The major browser makers have now proposed three very different approaches to give users control over online tracking. Microsoft IE9‘s “Tracking Protection Lists” provide direct blocking of tracking interactions based on lists curated and hosted by independent companies. Mozilla’s Firefox gives the user an option to transmit a constant browser signal asking not to be tracked. Google’s Chrome relies on the current opt-out cookie framework, using a browser extension to make them permanent for companies adopting self-regulatory rules.
These approaches can be compared in light of five factors: Simplicity, Findability, Certainty, Durability and Versatility. Each browser’s approach supports these objectives in different ways, and are not technically inconsistent. In hybrid form, features from the Mozilla and Microsoft approaches can support a Do Not Track framework that provides meaningful user choices while still supporting the Web advertising economy.
The Do-Not-Track choice for Firefox appears in the “Advanced” tools menu (not the “Privacy” tab). In Chrome, you need to find their extension on the Chrome Extensions site. Neither of these can be initiated from a web interaction. Unless the option is presented at first install of the browser or startup for a new session, web users otherwise must become aware of them and seek them out.
Microsoft’s approach, by contrast, allows a choice to be made from within any webpage where a Tracking Protection List is hosted. List curators can host and promote their own approaches. This also allows the preference setting process to be available as part of the enhanced notice and choice framework being offered by the Digital Advertising Alliance. By making that connection, the tracking-control decision can be available in context of the ads and websites where tracking happens.
Simplicity matters for both web users and tracking companies.
For web users, simplicity can be measured by the number of clicks required; the number and complexity of choices offered; and the ongoing effort required to keep choices in place. None of the approaches makes the do-not-track the default setting, which would be the simplest for users but with significant disruption to the online ad economy.
Firefox’s choice is found is found in browser controls, which are opened with two clicks and requires one more click to make a selection. Because the choice applies to any tracking company (current and future), there is no updating required.
Microsoft’s choice is is made not in a browser, but from a link or button on a website. It requires two clicks, one to start the process and one to confirm. List updates are handled automatically in the background. The approach is more complex is the sense that consumers will have multiple choices from different providers; these may be offered or endorsed by familiar organizations, perhaps simplifying a user’s decision.
Chrome’s choice starts on the extension download page, and requires one confirming click. No restart of the browser is required and the choice is immediately effective. However, because the list is not automatically updated in the background, the user must approve an extension update each time a new company is added to the list.
For tracking companies, Microsoft’s basic approach is the simplest to implement; because it works in the browser, companies don’t need to do anything to effect an opt-out choice. More server-side work is required for the Firefox or Chrome approaches, where data collection and use practices are modified for opted-out users. To allow external verification, companies may need to segregate tracking and non-tracking actions on separate subdomains or paths, with separate cookies designated for each.
To the extent curators of Microsoft lists want to allow non-behavioral interactions, like the serving of contextual ads, there will be a burden on tracking companies to segregate these interactions. That could also require server changes and independent auditing.
Any Do-Not-Track approach requires a definition of “tracking” activity. Microsoft leaves this up to list curators. Firefox and Chrome depend on the tracking companies themselves to make this determination, presumably with guidance from industry organizations or regulators. In each case, certainty for web users depends on how well the standard is communicated at the point of choice.
However tracking may be defined, the approaches differ significantly as to the degree of certainty users have about whether their choices are respected. Microsoft’s approach provides the most certainty, by actually blocking browser interactions that can be used for tracking. The Firefox and Chrome approaches do not necessarily block the collection of behavioral information; they rely on tracking companies to see and honor the preference.
Under any approach, tracking companies may still want to collect ad-serving information (e.g. how many times an ad has been shown), but not behavioral data (e.g. which pages were visited). This information may be still associated with a unique cookie identifier. Tracking companies can label their tracking domains or cookies to provide assurance as to how they are used (e.g. those activities can be conducted only on “no-tracking.adcompany.com” and cookies can be labeled “no-tracking” in their name or text). This has the advantage of creating a more explicit promise from marketers to consumers as to what data may still be collected. Compliance can be tested externally through user panels (only “no-tracking” cookies should be seen when the user is opted-out), as well as independent audits of internal practices.
“Versatility” considers support for different user choices beyond a blanket preference against tracking. Actual experience on privacychoice.org shows that over 30% of consumers tend to make tracking choices that are more refined than a blanket blocking choice. If consumers can choose selectively to accept more responsible and accountable tracking, this will encourage better privacy practices. Versatile choices also allow websites and ad firms to make the case for more targeted marketing, and to connect it to free content and services.
Microsoft’s framework is the only one designed to provide both “Allow” and “Disallow” choices. The Firefox and Chrome approaches could be supplemented with customized choices that override a global do-not-track selection. A user could expressly allow targeting by specific companies or kinds of companies, or potentially only on specific websites, with this selection indicated by an overriding cookie.
All three approaches give users “set and forget” choices, which endure even when browser histories are cleared. This corrects a major flaw in the current notice-and-choice framework.
However, durability depends not only on the permanence of settings, but also on how effectively a global choice continues to work as tracking companies come and go. IE9 calls on curators to update Tracking Protection Lists, which means the user doesn’t need to do anything; but this creates a dependency on the curator to keep things up to date.
Chrome handles this by pushing extension updates as new tracking companies join the self-regulatory program. Because Firefox enables a global mandate, no updating or curation by the user is necessary.
An Ideal Approach
Each browser’s approach to Do-Not-Track has strengths, weaknesses and dependencies. An ideal approach could combine the best attributes of the Microsoft and Firefox approaches:
- A binary, global do-not-track signal which must be respected as to activities commonly defined as “tracking.” This provides simplicity and durability for the broadest set of web users, provided that “tracking” can be appropriately defined.
- Settings to control tracking interactions directly in the browser. This provides certainty that choices are honored, with less dependency on server-side compliance.
- The ability for any selection to be made in an web interaction, rather than within the browser setting menus. This makes choices findable in a context where users can best understand their purpose and effect.
- Choices to selectively allow or disallow tracking at the company or website level, as a complement to global settings. This provides versatile choices to afford web users the greatest benefit from their online profile and encourages value exchange with web providers.
- Independent audits of tracking practices which cannot be externally verified. This allows marketers to continue to use non-behavioral data without compromising certainty for consumers.