A do-not-track list? It's a start

The FTC's proposal is a potentially useful improvement in our woefully inadequate online privacy

Published December 2, 2010 5:40PM (EST)


Americans have become so numb to the relentless erosion of our privacy that we tend to view even small advances with skepticism, if not outright cynicism. Such is the case with yesterday's Federal Trade Commission proposal for a "do not track" system, whereby people could tell online marketers that they don't want their online activities to be captured and used by websites or online advertising firms.

The FTC's report is just that: a document with no regulatory power. But FTC Chairman Jon Leibowitz told reporters in a conference call that the commission will urge Congress to act if the industry doesn't "step to the plate." I take the need for congressional action as a given, since the online industry's self-regulation has ranged from weak to bogus.

What's best about the FTC's approach is its recognition of reality. It calls for a multilayered approach to enhancing privacy. One piece is to encourage websites and services to build in privacy protection from the ground up. This is laughable, given the industry's record of bolting privacy on later, if at all, not to mention the currently enormous economic incentives to abuse it.

Another principle is transparency: Tell us, in clear language, what you're tracking and how you're doing it. Privacy policies on most websites and services take hundreds to thousands of words, in the densest legalese, to tell us we have no privacy and that's tough. In today's world, sorry to say, clarity would only mean language like this: "We can do pretty much whatever we choose with your data, and you can take us or leave us." Not good enough, either.

The best principle is countermeasures, technical and, perhaps, regulatory. I use a variety of protective plug-ins for my Firefox browser. But I'm under no illusion: The technologists who create the privacy-invading tools are better funded and just as smart as the protectors -- and so far, they're winning the arms race. I would pay for a browser that really, truly blocked the spies or fed bogus data back to them. What I don't know is whether there's a sufficiently large market to support it.

A do-not-track list is a mostly regulatory approach. Saying we want it is a lot easier than making it happen in a way that works as intended and doesn't create massive new privacy problems. For one thing, contrary to some of the commentary about the proposal, it wouldn't be precisely analogous to the hugely popular "Do Not Call Registry" that has greatly reduced those annoying dinnertime phone calls from people pitching crappy products, loser stocks and beachfront property in Kansas. The online tracking, in theory, is designed in part to help marketers pitch us products and services we might actually want, based on what we do online. In a system that worked to preserve real privacy, which the current one does not, that would be the opposite of annoying.

There are many reasons to question whether a do-not-track system could even work as intended. For one thing, as privacy expert Lauren Weinstein has noted, we'd have to create some kind of unique identifier to notify the marketers and digital trackers. Wouldn't this become a ripe target for abuse?

For another, many people are still getting junk phone calls, albeit at a reduced rate, and the callers are using digital technology to disguise their origins; over time they could well make the registry a nice idea that ultimately failed. If we know anything about the people creating the online spying tools, it's that they are ingenious and resourceful. Mere laws and regulations won't end the abuses.

Online tracking, even if the trackers have good intentions, is so worrisome in part because we don't generally have much knowledge of what's happening to us -- and because the online spies are going way beyond the bland assurances we've heard in the past. For example, few people would object to having a news website track what we do on that site. If the New York Times knows what I've read on nytimes.com, it can do a better job of showing me material I might want to see there.

The tracking gets offensive when it crosses boundaries -- and it almost always does these days. As Ed Felten, the Princeton computer scientist who just joined the FTC as chief technologist, explained at Wednesday's event, the potential for harm soars when online trackers create a centralized database, "connecting the dots between consumers' activities at different times and places to build up a profile of what a person has been doing."

The tracking companies, as noted, are clever. Yesterday's Wall Street Journal article on device "fingerprinting" -- essentially creating unique identifiers that can't be removed -- was another example of why we should not trust the tracking companies' bland assurances that they have only our best interests in mind.

The Journal has taken the journalistic lead in looking at this matter. While its seemingly endless series about online privacy has had some glaring flaws -- not least of which the newspaper's too-hysterical tone and tendency to conflate the big abuses with the small ones -- it's also educated me (and I try to, uh, track this stuff) about things I didn't know, such as the fingerprinting advances.

The Journal, which does its own share of online tracking, has another horse in this race, of course. It charges for much of what we can read there, via a paywall that is one of the news industry's only successful such initiatives. Its corporate parent, Rupert Murdoch's News Corp., is pushing its other properties in that direction, with initially pathetic results. Murdoch, meanwhile, has been in full-rant mode for several years about what he sees as the need to end the era of "giving away" the news, or at least trying to pay for online news via advertisements only. So when you read the Journal's series, make sure you have that perspective on its own corporate interests.

But we should recognize a reality in any do-not-track world: To the extent that online spying has been a revenue source for companies providing products (including news) and services, the loss of that revenue will mean A) website investors will get less return on their money; B) we'll get less of what they've been providing us; C) sites will find new ways to attract online advertising that's less targeted to individuals, which would mean more irrelevant ads; or D) we'll pay more directly for what is subsidized today -- most likely some combination of all of those options.

Option D is OK with me. I pay now for the Journal's website and several others (such as Consumer Reports), and would be willing to pay for some others, ideally in a bundle of top-quality information services. I'd expect lots of activity in that vein if real privacy measures ever take hold, but I don't dispute the widely held belief that most people have come to take "free" -- a word that should almost always be enclosed in quotes -- for granted and would be, at best, reluctant to pay directly for what they use.

All I know for sure is that the online trackers are expanding in their invasiveness and creepiness. It's time we pushed back, and hard.

* * *

Some folks did push back, and are continuing to do so, in another privacy attack that got tons of press last week. I'm referring to fliers' outrage at the federal government's deployment of "porno-scanners" in airports, and the deep groping techniques Transportation Security Administration personnel impose on fliers who decline to go through the scanners.

Traditional media latched onto a specific protest movement, in which fliers were urged to refuse to go through the scanners the day before Thanksgiving, the busiest day of the year in most airports. When that ill-advised protest predictably flopped, some media reports declared that Americans didn't care all that much about the invasive nature of the new rules, or not enough, at any rate, to make much of a fuss. And a variety of commentators -- most from traditional media -- lectured the people who had had enough of government encroachments on privacy, or at least this one. "Grow up," they said, as if they were grown-ups and the rest of us were wayward children who needed to be reminded of our place.

We're not kids, and we're not going to let this go. Not only is the effectiveness of these scanners questionable -- and the safety of the newer X-ray machines in sufficient doubt to avoid them -- but the groping is plainly designed, in part, as punishment for people who dare to say no to the scanners.

Once upon a time, journalists challenged government to prove its worth. Today, too many journalists bow and scrape to keep their access to the rich, powerful and influential people who run this country. With too few exceptions, especially in Washington, they want to be members of the club, and their work tends to show it.

By Dan Gillmor

A longtime participant in the tech and media worlds, Dan Gillmor is director of the Knight Center for Digital Media Entrepreneurship at Arizona State University's Walter Cronkite School of Journalism & Mass Communication. Follow Dan on Twitter: @dangillmor.
