How the New ‘Do Not Track’ Standard Isn’t Quite Enough



If you’re serious about protecting your privacy online, you probably already know that unless you go to some pretty extreme lengths, at least some of your web activity is being tracked every day. Even if you use your browser’s “Do Not Track” setting, many advertisers ignore your preference and secretly track you anyway. So the Electronic Frontier Foundation has announced a new “Do Not Track” standard that aims to both better protect you from sites that try to follow and record your Internet activity and incentivize advertisers and other data-collecting companies to respect your choice not to be tracked online.

Owen Williams reports for The Next Web that the Do Not Track setting — which was first proposed in 2009 and has since been added to all major browsers, plus the iOS and FirefoxOS mobile operating systems — sends a notification to websites, signaling to them that you want to opt out of tracking and asking them to disable it. But, as the EFF’s announcement of the new standard notes, tracking is common and typically occurs without your knowledge or consent, even if you’ve turned on Do Not Track. “You can see evidence of this when ads appear around the Web that are eerily based upon your past browsing habits,” the EFF explains. “Meanwhile, the underlying records and profiles of your online activity are distributed between a vast network of advertising exchanges, data brokers, and tracking companies.”

The new Do Not Track standard is a document that sites can post, affirming that they support the Do Not Track feature and that they will respect the choice of users who opt in, and explaining what data the service will track if users don’t turn on Do Not Track. The standard asks sites to ensure that any third-party scripts (such as advertisements, widgets, and analytics) are also held to the Do Not Track policy and don’t collect data on the user. But even a solid new Do Not Track policy isn’t enough to protect you by itself. As the coalition behind the standard explains, you should still use privacy software to keep your activity private, especially before adoption of the new policy reaches critical mass.

The new policy standard is the result of a coalition between the EFF, privacy company Disconnect, publishing site Medium, analytics service Mixpanel, ad and tracker-blocker AdBlock, and private search engine DuckDuckGo. EFF chief computer scientist Peter Eckersley said in the group’s statement that the new standard will give users “a clear opt-out from stealthy online tracking and the exploitation of their reading history.” The new Do Not Track standard isn’t an ad or tracker blocker, but would work in tandem with such privacy software.

As the EFF explains in a guide for consumers, the new Do Not Track standard is based on the idea that using the web, including viewing online ads, shouldn’t come at the cost of privacy. Tracking systems use cookies, beacons, browser and device fingerprints, and unique identifiers to watch our online activities. “Frequently, evading this type of tracking means blocking online advertisements entirely,” the group explains. “That’s because ads are often designed to collect user data for billing and other purposes. And it’s not just ads: many embedded page elements such as social network ‘like’ buttons will track user data when the element is first loaded, even if the user never clicks on that button or embed.”

Disconnect chief executive Casey Oppenheim said in the group’s statement that “The failure of the ad industry and privacy groups to reach a compromise on DNT has led to a viral surge in ad blocking, massive losses for Internet companies dependent on ad revenue, and increasingly malicious methods of tracking users and surfacing advertisements online.” So the new Do Not Track standard would both protect consumers’ right to privacy, and incentivize advertisers to respect users’ choice, “paving a path that allows privacy and advertising to coexist.”

Jacob Kastrenakes reports for The Verge that the EFF doesn’t explain why the new standard is stronger than other Do Not Track policies, but it does suggest that it’s best used in conjunction with privacy software. The groups behind the standard hope that it’s easier to adopt, and the new policy says that companies can choose where they support it. So a company could, for instance, support Do Not Track on its main domain, but decline to support it while offering services to third parties.

While all major browsers enable users to send Do Not Track requests, Kastrenakes notes that the remaining problem is that there are no clear guidelines on what a website should do when it receives the request. The new policy is an important first step toward solving that limitation, but the policy would need wide adoption for users to know what they’re really getting when they use a site that says it respects their Do Not Track requests. In the meantime, you still need to use software to protect your privacy online; even a strong new Do Not Track policy isn’t enough for you to rely on when it comes to the tracking that’s become ubiquitous across the Internet.
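To make the question of what a site should do with the request concrete, here is one way a server might act on it. This is an added illustration, not code from the EFF or the text of its policy; the `vid` cookie, the embed list and the `*.example` hosts are constructed for the example.

```javascript
// Constructed third-party elements for a hypothetical article page.
const THIRD_PARTY_EMBEDS = [
  { name: 'analytics', html: '<script src="https://analytics.example/a.js"></script>' },
  { name: 'like-button', html: '<iframe src="https://social.example/like"></iframe>' },
];

// A browser with the setting enabled sends the request header "DNT: 1".
// Node.js lowercases incoming header names, hence the 'dnt' key.
function wantsNoTracking(reqHeaders) {
  return String(reqHeaders['dnt'] ?? '').trim() === '1';
}

// newId is injectable so the function can be exercised deterministically.
function buildResponse(reqHeaders, newId = () => globalThis.crypto.randomUUID()) {
  const headers = {
    'Content-Type': 'text/html; charset=utf-8',
    // The response differs by DNT, so shared caches must not hand a
    // tracked copy of the page to a visitor who opted out.
    'Vary': 'DNT',
  };
  const hasId = /(?:^|;\s*)vid=/.test(reqHeaders['cookie'] ?? '');
  let embeds;
  if (wantsNoTracking(reqHeaders)) {
    // Opted out: issue no identifier, expire one set earlier, and leave
    // out elements that would contact third parties on page load.
    if (hasId) headers['Set-Cookie'] = 'vid=; Path=/; Max-Age=0';
    embeds = THIRD_PARTY_EMBEDS.map((e) => `<!-- ${e.name} withheld (DNT) -->`);
  } else {
    if (!hasId) {
      headers['Set-Cookie'] = `vid=${newId()}; Path=/; Secure; HttpOnly; SameSite=Lax`;
    }
    embeds = THIRD_PARTY_EMBEDS.map((e) => e.html);
  }
  const body = `<!doctype html><title>Article</title><p>Story text</p>\n${embeds.join('\n')}`;
  return { headers, body };
}
```

Withholding the embeds on the server matters because, as the EFF notes above, elements like social buttons collect data as soon as they load, before any click.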
