To Track or Not to Track? That’s Actually Not the Question.

A subcommittee of the House Committee on Energy and Commerce held a hearing last week to consider a proposal, floated in a recent Federal Trade Commission report, for “Do Not Track” legislation aimed at giving Web users greater control over how information about their online activities is collected and used by sites and advertisers. The name is a deliberate reference to the wildly popular “Do Not Call” list, a sort of virtual “No Tresspassing” sign for the telephone, which has spared scores of Americans the annoyance of telemarketers pitching FABULOUS DEALS! and LOW INTEREST RATES! during dinner. Subcommittee Chair Bobby Rush repeatedly invoked the Do Not Call program’s success in his opening remarks. And under the headline “Don’t Track technology is simple, experts say” USA Today declared that a “Do Not Track” policy for the Internet would be even “simpler and more powerful than Do Not Call.”

But as technology researcher Harlan Yu has argued, it’s actually a good deal less simple than it sounds—and the analogy to “Do Not Call” may obscure more than it illuminates. The experts consulted by USA Today are right that a Do Not Track policy would, in one respect, be technically simpler to implement than Do Not Call. It would not be necessary—or, indeed feasible—to have some kind of centrally administered list of people who have opted out of tracking. Instead, the idea seems to be that browsers could incorporate a “Do Not Track” mode which, when activated by users, would send a legally enforceable signal to deactivate tracking in the header of all communications, which would be automatically recognized by sites and ad networks.

What’s not so simple—as the FTC official who testified at last week’s hearing acknowledged—is determining exactly what “tracking” means, who is obligated to listen to the Do Not Track request, and what compliance with it entails. The appeal of a legally enforceable Do Not Track header is that it targets a functional class of behavior rather than any particular technological tracking mechanism, with the goal of ending the “arms race” that characterizes individual efforts by users to safeguard their privacy. So as users learn that they can delete tracking cookies, or block cookies from ad networks using their browser’s privacy settings, the advertisers turn to Flash cookies. When users figure that out, the trackers turn to system fingerprinting or history sniffing. How much simpler for users to simply be able to know they can demand not to be tracked without worrying about whether they’ve anticipated the latest clever method.

There’s the rub, though: There are many different kinds of information sites collect when interacting with users—much of which can be used for tracking, but which is also necessary for other purposes. So, for instance, IP addresses are not a particularly good way of tracking users for behavioral marketing purposes—on many networks they’re dynamically assigned and change frequently, and a single IP may actually represent many different computers and users behind a NAT firewall. Nevertheless, they often will be relatively persistently identified with a particular user—yet it would be utterly infeasible to suggest that sites be forbidden from maintaining their own server logs, including visitor IPs, for any connection that includes a Do Not Track header. Similarly, while sites can collect information about a user’s system configuration for the purpose of “fingerprinting” and tracking, there are lots of other reasons to collect that data—providing browser or OS-specific functionality or a smoother user experience, diagnosing bugs, and so on.

A browser-embedded header may be technically simpler than a government-administered “Do Not Call” list, but “Do Not Call” is conceptually much simpler: A marketer either places an unsolicited call to a particular number, or it doesn’t. When it comes to the information generated by the interaction between a user and a Website, the datastream may be binary, but the question of whether someone is being “tracked” or not is anything but. And as the “arms race” alluded to above shows, it’s not always going to be clear in advance which kinds of information will facilitate tracking. And of course, users will find it useful and convenient to permit the collection of certain types of information even as they prohibit others, making it desirable, as the FTC’s David Vladeck put it in his testimony, for Do Not Track to enable “granular control” by users, rather than a simple on-off switch. But the more types of data collection and sharing need to be controlled—including new types that become prevalent as technology evolves—the more elusive the clarity and simplicity promised by Do Not Track (relative to mechanism-specific self help) becomes.

Maybe there’s a solution to these difficulties—it would be premature to declare it hopeless a priori without seeing a proposed standard. But while the Internet is global, the reach of the FTC is confined to the United States. Even if the arms race could be halted within those borders, many users would frequently—and probably unwittingly—visit sites that are based abroad, or include content from third-party sites that are. (Expect that to increase if legislation gives those foreign ad networks a competitive advantage.) If the sense of security provided by Do Not Track therefore proves to be largely illusory, a more openly acknowledged arms race might be preferable.