Online Tracking Trouble


At a Senate Commerce Committee hearing in March, the Obama administration announced its support for broad online privacy legislation to be enforced by the Federal Trade Commission (FTC). At the same hearing, FTC chief Jon Liebowitz made the case for creating, perhaps through federal mandates, a "do not track" protocol that would allow Web users to opt out of certain types of online ad tracking.

Timothy Lee is an adjunct scholar at the Cato Institute and a Ph.D. candidate in computer science at Princeton Univer-sity, where his doctoral adviser consults with the FTC. He argues that writing and enforcing a "do not track" rule may not be a straightforward affair. Associate Editor Peter Suderman spoke with Lee in March.

Q: The FTC says it's trying to help Web users protect their personal privacy. What specific problem is the FTC trying to solve?

A: That's one of the open questions about this debate. I think people have a vague sense that it's bad for companies to be following them online, which just means having a database where the company knows someone went to CNN, went to Google, went to Amazon, can see what pages someone was on, that sort of thing. There's a relatively wide consensus that there's something kind of creepy about that. But there's not been a lot of really good thought about why that's creepy, why we object to it, and what we would like to be different to make it not creepy.

Q: How would a "do not track" system work?

A: The technical mechanism is pretty well defined. Whenever you access a website, your browser sends a request that has what are called headers, and one of the headers you can send is a little thing that says "do not track." It's either on or off. If the server sees "do not track" is on, the server would be required to not track you—whatever that means. The devil is in the details of what it means to track you.

Q: How does Congress or the FTC decide what constitutes tracking?

A: There are a number of proposals out there. But it's really not clear. The paradigmatic case that they're upset about is behavioral advertising. This [effort] is primarily targeted at companies who follow you around online. But if you talk to people who are for this idea, most of them say this isn't just about behavioral advertising. Their goal is to have a general regulation that addresses many types of tracking.

Q: Is there really a problem with targeted advertising and the tracking that goes along with it, with websites gathering information from visitors? When I run into a salesman in a store, I want him to find what's best for me.

A: That's one of the legitimate objections to this idea. It's not clear that consumers don't want this kind of targeted advertising. The primary thing that people are worried about is the loss of anonymity.

This is something libertarians should be genuinely sympathetic to. One concern is that once [the online advertising firm] DoubleClick or some company has a massive dossier on every website you've accessed, the government can say, "Hey, we want all your records on this individual." The more comprehensive those records are, the more useful they are to the government. So maybe a better approach is to have better protections against being required to give information to the government.