguably, the largest barrier to P3P adoption has not been problems with the P3P vocabulary or difficulties with the technical mechanisms, but rather lack of incentives to adopt," Cranor says in an article slated for publication in the Journal on Telecommunications and High Technology Law.
In many ways, the P3P effort was a precursor to the current attempt to develop a browser-based do-not-track header. That effort has stalled in recent months, as the various participants -- online ad companies, computer scientists, privacy advocates, etc. -- have been unable to agree on key terms, including what type of "tracking" should stop when consumers activate the headers. (Currently, consumers can opt out of behavioral advertising by clicking on links within privacy policies, or located on sites run by industry groups. But those opt-outs are cookie-based -- which means they're deleted when people erase their cookies.)
Cranor repeated some of her concerns today at the Federal Trade Commission's privacy workshop. Do-not-track is a "nice idea," Cranor said this morning. But, she added, "It would be nice to have some legal weight behind these things."
Do Not Track is useless unless virtually all sites work when cookies are blocked. Currently many don't - and they fail in unannounced and unpredictable ways when you try to e.g. buy stuff - making "Do Not Track" equivalent to "break the Internet". Any law seriously enforcing the policy would have to address this issue and criminalise bugs, which seems a step too far.
Thank you, Professor Cranor. I've said all along that voluntary do-not-track is a joke hoisted upon the masses by the ad industries to make it appear they're doing something. The very fact that it's "voluntary" means they're free to ignore it. Until there is legislation with fines and other legal redress to force adoption and implementation, do-not-track is a sham.