Is it Time for ‘Do Not Track’?

Josh Hawley, the freshman Republican Senator from Missouri has introduced legislation that would allow consumers to opt out of being tracked on the web. He envisions this as the first major step towards Internet privacy legislation.

You may recall a voluntary version of do not track rules in the US about a decade ago. Many web sites had a Do Not Track button and some big companies like Twitter honored the consumer request to not be tracked. But over time, since there were no penalties for tracking, most web companies began tracking customers and the Do Not Track buttons disappeared from web sites. There are still a few web businesses like Mozilla that offer some protection through their browser. A lot of people now use ad blockers which can cut down on some tracking cookies, but which don’t really stop much of the tracking.

It’s not surprising that the voluntary methods got nowhere since there are gigantic dollars involved now in web advertising. It was recently announced by IAB and PwC that the digital advertising market hit $107.5 billion in 2018, up from $88.3 billion in 2017. Web and cellphones advertising is becoming the preferred way to reach younger consumers. The online advertising market is heavily reliant on targeted advertising that is aimed directly at the most likely consumers for any particular ad – and that requires tracking customers to build profiles of each one of us.

Sen. Hawley proposes the establishment of a ‘Do Not Track’ list that would be the equivalent of the FCC’s ‘Do Not Call’ list. There would be substantial fines for companies that violate the list. The bill suggests fines that create a major incentive to comply – it suggests the minimum fine should be $100,000 with the maximum fine being as much as $1,000 per day per person who is improperly tracked.

There are currently no rules governing how Internet companies track us. Without rules, the big web companies basically track everything they can about us. There are a number of practices that Sen. Hawley points out as being particularly troublesome:
• Google has admitted that Android phones track users even when customers turn off location tracking.
• Facebook tracks people who aren’t part of its platform and creates ‘shadow profiles’ of non-Facebook consumers.
• It’s a widespread industry practice to place cookies and other tracking tools on web site visitors as a way to track customer web browsing. Such data is widely traded on the open data market.

The European Union has struggled with the same problem and introduced an updated version of similar rules that went into effect in May 2018. That legislation gives consumers the chance to opt out of cookies and tracking on every web site visited. Companies that violate the EU rules can be fined the greater of 4% of worldwide revenues from the previous year or 20 million euros.

Interestingly, a lot of consumers won’t opt out of the tracking. I have a friend that employs a staff of programmers in their early 20s and they like the convenience of being tracked. They enjoy having specialized ads aimed directly at them and they think that enhances their web experience. This younger generation grew up with the web and they buy into the idea that the online world is not private. There are certainly older consumers who also like to get relevant web advertising. The purpose of the proposed legislation is not to end the tracking of customers, but rather to allow people to opt out. Perhaps over time, most people will value the benefits of being tracked more than their privacy. Web sites are certainly going to offer inducements to customers who agree to be tracked.

This legislation is only the first step towards a comprehensive set of privacy rules. For example, there are numerous other ways that information is gathered about us, like with the IoT devices in our homes. Many merchants and credit card companies are selling information about our buying habits.  Limiting privacy rules to opting out of web sites is a start, but data gathering from numerous sources is becoming an industry unto itself.

Some Regulatory Shorts

FCC_New_LogoAs to be expected our regulators stay busy regulating. Not all of their decisions have widespread impact, but it’s always worth keeping an eye on what’s going on.

WiFi Blocking: The FCC continues to come down on hard on those in the hospitality industry that would stop people from using their own hot spots in or near hotels or other gathering places. You might recall, last year the FCC fined Marriott for blocking access to guests using their cellphones for WiFi. Marriott is one of those chains that charges extra for WiFi and so they were operating jammers that interfered with the ability of a smart phone to act as a hotspot.

The FCC continued with that theme and recently fined M.C. Dean $718,000 for blocking WiFi at the Baltimore Convention Center. They also fined Hilton Worldwide $25,000 for “apparent obstruction of an investigation” in the case. In August the FCC fined Smart City Holdings $750,000 for using technology at 28 convention centers that blocked cellphone and wireless routers from acting as hotspots.

As somebody who travels and who generally finds hotel WiFi to be inadequate, this is a welcome move. But it’s even more so for groups that rent space in a convention center. Some of those locations charge 6 digits for use of a convention center’s WiFi system, and the FCC is telling the hospitality industry that it is never okay to block WiFi.

Do Not Track Requests: The FCC voted earlier this month to not require web sites to honor Do Not Track requests. The group Consumer Watchdog had petitioned the FCC asking them to force companies to honor such requests. Today web sites can voluntarily honor privacy requests, but only a handful of large web sites do so. The group had hoped that since the FCC had elected to regulate privacy practices for ISPs as part of the net neutrality rules that they might carry this forward to the web.

