Why A “Do Not Track” Flag Cannot Possibly Work

Updated on Aug 26, 2020 by Rick Falkvinge

The advertising industry has created a private mass-surveillance nightmare on the web, in addition to the government spooks. One resurfacing suggestion to solve this has been a “no surveillance please” option, known as the “Do Not Track” flag. Such a flag, even if legally mandated, cannot possibly work. Here’s why.

Privacy remains a paramount topic on anything Internet-related. One problem that keeps resurfacing is that individuals can easily be tracked as they move between websites, letting trackers build profiles of them until they are completely identified at the individual level. When this happens en masse, it’s effectively another form of mass surveillance, but one invented and performed by the private sector.

Advertisers were among the first actors to track individuals in this way, with DoubleClick being an infamous actor in this field. They would piece together a puzzle for every individual in the worst cloak-and-dagger style: if you submitted an email address there, they would remember it; a phone number here, a first name there. Your identity would gradually be completed by small bits and pieces that you gave away to what seemed to be completely different entities.

In this way, every website you visited would know exactly who you were as soon as you landed on it. It was a Big Brother nightmare, but created by the advertising industry. To solve this, a “Do Not Track” flag has been repeatedly suggested, where you would simply request of the websites you visit to not track and identify you.

The problem is that nobody on the Internet is required to honor any request, and that this is by design. This can be trivially observed with requests going in the other direction: anybody running an adblocker when surfing knows that they don’t actually have to see the requested webpage in the way that the server asks it to be displayed – you can display the parts you want of the page and happily ignore the rest, not even showing unwanted parts (like advertisements). This is the case with pretty much every Internet protocol, and this is by design.

Just as your web browser is free to ignore what the server asks for, such as displaying ads on a web page, any webserver is always also free to ignore what the web browser asks for. Therefore, a “do not track” flag cannot possibly work, because the Internet was not designed to honor that kind of forced behavior, and cannot be amended to have it without making a whole new Internet.
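The asymmetry described above, as an added example that is not part of the original column: two hypothetical servers receive the same constructed request carrying the `DNT: 1` header, one honoring it and one ignoring it, and the bytes sent back to the browser are identical. The `Server` class, its `honor_dnt` switch, the host name and the cookie value are all assumptions made for illustration.

```python
# Added illustration; the servers and the sample request are constructed.

# Constructed request: a browser asking not to be tracked (DNT: 1).
SAMPLE_REQUEST = (
    b"GET /article HTTP/1.1\r\n"
    b"Host: news.example\r\n"
    b"Cookie: uid=abc123\r\n"
    b"DNT: 1\r\n"
    b"\r\n"
)

def parse_headers(raw: bytes) -> dict:
    """Return the request headers as a dict with lower-cased names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

class Server:
    """Hypothetical server; honor_dnt is a policy only the operator sees."""

    def __init__(self, honor_dnt: bool):
        self.honor_dnt = honor_dnt
        self.profile_log = []                # server-side only, never sent

    def handle(self, raw: bytes) -> bytes:
        headers = parse_headers(raw)
        opted_out = headers.get("dnt") == "1"
        if not (self.honor_dnt and opted_out):
            # Nothing in HTTP stops a server from taking this branch.
            self.profile_log.append(
                (headers.get("cookie"), headers.get("host")))
        body = b"<html>article</html>"
        head = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)
        return head + body

def compare(raw: bytes = SAMPLE_REQUEST):
    """Send one request to both servers; report what each side can see."""
    honoring, ignoring = Server(True), Server(False)
    same_response = honoring.handle(raw) == ignoring.handle(raw)
    return same_response, honoring.profile_log, ignoring.profile_log

if __name__ == "__main__":
    print(compare())
```

The only difference between the two servers lives in `profile_log`, which never crosses the wire, so the browser has no way to check from the response whether its request was honored.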

So the huge surveillance problem created by the advertising industry cannot be solved by regulation, and ironically, this is most easily illustrated by techniques to shut out advertisements and the advertising industry altogether from people’s Internet experience.

The problem boils down to this: there isn’t, and cannot possibly be, a legal requirement for any computer to do what you want it to. (Anybody who has ever worked with a computer would recognize the impossibility of this.)

In summary, you cannot ask somebody else to take responsibility for your privacy, and transmitting a “Do Not Track” flag as part of your communication with web servers would be just such a question. The Internet wasn’t designed that way, on purpose.

Therefore, this column ends on a very familiar note:

Privacy remains your own responsibility.


2 Comments

  1. Anonymous

    So how should the problem of advertising surveillance be solved?

    Paid content?
    Paid services?
    Other ideas?

    Advertising without surveillance is not going to work.

    12 years ago
  2. davecb

    I suspect it may be appreciated by the lawyers for a different reason.

    In Canada, having a password on your phone is an indication that you have a “reasonable expectation of privacy”, and it can’t be searched without a warrant specifically stating what the police expect to find, and why. An ethical* policeman or security service will honor it, and seek a warrant.

    The same applies to a robots.txt file: the site does not grant permission to search engines to index the site, while it does permit individuals to access it.

    Similarly, a do not track flag will tell everyone that you do not wish to be stalked, and ethical advertisers might honour it. Police and security services will be on notice that you have an expectation of privacy in the particular web interaction, and will then need to make a case that their warrantless snooping is lawful in Canada.

    The risk, of course, is that if “do not track” is the default, failure to set it may indicate that you actively do not care about the privacy of a web transaction.

    It’s always a good idea for you to say “not allowed, go away”, even if it’s a no-trespassing sign on a glass door. It remains your responsibility to protect your privacy, including joining class-action suits where applicable and telling the spies to go away.

    –dave
    [* It is not obvious if my country’s security services are ethical. There is some evidence that my police force is, in the form of multi-page applications for search warrants for the local mayor’s driver and/or drug-dealer]

    12 years ago