As of September 2011, the W3C Tracking Protection Working Group has taken up Recommendation-track work. The formation of that Working Group is a direct result of this workshop.
Almost a hundred participants — representing academia, government, advertising companies, browser vendors and major Web sites — converged on Princeton, New Jersey, hosted by the Center for Information Technology Policy, to discuss recent specific proposals to protect user privacy from ubiquitous Web tracking. In response to recent implementations from browser vendors, a member submission from Microsoft and political pressures from North America and Europe, our goal was to explore Recommendation-track standards for tracking protection at the W3C. More broadly, participants considered pressing privacy issues and debated the proper approaches to address them within technology, standards and law.
Summary and Next Steps
Discussion focused most on the meaning, implementation and enforcement of an expressed Do Not Track preference, though Tracking Protection Lists and other mechanisms were also debated.
Among the diverse group of participants few points went uncontested. Nonetheless, some areas of consensus emerged:
- Participants agreed that time was of the essence in moving forward with standardization of Do Not Track preference expression technology.
- Regarding the applicable definition of tracking, there were no show-stopping objections to a broad definition of tracking with exceptions for certain common practices.
- There was general support for an Interest Group in the W3C to consider privacy issues on the Web on an ongoing basis.
The chairs have concluded that the W3C should pursue chartering a general Interest Group to consider ongoing Web privacy issues and a Working Group to standardize technologies and explore policy definitions of tracking.
Areas of Discussion
Goals and Scope
Workshop participants first considered the goals of tracking protection and the scope that Do Not Track (DNT) and other mechanisms should cover, a theme that would recur throughout the two days. Research presented on user expectations of tracking and "Do Not Track" showed a disconnect between users' understanding and both the current state of technology and proposed mechanisms for tracking protection (Aleecia McDonald presented compelling data (slides), with hopefully more to come). Discussion highlighted the challenge of educating users about ongoing tracking and providing transparency and control.
The second set of panelists debated what should or should not qualify as tracking that users should be able to opt out of. Francis Larkin of Facebook argued for parties with existing relationships with the user (as in the case of social widgets and the Facebook "Like" button) to be exempt. Andy Steingruebl of PayPal (slides) emphasized the need for detailed logging for the purpose of fraud prevention. MeMe Jacobs Rasmussen of Adobe (slides) also brought up the issue of 1st vs. 3rd parties, arguing that 3rd parties contracted to collect data for 1st party purposes (as in analytics) should be understood as 1st parties to the user. In discussion of each of these cases, the question of user expectations loomed large: which existing tracking practices do (or should) users expect, understand and appreciate?
Alex Fowler (slides) explained the reasoning behind, and some preliminary results from, implementing the Do Not Track HTTP header in Firefox 4. He emphasized not taking an anti-advertising stance and enabling communication between the advertiser and the end user. Fowler was also able to report on some implementation experience: 30 lines of code for implementation in Firefox 4, and at least the Associated Press and Chitika have started to recognize the header on the server side. Adrian Bateman (slides) presented the reasoning behind Microsoft's Tracking Protection Lists, emphasizing balance, choice (including an ecosystem of different blocking lists) and innovation. Jonathan Mayer (slides) argued against the necessity of a DOM equivalent to the DNT HTTP header. John Morris (slides) responded to some common past arguments against user privacy preference expression technologies (lack of self-enforcement; difficult UI; blaming the browser; false sense of security; no certain success) in support of a Do Not Track expression mechanism and potentially similar future mechanisms.
Multiple participants (from BlueKai, Datran Media, the Software and Information Industry Association and Yahoo!) argued for a mechanism that would interoperate with behavioral advertising self-regulatory programs and allow for communication between the site and the user about why tracking was happening and its economic consequences.
Finally, the workshop group discussed several issues of granularity. Frederick Hirsch (slides) discussed DAP's work on representing more than just binary preferences (as in Privacy Rulesets) as something to consider in defining a wire format. Harlan Yu (slides) discussed the possibility of an HTTP response header as an "ack" from the server that the preference was received and either followed or not, which inspired some debate about whether such a response would make compliance and enforcement easier or more difficult.
Craig Wills of WPI (slides) presented cases to consider where first parties facilitated leakage of personal information to third parties. Jens Grossklags from Penn State (slides) presented related economics research on how consumers make decisions about informational trade-offs. Thomas Lowenthal of CITP argued that browsers could in some cases improve privacy without requiring user education (with sensible defaults, for example).
Friday morning's first panel, starting with Ian Fette from the Google Chrome team, emphasized the importance of the user experience and user interface to any privacy-preserving technology in this area. Serge Egelman from NIST (slides) discussed the importance of empirical research for developing user interfaces and user interface design patterns that help users understand the implications of their actions, for example by showing sample details rather than just high-level categories in permissions interfaces. Yang Wang from CMU proposed an empirical study comparing different Do Not Track tools and interfaces and how users understand them. Vincent Toubiana (slides) showed a proposal based on AdNostic that could allow users to block tracking based on certain categories.
In discussing standardization of user experience, a common view was that it was difficult or even counter-productive to standardize the user interface. Nevertheless, there was advice that thinking about the implementation of UI and UX in a working group would be valuable: Lorrie Cranor reported that some implementations of P3P had copied and pasted text from the spec that had not been intended for end-user consumption, and so guidelines on interface implementation would be helpful. Bryan Sullivan (AT&T) pointed the group to work done at WAC and the DAP WG on defining permissions that users may accept.
