Yesterday I attended the first day of the face-to-face meeting of the W3C Tracking Protection Working Group (do-not-track for short) in Brussels. This was first time I’ve attended. While I certainly understood that the intent of this group is to balance the privacy rights of users with the needs of business, I was nevertheless taken aback at how far the scale tips in favor of business.
The key idea of do-no-track is simple: If a user opts-in to do-not-track, his or her browser sends a signal to the website that the user does not want to be tracked. The main debate in the working group surrounds the question of what the website and its advertising partners can and cannot do upon receiving this bit. My take-away from the meeting is that do-not-track pretty much means that they can track you just enough to serve the purposes of sending you non-behavioral ads, but no more. You might ask, if ads are non-behavioral, why is tracking necessary at all? Part of the answer is “frequency capping”. An advertiser only wants a given user to see an ad so many times, even on different websites. So the ad network needs to keep track of “you” (your cookie) to insure this. Another part of the answer is to defend against click fraud.
Given that the room had a number of privacy advocates present, I was surprised that nobody pushed back on this, suggesting instead that if you can’t do even non-behavioral advertising without tracking, then just maybe you shouldn’t send ads at all. But maybe this was hashed out and rejected in earlier meetings.
Bottom line: do-not-track does not mean no tracking. It should be renamed “do-not-target”. If you don’t want to be tracked, you need to protect yourself by blocking tracking cookies at the browser. If you use Microsoft IE9, you can do this by turning on the Tracking Protection List feature. If you use a different browser, you can install one of the several browser extensions that block tracking cookies: AdBlockPlus, Ghostery, or Abine, to name three.