Late last week FTC Commissioner Rosch penned a column in which he repeated a number of hackneyed criticisms of Do Not Track. Senators McCaskill and Pryor articulated similar concerns at a recent hearing. This piece sequentially deconstructs Rosch's column and replies to each of his substantive critiques.
I also have serious questions about the various do-not-track proposals. In my concurring statement to the preliminary staff report, I said I would support a do-not-track mechanism if it were "technically feasible." By that I meant that it needed to have a number of attributes that had not yet been demonstrated. That is still true, in my judgment.
Do Not Track raises issues of both technology and policy; it is essential to draw a sharp dividing line between the two. The concerns that Commissioner Rosch expresses relate to business impact. There is now widespread consensus that Do Not Track, implemented as an HTTP header, is "technically feasible."
First, there are a number of consequences if a consumer adopts a do-not-track mechanism. To begin with, a consumer may sacrifice being served relevant advertising.
Users who enable Do Not Track will still see relevant advertising—just not based on their browsing history on other sites. Contextual advertising and non-tracking forms of interest-targeted advertising are unaffected.
On a related note, there is academic research suggesting that in order to compensate for the loss of the ability to track consumer behavior and the associated ability to serve relevant advertising, advertisers may need to turn to advertising that is more "obtrusive" in order to attract consumers' attention.
While a number of pundits have claimed Do Not Track will lead to more obtrusive advertising, I am unaware of any academic research on this point. Given layout constraints and the limited consumer tolerance for advertising, it is difficult to believe many sites will add additional advertising for Do Not Track users. And if sites could add more advertising, why wouldn't they already?
Consumers may also lose the free content they have taken for granted. Not only could consumers potentially lose access to free content on specific websites, I fear that the aggregate effect of widespread adoption by consumers of overly broad do-not-track mechanisms might be the reduction of free content, free applications and innovation across the entire internet economy.
On the contrary, there is substantial reason to believe Do Not Track is no threat to ad-supported businesses. This conclusion is bolstered by the news that thirty online advertising firms are willing to implement Do Not Track.
Beyond that, consumers may forgo the reported ability to earn commissions from "selling" the right to track their behavior or allow the use of their personal information.
Do Not Track allows users to veto third-party tracking; third parties are welcome to respond by offering cash-for-data deals. One of the advantages of Do Not Track is that it creates a market mechanism for negotiating over privacy preferences.
I also wonder whether an overly broad do-not-track mechanism would deprive consumers of some beneficial tracking, such as tracking performed to prevent fraud, to avoid being served the same advertising, or to conduct analytics that foster innovation.
The Do Not Track Internet-Draft accommodates fraud prevention, advertising frequency capping, and aggregate analytics.
Concerns have been raised that do-not-track mechanisms also may have the unintended consequence of blocking tailored content, in addition to advertising.
Do Not Track would not affect first-party personalization (e.g. New York Times recommended reading). It would disallow third-party tailored content, but of course a user could opt back into tracking and personalization by services she trusts.
Second, another issue is potential consumer confusion about the terminology "do not track." As some have pointed out, there is no consensus on what "tracking" means. In fact, I don't know precisely what it means.
Like any technical standard, Do Not Track will go through a number of draft iterations. The standards process provides a clear path to achieving a final, consensus definition of Do Not Track.
Some tracking, for purposes unrelated to behavioral advertising, may always occur. When consumers are offered a do-not-track option, they may misunderstand the limited scope of that choice; and, in some instances, calling a mechanism "do not track" could arguably be deceptive.
Just like Do Not Call, Do Not Track will necessarily have certain exceptions that do not completely align with consumer expectations. First, this is no basis for rebuffing the approach in its entirety. Do Not Call remains immensely popular despite not covering political and non-profit entities. Second, browser vendors are already taking steps to improve their privacy user interfaces. Mozilla has retained Aleecia McDonald, a leading scholar on user-friendly privacy, to consult on its Do Not Track implementation.
Third, I am concerned that the recent rush to adopt untested do-not-track mechanisms might be based, in part, on a reluctance to take on the harder task of examining more-nuanced methods of providing consumers with choice. It is always easier to just say "no" with a blunt instrument, rather than to take the time and effort to consider all of the ramifications of the different alternatives.
A common misconception of Do Not Track is that it is a one-size-fits-all choice. This isn't the case: as I noted in a thought piece for Yale Law's recent symposium on online advertising, nuanced privacy mechanisms can and should be built on top of Do Not Track.
Finally, the implementation of do-not-track mechanisms must not jeopardize competition by injuring potential competitors. I am concerned that some firms with a monopoly or near-monopoly on a relevant market may use do-not-track mechanisms to cripple competitors from constraining their power.
More specifically, the browser market is heavily concentrated. Most -- though not all -- firms in the browser market operate for profit and those firms monetize some of their other businesses by advertising. There is nothing wrong with that as such. But we need to know: 1.) whether any of those firms enjoy monopoly or near-monopoly power in any online advertising market; 2.) whether there is any difference between the advertising in which those firms are invested (including the various kinds and combinations) and the advertising portfolio of competitors that may make the latter more vulnerable in the event do-not-track mechanisms are installed; and 3.) whether there is any other way that a firm that dominates the market may be able to disadvantage a rival if do-not-track mechanisms are adopted.
Here's the concern I believe Commissioner Rosch is attempting to convey: Google, one of the major browser vendors, earns most of its revenue from search advertising and other first-party advertising. If Google were to adopt Do Not Track, it would harm competitors supported by third-party advertising more than it would harm itself. And so Google has an incentive to push Do Not Track in Chrome.
I believe this concern is unfounded. First, as noted above, <a data-cke-saved-href="<a href=" href="%3Ca%20href=" http:="" cyberlaw.stanford.edu="" node="" 6592"="">Do Not Track will not significantly impact advertising revenues for websites. Second, third-party advertising comprises an increasing share of Google's revenue. Even if Do Not Track would significantly impact third-party advertising revenue, Google would not have an incentive to press its adoption unless it could gain a significant business advantage over its competitors that offset those losses—and there's no reason to believe it could. Third, the concern is largely moot: Google has yet to implement Do Not Track in Chrome, let alone encourage the feature's adoption.