Internet

Timothy Lee on the FTC's Do Not Track Regulations: "The devil is in the details of what it means to track you."

|

At a Senate Commerce Committee hearing on Wednesday, the Obama administration announced its support for broad online privacy legislation to be enforced through the Federal Trade Commission. At the same hearing, FTC chief Jon Liebowitz made the case for creating—perhaps through federal mandates—a "Do Not Track" protocol to allow web users to opt out of certain types of online ad tracking.

But writing and enforcing a Do Not Track rule may not be a straightforward affair. Earlier today, I spoke with Cato Institute adjunct scholar Timothy Lee about the reasoning behind the FTC's proposal, why people think online ad tracking is creepy, and why creating a Do Not Track rule could be more complicated than its backers seem to think.

Peter Suderman: The FTC says that they're trying to help people who are online protect their own personal privacy. Can you just tell us what the specific problem is that the FTC sees—what it's trying to solve?

Timothy Lee: That's a good question. It's actually one of the open questions about this debate. I think people have a vague sense that it's bad for companies to be following them online—which just means having a database where the company knows someone went to CNN, went to Google, went to Amazon, can see what pages someone was on, that sort of thing. There's a relatively wide consensus that there's something kind of creepy about that. But there's not been not a lot of really good thought about why that's creepy, why we actually object to it, and what we would like to have be different to make it not creepy. 

PS: FTC is pushing something called Do Not Track, where the basic idea is that anyone browsing the Internet can choose to opt out of certain types of online tracking. Can you explain more about what that is and how it might work?

TL: The technical mechanism is pretty well defined. Whenever you access a website, your browser sends a request that has what are called headers, and one of the headers you can send is a little thing that says "do not track," and it's either on or off. If the server sees do not track is on, under regulations that might be enacted by Congress or the FTC, the server would be required to not track you—whatever that means. The devil is in the details of what it means to track you.

PS: How does Congress or the FTC actually decide what constitutes not tracking?

TL: There are a number of proposals out there. But it's really not clear. The paradigmatic case that they're upset about is behavioral advertising. This is primarily targeted at companies who follow you around online. They know which websites you've gone to, and based on your profile they serve you ads that they think are better targeted because they know your browsing behavior. 

It is important to distinguish this from contextual advertising which is advertising that just looks at the content of the page you're on, but not the previous page you were on. With the behavioral advertising, what I think is the goal is to give users a way to opt out of that, in a user-friendly way.

PS: So contextual advertising would not be affected by the regulation?

TL: That's right. The goal is to create regulations about behavioral advertising, which is advertising where you're targeted based on previous browsing. 

But if you talk to people who are for this idea, most of them say this isn't just about behavioral advertising. That's what has everybody's attention, but there is a general sense that there are other things that companies do, might be doing now or be doing in the future, that have the same character of having a third party track you across sites. Their goal is to have a general regulations that address all those types of tracking.

PS: Is there really a problem with targeted advertising and the tracking that goes along with it, with websites gathering information from visitors, because to me I look at this like sites being like good salesmen. You know, they look at the info that they can see about me, and they tailor their suggestions accordingly. When I run into a salesman in a store what I actually want is for him to work is to find what's best for me.

TL: That's absolutely one of the legitimate objections to this idea. It's not clear that consumers don't want this kind of targeted advertising. Certainly the contextual advertising—which is a little bit less targeted but still targeted—I think there's pretty clearly a benefit to both users and companies. Users see fewer ads, and companies get higher click-through rates. In theory I don't see why the same argument couldn't apply for behavioral advertising.

I think the primary thing that people are worried about is the sort of loss of anonymity. This is something libertarians should be genuinely sympathetic to. One concern obviously is that once [online advertising firm] DoubleClick or some company has this massive dossier on every website you've accessed, the government can go to that and say "Hey, we want all your records on this individual." And the more comprehensive those records are, the more useful they are to the government. So maybe a better approach is to have better protections against being required to give information to the government.

PS: Is this at all like the Do Not Call list, where marketers can't cold call your phone if you put your phone number on a list? The name is similar. Is it also similar in the way it's going to work?

TL: It's really not. So obviously Do Not Call is the most successful government program in history in terms of popularity and political support. And so there were early proposals that involved just some kind of list, where you put your name or IP address on some list. But the actual mechanism is very different. There is no list. There is no set registry of people you aren't allowed to track.

PS: The FTC has said that it wants the Do Not Track regime to be "effective and enforceable." Are there going to be penalties for websites that don't play along, or perhaps just have technical troubles? It seems like this could get very complicated.

TL: At least for web browsing, I think the technical mechanism is straightforward. The kind of concerns you raise are really important on the server side, where especially if you don't have a real clear definition of what counts as tracking, then you have the question: Well, how do we know if companies are being engaging in quote-unquote tracking. That's not something you can tell from the client side. It's something you can only tell by knowing what's going on behind the scenes.

You could perhaps have some regime where the FTC audits source code, or you could have some sort of transparency mandate to go along with the regulation. But I these are the big questions. How do you define what counts as tracking? And how do you verify that the companies are actually following the rules? 

Part of the difficulty is that there are a lot of very small companies that are web start ups, that are developing interesting new products. So I think it's important to think about whether this rule is going to be simple enough that these kind of companies comply with this, and probably more importantly, are there interesting and useful business models that we would be inadvertently foreclosing by having overly broad definitions. 

