Online advertising has never been more invasive or more inescapable. A single site or app might carry dozens of trackers, building a detailed profile of who you are and what you do online. After Cambridge Analytica and countless other data privacy scandals, the danger of those profiles is clear, but no one in the tech industry or in government seems to know what to do about it.
Now, an old answer to that problem is making a surprise comeback, drawing on years of nearly discarded work. Today, DuckDuckGo CEO Gabriel Weinberg is mounting a new campaign to revive the Do Not Track standard, a privacy system first introduced 10 years ago and largely abandoned by the industry in the years since. Weinberg has developed a draft bill titled The Do-Not-Track Act of 2019, which is aimed at giving the Do Not Track standard a legal force it’s never had before. As he sees it, it’s the easiest single step to undo the tangle of online advertising.
“Do Not Track is one thing that you can do that will opt you out of all the tracking,” Weinberg says. “All that’s really left is to give it regulatory teeth.”
To be clear: it’s a long shot. Weinberg doesn’t have any lawmakers signed on yet, and bills like this have stalled in Congress many times before. As CEO of a privacy-first search engine, Weinberg has an obvious interest in disrupting the online tracking ecosystem. But his main goal in rolling out the bill is to revive interest in a privacy standard that most have given up as a dead letter. You can still set most modern browsers to Do Not Track, but websites largely ignore the setting, with no clear idea of how to follow it. But even though the signal has little practical value, Weinberg’s research suggests as many as one in four web-goers are still sending it by setting their browsers to Do Not Track. People are still opting out; we just don’t know what they’re opting out of.
For Weinberg, that’s where the government would come in. His bill would institute strict rules for how to treat users that use that opt-out setting, and clear penalties for sites and ad networks that don’t follow the rules. “What you need to do,” Weinberg says, “is have the government establish what opting out of tracking really means.”
Under the bill, all third-party tracking would default to off for any user sending the DNT signal. First-party tracking would also be limited to “what the user expects” to limit abuse from services like Facebook that are large enough to be a network unto themselves. There would also be built-in exceptions for network management and research functions, aimed at minimizing the disruption of the new measures.
If Weinberg’s push succeeds, it would be an unexpected revival for the Do Not Track standard. First introduced in 2009, the idea behind Do Not Track is simple: if you don’t want to be tracked by online ads, you should be able to say so, and websites should honor that preference. Modeled after the Do Not Call list for telemarketers, the idea soon narrowed down into a contract between browsers and websites. When contacting a web server to load a site, browsers would now include a snippet of code if the user had opted out of tracking. If a website saw that code as part of your request, they wouldn’t pull tracking information. It was as simple as that.
Crucially, the whole system was meant to be voluntary, with users, browsers, sites, and advertisers all opting into the standard on their own terms. It was a kind of grand bargain, a way of staving off the creepiness of web-tracking without losing that many ad dollars. As with most privacy settings, the assumption was that not many people would turn on Do Not Track, and that having it there would make the whole system feel less invasive.
Around 2012, everything fell apart. It’s hard to pinpoint a specific reason why, but the breaking point was when Internet Explorer decided to set Do Not Track as on by default, which ad networks took to be a violation of the agreement. Pretty soon, sites were altering DNT rules to explicitly ignore any requests made by Internet Explorer, the whole system splintered, and sites got a free pass to ignore it. A string of Do Not Track bills stalled out in 2011 and 2012, and privacy groups mostly moved on.
But after Cambridge Analytica and countless data scandals, Weinberg thinks the path is clearer than it’s been in years. Sen. Ron Wyden (D-OR) included similar language in a privacy bill in November, showing that some lawmakers are still interested in the standard. As more ambitious privacy rules lose momentum in Congress, Weinberg thinks Do Not Track could be an appetizer to more ambitious GDPR-style legislation down the road.
“This is a simpler option that we could pass today,” he says, “and doesn’t prevent a stronger privacy bill in the future.”
Not everyone’s convinced. Most of the groups involved in the initial push for Do Not Track have moved on to other projects, leaving no clear coalition to pick up the torch. World Privacy Forum director Pam Dixon, who was one of the masterminds of the initial standard, now thinks the focus on browser-based protections is too narrow. “I think that instead of pushing Do Not Track, it is better right now to focus on how we can set up a process for a fair and equitable and workable privacy standards setting methodology,” Dixon says. “DNT could be one of those, as well as hopefully hundreds of others.”
Still, Weinberg wants to be sure this new momentum behind privacy doesn’t go to waste. “There is, for the first time this year, a real notion that something could be done because the will of the people is there,” Weinberg says. “Everything follows from the will of the people, so the more people who talk about it to their senators and congressmen, the better.”