Slashdot Mirror
FTC Proposes Do Not Track List For the Web
An anonymous reader writes "The Federal Trade Commission proposed allowing consumers to opt out of having their online activities tracked on Wednesday as part of the agency's preliminary report on consumer privacy. FTC chairman Jon Leibowitz said he would prefer for the makers of popular web browsers to come up with a setting on their own that would allow consumers to opt out of having their browsing and search habits tracked."
It should be opt-in.
Shouldn't that be opt-in?
I'm all for a standard GUI for doing so, but the "other side" (those who do the tracking) must also cooperate by actually observing the setting (no matter how it should be delivered to them; perhaps via HTTP header). If observing it would be mandatory, then hooray; otherwise, meh.
spammers! Brilliant, thank you FTC!
Because all those "remove me from your mailing list" options have worked so well...
I'd be interested to see if this is even possible. From what I understand, which is somewhat limited, it is virtually impossible to completely wipe browser information as it is sometimes required to act a certain way when interfacing with a website. can someone prove me wrong? any suggestion to applications or add-ins for browsers would be sweet too.
the TSA should implement a "do not molest" list.
Do you even lift?
These aren't the 'roids you're looking for.
incognito mode? everything else is tracked by the websites?
The Do-not-call list provided exceptions for politicians and non profits. Will we just see currently existing unscrupulous entities just create associated 501c3's to get around the tracking block? Just like there is a loophole for the do not call list, there will be one for this. Assuming, of course, it ever comes into being.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
Can I completely opt out of being tracked by the government for associating with known felons (reading slashdot for instance).
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
P3P
"... web browsers to come up with an setting on their own that would allow consumers to opt out of having their browsing and search habits tracked"
Firefox already did this. It's called the extension mechanism. (Chrome didn't: theirs runs after download, which means it's useless for privacy).
If you *really* care a lot, the above plus an anonymous proxy.
Anyone who cares can already opt out of being tracked. The last thing I want is the govt damaging my ability to do this out of some bureaucratic misguided attempt to "protect me". I can already protect my privacy - the only possible outcome of this is that they damage my ability to do that, because protecting my privacy *from them* is not what they mean.
I'm all for this, I think it would be wonderful and beautiful to just change a setting in my browser and never have to question whether I'm being surveiled or not. It'll never work though. Corporations want what they want, and they'll find a way to track you regardless. I don't even think that making it illegal to track people's online habits would really stop them. The federal "Do not call" list only works up to a point, if someone doesn't give a shit about the law and thinks they can get away with it, they'll ring you up anyway.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Lets face it, the local do not call registers barely work. I manage to report about 8 companies a year to our Telecommunications Industry Ombudsman and the Australian Competition and Consumer Commission about calls I get to our number. The fines are usually quite hefty especially for repeat offenders. Somehow I doubt that companies will bow down and obey instructions from an international company who's laws don't govern them.
My brain's a little slow today... how would this work? How would this be enforced? Since when can websites tell exactly who we are (which I am assuming will be required to verify that the user is or is not on the list)?
Most of the time the US government wants to tell us how to do things and in doing so they prefer to limit our options. "We'll do it for you... and you'll like it or else" tends to be their mantra.
I wonder why in this the case the head of the FTC would rather the private sector (the browser makers) be the ones to add functionality to thwart the tracking... could it be they would only gain power over the advertisers (which is WAY smaller than the general population - so why bother?)
If they actually cared, then why not set up a simple list like the "do not call" list and require anyone that wants to track to go there and get approved. Then allow opt-outs through some channel. Then, anyone caught still tracking after that point is in federal trouble - as opposed to browser makers have to code around the tracking violators.
My present is the activity I am currently engaged in with the purpose of turning the future into a better past.
I have a land line (it comes over my cable connection) because we only have one mobile phone and use the 400 minutes as our long distance service thus it's cheaper for us to have family call us on the land line. Aside from the handful of calls we get from family the rest of the time it's from scammers "trying to lower your interest rate on your credit card," who hang up when you press them for who they are or companies who do not follow the DNC list.