PS: So there's a potential chilling effect on web businesses where there could be potentially valuable products that might not be available thanks to regulation like Do Not Track? 

TL: I think that's true. Obviously it depends on your definition. But given that we can't predict the future, there is a danger that in the future someone will come up with a business idea would be useful that consumers would like, but it's not allowed, or is in a legal gray area with Do Not Track regulations. 

NEXT: The Bureau of Prisons Tries Some New Tricks

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. At least they admit there’s a legit argument for not wanting companies to have a massive file about my browsing habits. It’s creepy in the way that it would be creepy if a research consultant from some company followed me around everywhere to see what stores I went into.

    That having been said, being creepy is not being illegal, and just about any rule set up by gov’t can only mean trouble down the road when it (inevitably) begins to get abused. There should be private companies offering products which you can install which block the ability of websites to track you. I’m sure things like that already exist, if there’s consumer demand for privacy.

    1. Generally speaking, when talking about PCs and internet browsing they rarely know it’s “you”. They know that someone at IP 21.17.253.42 has been to a given website, and then with a series of cookies and cache files on your harddrive (which you can clear) they will target advertising to you based on stuff you’ve searched on or looked at recently. There are many numbers of technical ways to get around this. When companies do know it’s “you”, that has largely come about with sites that partner with sites like Facebook, where you’ve already told the internet “Hey, this is ME!!!” and then through crosslinking you sometimes go to a site which says “Hi, JIM” with your little facebook info up in the upper right hand corner. This is why I don’t have a facebook account with “me” on it.

      It does admittedly change a bit with the new revolution in smart phones, however. Your phone can more readily be linked to “you” specifically than even your own PC at home. There’s no technological reason that when your phone visits or performs some network traffic, that the website/service through sharing agreements couldn’t identify you as YOU via linking to your T-Mobile or Verizon account information. This is definitely creepy and I don’t have a ready answer as to how consumers will be protected.

      But the same unintended consequences of government action apply.

      I’d rather just be vigilant, cautious and use my own methods to monitor my own activity and know what I’m sending, to whom and when, then have some bureaucrat with spiffy matching binders do it for me.

  2. I’m sure Do Not Track is going to be every bit as popular as Do Not Call. How many of us find that when we are just sitting down to supper we get interrupted by a pop-up ad. It’s annoying.

    1. Who still has a home phone?

  3. So there’s a potential chilling effect on web businesses where there could be potentially valuable products that might not be available thanks to regulation like Do Not Track?

    Please name or characterize such a product. I believe the concern is that small companies may somehow be unable to comply with, um, weird regulations; but I’m not understanding that from a technical standpoint.

    1. If you define “do not track” in the broadest possible terms, then it’s reasonable that the very definition of “targeted advertising” could be killed, or largely crippled.

      1. With all due respect, how did companies do business before “targeted advertising”?

        1. I’m not sure what your point is. How did companies do business before the telephone, the internet, or email?

          I was merely trying to answer your question. If [guys I’ve never met before or vote for] define “Do not track” in the broadest possible sense, it’s possible that the notion of targeted advertising over the web may be over.

          You may not think much of, agree with, or like targeted advertising, but a lot of companies and a lot of people have a stake in it.

          1. Sorry, Paul. That comment was made — I mean, I made that comment — in haste, and it sounded meaner than I intended. I agree with your points.

            1. No apology necessary. It it’s not Lord of the Flies around here, I’m not I’d know what to do anyway.

              1. ** begins to dance and his laughter becomes a bloodthirsty snarling **

  4. Logistically, this sounds almost impossible to manage the way things work today. Bet it gets killed in Congress.

    1. It is impossible. But never underestimate the government to legislate or ban something through sheer force of will.

      1. With costs to be passed on to consumers. At what point will the friction placed on our economy by our parasitic and overbearing government be enough to kill it?

        1. Decades after we’re North Korea. Decades.

  5. JB Angelina is the best Angelina.

  6. I wonder if Do Not Track is just the camel’s nose under the server’s tent, and will wind up giving the government all kinds of access to the internet, and all kinds of control over how it works.

    But that’s just paranoid li’l ol’ me.

    1. I wonder if Do Not Track is just the camel’s nose under the server’s tent

      Why would they bother… Net Neutrality is the camel taking a dump on the middle of the tent floor.

  7. If you want to see what the marketers think of you, go to the BlueKai Consumer Registry page. http://tags.bluekai.com/registry

    This regulation won’t stop pop ups or ads. It will make the ads you get less likely to be relevant and thus less valuable to marketers. Revenue for content providers will decrease and irrelevant ads will increase.

    There are already private companies working this out, like Evidon. The cookies that identify you are scrubbed of any personal data.

    I work in the online advertising industry at a small company (

  8. SPAM – now that’s an problem the government can solve. If little old me can find these people, then surely the government can find and prosecute them into stopping their predatory practices….. Orvis or Amazon, I’m not so worried about. Good grief.

  9. Let’s be honest. The reason people are worried about online tracking is because they are worried that someone out there knows what sort of kinky pr0n that they are into.

    No one cares if their browsing history to Amazon, Drudge and Reason are tracked. They are terrified that someday they are going to get an e-mail telling them that they had better click on 1000 ads today or their wife will find out all about those videos at youporn.com.

  10. I’m sure Do Not Track is going to be every bit as popular as Do Not Call-s

Please to post comments

Comments are closed.