But the FCC declined to make such a ruling. They said that they are not in the business of regulating ‘edge providers’, meaning the companies that offer web content. I keep an eye on privacy and use web sites that don’t track people whenever I can like the Duck Duck Go search engine. But I am leery about the FCC getting into the business of regulating the behavior of web service providers. When you look at some of the consequences of such actions it’s not necessarily good for anybody. Even in England, which we always assume is a lot like us, the government has proscribed a large list of web content that is off limits unless people opt into them. I personally am glad the FCC doesn’t want to cross that line. I think back to all of the wasted effort they spent on the ‘seven dirty words’ on TV and radio and don’t think we need a repeat of that.

The FCC and Privacy. In what seems like an extreme order, the FCC just fined Cox Communications $595,000 for a security breach that exposed the records of 61 customers. That’s almost $10,000 per customer.

This is the first such privacy ruling by the FCC since this was always under the purview of the Federal Trade Commission until the FCC asserted primary responsibility for regulating ISPs as common carriers. I find the order to be puzzling. The breach was apparently due to a hacker. Cox self-reported the breach and said that they had processes in place that found the breach quickly and that limited it from happening to a larger number of customers. To me that sounds like what companies are supposed to do and I’m not sure that any company these days can be completed immune from hackers. I know we won’t know the details of exactly what Cox did wrong, but it doesn’t feel like this is a case where the punishment fits the crime.

One only has compare this to the way that the very massive data breaches have been handled for companies like Target, J.P. Morgan Chase and a number of other banks, and even from several branches of the federal government. None of them got significant fines and the general thinking is that the market itself provides a lot of punishment in lost business and in the cost of dealing with the data breach. The size of the FCC fine seems out of line, and because of that every ISP ought to be reviewing the way you store and protect customer data. You can’t afford not to, and perhaps that is the message the FCC was making.

 

A New ‘Do Not Track’ Policy

EFFThe Electronic Frontier Foundation (EFF) released a new version of ‘Do Not Track’ which is supposed to provide stronger protection for Internet users. This is something that consumer advocates have been pushing for a long time, so the question is: what does this new standard provide for the average Internet user?

To confuse matters a bit, the EFF is not the only group working on this issue. The W3C group that controls the standards for most Internet protocols is also working on its own version of Do Not Track. But regardless of which of these efforts becomes the new standard there are serious questions about how effective this might be in the marketplace.

Neither of these groups can impose Do Not Track rules on Internet companies, and so compliance with any new standard is voluntary and one has to wonder who is going to implement it. There is a current Do Not Track standard that very few in the industry are following. For instance, the search engine I normally use, DuckDuckGo, follows the current standard and doesn’t track what people search for on the web. You can count on two hands the other companies that currently publicly agree not to track their users.

This is another one of the big tug-of-wars going on in the industry. There are a lot of people who don’t like the idea of web companies tracking their every move and then selling that data to others. A lot of people find targeted ads creepy and feel like the big web companies are spying on them.

And to a large degree they are. Companies like Google and Facebook and many others make a lot of money from advertising and from selling data about their customers to others. These companies feel that if you come to their site that you have waived privacy for what you do on their platform. Big data is perhaps the biggest money maker on the web, and having flocks of people opt out of being tracked would significantly reduce revenues for a lot of web companies.

Here are a few of the major points of the new policy. Honoring a DNT request means:

  • Not collecting information from the user and not placing tracking cookies except with specific permission;
  • Not retaining details of the interaction with the user except in those few cases where data retention is required by law;
  • Information needed to complete a transaction, such as address or credit card number are only retained until the transaction is complete;
  • Users can be given the option to have web sites remember their data. This might be convenient for places where somebody shops regularly;
  • While these rules aren’t binding, existing law says that if a company says they will not track you they must live up to that commitment.

It will be interesting to see if this new round of Do Not Track gets any more industry buy-in than the last version. There certainly is a significant portion of Internet users who would opt out of being tracked if that was possible. However, there is a good chance that a lot of the industry will only give lip service to any voluntary guidelines. They might not send specific ads to somebody who says they don’t want to be tracked but would likely otherwise track them like everybody else.

It would require a change of law to make this mandatory. There certainly are a number of consumer privacy laws that have been enacted, such as the laws that protect medical records. It probably requires an action by Congress to make these protections mandatory. I find it unlikely that big companies like Facebook and Google and many others are going to voluntarily offer this to users. Offering it costs money and the loss of adverting and data revenues would cause a big hit to the bottom line of these companies. They are already seeing big hits from ad blocking revenues and this could be even a bigger hit.

To some degree consumers who really care about their privacy have options. They can use web sites today that promise to not track them. But almost all ecommerce is tracked and today there are not many places you can go on the web that aren’t tracked. Certainly almost all social media sites are tracked. I know I get anywhere from 50 to 200 tracking cookies on my computer each day from fairly light browsing, so there are a lot of companies out there trying to find out more about us.