Forgot your password?
typodupeerror
Privacy The Internet Technology Your Rights Online

FTC Proposes Do Not Track List For the Web 173

Posted by samzenpus
from the don't-follow dept.
An anonymous reader writes "The Federal Trade Commission proposed allowing consumers to opt out of having their online activities tracked on Wednesday as part of the agency's preliminary report on consumer privacy. FTC chairman Jon Leibowitz said he would prefer for the makers of popular web browsers to come up with a setting on their own that would allow consumers to opt out of having their browsing and search habits tracked."
This discussion has been archived. No new comments can be posted.

FTC Proposes Do Not Track List For the Web

Comments Filter:
  • Booooo!! (Score:5, Insightful)

    by mweather (1089505) on Wednesday December 01, 2010 @04:08PM (#34408944)
    It should be opt-in.
    • It should be opt-in.

      Yes, it should. But that doesn't matter, because:

      1. It's unenforceable.
      2. The Republicans would never allow it, since:
        a. It's proposed by Obama's people, and
        b. It might restrict some business' God-given right to make a profit.

      • by Z00L00K (682162)

        And the worst problem is that even if the browser is "immune" to tracking features the plugins needed to view many web sites - like Flash, PDF or SilverLight also have to be "immunized".

        And to make sure that the user are traceable many sites checks thoroughly that the data they write isn't easy to remove.

        So if anything - go after the web sites that tracks users instead.

        • by Pharmboy (216950)

          So if anything - go after the web sites that tracks users instead.

          What if the site is being hosted in China? My guess is that if you are up to no good, or doing unethical things, you move offshore. Just like they route telemarketing calls through the Bahamas, etc. because the No Call List doesn't apply to foreign nations.

          I think the real solution is to have government not get involved and individuals need to instead create methods to block being tracked, preferably open source. I don't want to depend on

    • Isn't tracking done via cookies and those permanent flash cookies (LSO)? That's easily stopped with Better Privacy + No Script + Cookie Monster Firefox Plugins. No on can stop IP based tracking and whatever tracking each website does with its customers.
  • Standard GUI? (Score:5, Insightful)

    by ivucica (1001089) on Wednesday December 01, 2010 @04:09PM (#34408976) Homepage
    I'm all for a standard GUI for doing so, but the "other side" (those who do the tracking) must also cooperate by actually observing the setting (no matter how it should be delivered to them; perhaps via HTTP header). If observing it would be mandatory, then hooray; otherwise, meh.
  • by Anonymous Coward on Wednesday December 01, 2010 @04:09PM (#34408978)
    spammers! Brilliant, thank you FTC!
    • by ivucica (1001089)
      Didn't read TFA, but maybe it's not a list. An HTTP header announcing the preference for not being tracked would do the trick, as long as the other party were obliged to actually listen to your setting.
      • Didn't read TFA, but maybe it's not a list. An HTTP header announcing the preference for not being tracked would do the trick, as long as the other party were obliged to actually listen to your setting.

        Setting the evil bit, huh?

      • by 0123456 (636235)

        An HTTP header announcing the preference for not being tracked would do the trick, as long as the other party were obliged to actually listen to your setting.

        But in the real world such a header would just become another bit to go into your 'unique fingerprint' for the advertisers. And it would mean that advertisers would be even more eager to send you crap.

        • by blueg3 (192743)

          As long as the real world consists only of companies that don't mind lawsuits and FTC investigations and fines.

          Sure, there are plenty of such companies, mostly not in the U.S. But the only thing enforcing the Do Not Call list is the legal repercussions for ignoring it, and it's pretty effective.

        • by vux984 (928602)

          But in the real world such a header would just become another bit to go into your 'unique fingerprint' for the advertisers.

          In the real world, the big fish such as Google/Microsoft/Facebook etc would generally honor it, because they will get investigated, caught, and fined heavily if they don't.

          The law is effective at restricting law abiding citizens and organizations. And that's precisely what we need here.

          • by Belial6 (794905)
            Exactly, right now tracking is ubiquitus. The value/destructiveness of tracking does not increase linearly with added trackers. One site tracking you is just running it's own site. Two sites sharing tracking are not much of a problem. As the number of sites increase, it becomes a real problem. If cross site tracking were illegal, you would still get a few sites doing it, but the would be few and far between, and thus not a problem. As with any conspiracy, the bigger it is the harder it is to keep con
      • by Spazmania (174582)

        Right... So as a guy running a web server I'm supposed to "forget" about you probing my server trying to break in because you have the "Don't track me" header set.

