The state of 'Do Not Track' on the internet

Burning questions: Will the ambitious privacy standard for Web surfers be effective?

Users concerned with online privacy have been struggling for years to come up with a solution to being tracked on the Web. Such users either want to avoid irritating, targeted ads based on browsing history or are concerned about businesses having too much access to our personal information.

Historically, each new workaround to escape tracking online -- such as deleting cookies or enabling private browsing modes -- is met with new and more effective forms of tracking, such as the much-harder-to-delete flash cookies. The situation may be changing, however, with a new standard that has been making some significant headway in the past few months.

The Do Not Track standard, created by researchers at Stanford University, is a simple solution that has found its way into new and forthcoming browsers -- the recently released Mozilla Firefox 4 and the final version of Microsoft Internet Explorer 9, due out in soon. The promise of Do Not Track is the hope that users could opt out from all online tracking with one click. The concept has been under discussion in Congress and by the Federal Trade Commission.

How Does 'Do Not Track' Work?

By checking a box in either browser's preferences, Do Not Track adds a message to your http: headers confirming that you don't want to be tracked. (That checkbox will be available only in the final version of IE 9.) These headers are already sent with each request for information you make to any site, thus ensuring that any site that tracks you gets the message. The hope is that Do Not Track will let users quickly and easily opt out of all online tracking at once, instead of forcing them to find solutions for each type of tracking individually.

Unfortunately, it's not that simple. Do Not Track's current flaw is also what makes it so easy to use. Once you've flagged yourself as unwilling to be tracked, it is up to individual Websites to honor your request, and that creates quite a few problems. Hardly any site is complying with the Do Not Track requests -- but new federal legislation proposed in Congress in the wake of the FTC's call for a Do Not Track system promises to change all that. However, predictions abound that Do Not Track could have larger, undesirable consequences.

The End of the Free Web?

Advertising makes up a significant revenue stream for plenty of sites on the Internet that provide free content (including, and Do Not Track throws a serious monkey wrench into a certain type of targeted advertising. Exactly how serious a problem Do Not Track could cause depends on who you ask: Industry trade groups are very critical of Do Not Track legislation, and you'll find no shortage of doomsday scenarios suggesting that the passage of this type of legislation will destroy the advertising revenue that funds most free content online and put an end to the Internet as we know it.

The idea is that -- without the financial support provided by targeted advertisements -- ad-supported sites will no longer be able to sustain themselves, and that the buffet of free content that has been available to users online will therefore disappear.

While Do Not Track is likely to have some economic consequences, these predictions seem seriously overblown. Jonathan Mayer of Stanford Law School's Center for Internet and Society has suggested that Do Not Track's effect on advertising will likely be far smaller than predicted. The behavioral advertising that the Do Not Track law would affect constitutes only about 4 percent of advertising online, according to Mayer -- which makes the odds rather low that the content you like to read online would be targeted. In addition, if a site really depended on such behavioral advertising for a large proportion of its revenue, it would be relatively simple for the site to request, or even require, users to allow tracking before they entered the site.

Online tracking is an important tool for advertisers, but it's hardly the only one. Rainey Reitman, Activism Director for the Electronic Frontier Foundation, thinks Do Not Track might let users who are concerned with privacy but who want to support advertising-based sites have it both ways. "The way things are today, the only reasonable method a consumer has to protect her online privacy is to block most of the advertisements on the Internet," Reitman says. "Do Not Track offers a way for users to protect their privacy in a meaningful way without just blocking all advertisements."

Would Tracking Move Underground?

A second, less hyped concern with Do Not Track legislation is that we might be targeting the wrong people. As blogger Jared Newman noted in "Do-Not-Track in Chrome and Firefox: Different Approaches, Same Fatal Flaw," Do Not Track, even with legislation in place, affects only those sites that play by the rules. Users could end up punishing sites like Google that traffic solely in comparatively harmless advertising, while giving free rein to sites that have fewer scruples about using your online information.

This is a real concern with systems where compliance by trackers is voluntary. But it's also important to remember that Do Not Track doesn't exist in a vacuum. Microsoft, for instance, will package Do Not Track with a tracking protection list, a feature currently in the IE 9 beta that lets users manually exclude content from suspicious sites. These two solutions in IE 9 do a great job of complementing each other. While Do Not Track passively opts you out of most tracking, the protection list actively excludes those sites that don't play by the rules.

It's also important to remember that Do Not Track isn't an all or nothing solution. If you want to support more reputable sites that still engage in tracking, the standard lets users manually allow some sites to track them. So, if you feel that a site like Amazon or Google actually provides value to you when it tracks, you can let it do so without losing your protection against other sites.

What Will 'Do Not Track' Change for the User?

If we get national Do Not Track legislation, what changes are end users likely to experience? The EFF's Reitman says that most users probably won't notice much at first. "What you have to remember is that Web tracking as we know it today is insidious in large part because it's invisible. [...] So, just as the problem is in itself hard to spot, the solution will be subtle -- most people who enable Do Not Track won't notice a huge difference in their online reading experience."

Do Not Track is far from a perfect solution to online privacy, but it's an important step in the right direction for concerned Web users. When combined with other solutions -- like tracking protection lists -- it promises to help protect your privacy without seriously affecting your browsing online.

Join the CSO newsletter!

Error: Please check your email address.

Tags U.S. Federal Trade CommissionapplicationsMicrosoftsecurityonline privacybrowserssoftwareInternet ExplorermozillaFirefox

More about Amazon Web ServicesBillEFFElectronic Frontier FoundationFederal Trade CommissionFTCGoogleMicrosoftMozillaNewmanStanford Law SchoolStanford University

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Daw

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts