Do Not Track standards do not coalesce
The advertising industry is in a huff over Mozilla’s plans to support "The Cookie Clearinghouse" at the Center for Internet and Society (CIS) at Stanford Law School. The Cookie Clearinghouse starts with some browser behavior changes and adds what Mozilla’s Brendan Eich describes as both block and allow-lists of sites and a mechanism for managing exceptions to them. What would be blocked? Third-party tracking cookies.
The advertising industry is displeased, as it has been in the past when its abilities to track users are impeded.
As Eich says, it will be months before this hits the release versions of Firefox but there certainly seems to be a lot of indignation out there at how much business would be lost by the Doubleclicks of the world and other sites that people don’t visit, but which visit them. That’s how third party cookies work.
And yet, something seems so familiar to me about the whole "Cookie Clearinghouse" thing… It sounds so much like…. Like Internet Explorer 9.
[cue harp strum…]
Take yourself back to March, 2011 and the release of IE9. Microsoft says it will support the silly and pointless Do Not Track header, but it also announces support for Tracking Protection Lists, which are pretty much the same thing. Not exactly the same thing, but they have the same goal and share much of the same methodology.
In IE9 or IE10 (or, presumably, IE11) hit the gear icon then "Safety" and then "Tracking Protection…"
Tracking Protection Lists (TPLs) are lists, provided perhaps by Microsoft but mainly by third parties, of domains which should not be allowed to send tracking cookies. Here is a sample section from the TRUSTe TPL:
(Yes, wordpress.org. I guess people use it to store malicious cookies.)
Like The Cookie Clearinghouse, TPLs can also whitelist a domain (with a "+d" instead of "-d"). There are several in the TRUSTe list.
Incidentally, Microsoft submitted TPLs as a standard to the W3C in early 2011. It resubmitted it to the W3C Tracking Protection Working Group, which owns the Do Not Track HTTP header.
Unlike TPLs, the Cookie Clearinghouse has no implementation definition at all. The group is leaving all that up to the browser vendors. But TPL would be one way to do it, which means that Internet Explorer is pretty much set up for it already.
The Cookie Clearinghouse starts with a series of behavioral rules for user agents before black or whitelists are applied:
If a user visits a website, set the cookies from that site.
- If a user visits a website, set the cookies from that site.
- If a user does not visit a website, do not set the cookies from that site.
- If a site is trying to save a DAA opt out cookie, set the opt out cookie from that site.
- If a user consents to setting a cookie, set the cookie.
The first two rules are how Apple’s Safari behaves now, which is to say that it blocks third-party cookies. Rule 3 is a Google Chrome behavior and I can make a vague guess at what it is, but I’m not sure. Rule 4, it says, "is in keeping with requirements under European laws".
I spoke to Andy Sudbury, Chief Technical Officer at Abine, a privacy services company that was one of the first out of the gate with a TPL.
He told me: "Fundamentally, what the Cookie Clearinghouse is doing is a good thing. It’s very important to have groups working on different ways for people to protect their privacy".
Sudbury is certainly right about this. The Stanford people are obviously smart and true believers and it’s entirely possible something useful could come out of it.
"Unfortunately, cookies are just one part of the privacy problem and, in fact, declining part of it". As Sudbury explains, cookies -- especially third party tracking cookies -- have such high profile and such a bad name, they’re starting to get blocked more broadly -- such as Safari’s third party cookie blocking behavior, soon to be followed by Mozilla, and hopefully even more so through implementations of the Cookie Clearinghouse’s lists. Even Tony Soprano was scared of cookies.
Tracking nowadays goes far beyond cookies and extricating yourself from it is no simple matter. For instance, you may not want all the implications of every "Like" button you click on Facebook, but does that mean you should block all requests to facebook.com?
There are products and services which attempt to block tracking in a more comprehensive and intelligent way, including Abine’s own DoNotTrackMe.
Now of course it’s fair to say that nothing became of TPLs when Microsoft released them. They may be an excellent technique, but nobody would know about it because Microsoft barely gets any interest from the press for Internet Explorer in spite of retaining huge market share.
Why not? Why didn’t the advertising industry scream to AdAge that their business models were threatened? Because Internet Explorer, popular as it is, is also uncool. I’ll wager if you took a survey of "industry influencers" perhaps 10 percent of them use IE on a regular basis. (I use it, but only as a secondary or tertiary browser; my main browser is still Chrome.)
It's certainly far more comprehensive and effective than the Do Not Track HTTP header, the main focus of the W3C Tracking Protection Working Group. That was a simple request by the user’s browser to the web site not to track. The working group has been working on this seemingly simple task for over 2 years and is on the verge of giving up. This is why you’re seeing proposals like Cookie Clearinghouse now. It’s balkanization.
There is one major problem that the Cookie Clearinghouse just glosses over: The system requires maintenance of the white and blacklists. There is a section on its web page where it indicates that it will be taking this function on for itself and providing for ad networks to file challenges and I have the feeling that it doesn't know what it's getting itself into. The advertisers will be all over it like flies on….well, you know.
This is where Microsoft did it right. Allow third parties to provide the lists, allow users to make their own (not that many people would actually do that), and open up the standard. Too bad nobody paid attention.