        We already have such a setting. Tools->Options->Privacy->Uncheck "Accept cookies." Some web sites work with it unchecked. Some don't. Make your choice whether you want their content.

        • by vux984 (928602)

          We already have such a setting. Tools->Options->Privacy->Uncheck "Accept cookies." Some web sites work with it unchecked. Some don't. Make your choice whether you want their content.

          Its pretty trivial to track you even if you have cookies unchecked.

          • We already have such a setting. Tools->Options->Privacy->Uncheck "Accept cookies." Some web sites work with it unchecked. Some don't. Make your choice whether you want their content.

            Its pretty trivial to track you even if you have cookies unchecked.

            You'd also have to disable:
            -Javascript: (which can retrieve typing cadence via AJAX)
            -Images
            -Plugins: (like Flash, Java, et al.)

            Sounds like a pretty exciting internet at that point. You might as well be browsing in a text-only browser like Lynx. And even if you follow all of the steps above, you can still be tracked pretty effectively by the specific configuration of your browser.

            Now, that being said, I'm still in favor of tracking (to an extent). It's an important part of product development (amongst o

          • by Spazmania (174582)

            Barring plugins with cookie-like features and actual tracking software you've elected to install, it's actually pretty hard to separate out your traffic from everybody else's.

            You can keep track of a linear session by passing state in the URL but you lose it as soon as the guy goes somewhere else and comes back. You can do some fuzzy matching based on behavioral patterns but it takes a lot of computing power and the confidence drops off quickly.

            Worked in the biz for a little while. The core data came from fo

        • by ivucica (1001089)
          A lot of legit apps would not work. Logging in would not work on a lot of the web, for example. I really care about my email.

          And your straw man argument sucks. Having a log that is cleaned after 24h, after establishing that a user at some IP is not doing anything suspicious, is one thing. Tracking the user in order to identify behavioral patterns is another.
          • by cskrat (921721)

            Would adding a drop rule in iptables count as not honoring this 24h cleaning time that you speak of? Technically that would be a permanent record of someone that "opted out" of leaving any kind of record.

          • by Spazmania (174582)

            Make that 30 days if you want network security folk not to laugh at you. 365 if you want any support from law enforcement. Better yet, change your focus to a "do not sell list" where passing a standardized header serves as legal notice that the receiving server is forbidden from sharing any information about the transaction with a third party, specifically or in aggregate. You won't get that either, but at least your only opposition would be from marketing folk.

  • Because all those "remove me from your mailing list" options have worked so well...
    • Re:*sigh* (Score:5, Informative)

      by TheRealFixer (552803) on Wednesday December 01, 2010 @04:17PM (#34409106)
      In my personal experience, the FTC's Do Not Call list has actually worked pretty well. I used to get considerable numbers of telemarketing calls every night, but about 6 months after adding all my numbers to the list, they've almost completely stopped. And on the very, very rare occasion that I do get one, a quick mention that this number is on the Federal Do Not Call list sends them into a near panic state, scrambling to hang up.
      • I'll second this. In addition, the Direct Marketing Association and pre-approved credit card opt-outs have worked very well. I get almost zero junk mail. See this for details: World Privacy Forum's Top Ten Opt Outs [worldprivacyforum.org]
      • by Stellian (673475)

        In my personal experience, the FTC's Do Not Call list has actually worked pretty well.

        That's because a personal phone call from a live human costs alot and anyone who uses this method must target it's customer base very well to be cost-effective. In turn, it's almost certainly a US business, operating on US soil, and care about the FTC. If they violate the DNC list, you incur a high cost, and are likely to do something about it, like report them.

        No so on the Internets. Tracking is 100% automatic, and non-intrusive. Only a minority of the sites doing the tracking are from your country (this i

      • by tverbeek (457094)

        What's different about this is that telemarketers who call you already know who you are: they have your phone number. The only way a web site would be able to comply with a Do No Track database is for you to identify yourself unambiguously to them, information they do not have, and which would not be safe to hand over, unsecured, to any web site that asks for it.

