Timothy Lee on the FTC's Do Not Track Regulations: "The devil is in the details of what it means to track you."


At a Senate Commerce Committee hearing on Wednesday, the Obama administration announced its support for broad online privacy legislation to be enforced through the Federal Trade Commission. At the same hearing, FTC chief Jon Leibowitz made the case for creating—perhaps through federal mandates—a "Do Not Track" protocol to allow web users to opt out of certain types of online ad tracking.

But writing and enforcing a Do Not Track rule may not be a straightforward affair. Earlier today, I spoke with Cato Institute adjunct scholar Timothy Lee about the reasoning behind the FTC's proposal, why people think online ad tracking is creepy, and why creating a Do Not Track rule could be more complicated than its backers seem to think.

Peter Suderman: The FTC says that they're trying to help people who are online protect their own personal privacy. Can you just tell us what the specific problem is that the FTC sees—what it's trying to solve?

Timothy Lee: That's a good question. It's actually one of the open questions about this debate. I think people have a vague sense that it's bad for companies to be following them online—which just means having a database where the company knows someone went to CNN, went to Google, went to Amazon, can see what pages someone was on, that sort of thing. There's a relatively wide consensus that there's something kind of creepy about that. But there's not been a lot of really good thought about why that's creepy, why we actually object to it, and what we would like to have be different to make it not creepy.

PS: FTC is pushing something called Do Not Track, where the basic idea is that anyone browsing the Internet can choose to opt out of certain types of online tracking. Can you explain more about what that is and how it might work?

TL: The technical mechanism is pretty well defined. Whenever you access a website, your browser sends a request that has what are called headers, and one of the headers you can send is a little thing that says "do not track," and it's either on or off. If the server sees do not track is on, under regulations that might be enacted by Congress or the FTC, the server would be required to not track you—whatever that means. The devil is in the details of what it means to track you.

PS: How does Congress or the FTC actually decide what constitutes not tracking?

TL: There are a number of proposals out there. But it's really not clear. The paradigmatic case that they're upset about is behavioral advertising. This is primarily targeted at companies who follow you around online. They know which websites you've gone to, and based on your profile they serve you ads that they think are better targeted because they know your browsing behavior. 

It is important to distinguish this from contextual advertising, which is advertising that just looks at the content of the page you're on, but not the previous page you were on. With the behavioral advertising, what I think is the goal is to give users a way to opt out of that, in a user-friendly way.

PS: So contextual advertising would not be affected by the regulation?

TL: That's right. The goal is to create regulations about behavioral advertising, which is advertising where you're targeted based on previous browsing. 

But if you talk to people who are for this idea, most of them say this isn't just about behavioral advertising. That's what has everybody's attention, but there is a general sense that there are other things that companies do, might be doing now or be doing in the future, that have the same character of having a third party track you across sites. Their goal is to have general regulations that address all those types of tracking.

PS: Is there really a problem with targeted advertising and the tracking that goes along with it, with websites gathering information from visitors, because to me I look at this like sites being like good salesmen. You know, they look at the info that they can see about me, and they tailor their suggestions accordingly. When I run into a salesman in a store what I actually want is for him to work to find what's best for me.

TL: That's absolutely one of the legitimate objections to this idea. It's not clear that consumers don't want this kind of targeted advertising. Certainly the contextual advertising—which is a little bit less targeted but still targeted—I think there's pretty clearly a benefit to both users and companies. Users see fewer ads, and companies get higher click-through rates. In theory I don't see why the same argument couldn't apply for behavioral advertising.

I think the primary thing that people are worried about is the sort of loss of anonymity. This is something libertarians should be genuinely sympathetic to. One concern obviously is that once [online advertising firm] DoubleClick or some company has this massive dossier on every website you've accessed, the government can go to that and say "Hey, we want all your records on this individual." And the more comprehensive those records are, the more useful they are to the government. So maybe a better approach is to have better protections against being required to give information to the government.

PS: Is this at all like the Do Not Call list, where marketers can't cold call your phone if you put your phone number on a list? The name is similar. Is it also similar in the way it's going to work?

TL: It's really not. So obviously Do Not Call is the most successful government program in history in terms of popularity and political support. And so there were early proposals that involved just some kind of list, where you put your name or IP address on some list. But the actual mechanism is very different. There is no list. There is no set registry of people you aren't allowed to track.

PS: The FTC has said that it wants the Do Not Track regime to be "effective and enforceable." Are there going to be penalties for websites that don't play along, or perhaps just have technical troubles? It seems like this could get very complicated.

TL: At least for web browsing, I think the technical mechanism is straightforward. The kind of concerns you raise are really important on the server side, where especially if you don't have a real clear definition of what counts as tracking, then you have the question: Well, how do we know if companies are engaging in quote-unquote tracking. That's not something you can tell from the client side. It's something you can only tell by knowing what's going on behind the scenes.

You could perhaps have some regime where the FTC audits source code, or you could have some sort of transparency mandate to go along with the regulation. But I think these are the big questions. How do you define what counts as tracking? And how do you verify that the companies are actually following the rules?

Part of the difficulty is that there are a lot of very small companies that are web startups, that are developing interesting new products. So I think it's important to think about whether this rule is going to be simple enough that these kinds of companies comply with this, and probably more importantly, are there interesting and useful business models that we would be inadvertently foreclosing by having overly broad definitions.

PS: So there's a potential chilling effect on web businesses where there could be potentially valuable products that might not be available thanks to regulation like Do Not Track? 

TL: I think that's true. Obviously it depends on your definition. But given that we can't predict the future, there is a danger that in the future someone will come up with a business idea that would be useful, that consumers would like, but it's not allowed, or is in a legal gray area with Do Not Track regulations.