
Online Privacy Is Poised for Regulatory Showdown - robg
http://www.nytimes.com/2010/11/10/business/media/10privacy.html?hp
======
randomwalker
I'm one of the main people involved in hammering out the tech issues in Do Not
Track, along with my colleague Jonathan Mayer at Stanford. We work closely
with the EFF's Lee Tien quoted in the article. See my post
<http://33bits.org/2010/09/20/do-not-track-explained/> for some background;
we've also set up <http://donottrack.us/> as a sort of clearinghouse.

I'd be happy to answer any questions.

------
ramanujan
A decentralized, opt-in version of randomwalker's donottrack proposal
(<http://donottrack.us/>) would allow users to balance privacy vs. benefits.

Opt-out sites would be more private, but would offer less in the way of
features, functionality, and personalization (both directly and indirectly
because of the massive hit to monetization).

In particular, I don't think many people realize just how many features on the
modern web are enabled by anonymized analysis of large scale logs. A short
list:

1\. UI optimization via event logging 2\. Features like priority inbox in
Gmail 3\. Bubble up in search rankings 4\. A/B testing 5\. Google Analytics
(determining backlinks to your site) 6\. Disqus login for blog commenting 7.

While the proposal is about opting out of "third party web tracking", it is
not obvious what a third party is. Is a YUI, Google Analytics, or Facebook
Connect plugin which I chose to integrate into my site "third party code"?
What if I have a business account with something like Crazyegg.com -- can I
put their JS heatmap tracking in my webpage to figure out what buttons my
users are getting confused by?

If this is complex for hackers, do you trust the government that thinks the
internet is a series of tubes to get this right?

Finally, there is one throwaway sentence in the article which deserves
underlining:

    
    
      It also wants to ensure that any restrictions do not impede law enforcement and national security efforts.
    

Translation: the government will want Google and others to track you anyway,
so that they can find you. So this is sort of reversed: true privacy
legislation would mean the guys with guns wouldn't be able to track you. I'm a
lot more scared of them than the guys trying to sell you "one weird old belly
trick".

~~~
ramanujan2
Darned noprocrast meant I can't edit this comment from my normal account. So
here is a better formatted version:

\------------

A decentralized, opt-in version of randomwalker's well thought out donottrack
proposal (<http://donottrack.us/>) would allow users to balance privacy vs.
benefits. Including "X-Do-Not-Track" in an HTTP header is an excellent idea;
including it in a piece of legislation is much less so.

Opt-out sites would be more private, but would offer less in the way of
features, functionality, and personalization (both directly and indirectly
because of the massive hit to monetization). Specifically, I don't think many
people realize just how many features on the modern web are enabled by
tracking of some kind or the other. A short list:

1\. UI optimization via event logging

2\. Features like priority inbox in Gmail

3\. Bubble up in search rankings

4\. A/B testing

5\. Google Analytics (determining backlinks to your site)

6\. Disqus login for blog commenting

7\. Google Maps or location based service integration

While the proposal is about opting out of "third party web tracking", it is
not obvious what a third party is. Is a Google Analytics or Facebook Connect
plugin which I chose to integrate into my site "third party code"? What if I
have a business account with something like Crazyegg.com -- can I put their JS
heatmap tracking in my webpage to figure out what buttons my users are getting
confused by?

And if this is complex for hackers, do you trust the government that thinks
the internet is a series of tubes to get this right?

Moreover, there is one throwaway sentence in the article which deserves
underlining:

    
    
      It also wants to ensure that any restrictions do not impede law enforcement and national security efforts.
    

Translation: the government will want Google and others to track you anyway,
so that they can find you when they want. So this is sort of reversed: true
privacy legislation would mean the guys with guns wouldn't be able to track
you. I'm a lot more scared of them than the guys trying to sell you "one weird
old belly trick".

Remember that the government which is now talking about protecting your
privacy is the same one which is making the very pilots themselves go through
backscatter stations on the way to their planes, the same government that
forced phone companies to tap your phones and forced Google to give them your
email 9000 times per year.

In my humble opinion, the solution to this kind of thing is not to throw up
our hands and pray for this latest batch of Congresscritters to deliver us
from evil, but for someone to build a private browser, with something like a
built-in accessible Tor, which _provides a better experience_ for those people
who value privacy over functionality.

~~~
randomwalker
OK, I see that by opt-in you mean something else entirely, i.e., a
technological solution instead of a legislative one. I think the tracking vs.
anti-tracking arms race is skewed hopelessly in favor of the advertisers, but
I'm not going to get into that here.

ETA: However there is one thing you say that is easily refuted -- having a DNT
header without legislation to back it up is useless, because nobody has the
slightest incentive to respect it.

~~~
ramanujan2
> having a DNT header without legislation to back it up is useless

:) Well, your website appears to be agnostic on the question! To quote
donottrack.us:

> Compliance with Do Not Track could be purely voluntary, enforced by industry
> self-regulation, or mandated by state or federal law. We do not take a
> position on these alternatives.

In all seriousness, I do understand the difference between your individual
position (i.e. pro-government) and the project's position, but unless Dr.
Mayer has a substantially different opinion (which he may), there probably
won't be a huge difference between the project & the individuals.

Which is fine.

I think the larger point is that it's a LOT more important for the government
to _actually_ stop tracking us than for it to beat up on entrepreneurs with
yet more new picayune rules and regulations, especially given the current
economic climate.

Current ways in which the government tracks us:

1\. Social Security Card

2\. Selective Service Act

3\. Driver's License

4\. Tax Returns

5\. Bank Accounts and Funds Transfers

6\. Do Not Fly List

One could go on in this vein. A hypothetical brown immigrant entrepreneur who
flies a lot and isn't that enthusiastic about potentially being drafted to
kill random people in Afghanistan has enough problems with government tracking
as it is!

In other words: this bill does nothing to address the problem of having
hundreds of millions of peoples' personal information in the databases of a
bankrupt, militaristic government.

Who is being keelhauled for leaking Eliot Spitzer's peccadilloes or Joe the
Plumber's unpaid plumbing license? Those kinds of abuses of government
databases are a much bigger problem than the comparative ephemera of targeted
advertising. The FBI's Carnivore is a lot worse than Amazon's recommendation
engine, and by failing to address that directly -- indeed by assuring the
government that it will retain backdoors for "national security purposes" --
the FTC push prioritizes all the wrong things.

Because if "national security" means that I must surrender my shampoo to the
kindly TSA agent in broad daylight, it can mean whatever the government wants
it to mean.

And I might also point out that the self-same politicians who are drafting
this law were among the heaviest users of Rapleaf, and hence are quite likely
to carve out "political speech" exemptions for their own tracking campaigns.

------
robwgibbons
I understand how this might be a threat to some online networks and
advertising services, but I for one am happy there will be an official Do Not
Track list.

~~~
randomwalker
Do Not Track is great, but a Do Not Track "list" would be rather self-
defeating. Please see my post <http://33bits.org/2010/09/20/do-not-track-
explained/> for how DNT will work.