      • by erroneus (253617)

        Allow me to just "me too" on your comment.

        What happens is that once a person does an "opt-out" there are some teeth in the recourse that an individual can take.

        The trouble I have is that you would first have to make yourself trackable in order to opt out. We also need to stipulate what things can and cannot be used in tracking to make such a law workable. As we know, there are a LOT of sneaky ways to track users. We need to also limit how people are tracked. Also, we need to have proof positive that we

      • "a quick mention that this number is on the Federal Do Not Call list sends them into a near panic state, scrambling to hang up"

        Really? I've telemarketed before in my dark past. When people told me they were on the do not call list I would say 'I don't care' and would go into the pitch. Then they'd hang up on me. It was just fun when people thought they could thwart me by being smarmy or clever. I hated my job and all those who I had to deal with on the phone. So anybody who tried stuff like the 'do not call

      • Actually, the FTC 's Do Not Call list made things much worse for me. I never got calls even before because I was on the Direct Mail Association's do not call list. Ever since the FTC Do Not Call low was passed, I've been getting calls from politicians, pollsters, charities, etc. Namely all the groups that were exempted from the law and just use it as a Please Call Me Repeatedly list.

  • the TSA should implement a "do not molest" list.
  • The Do-not-call list provided exceptions for politicians and non profits. Will we just see currently existing unscrupulous entities just create associated 501c3's to get around the tracking block? Just like there is a loophole for the do not call list, there will be one for this. Assuming, of course, it ever comes into being.
    • Of course. It also seems to me that in order to know who not to track, some tracking has to be done...perhaps better protections for anonymity is the trick, rather than a regulated list.
  • It's called P3P (Score:5, Informative)

    by mysidia (191772) on Wednesday December 01, 2010 @04:14PM (#34409078)

    P3P [w3.org]

    The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.

  • I'm all for this, I think it would be wonderful and beautiful to just change a setting in my browser and never have to question whether I'm being surveiled or not. It'll never work though. Corporations want what they want, and they'll find a way to track you regardless. I don't even think that making it illegal to track people's online habits would really stop them. The federal "Do not call" list only works up to a point, if someone doesn't give a shit about the law and thinks they can get away with it, the
    • by Blakey Rat (99501)

      I'm all for this, I think it would be wonderful and beautiful to just change a setting in my browser and never have to question whether I'm being surveiled or not.

      You mean like the "block third-party cookies" option that's been in every browser for almost a decade? That setting?

  • Lets face it, the local do not call registers barely work. I manage to report about 8 companies a year to our Telecommunications Industry Ombudsman and the Australian Competition and Consumer Commission about calls I get to our number. The fines are usually quite hefty especially for repeat offenders. Somehow I doubt that companies will bow down and obey instructions from an international company who's laws don't govern them.
    • by FooAtWFU (699187)
      Koreans typically don't tend to care quite as much about tracking Americans' browsing to advertise at them. Most websites most Americans visit are owned and operated by American companies, as it turns out.
    • by drinkypoo (153816)

      The do not call list works GREAT, but only if you block all calls without caller ID information. Most of the people who will spam you with valid caller ID info will make an effort not to call you back if you are on the list and you tell them so, especially if you announce to them that you are reporting them for the call, and then DO SO. There's a webform, it's not tricky.

  • how would it work (Score:5, Insightful)

    by penguinbroker (1000903) on Wednesday December 01, 2010 @04:20PM (#34409156)
    My brain's a little slow today... how would this work? How would this be enforced? Since when can websites tell exactly who we are (which I am assuming will be required to verify that the user is or is not on the list)?
    • by vlm (69642)

      My brain's a little slow today... how would this work?

      There are two answers, work as in successfully meet objectives, and work as in good enough for govt work.

      The work as in meet objectives, would be package a browser addon basically privoxy aka www.privoxy.org, or mandate the installation of something like privoxy with all browser installations. If the EU can demand winders not ship with "X" maybe the FTC can demand winders ship with a working privoxy install.

      The work as in good enough for govt work, would be add a line to the browser string, "please dont tr

      • I understand the concept of browsing without being tracked. My question is how to enforce a 'do not track' list. Which is distinctly different from a 'do not track' browser feature.
      • Thanks for the explanation anyway though.
    • by blair1q (305137)

      More to the point, how am I supposed to know when someone is violating it?

