From the Digital C-Suite

The Facade of Safety: Why Microsoft's Approach to DNT Is Harmful to Online Consumers and What to Do About It.


OK I admit it: it’s hard for me to believe that Microsoft truly doesn’t understand the ad industry.  But it’s also clear that their non-advertising Windows division rules the roost, so it’s also very possible that Microsoft actually doesn’t understand the ad industry.  On Thursday August 9th, Microsoft reaffirmed its decision to include the Do-Not-Track (DNT) flag on by default in the new IE10, saying, “further research has shown that consumers support this decision.” 

The problem with this statement—and with the policy Microsoft is pursuing—is that consumers have absolutely no idea what DNT actually means.  If you ask an average Internet user about DNT, she will tell you that it prevents her from being tracked online. Of course, she would be wrong.  I was in a board meeting last week listening to a legal expert on privacy make this exact same mistake, saying DNT being on by default “would prevent most consumers from ever seeing online behavioral ads and the informational and opt-out options provided by the DAA.”  Again, wrong.  DNT doesn’t prevent nor actually guarantee a consumer anything unless a publisher serving content recognizes the setting, and then acts on it.  Thus, Microsoft’s policy of having DNT on by default promises to further muddy an already confusing privacy environment because consumers will believe tracking is not taking place when it most certainly is.

There are further problems with DNT.  The advertising industry came together to create self-regulatory principles where all participants agreed to recognize DNT, but that was a policy designed to recognize active consumer choice.  The problem is, when a browser chooses DNT=ON for the user and suggests that that they should feel safer because of this choice, it is actually harmful.  While many of the already "good guys" who follow self regulations might follow this setting, the "bad guys" who don't follow self regulation certainly WON'T, rendering users more susceptible to the bad guys because their safety is now a façade.

Perhaps even more harmful to consumers, DNT is a blunt instrument that doesn’t allow you or me to have choice over which of our preferred vendors are able to serve us offers we might actually find valuable.  For example, if you were a frequent visitor to Amazon and they had a 50% deal on a product you loved, if DNT was turned on, you wouldn’t receive that offer as you surfed the web.  That’s a bummer for everyone who wants privacy but also values a good experience online.

To be fair, DNT as it currently exists doesn’t make sense for Microsoft. But, then again, it also doesn’t make sense for the industry overall either.  The right approach is one that isn’t based on a hand raise and a “pretty please don’t track me,” but an active and impenetrable shield to prevent tracking when this is the consumer’s desire.  Towards this end, I believe there is a simple and straightforward solution. 

The browser should ship with DNT off but with all third-party cookies off by default for all cookie domain owners who don’t pass an ongoing self-regulatory compliance review.   This will shift the onus of privacy compliance to those who want to track in order to deliver benefits to consumers with full transparency and control; which are the ultimate goals of the self-regulatory principles.  The vendors would have to apply to be tested for compliance, and will have to submit to ongoing audits.  Those who pass the test would be federated to the browser as “OK” for tracking by default.  Those who fail or don’t get explicitly approved will be “OFF” for tracking by default.  The browser will ship with the settings but the user will then have the ability to change their settings if they want less privacy (i.e. all third parties on by default) or more privacy (i.e. all third parties off by default even if they pass the compliance tests).

Some will argue: “who” should be the owner of this federated list?  I think it could be both for- and non-profit companies and organizations -- BPA, TRUSTe, Evidon, BBB, and DAA all come to mind as possibilities.  Interestingly, there’s actually a precedent for this.  ReturnPath is a company that creates and federates  “whitelists” of domains to ISPs and other email filtering organization for email CAN-SPAM compliance.   This proven model would work extremely well in the online advertising industry, as it would solve the concerns of all parties.  Consumers would actually be protected and feel confident that their data isn’t being misused.  Advertisers who do things the right way in a transparent and controlled environment get to target ads and create good offers for consumers in a privacy-centric way.  And ultimately, we all get to feel good that we’re creating an Internet that can continue to grow, and innovate without harming or confusing the consumers whom we’re trying to protect.

Microsoft has it wrong.  Let’s solve this right as an industry once and for all.



Comments for The Facade of Safety: Why Microsoft's Approach to DNT Is Harmful to Online Consumers and What to Do About It.

Name: Robert Repas
Time: Monday, September 10, 2012

As a consumer, I see no problems to me with the Microsoft browser shipping with DNT turned on. But I do see major problems in letting the fox guard the hen house: in other words, the so-called industry self-regulation. In my 6 decades on this planet I have rarely, if ever, seen any type of self-regulation work without an external penalty to enforce compliance. You state the reason yourself, "DNT doesn’t prevent nor actually guarantee a consumer anything unless a publisher serving content recognizes the setting, and then acts on it." Oh sure, everyone starts out supporting the philosophy of a self-regulatory rule. But it only takes one company to ignore the compact, and then everyone soon ignores it because to do otherwise puts them at a disadvantage. I am a strong advocate for such regulations that mandate DNT recognition, and penalties levied against those that ignore it.

Name: Andy Davies
Time: Monday, September 10, 2012

Let's face it the whole thing is a farce and while DNT doesn't carry any legal footing it's pretty much a waste of space as it's free to be ignored.

MS provided the most sensible default setting i.e. Do Not Track, all the ad-industry and others are doing by their grinding of teeth and complaining about MS is showing up how useless DNT was to start with.

Name: Ross Bradley
Time: Tuesday, September 11, 2012

Hi Russell. Interesting but you seem to be forgetting that [The FTC's] Jon Liebowitz praised Microsoft's new approach on Do Not Track and (I feel) that The FTC Commissioner is likely to be proven correct.

Many seem to be 'missing the point' of just where Microsoft (& in time, Google, Facebook and others) are likely to be coming from. - Is what I am clearly seeing.

I'm following closely what I feel becomes the merge of search and display along with the likelihood of a ONE marketplace (& a central, independent 'inter-connector') that may soon become a reality.

The login is the key, I feel - as it's the first party "cookie" with user's giving an automatic opt-in approval.

Just as (I can only imagine?) users give this same (1st party 'cookie' and access to their data) approval, when using the search engines!

Microsoft (with Bing) Google+ (the Google & other search engines), Facebook, Yahoo (via Bing) will all have this exclusive FIRST PARTY DATA to enable their own advertisers to target users in real time at that point of a search query either 'local' or, all over the web & across a one publisher base or, publishers within a one open marketplace.

Search targeting then becomes the ultimate opportunity for matching marketers with 'in market' users anonymously in what becomes a far more efficient, frictionless and with an elimination of click fraud, all based on a user's search intent query.

Re-targeting can then be anonymously had (finding users on landing pages) across this one marketplace. Is my feeling of what lies ahead.

An opinion.

Name: Russell Glass
Time: Tuesday, September 11, 2012

I agree fully with the comments that there should be government regulation around online privacy to give self-regulatory principles real teeth in enforcement (I've even written about it very publicly: However, DNT by browser default is not the right solution. I've presented a solution here that would provide real privacy for consumers and huge ramifications for industry misuse of the standard. If the government then codifies this approach, we're all better off!

Leave a comment

Welcome back!
Our B2B digital marketing content will be moving to the LinkedIn Marketing Solutions Blog.

Don’t miss a beat — sign up for the LMS blog now!