These companies know they have little chance of being prosecuted under the law so I end up with numerous phone calls and fights with supervisors of these companies to not call me again. Yet they keep trying to sell newspaper subscriptions and rug cleanings to me.
So after three phone calls from one company I finally get enough information to file a complaint with the FCC. I submit that complaint and it's rejected three different times for lack of information. While the FCC agent attempts to be helpful the entire process is cumbersome and difficult. I lack any confidence the calls will stop or the company will pay and even if they do the fine will be minimal and they'll just consider it the cost of doing business.
---
So back to this particular new trend. Yeah, great, no more tracking online. It's a lot easier for me to block that stuff online while still enjoying a relatively easy browsing experience than it is for me to stop calls from ringing my phone which would include turning the ringer off (no, I'm not paying for call block or caller ID).
If the government wants to do this, and I'd love them to, they need to ensure that the laws, policies and enforcement are viable and actually benefit people rather than creating a whole new useless bureaucracy which spends money and doesn't accomplish a damn thing.
Liberte, Egalite, Fraternite!
The enlightened TrisexualPuppy rings the bells of excellence. Throw the dog a modpoint!
Besides the simple fact that there currently isn't a good way to implement an opt-out database (yet) and doing so on a national level between several websites would be a nearly impossible nightmare, you also have to consider the fact that:
1) There is no good way to enforce this as the legal boundaries end at our borders. There wouldn't be much to stop offshore data collection.
2) The most harmful types of data collection are those people that do it for malicious purposes like phishing. I really don't think a US law is going to stop them anyways.
-also-
3) What constitutes "tracking?" There are web aps and addons that track your usage of a page for simple things like counting the number of visitors, or much more complex things like demographic account collection to tune web ads to best suit you. There are also versions that do this that don't permanently record your information and just go on a session-by-session basis. If you even have the capability of differentiating what tracking is occurring (which is nearly impossible in the first place) where does the line get drawn?
Well, back to rejecting software patent applications.
So how exactly are websites going to keep track of who has opted out of being tracked?
"To affirm that you do not consent to appearing in a list, please add your name to this list."
DRM: Terminator crops for your mind!
The major players will just create entities outside of the FTC's jurisdiction; what the hell is the FTC going to do?
Surf behind a proxy or a large NAT, and use your browser's "incogneto" or "private browsing" mode frequently.
-A
You have to register yourself on a big public list in order to prevent websites from tracking you.
I swear to God...I swear to God! That is NOT how you treat your human!
So I get to trade being tracked by people that want to sell me cookware for being tracked by the federal government?
Why don't they want me to opt out on Thursday ?
I came here to say this. Me: "Don't track me." Them: "Thanks for visiting our website! In order to know whether or not we should track you, please tell us who you are." In order for this to work, the web would have to abandon any pretense of anonymity. Which do you think is the lesser of two evils? I know where my vote goes.
I'm not saying that tracking you on the web isn't offensive, just that it's fundamentally different than calling you specifically and wasting your time, or sending you junk mail. If we're going to address web tracking, why not address all the ways that marketers gather data on people? A big one is stores tracking what you buy, even if you don't use one of their loyalty cards, because they can track based on your credit/debit card number.
This "opt out" crap is why I deleted my Facebook account.
Make it "opt in" so I don't have to deal with all the BS involved with opting out.
So basically we can opt not to be tracked by the companies who actually decide to follow an optional opt-out list? Doesn't that mean I'm only opting out of the companies I'm least bothered about? Worse, make being a (relative) good-guy even less profitable?
Without legislative backing it's at best toothless and at worst counter-productive.
Even legislative backing may be prone to unintended consequences as companies leave for less regulated shores. However I'd expect there would be more of a positive influence as the field is levelled at least among the US companies, and US websites can be made liable for their advertiser.