      I can tell when someone fails to use the do-not-call registry or ignores a do-not-email checkbox setting, but tracking me as I browse is a passive activity. Am I supposed to search through my cookies? And how will I know the tracking cookies from the session and configuration persistence cookies?

      Take the person who proposed this and send them to Pakistan to look for the tallest man there. Doesn't seem like there are enough people do

  • by garcia (6573) on Wednesday December 01, 2010 @04:23PM (#34409222) Homepage

    I have a land line (it comes over my cable connection) because we only have one mobile phone and use the 400 minutes as our long distance service thus it's cheaper for us to have family call us on the land line. Aside from the handful of calls we get from family the rest of the time it's from scammers "trying to lower your interest rate on your credit card," who hang up when you press them for who they are or companies who do not follow the DNC list.

    These companies know they have little chance of being prosecuted under the law so I end up with numerous phone calls and fights with supervisors of these companies to not call me again. Yet they keep trying to sell newspaper subscriptions and rug cleanings to me.

    So after three phone calls from one company I finally get enough information to file a complaint with the FCC. I submit that complaint and it's rejected three different times for lack of information. While the FCC agent attempts to be helpful the entire process is cumbersome and difficult. I lack any confidence the calls will stop or the company will pay and even if they do the fine will be minimal and they'll just consider it the cost of doing business.

    ---

    So back to this particular new trend. Yeah, great, no more tracking online. It's a lot easier for me to block that stuff online while still enjoying a relatively easy browsing experience than it is for me to stop calls from ringing my phone which would include turning the ringer off (no, I'm not paying for call block or caller ID).

    If the government wants to do this, and I'd love them to, they need to ensure that the laws, policies and enforcement are viable and actually benefit people rather than creating a whole new useless bureaucracy which spends money and doesn't accomplish a damn thing.

    • by UID30 (176734)
      I signed up for the nat'l do not call list when i canceled my land line service from at&t. :P
  • by CaptainPatent (1087643) on Wednesday December 01, 2010 @04:31PM (#34409346) Journal
    Besides the simple fact that there currently isn't a good way to implement an opt-out database (yet) and doing so on a national level between several websites would be a nearly impossible nightmare, you also have to consider the fact that:

    1) There is no good way to enforce this as the legal boundaries end at our borders. There wouldn't be much to stop offshore data collection.

    2) The most harmful types of data collection are those people that do it for malicious purposes like phishing. I really don't think a US law is going to stop them anyways.

    -also-
    3) What constitutes "tracking?" There are web aps and addons that track your usage of a page for simple things like counting the number of visitors, or much more complex things like demographic account collection to tune web ads to best suit you. There are also versions that do this that don't permanently record your information and just go on a session-by-session basis. If you even have the capability of differentiating what tracking is occurring (which is nearly impossible in the first place) where does the line get drawn?
    • P.S. - the short version of this story should be:

      "Politicians with little knowledge of computers are talking about the internet again."
      • by Floody (153869)

        P.S. - the short version of this story should be:

        "Politicians with little knowledge of computers are talking about the internet again."

        I don't expect the FTC chairman to be tech savvy, but there isn't anyone at the FTC that can tell him what is and isn't technically feasible?

    • I've never had a mod point to give, but I wish I could for you.

      Canada's Do Not Call list has already proven to be a treasure trove for data mining by the U.S. and others. For $50 you can get more reliable information than on a $3000 e-mail address list. http://en.wikipedia.org/wiki/National_Do_Not_Call_List#Criticism [wikipedia.org]

      The one thing a government can do is provide a framework for people to complain when other people don't do what they're supposed to.
      How's that been working out, historically? Anyone with an o

  • So how exactly are websites going to keep track of who has opted out of being tracked?

    "To affirm that you do not consent to appearing in a list, please add your name to this list."

    • by Nevo (690791)
      I came here to say this. Me: "Don't track me." Them: "Thanks for visiting our website! In order to know whether or not we should track you, please tell us who you are." In order for this to work, the web would have to abandon any pretense of anonymity. Which do you think is the lesser of two evils? I know where my vote goes.
      • by spazdor (902907)

        Yeah. I can't think of a way to make this system work, except using a database which would constitute the kind of personally-identified tracking system that it seeks to prevent. In order to get website maintainers to comply with these rules, the government would have to provide them with exactly that data which they're being forbidden to collect, and then, I don't know - put them on the honour system, make them pinky-swear not to use it for anything but the intended purpose? Is that the plan?

