
Do Not Track (will be its own undoing)

There’s something called “Do Not Track” or DNT for short. You can send this message to web servers as an HTTP request header, and it indicates that you don’t want to be “tracked” — whatever that might mean.

This is all fine as long as everyone is free to completely ignore it and continue on with business as usual. However, the FTC has issued some guidelines for Do Not Track, and laws are brewing that threaten to make these guidelines into legal requirements.

The FTC proposal defines the intended “Do Not Track” policy effect in just a few simple words:

Do Not Track should prohibit all data collection, retention, and use.
–Page 5

That is, of course, totally impossible. Data collection, retention, and use is precisely what it means to run a business online. So an exception is allowed: Specifically, “Exceptions are warranted when narrowly tailored to legitimate commercial interests that substantially outweigh privacy and enforcement interests.”

Ideally, as far as the spirit of the movement is concerned, “tracking” is what they call it when a business remembers something about you, and uses that memory in some future business interaction. So “don’t track me” would essentially mean, “Forget I was ever here.”

Here’s where it starts to get depressing

So, in the very best of scenarios, a DNT visitor would merely be a low-value user, one for which the company’s preferred set of practices are not allowed. Companies would establish a tracking-free data flow for these second-class users, one which allows just enough tracking to prevent fraud, locate errors, and optimize server workloads; but not quite enough tracking to optimize recommendations, improve search accuracy, or increase content relevance. Inbound data would have to be segregated as “Normal” data and “DNT-encumbered” data. Use and retention of DNT-encumbered data is allowed if, and only if, “tailored to legitimate commercial interests that substantially outweigh privacy and enforcement interests.”

Establishing such an alternate data flow would be daunting and expensive to say the least. But normally big changes like this are tied to some business justification. The cost must be offset by a theoretical increase in profit. But in this case, the very purpose of DNT is to prevent the company from monetizing that visit. In other words: the companies would be asked to spend time and money to cater to those few visitors who explicitly want to avoid generating revenue. Companies would have to spend money to make less.

This is a hard sell. The incentives simply don’t line up. By participating, companies stand only to lose. Indeed, the FTC admits that companies would not adopt such a policy without being forced to do so:

Given the diversity of online business models and businesses Do Not Track would affect, and given the consensus-based nature of the relevant trade associations, we believe voluntary comprehensive adoption will not occur.
–Page 13

And if voluntary participation is a bitter prospect, legislation doesn’t sweeten the deal at all. It just makes the bad parts worse. In the face of legislation, DNT-encumbered data isn’t just low-value, it’s now also potentially dangerous. When handling DNT-encumbered data, companies would now have to worry about legal repercussions if by some mistake that data gets mixed with the “normal” data stream.

Opting Out

If DNT never becomes law, then this argument is moot. DNT is dead before it begins.

But if DNT does become law, then laws will reflect the FTC’s timelines, not the readiness of online businesses. Furthermore, even companies that have DNT policies will be vulnerable to legal action if their policy is not “sufficiently compliant,” or if slip-ups occur. So the most sensible course of action for any and every business or site can only be to simply “opt out” of the entire DNT concept as a whole. This is surprisingly simple.

Companies can apply a tiny change to their site that requires users to turn off the DNT header before continuing. This takes no more than 10 minutes to set up, and it guarantees compliance by avoiding the problem entirely. The solution looks like this:

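RewriteEngine On
# Always serve the notice page itself, so the rule below cannot loop.
RewriteRule ^/?dnt\.html$ - [L]
# The condition applies only to the next RewriteRule: requests whose
# DNT header is exactly "1" are rewritten to the notice page.
RewriteCond %{HTTP:DNT} =1
RewriteRule .* /dnt.html [L]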

That’s literally all there is to it. As for the DNT error page, you can expect the text to read something like this:

Error: Your browser is sending a Do Not Track header
While Foo Industries does not track users and will never sell your personal information, due to unfortunate complications with the laws surrounding “Do Not Track”, we can’t display this page to users who have this header set. In order to access this site, please follow the directions below to turn off this setting….

And done. Very few users will actually see this message, and they will only see it once. Problem solved, and business continues as usual. Within a year, DNT usage drops to zero.
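The same gate can be expressed at the application layer. The following is an added example, not code from the original post: a WSGI middleware that mirrors the rewrite rules and also sets `Vary: DNT`, since the response for a given URL now depends on that request header. The names `dnt_gate`, `site`, `fetch` and `GATED_SITE` and the shortened notice text are assumptions made for illustration.

```python
from wsgiref.util import setup_testing_defaults

DNT_PAGE_PATH = "/dnt.html"  # same path the rewrite rules exempt
# Constructed notice text, shortened from the sample error page.
DNT_PAGE_BODY = b"Error: Your browser is sending a Do Not Track header\n"


def dnt_gate(app):
    """Wrap a WSGI app so that requests carrying 'DNT: 1' get the notice page."""
    def gated(environ, start_response):
        # WSGI exposes the DNT request header as HTTP_DNT; only the exact
        # value "1" triggers the gate, like the '=1' RewriteCond.
        dnt_on = environ.get("HTTP_DNT", "").strip() == "1"
        if dnt_on or environ.get("PATH_INFO") == DNT_PAGE_PATH:
            start_response("200 OK", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(DNT_PAGE_BODY))),
                ("Vary", "DNT"),
            ])
            return [DNT_PAGE_BODY]

        def vary_start(status, headers, exc_info=None):
            # The body depends on DNT, so shared caches must key on it.
            return start_response(status, list(headers) + [("Vary", "DNT")], exc_info)
        return app(environ, vary_start)
    return gated


def site(environ, start_response):
    """Hypothetical stand-in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"normal page\n"]


def fetch(app, path, dnt=None):
    """Run one constructed request through app; return (status, headers, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    if dnt is not None:
        environ["HTTP_DNT"] = dnt
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


GATED_SITE = dnt_gate(site)
```

Calling `fetch(GATED_SITE, "/index.html", dnt="1")` returns the notice body, while the same request with no header or with `dnt="0"` reaches the wrapped site.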

This might sound odd: rejecting visitors due to a simple configuration preference. Presumably sites would want to increase traffic as much as possible. But in this special case, the traffic they exclude consists of visitors who not only refuse to participate in monetization, but who also may bring legal action against the site owner if the special treatment is not satisfactory. In other words, these visitors are exceptionally expensive visitors to serve with little return, giving little incentive for site owners to serve them at all. Like a EULA, DNT-blocking protects the company against unnecessary lawsuits at very low cost.

In other words, Do Not Track is doomed no matter how the enforcement shakes out.

Is Google Spying On Us All

Back in 2012, someone posted a question to the IT Security StackExchange site under the title: Is Google Spying On Us All? It contained exactly the sort of uninformed techno-panic that you’d expect from a question with that title. I normally just ignore this type of bait, but I had some time to kill and something to say.

The response below is based on my original answer to that question.

What Sort of Spying?

Advertisers use what information they have to guess what ads you will want to see. In Google’s case, your search history is the best indicator they have, but ad clicks and ad impressions are also considered. In Amazon’s case your purchase and product browsing history is their best indicator, and you’ll probably notice that their suggestions closely mirror your recent history.

My own search and browsing habits tend to favor highly technical content; servers, programming, malware, etc. The ads I see when browsing under that profile therefore tend to also favor technical content: colocation, hosting, software, etc. This is totally Fine By Me™.

When I watch TV, I have to endure a depressing amount of ads about feminine incontinence, retirement homes, and herpes medication. But on the Internet, the ads are all software and servers. Do I think that’s creepy? Hell no. The fewer herpes ads the better, in my opinion.

Control Your Privacy

To be clear: I’m a strong proponent of online privacy. However, I manage my online privacy by controlling the information I make available online. I don’t expect others to maintain my privacy for me; the concept doesn’t even make sense. If you don’t want them to know something, then don’t tell them.

Telling someone your secrets and then demanding that they forget is a recipe for disaster on numerous fronts. From a security standpoint even the idea is absolutely absurd. Privacy is something you create, not something you demand.

If I don’t want a search associated with me, I use a private browsing session. Sure, I could use a service that promises to not remember what I tell them, but I would be an idiot if I were to depend on that promise. Remember Hushmail? Still, I actually prefer to use a service that allows me to craft my own online preference profile so that they can filter out all the crap I clearly don’t want.

Is what Google does Legal?

So far yes. I would hope that it remains so, since the unintended consequences of adding related legislation would be so far reaching and unexpected that it would have devastating consequences for completely innocent Internet users and site operators. Internet regulation reliably makes things worse. So far we have yet to see a counter-example.

Does Google’s Policy Bother Me?

Of course not. If I buy an apple from a market, is it creepy for the vendor to ask me the next day whether I liked my apple? Do I think he’s spying on me? If I tell him I liked it, is it creepy for him to suggest that I buy more apples at a subsequent visit? No, of course not. It’s just good customer service.

If he tells the fruit vendor next door that he thinks I like apples, should that be illegal? Of course not: It’s his information to give, just like any conclusions I make about him are my information to share as I see fit.

Vendors online remember what we tell them just like vendors at your local market. My fruit vendor may remember that I visited his store even though I didn’t buy anything, and yet I don’t assume that he’s spying on me. I’m visiting him, not the other way around. Likewise, when I visit Google, I don’t think it’s spying for them to remember what I ask them.

Private By Association

The biggest problem with online privacy is the implicit and unstated belief that because I connect to the Internet from the privacy of my own home, anything I do on the Internet also happens in the privacy of my own home. This is lunacy. Everything you do on the Internet is absolutely public unless you can verifiably prove otherwise (which you can’t, by the way).

I’m sure your mother once told you to never put in writing anything that you wouldn’t want to see on the front page of the newspaper. It’s old advice that is just as relevant today as ever, and it most certainly applies to email, text messages, Twitter, Facebook, and anywhere else you can state your opinion.

But the same principle applies to your behavior. Everything you do on the Internet is communicated to parties unknown, parties with whom you have absolutely no logical reason to trust your secrets. Even in the privacy of your own home, online activity is public: all of it, always — unless you can prove otherwise.

Privacy must start and end with you. That’s why it’s called privacy.

Yes, you do have privacy. Privacy is not dead, nor is it in danger. But you have to make it yourself, as you always have. By exercising discretion, by watching what you say and what you do, you create your own privacy. If you expect others to do it for you then the extent of your privacy is limited only to the details that no one else finds interesting.