Do Not Track (will be its own undoing)

There’s something called “Do Not Track” or DNT for short. Your can send this message to webservers, and it indicates that you don’t want to be “tracked” — whatever that might mean.

This is all fine as long as everyone is free to completely ignore it and continue on with business as usual. However, the FTC has issued some guidelines for Do Not Track, and laws are brewing that threaten to make these guidelines into legal requirements.

The FTC proposal defines the intended “Do Not Track” policy effect in just a few simple words:

Do Not Track should prohibit all data collection, retention, and use.
–Page 5

That is, of course, totally impossible. Data collection, retention, and use is precisely what it means to run a business online. So an exception is allowed: Specifically, “Exceptions are warranted when narrowly tailored to legitimate commercial interests that substantially outweigh privacy and enforcement interests.”

Ideally, as the spirit of the movement is concerned, “tracking” is what they call it when a business remembers something about you, and uses that memory in some future business interaction. So “don’t track me” would essentially mean, “Forget I was ever here.”

Here’s where it starts to get depressing

So, In the very best of scenarios, a DNT visitor would merely be a low-value user, one for which the company’s preferred set of practices are not allowed. Companies would establish a tracking-free data flow for these second-class users, one which allows just enough tracking to prevent fraud, locate errors, and optimize server workloads; but not quite enough tracking optimize recommendations, improve search accuracy, or increase content relevance. Inbound data would have to be segregated as “Normal” data and and “DNT-encumbered” data. Use and retention of DNT-encumbered data is allowed if, and only if, “tailored to legitimate commercial interests that substantially outweigh privacy and enforcement interests.”

Establishing such an alternate data flow would be daunting and expensive to say the least. But normally big changes like this are tied to some business justification. The cost must be offset by a theoretical increase in profit. But in this case, the very purpose of DNT is to prevent the company from monetizing that visit. In other words: the companies would be asked to spend time and money to cater to those few visitors who explicitly want to avoid generating revenue. Companies would have to spend money to make less.

This is a hard sell. The incentives simply don’t line up. By participating, companies stand only to lose. Indeed, the FTC admits that companies would not adopt such a policy without being forced to do so:

Given the diversity of online business models and businesses Do Not Track would affect, and given the consensus-based nature of the relevant trade associations, we believe voluntary comprehensive adoption will not occur.
-Page 13

And if volunteer participation is a bitter prospect, legislation doesn’t sweeten the deal at all. It just makes the bad parts worse. In the face of legislation, DNT-encumbered data isn’t just low-value, it’s now also potentially dangerous. When handing DNT-encumbered data, companies would now have to worry about legal repercussions if by some mistake that data gets mixed with the “normal” data stream.

Opting Out

If DNT never becomes law, then this argument is moot. DNT is dead before it begins.

But if DNT does become law, then laws will reflect the FTC’s timelines, not the readiness of online businesses. Furthermore, even companies that have DNT policies will be vulnerable to legal action if their policy is not “sufficiently compliant,” or if slip-ups occur. So the most sensible course of action for any and every business or site can only be to simply “opt out” of the entire DNT concept as a whole. This is surprisingly simple.

Companies can apply a tiny change to their site that requires users to turn off the DNT header before continuing. This takes no more than 10 minutes to set up, and it guarantees compliance by avoiding the problem entirely. The solution looks like this:

RewriteEngine On
RewriteRule dnt.html - [L]
RewriteCond %{HTTP:DNT} =1
RewriteRule .* /dnt.html [L]

That’s literally all there is to it. As for the DNT error page, you can expect the text to read something like this:

Error: Your browser is sending a Do Not Track header
While Foo Industries does not track users and will never sell your personal information, due to unfortunate complications with the laws surrounding “Do Not Track”, we can’t display this page to users who have this header set. In order to access this site, please follow the directions below to turn off this setting….

And done. Very few users will actually see this message, and they will only see it once. Problem solved, and business continues as usual. Within a year, DNT usage drops to zero.

This might sound odd; rejecting visitors due to a simple configuration preference. Presumably sites would want to increase traffic as much as possible. But in this special case, the traffic they exclude are visitors who not only refuse to participate in monetization, but who also who may bring legal action against the site owner if the special treatment is not satisfactory. In other words, these visitors are exceptionally expensive visitors to serve with little return, giving little incentive for site owners to serve them at all. Like a EULA, DNT-blocking protects the company against unnecessary lawsuits at very low cost.

In other words, Do Not Track is doomed no matter how the enforcement shakes out.

Leave a Comment