On the whole though I think it's best left to a technology driven response to consumer demand. Like say, Ad Block, NoScript, Ghostery, Better Privacy... Admittedly it is a bit of a nuisance that there isn't one that combines the best of these, but at least they're largely opt-in (if using available lists).
More to the point perhaps, if every interweb newbie out there is blocking tracking (where I gather most of the ad-money is derived) then who's going to fund all the websites I'm freeloading on?
I suspect this list would also be used be used by various agencies to flag people who are engaged in "undesireable" activity. "Only those with something to hide will be using the Do Not Track" feature.
*sigh*
This all at the same time that they are requiring ISP's to keep 2 year records of IP logs.
So how does this new "Do Not Track" bill merge with the other bill. I presume that everyone will just sign up under the 2 year bill and say "we need to keep records" and are thus exempt from the DoNotTrack feature.
The Internet Stopping Adults Facilitating the Exploitation of Today's Youth (SAFETY) Act of 2009 also known as H.R. 1076 and S.436 would require providers of "electronic communication or remote computing services" to "retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user."[22]
Just another ruse in the shape of "privacy". All of the laws do not protect us from the one entity that we should *really* fear with regard to the privacy.... the government.
Yeah. I can't think of a way to make this system work, except using a database which would constitute the kind of personally-identified tracking system that it seeks to prevent. In order to get website maintainers to comply with these rules, the government would have to provide them with exactly that data which they're being forbidden to collect, and then, I don't know - put them on the honour system, make them pinky-swear not to use it for anything but the intended purpose? Is that the plan?
DRM: Terminator crops for your mind!
Grow some balls, man!
I don't want to be tracked. Unfortunately i don't like where this is going either. This isn't like a do not call list where you can register a distinct end point and prove that someone called you when you were clearly on the list. The tracking isn't based on a hard identification. It's a fuzzy id. They are trying to aggregate actions made by some checksum built out of whatever info you can get from a client of a web app. How can either side prove that you are or are not that checksum?
What exactly are we proposing? A law stating that you can't save publicly observable data about the users of your site? What goes on the do not track list? How is this enforced? Regular raids that compare data to some master database of browser configurations? That still puts me in the same situation of having to tell some government body what software i'm running at any time. If i'm one of the really paranoid users, i'm probably going to try to obfuscate my signature anyway so when i suspect someone might be tracking me in a non personally identifiable way, how can i prove it.
I'd rather see legislation around what kind of information is required to gain access to my finances. For example: a checksum of browser plugins and my name should not be enough to get a credit card.
AdBlock?
This could be just as effective as the evil bit. It seems to be based on the same ideals.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
How do we know that some reasonably intelligent marketing pusbag won't find a way to use the FTC's "Do Not Track" list in a manner contrary to its stated intent?
I write sci-fi for metalheads
A while back I worked on what was going to be a local newspaper's first website, so I got to learn a bit about their business. Their 'dirty little secret' was that, while the newspaper could rightly say that their free paper reached over 95% of all households in the county, and that the actual readership was quite high (IIRC something like 70%), they _never_ publicized the probability that an ad on Page X would be seen by anybody. The probability was very close to zero, except for certain specialties like the front of the weekly car ads section, and parts of the classifieds. They actually had some numbers, such as what percentage of households actually opened the paper, actually looked at the first page of the sport section, etc. But none of that was given to the advertisers.
Web tracking has changed the old saying "I know I'm wasting 1/2 of my advertising money - I just don't know which half!", possibly forever.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
I think this is a great proposal as with all tracking tools whether by google, yahoo, doublick, youtube, the list goes on....it is imperative that a) we be accorded a way to avoid being tracked, and b) by doing so will lighten the traffic on the web immensely!!!, as such bandwidth to track what everyone is doing must cost some petabytes in bandwidth for both ISPs and also big tracking cos (like google)
Imagine if google had half their users lock in a flag stating no tracking for me.....they would have much less data to store and
analyze, and also a lot less bandwidth used up....might make the internet much less taxing to surf again.
What about the other days of the week?
I cant see this ever working, in fact the very act of opting out of tracking makes you more easily trackable.
