OK I admit it: it’s hard for me to believe that Microsoft truly doesn’t understand the ad industry. But it’s also clear that their non-advertising Windows division rules the roost, so it’s also very possible that Microsoft actually doesn’t understand the ad industry. On Thursday August 9th, Microsoft reaffirmed its decision to include the Do-Not-Track (DNT) flag on by default in the new IE10, saying, “further research has shown that consumers support this decision.”
The problem with this statement—and with the policy Microsoft is pursuing—is that consumers have absolutely no idea what DNT actually means. If you ask an average Internet user about DNT, she will tell you that it prevents her from being tracked online. Of course, she would be wrong. I was in a board meeting last week listening to a legal expert on privacy make this exact same mistake, saying DNT being on by default “would prevent most consumers from ever seeing online behavioral ads and the informational and opt-out options provided by the DAA.” Again, wrong. DNT neither prevents tracking nor guarantees a consumer anything unless the publisher serving the content recognizes the setting and then acts on it. Thus, Microsoft’s policy of having DNT on by default promises to further muddy an already confusing privacy environment, because consumers will believe tracking is not taking place when it most certainly is.
There are further problems with DNT. The advertising industry came together to create self-regulatory principles under which all participants agreed to recognize DNT, but that policy was designed to recognize an active consumer choice. The problem is that when a browser chooses DNT=ON for the user and suggests that they should feel safer because of this choice, it is actually harmful. While many of the already "good guys" who follow self-regulation might honor this setting, the "bad guys" who don't follow self-regulation certainly WON'T, leaving users more susceptible to the bad guys because their safety is now a façade.
Perhaps even more harmful to consumers, DNT is a blunt instrument that doesn’t allow you or me to choose which of our preferred vendors are able to serve us offers we might actually find valuable. For example, if you were a frequent visitor to Amazon and they had a 50% deal on a product you loved, with DNT turned on you wouldn’t receive that offer as you surfed the web. That’s a bummer for everyone who wants privacy but also values a good experience online.
To be fair, DNT as it currently exists doesn’t make sense for Microsoft. But, then again, it also doesn’t make sense for the industry overall either. The right approach is one that isn’t based on a hand raise and a “pretty please don’t track me,” but an active and impenetrable shield to prevent tracking when this is the consumer’s desire. Towards this end, I believe there is a simple and straightforward solution.
The browser should ship with DNT off but with all third-party cookies off by default for all cookie domain owners who don’t pass an ongoing self-regulatory compliance review. This will shift the onus of privacy compliance onto those who want to track in order to deliver benefits to consumers with full transparency and control, which are the ultimate goals of the self-regulatory principles. The vendors would have to apply to be tested for compliance and would have to submit to ongoing audits. Those who pass the test would be federated to the browser as “OK” for tracking by default. Those who fail or are never explicitly approved would be “OFF” for tracking by default. The browser would ship with these settings, but the user would then have the ability to change them if they want less privacy (i.e. all third parties on by default) or more privacy (i.e. all third parties off by default, even those that pass the compliance tests).
Some will argue: “who” should be the owner of this federated list? I think it could be both for-profit and non-profit companies and organizations -- BPA, TRUSTe, Evidon, BBB, and DAA all come to mind as possibilities. Interestingly, there’s actually a precedent for this. ReturnPath is a company that creates and federates “whitelists” of domains to ISPs and other email filtering organizations for email CAN-SPAM compliance. This proven model would work extremely well in the online advertising industry, as it would solve the concerns of all parties. Consumers would actually be protected and feel confident that their data isn’t being misused. Advertisers who do things the right way in a transparent and controlled environment get to target ads and create good offers for consumers in a privacy-centric way. And ultimately, we all get to feel good that we’re creating an Internet that can continue to grow and innovate without harming or confusing the consumers whom we’re trying to protect.
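To make the proposed default concrete, here is an added model (not code from the post, nor from any browser) of the cookie decision it describes: first-party cookies are untouched, third-party cookies are stored only for domains on a federated compliance allowlist, and the user can override toward less or more privacy. The allowlist entries and the two-label "registrable domain" rule are constructed simplifications; a real implementation would consult the Public Suffix List.

```python
"""Model of the post's proposed default: DNT off, third-party cookies blocked
unless the cookie domain passed the federated compliance review, with a user
override in either direction. Illustrative only; names are hypothetical."""
from enum import Enum


class Privacy(Enum):
    LESS = "all third parties on"       # user chose less privacy
    DEFAULT = "allowlist"               # the proposed shipping default
    MORE = "all third parties off"      # user chose more privacy


# Constructed sample allowlist: domains that passed the compliance review.
COMPLIANT_DOMAINS = {"ads.example-compliant.com", "example-compliant.com"}


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels (assumption; a browser would
    use the Public Suffix List so that e.g. co.uk is handled correctly)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_host: str, cookie_domain: str) -> bool:
    """A cookie is third-party when its registrable domain differs from the
    page's. Leading dots on cookie domains are ignored, as browsers do."""
    return registrable_domain(page_host) != registrable_domain(cookie_domain)


def is_compliant(cookie_domain: str) -> bool:
    """True if the cookie domain, or any parent below the TLD, is allowlisted."""
    labels = cookie_domain.lower().strip(".").split(".")
    return any(".".join(labels[i:]) in COMPLIANT_DOMAINS
               for i in range(len(labels) - 1))


def allow_cookie(page_host: str, cookie_domain: str, setting: Privacy) -> bool:
    """Decide whether the browser stores a cookie set while visiting page_host.
    No DNT header is involved: the protection is the block itself, not a
    request to the server."""
    if not is_third_party(page_host, cookie_domain):
        return True                     # first-party cookies are unaffected
    if setting is Privacy.LESS:
        return True                     # user turned all third parties on
    if setting is Privacy.MORE:
        return False                    # blocked even if the vendor is compliant
    return is_compliant(cookie_domain)  # DEFAULT: only reviewed vendors
```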
Microsoft has it wrong. Let’s solve this right as an industry once and for all.