Panels included discussion of both self-regulatory and regulatory compliance. Regarding self-regulation, Jules Polonetsky argued that because opt-out rates may be very small (compared, say, to the number of users that delete cookies) advertising businesses shouldn't fear a usable opt-out technology. Kevin Trilli from TrustE and Andy Kahl from Evidon, despite being market competitors, agreed on the importance of standardization and transparency in order to confirm to users when and how their data is being used; that use of transparency was also highlighted by Wendy Seltzer of CITP. Gil Resh of DoubleVerify argued for industry oversight status as a level of granularity for user choices.
One substantial question was whether a Do Not Track preference would opt out of some collection practices in addition to opting out of use for behavioral advertising. Jonathan Mayer and Aleecia McDonald argued that users would be just as upset with their data still being collected after applying Do Not Track, while Polonetsky argued that collection of data for measurement of advertising was especially important to advertising and that prohibiting all collection would for that reason scare many in the industry. Kenya Chow and Nicholas Petersen from the Samuelson Law, Technology and Public Policy Clinic (slides) highlighted the dangers of "weasel words" or vague exceptions in self-regulatory language that could allow almost anything.
Ed Felten (slides) presented an overview of FTC's role and interest in Do Not Track, including the five desired properties of such a mechanism:
- Is it universal? Would it cover all trackers?
- Is it usable?
- Is it permanent? Does the opt-out expire?
- Does it cover all tracking technologies?
- Does it cover collection in addition to use?
The FTC has not yet taken a position on whether legislation is necessary, but Felten concluded that the FTC would be happy if multiple stakeholders came to an agreement on Do Not Track. Concerning self-regulation, the FTC might be one venue to receive reports of violations of a self-regulatory code of conduct.
Chris Soghoian (slides), formerly of the FTC, presented thoughts on potential security/fraud exceptions to DNT, arguing that in many cases fraud protection would mostly be covered by first-party interactions (like clicking on an ad) rather than third-party tracking across multiple Web sites. Soghoian argued that DNT should provide stronger protections than simply blocking third-party cookies in the way that Apple's browsers do by default. There was some debate over what level of collection or retention was necessary for impression fraud protection. Andrew Patrick from the Canadian Office of the Privacy Commissioner (slides) provided the provocative slide that current Web tracking was breaking the law in Canada and argued against letting trackers off the hook too easily. Rob van Eijk from the Dutch Data Protection Authority (slides) provided input on a potential new EU privacy directive and its relation to Web tracking.
Sue Glueck of Microsoft (slides) introduced standardization by polling the audience on how many technical people (lots) have been involved in policy issues within a technical standards body (many fewer). Glueck also asked whether the IETF's scope included this sort of policy work. Alex Fowler from Mozilla (slides) identified finding consensus, defining outcomes and enabling enforceability as advantages of standardization and proposed that standardization could be divided between IETF (HTTP DNT header and response) and W3C (TPLs and DNT DOM property). Fowler argued that the group of participants had the necessary expertise, but lacked the full range of necessary stakeholders including display advertising, for example, and offered that he could help contact those parties. Peter Saint-Andre gave an explanation of IETF's very open process based on rough consensus and running code and highlighted the similarities between IETF and W3C (including the people involved) and their positive relationship. Thomas Roessler (W3C) and Peter Saint-Andre (IETF) agreed that HTTP headers were an extension point that could be used by specifications defined outside of IETF and that IETF review of such work could be arranged.
Alex Fowler, Jonathan Mayer, John Morris and Wu Chou all suggested some kind of separation of the standardization workflow between TPLs and DNT. Vinay Goel (Yahoo!) and John Morris both suggested that defining the policy meaning of Do Not Track might best be done outside of a technical standards body. Hannes Tschofenig and Thomas Roessler gave examples of standards bodies providing guidance to government policy makers.
In the final session, participants openly discussed the next steps for this process, in terms of scope, timeline and direction.
Initially, regarding definitions of tracking, two "hum" polls were taken. Among three choices for tracking — all tracking; tracking for online behavioral advertising; or some middle ground broad definition with certain exceptions (as in CDT's or EFF's proposals) — participants were fairly evenly divided on which proposal they would prefer to start with. Among the same set of choices, participants were also asked which would be a non-starter: while there were objections to the broad definition and the OBA-only definition, no one responded that the CDT-style proposal was an unacceptable starting point.
There was general agreement that, given the level of interest, work needed to progress quickly, but there was disagreement on whether preliminary work needed to be done in weeks or months. Ashkan Soltani and Alissa Cooper made the point that the feasible length of the timeline depends on the breadth of the scope: a narrower technical proposal could be completed more quickly while a larger policy agreement would take longer.
It was suggested that a Do Not Track proposal needed to be completed very quickly in order to take advantage of the current US legislative session (Alissa Cooper and others) and to have an impact on the US Federal Trade Commission's final report to be published this year. There was also a concern that the window of legislative focus was narrow (one shot only for the next several years) and so proposals should be completely defined and broad in scope. There was some debate over whether a "beta" definition of tracking would be valuable (to have something done quickly and to guide existing implementations) or harmful (in changing underneath implementations).
Thomas Roessler emphasized the importance of developing a world-wide solution, given the relevant ongoing debate in Europe and other regions.
Karl Dubost (Opera) suggested that an Incubator Group could be formed to document existing work and definitions and decide on next steps, and Bryan Sullivan thought a landscape document would be a good first step. There was pushback, however, on only developing an Incubator Group given time pressures and intensity of interest.
Regarding openness, Jeff Jaffe noted that invited experts could be (and have been) used to address the issue of participation and that W3C would work to include advertising and other stakeholders.
There was broad support, suggested by David Singer and echoed by others, for an Interest Group to consider privacy problems on an ongoing basis and spawn specific projects as necessary.