Why Do Not Track is destined to fail (DNT is DOA)

Privacy. It’s a good idea, right? But what the heck is it?

For quite some time, I was a paranoid nutjob about Google. It irritated the bejeezus out of me that I knew how diligently they tracked everything, aggregated everything, and could really identify me in a digital crowd. Eventually, I rationalized that it wasn’t really a big deal to me that Google knew when I was sick, when I needed repair for my VW (or that it knew what kind of VW I drove), or that it knew where I lived (the origin of many of my maps searches), where I was going (the restaurants, friends, or businesses I visit via Google Maps), what I read (Google Reader), and more. Yes, I was the frog in the boiling pot, comfy at the 190 degree mark as we approach a privacy boiling point and near “the creepy line” as Eric Schmidt might say. It’s gotten even better as Google beats their Google+ drum and works to more closely intertwine their properties, and what each of them knows about you, to refine their advertising.

There is a valiant effort that some are fighting for on the Internet today, a noble cause. The idea? “Do Not Track”, also sometimes referred to as “DNT”. Earlier today a study made the rounds that said most consumers have no idea what DNT is. No kidding. I’ve worked in/around the Internet and security for years, and I can’t define it – at least not as the name stands today. More importantly, I can tell you (and I’ve said for a while) that DNT can’t ever work. At least not the way a consumer would think it would.

Why? To begin with, the Web itself is stateless. HTTP, the protocol underlying the Web, has no idea who you are from pageview to pageview. The whole idea behind cookies (sometimes called “magic cookies”) as Netscape first created them was to try to glue some state to a stateless protocol/medium. By letting sites stick small nuggets of identifying info on your system, cookies allowed sites to identify you from page to page (so you can conduct e-commerce transactions like checkout) or from visit to visit (so you don’t have to log in every time). Handy, eh? If cookies were all there was to tracking anymore, we could just say “Do Not Track” by disabling cookies on a site-by-site basis, or disabling them altogether. But that’s not it anymore.

As the Internet moved from this wild and crazy world where people didn’t care about losing money to one where they at least needed to feign a business strategy, advertising (for better or worse) became a key mechanism to make revenue. Funny thing about ads, though. They suck as a money-making mechanism if they’re not targeted accurately. Google, criticized early on (ironically, as Twitter is today) for not having a clear business plan, latched on to advertising and is inarguably an advertising company, not a search company, today. The data you provide to Google in your searches helps them tune the advertising. As does every visit you make to a site hosting Google Analytics. (You didn’t think Google gave that away to other Web sites in order to be altruistic, did you?) A benign little cookie or two helps Google track you as you skip across the Internet.

But this isn’t just Google. Everybody does it. Yahoo. Microsoft. Facebook. Adobe. Countless companies have tools to track you wherever you go. Think “tossing your cookies” will make you safe? Nope. Panopticlick, from the EFF, should demonstrate how impossibly unique your system is among the millions it has tested. Trust me. You’re trackable, even if you opt out of cookies. Combine the identifiers that Panopticlick uses and your IP address (whether uniquely yours, that of your home network router, or your corporate edge) and there’s plenty to identify you.
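
A small added illustration of the point above (not part of the original post): over a constructed set of eight cookie-less visitors, it counts how many become unique as header values and the IP address are combined, using the bits-of-identifying-information measure Panopticlick reports. All visitor values, field names and function names are made up for the example.

```python
import math
from collections import Counter

# Constructed sample: what a server sees from eight visitors with cookies off.
# Columns: User-Agent, Accept-Language, screen size, timezone offset, client IP.
VISITORS = [
    ("Firefox/10 Win7", "en-US", "1920x1080", -480, "198.51.100.7"),
    ("Firefox/10 Win7", "en-US", "1920x1080", -480, "192.0.2.14"),
    ("Firefox/10 Win7", "en-US", "1366x768",  -300, "203.0.113.20"),  # shared office IP
    ("Chrome/17 Win7",  "en-US", "1366x768",  -300, "203.0.113.20"),  # shared office IP
    ("Chrome/17 Win7",  "en-GB", "1280x800",     0, "192.0.2.55"),
    ("Chrome/17 OSX",   "en-US", "1440x900",  -480, "192.0.2.90"),
    ("Safari/5 OSX",    "de-DE", "1440x900",    60, "198.51.100.31"),
    ("IE/9 Win7",       "en-US", "1366x768",  -300, "203.0.113.20"),  # shared office IP
]
FIELDS = ("user_agent", "language", "screen", "tz_offset", "ip")

def surprisal_bits(count, total):
    """Bits of identifying information in a value seen `count` times out of `total`."""
    return -math.log2(count / total)

def anonymity_sets(visitors, columns):
    """Group visitors by the chosen columns; map each value combination to its size."""
    return Counter(tuple(v[c] for c in columns) for v in visitors)

def report(visitors, columns):
    """Return (visitors who are unique, average bits revealed) for the chosen columns."""
    sets = anonymity_sets(visitors, columns)
    total = len(visitors)
    unique = sum(1 for n in sets.values() if n == 1)
    avg_bits = sum(n * surprisal_bits(n, total) for n in sets.values()) / total
    return unique, avg_bits

if __name__ == "__main__":
    for cols in ([0], [0, 1, 2, 3], [0, 1, 2, 3, 4]):
        unique, bits = report(VISITORS, cols)
        names = "+".join(FIELDS[c] for c in cols)
        print(f"{names}: {unique}/{len(VISITORS)} unique, {bits:.2f} bits on average")
```

In this sample the three visitors behind the shared IP are still told apart by their browsers, and the two identical browsers are told apart by their IPs, so no cookie is needed to separate all eight.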

It’s naive to ever refer to any effort to mediate privacy on the Internet as “do not track”. While we may be able to coerce some large Internet players into actually letting us opt out of tracking to a degree, it won’t happen everywhere, and it won’t ever be clear enough for a non-technical user to understand. This is the privacy equivalent of the dancing pigs problem. A novice user is not clear on what sites they should, or should not, enter personally identifiable information (PII) on, or why they should, or should not, let sites track their activity. With enough work, any site on the Internet (just like Facebook and Google) can tell whether or not you’re a dog (and more).

Rather than driving efforts like DNT, which fundamentally cannot occur (at least not in the way users take the words “do not track” to mean), we’d do a lot better as an industry to drive standards that delineate what types of information a specific site or tracking engine like Google Analytics or Adobe’s Omniture products can collect on you. But even if you throw those back at users, they’ll be overwhelmed. Perhaps the best angle is to reinforce that no activity on the Internet is totally anonymous, and no matter how hard you try, you cannot ever completely prevent being tracked.