Opt in won't work. Not enough people will do it to keep contextual ads flowing. Opt out might work, but not one that is all-or-nothing. Tracking is done by the site you are visiting and across sites by the ad networks. The former is critical to make the site suck less. The latter is the problem people are concerned about. Products you look at on site A turn up as ads on site B. The online ad market is worth 10's of billions and is not going to be quieted easily. Ads in context work so much better, and are therefore worth much more. It is hard to fight the strong flow of money, especially when it has a chance of helping the economy. Admit it or not - advertising works.
While it's entirely possible for something like this to happen and the FTC to use large fines to make US companies avoid some tracking, tracking provides LARGE benefits to businesses.
I'd immediately expect many ad networks to host their ads from oversees so they could claim not to be under the jurisdiction of this law. How will the FTC stop that? And what if Google Ireland decides to host all the Google ads? Are you going to go after the parent company?
This is a nice idea that seems completely unenforceable.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Can we enforce it against the NSA?
-molo
Using your sig line to advertise for friends is lame.
Riiiiiight. Sure.
This feigned concern about online privacy is just a political chain that policitians and government bodies yank in order to appear to care about individual rights.
There is nothing that the State craves more than to track every move of every citizen.
To make this work, wouldn't people have to be on a system where they'd lose their anonymity online? How else could they guarantee who's on a "do not track me" list without knowing who you were when you were online?
Well, that and the ubiquitous clear cookies on exit.
The Feds should allow us to sign up for a few more lists:
We could all then, of course, profit!
'do not call' works because its meaning is clear and I can easily detect if it's violated (someone calls me, duh). But browsers cannot effectively 'stop' tracking unless they refuse to load URLs that appear 'personalized', change IP address very often, refuse cookies, and so on, and probably not even then. And if the site continues to manage to track me, and correlate that tracking with other activity, how do I know? Unless the data comes back to me, I probably don't.
Again, the US government agencies display how clueless they are. This is just like considering encryption software "munitions." If the USA bands it, then tracking will simply move off-shore to avoid the laws just like building of encryption software did and telephone marketers did.
I'd rather they allow tracking with opt-out that doesn't require the use of cookies and mandates expiration of all data captured after 12 months regardless of opt-in or opt-out status.
Except the government will give itself an exemption and track everyone.
All cookies are based on what you decide to accept/not accept.
Why do we need government regulation to solve a problem that's already been solved?
And the Google advertising bubble bursts.
Okay, so it probably isn't quite as accurate, but how would this play against the things that webmasters need but which can also be used for tracking - i.e. Apache log files and the like? I can do all sorts of path following and user tracking with logs if I wanted, just by analysing the log files from a normal server. It won't be quite as accurate as something tracked with a cookie, but then even cookies aren't bullet-proof.
Either they've overlooked log files, or they're going to need some really weird standard that gets tracked in a log file so that people can analyse them after the fact without analysing the people who don't want to be tracked...
If observing it would be mandatory [...]
Hi, I'm a non-US company. I'm going to track you american consumers, and there is nothing your government can do about it, unless it wants to violate my country's national sovereignty, which we know from the history it would neve---oh crap :\
Seriously, are you going to include this in extradition treaties?
Will this be as useful, as enforceable, and as successful as the "Do Not Call List"...
If so, I fail to see the point in such a creation.
I've been working on a FF plugin to address this problem. It's pretty simple. Basically unless you set it otherwise if the http request does not match the domain in the url address bar no cookie is sent. Again, unless you specify otherwise. The important tick is that the new cookie which comes in the response is saved by the plugin and used until you close that window after which its deleted. If enough people use the plugin it should result in a huge amount of semi-valid but ultimately useless tracking data reducing the SNR of their mining operations. Therefor, even people who don't use the plugin will get some protection from those who do. Once my finals are over I'm gonna dump a few weeks of dedicated dev time into this. Hopefully, I'll have it working by end of Feb.
Hm... title for a new Youtube video...
Don't track me, bro!