Tracking not allowed (unless you’re Google) - How the industry took control of a new privacy role
Tracking not allowed (unless you’re Google)
How the industry took control of a new privacy role—and how policymakers can take it back.
By ALLEN GRUNES 10/01/15 07:29 AM EDT
As more of our lives take place online, privacy has become a huge national concern: one survey last year found that more than 90 percent of Americans feel they’ve lost control over how their personal information is collected and used on the Internet. And a sizeable majority wants government to help them get control back by regulating what online companies are doing with their data.
Though most people don’t realize it, such an effort is already underway. Largely behind the scenes, a small group at the Internet’s main standards body has been asked by the Federal Trade Commission to craft a new “Do Not Track” policy for online data, similar to the “Do Not Call” registry that helped reduce the nuisance of telemarketers.
Since 2011, the group has been working on recommendations for a simple mechanism for consumers to express their privacy preferences to the broad range of companies that now get access to their data. But what started as a group effort by technology companies and privacy experts to craft a new type of consumer protection has quietly changed, and today has morphed into a committee where a few of the most powerful Internet firms are deciding on the rules of the game.
In July the group finally posted a draft of their proposed Do Not Track standard; the public comment period ends next Wednesday, Oct. 7. A look at the details of the draft reveals that the proposed rule will apply to everyone—everyone, that is, except the companies that already collect most of the personal data on the Internet, and which helped write the rule.
Clearly, that’s not a bad outcome for the Internet giants like Google and Facebook: exempt themselves, and cement their status as the world’s largest collectors of user information online. But this is a far cry from what the FTC intended the process to do. What started as a tool intended to increase consumer protection now looks more like a way for the big players to limit competition. But the rule still isn’t final, and a closer look at what’s actually happening with the standard gives us a chance to fix it—and even imagine a fairer new version that would protect both consumers and competition.
THE “DO NOT TRACK” program started with a good idea. In 2007, several consumer advocacy groups approached the FTC and asked it to create a national Do Not Track list. Done right, the thinking went, Do Not Track could be simple: once you added yourself to the list, Internet companies would have to abide by your data preferences. The consumer advocates started with the premise that, in the words of a former FTC leader, “Internet businesses are not free to help themselves to the resources of a consumer’s computer.”
In 2010, the FTC issued a staff report endorsing a mechanism to give consumers choice in online tracking. The FTC’s goal, then and later, was to allow consumers to decide “whether to allow the collection and use of data regarding their online searching and browsing activities.” The FTC decided that the most practical method would likely involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser. The setting was nicknamed “Do Not Track.”
How would it work in practice? It seemed to make sense to have industry help figure it out: technological change happens quickly, and there was no sense in the FTC creating a Do Not Track requirement that would be obsolete by the time it was announced. The FTC endorsed the notion of having industry create a new Do Not Track standard, and the World-Wide Web Consortium—the influential standards body at the heart of the Web—set up a working group to get it done.
Unfortunately, the W3C’s effort quickly degenerated. A string of high-profile privacy experts and other participants stepped back from the working group. The group established and then ignored countless deadlines, with one key figure describing the mess as an agonizing series of fruitless meetings and emails: “We first met to discuss Do Not Track over 2 years ago. We have now held 10 in-person meetings and 78 conference calls. We have exchanged 7,148 emails. And those boggling figures reflect just the official fora. The group remains at an impasse.” By October 2013, prominent privacy and consumer advocates had lost confidence in the process and suggested that the working group be disbanded.
Most industry watchers wrote it off as a failure and walked away. But not everyone. The Internet giants with the largest stake in the final outcome—including companies like Google, Yahoo, Facebook, and Comcast, which collect the vast majority of user data—stayed in the meetings, and pushed ahead. They positioned their own representatives in leadership roles.
Now the process is finally reaching its conclusion. In July, the Tracking Protection Working Group quietly posted a statement on its website announcing that it had reached “Last Call,” triggering a comment period before the standard’s major features will be finalized. There was good reason for them to bury the news: Under the proposed standard, some of the Internet’s largest purveyors of personal data would be granted wide latitude to ignore any “Do Not Track” signal on their own sites and across the Internet.
Here’s how the rule would work. The proposed Do Not Track standard distinguishes between “first parties,” companies with a consumer-facing online presence, and “third parties,” companies that facilitate online ads displayed on other companies’ websites and online applications. If a user navigates to a website, the site itself is a first party; given the broad definition of first party, so is the user’s Internet browser and even the users’ ISP. If a user has activated “Do Not Track,” the proposed rule would allow first parties to continue tracking their online activity and other personal data, but would ban third parties from doing the same.
This distinction makes sense in the world of telemarketing; it means that the phone company can use your information to help deliver service, but blocks marketers from using it to sell you things. The problem is that the Internet is different: many of the largest Internet giants are both first and third parties, collecting the data on the technological front end, and then using it for their own business purposes later. And the proposed rule would exempt their entire operations from “Do Not Track.” So, when a user activates the Do Not Track signal, if he or she enters a query into the Google search engine, signs onto to Gmail, or uses Google Chrome or Android, he or she will still be allowing Google to gather information and use it to deliver targeted ads.
From the perspective of the world’s largest Internet companies (and advertising companies), the main function of the new standard won’t be to limit data collection: it will be to limit the ability of any potential rivals to collect comparable data. What started as consumer protection has ended up a barrier to competition—a moat protecting the very companies that gather the most user data on the Internet.
THE ALTERNATIVE IS to take another road. The FTC originally issued the call for a Do Not Track regime, and it now needs to reassert itself in the process to ensure the project it started does not end up undermining both consumer privacy and the online advertising competition that is critical to the health of the Internet.
Thankfully, there are a few promising signs that this rethink may be happening. Just this week, speaking to the online advertising community, FTC Commissioner Julie Brill criticized the process for languishing, and called for “robust and innovative tools to address this demand in a sophisticated way. Not to find ways around consumer choice, but to provide consumers with something they clearly want: to see advertising that respects their privacy and that they can trust."
A bigger step would be for Congress to pass a bill that would bridge the gap between the privacy community and the legitimate concerns of advertisers who keep the Internet humming. In her speech, the FTC commissioner pointed to the rise of ad blockers—which prevent many advertisers from collecting data, but in an ad-hoc way—as a powerful incentive to craft such a standard that is simple and comprehensive.
There are important interests to balance here. On one side, consumers deserve protection and more transparency about how their data is being used; at the same time, data-fueled advertising is a big part of the model that keeps the economic engine of the Internet humming, and allows all of us to access free content and tools.
What we can’t do is let the biggest players write the rules alone. Google and Facebook are among the largest vacuum cleaners of data (Google has more data than the NSA) and, through acquisitions, are also the largest pipelines for online advertising. Their gatekeeper status makes the issue of a fair and independent Do Not Track even more critical.
It’s easy to see this as a choice between consumer protection and competition, but that’s a false divide. Giving consumers more choice about their privacy could actually help a new kind of “privacy competition” develop. And a standard that doesn’t unfairly close the gates on smaller competitors would also help advertising competition increase. A decisive and evenhanded new standard would help catalyze this revolution, not limit it.
Allen Grunes is a former attorney with the Department of Justice’s Antitrust Division and co-founder of the Washington, D.C.-based Data Competition Institute.