Why "Do Not Track" Does Not Mean Do Not Track

All week, Microsoft and Mozilla have been trading punches over something called "Do Not Track," a browser setting that's supposed to be the next big thing in online privacy. Here's what it is and why it matters.

"Do Not Track" is having a busy week.

It started life as a joint project between Mozilla, Stanford and the World Wide Web Consortium, envisioned as a simple browser setting that would stop advertisers and marketers from following people around on the web. At the end of May, everyone else was safely ignoring it, but last Friday, Microsoft became the world's least likely privacy advocate by unveiling Internet Explorer 10 as the first browser to turn on Do Not Track as a default for all users. Privacy professionals got surprised, advertisers got mad, and yesterday a trio of DNT advocates unveiled a new proposal saying basically, "no, you're not allowed to do that."

In short, it's been a confusing few days for anyone who cares about online privacy, and at this point, almost no one knows what the hell is going on. But I do! And I'm going to explain it all right now.

So what does "Do Not Track" do?

It puts a DNT flag in your HTTP header — like wearing a big sandwich board that says "don't track me." The W3C is still deciding exactly what "tracking" means in DNT, but it'll probably end up focussing on third-party cookies (the kind that follow you from site to site).

Does that stop people from tracking me?

Not really. Which is weird, given that it's called "Do Not Track." Andrew Lewman, Executive Director of the Tor Project (an online privacy tool), put it to us this way: "The problem is that you're sending all of your information to the sites anyway." It's a handshake agreement, but sites are free to just ignore the flag or limit the warning to whatever kinds of tracking they decide they can do without. You'd be better off with a cookie blocker.
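The handshake described above, as an added example (not code from any browser, ad network or the W3C draft): a third-party endpoint reads the `DNT` request header and then decides for itself whether to set a tracking cookie. The host names, the cookie value and the `honor`/`ignore` policy names are constructed for illustration.

```javascript
// Added example: models the server side of a DNT exchange.
// All names and the cookie value are constructed for illustration.

// HTTP header names are case-insensitive, so normalise before lookup.
function readDnt(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'dnt') {
      const v = String(value).trim();
      if (v === '1') return 'opt-out';   // user asks not to be tracked
      if (v === '0') return 'consent';   // user explicitly allows tracking
      return 'invalid';                  // anything else carries no meaning
    }
  }
  return 'unset';                        // no preference expressed
}

// A third-party endpoint (ad or widget server) deciding what to send back.
// policy 'honor'  : never set a tracking cookie when the user opted out
// policy 'ignore' : treat DNT as if it were not there
function respond(headers, policy) {
  const pref = readDnt(headers);
  const track = policy === 'ignore' || pref !== 'opt-out';
  const out = { status: 200, headers: {}, logged: [] };
  if (track) {
    out.headers['Set-Cookie'] = 'uid=EXAMPLE-ID; Max-Age=31536000; SameSite=None; Secure';
  }
  // Either way, the request itself already delivered these to the server.
  out.logged = ['ip', 'user-agent', 'referer'].filter(
    (k) => k === 'ip' || Object.keys(headers).some((h) => h.toLowerCase() === k)
  );
  return { pref, tracked: track, ...out };
}

// Constructed request, as a browser with DNT enabled would send it.
const request = {
  Host: 'widgets.example',
  'User-Agent': 'ExampleBrowser/1.0',
  Referer: 'https://news.example/article',
  DNT: '1',
};

for (const policy of ['honor', 'ignore']) {
  const r = respond(request, policy);
  console.log(policy, '->', r.pref, '| cookie set:', 'Set-Cookie' in r.headers,
    '| server still sees:', r.logged.join(', '));
}
```

Both policies receive the same address, user agent and referring page; the only difference is a choice made on the server, which the browser cannot verify.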

Then why do people care about it?

It's more of a long-term political movement, along the lines of the Do Not Call list for telemarketing. The point is to shame websites into not tracking people, which is why it's so important that people consciously opt in (and why IE just got a slap on the wrist). But all the agreements are still settling in, so it probably won't have any force for at least a few more years.

So it will stop tracking eventually?

Probably not. It's a good first step, but online tracking is a lot more sophisticated than telemarketing, so there are lots of other ways for sites to follow you around. The biggest one is social tracking, which feeds Facebook info every time you visit a site with a Like button. Instead of leaving a data packet on your computer, Facebook can use iframes to keep tabs on all the Like buttons on the web, and make a note every time your IP address loads one up. Facebook's collecting the data instead of Amazon, but the net result is the same.

So what can I actually do to keep from being tracked?

Nothing? If you want to block social tracking, you'll be cutting off Like buttons, Facebook comments, and the whole social layer that's made the web so interesting for the past few years. We've already got the means to do this (ahem), but nobody does. Alternatively, you could just not go on the internet, but if you're reading this site, that ship has probably sailed.

The only airtight solutions are things like the Tor Network, which needs thousands of computers around the world to enable something as simple as web browsing. But that's the nuclear option of online privacy, unwieldy for everyday use. And the moment you dip a toe into the social web — looking at a friend's Facebook page or even buying something on Amazon — the whole thing falls apart.