  • You have to register yourself on a big public list in order to prevent websites from tracking you.

    • by Yvan256 (722131)

      If you have to register yourself via a website, then the joke circle will be complete.

  • So I get to trade being tracked by people that want to sell me cookware for being tracked by the federal government?
  • A do not track list is quite different than a do not call list. The latter is about companies calling you, wasting your time and phone minutes when you're not interested. Gathering demographics doesn't waste your time. Put another way, you have no way of knowing whether the no track list is even being followed, whereas you can easily tell if the do not call list is being followed, because you get annoying calls.

    I'm not saying that tracking you on the web isn't offensive, just that it's fundamentally diffe

  • So basically we can opt not to be tracked by the companies who actually decide to follow an optional opt-out list? Doesn't that mean I'm only opting out of the companies I'm least bothered about? Worse, make being a (relative) good-guy even less profitable?

    Without legislative backing it's at best toothless and at worst counter-productive.

    Even legislative backing may be prone to unintended consequences as companies leave for less regulated shores. However I'd expect there would be more of a positive influen

  • by RichMan (8097) on Wednesday December 01, 2010 @04:47PM (#34409602)

    I suspect this list would also be used be used by various agencies to flag people who are engaged in "undesireable" activity. "Only those with something to hide will be using the Do Not Track" feature.

    *sigh*

    This all at the same time that they are requiring ISP's to keep 2 year records of IP logs.

    So how does this new "Do Not Track" bill merge with the other bill. I presume that everyone will just sign up under the 2 year bill and say "we need to keep records" and are thus exempt from the DoNotTrack feature.

    The Internet Stopping Adults Facilitating the Exploitation of Today's Youth (SAFETY) Act of 2009 also known as H.R. 1076 and S.436 would require providers of "electronic communication or remote computing services" to "retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user."[22]

  • I don't want to be tracked. Unfortunately i don't like where this is going either. This isn't like a do not call list where you can register a distinct end point and prove that someone called you when you were clearly on the list. The tracking isn't based on a hard identification. It's a fuzzy id. They are trying to aggregate actions made by some checksum built out of whatever info you can get from a client of a web app. How can either side prove that you are or are not that checksum?

    What exactly are we
  • How do we know that some reasonably intelligent marketing pusbag won't find a way to use the FTC's "Do Not Track" list in a manner contrary to its stated intent?
  • I cant see this ever working, in fact the very act of opting out of tracking makes you more easily trackable.
  • While it's entirely possible for something like this to happen and the FTC to use large fines to make US companies avoid some tracking, tracking provides LARGE benefits to businesses.

    I'd immediately expect many ad networks to host their ads from oversees so they could claim not to be under the jurisdiction of this law. How will the FTC stop that? And what if Google Ireland decides to host all the Google ads? Are you going to go after the parent company?

    This is a nice idea that seems completely unenforceab

  • Can we enforce it against the NSA?

    -molo

  • Riiiiiight. Sure.

    This feigned concern about online privacy is just a political chain that policitians and government bodies yank in order to appear to care about individual rights.

    There is nothing that the State craves more than to track every move of every citizen.

  • To make this work, wouldn't people have to be on a system where they'd lose their anonymity online? How else could they guarantee who's on a "do not track me" list without knowing who you were when you were online?
  • The Feds should allow us to sign up for a few more lists:

    • The Do Not Grope List
    • The Do Not Erode My Civil Liberties List
    • The Do Not Remove My Constitutional Rights List
    • The Do Not Assume I Believe Your Security Theater List
    • The Do Not Think I'm Unamerican For Signing Up For Those Lists List

    We could all then, of course, profit!

  • Okay, so it probably isn't quite as accurate, but how would this play against the things that webmasters need but which can also be used for tracking - i.e. Apache log files and the like? I can do all sorts of path following and user tracking with logs if I wanted, just by analysing the log files from a normal server. It won't be quite as accurate as something tracked with a cookie, but then even cookies aren't bullet-proof.

    Either they've overlooked log files, or they're going to need some really weird stan

Often statistics are used as a drunken man uses lampposts -- for support rather than illumination.

Working...