FTC Privacy Plan Includes 'Do Not Track' Browser Option
The Federal Trade Commission on Wednesday unveiled an online privacy proposal that includes a "do not track" suggestion for browsers that would prevent them from collecting a Web user's online history.
The Federal Trade Commission on Wednesday unveiled an online privacy proposal that includes a "do not track" suggestion for browsers that would prevent them from collecting a Web user's online history.
The "do not track" option would be similar to the agency's "do not call" list. Just like a consumer can choose not to receive calls from telemarketers, they could choose not to be tracked on the Web. As a result, their Web-surfing history would not be sent to third-party sites and their activity would not be used to serve up targeted advertisements, among other things.
At this point, the proposal is just a suggestion. The FTC is asking stakeholders to comment on this and other facets of the plan by January, and the agency will release a final proposal sometime next year.
"We don't have regulatory authority; what we're doing is offering best practices to companies and guidance to lawmakers," FTC Chairman Jon Leibowitz said during a Wednesday call with reporters.
Leibowitz said that companies like Google, Microsoft, and Apple have experimented with "do not track" technologies, and urged them to push forward.
In a Wednesday blog post, Microsoft pointed to the InPrivate Browsing option introduced with Internet Explorer 8, which allows users to surf without being tracked.
"Internet Explorer 9 will continue this focus and leadership on enabling our customers' choice and control with respect to their online privacy," wrote Brendon Lynch, Microsoft's chief privacy officer. "We appreciate the Federal Trade Commission's efforts to advance consumer privacy protections and welcome the opportunity to review the FTC's Privacy Report."
Google Chrome also has its Incognito private browsing mode, while Firefox has Private Browsing. Leibowitz was asked about these features, specifically about Chrome's Incognito mode. He said it is a "good innovation" but the FTC is looking for "a little more ubiquity."
On "do not track," a Google spokeswoman said the "FTC raises some interesting ideas, and we look forward to learning more about what Do Not Track could look like."
On the entire report, Google said it agreed that "people should be able to understand what information they share and how it's used. That's why we simplified our privacy policies earlier this year, offer control through our privacy tools, and explain our approach to privacy in plain language and through YouTube videos in our Privacy Center."
In a blog post on the report, Mozilla didn't specifically mention the "do not track" browser option, but said it was "encouraged by what we've seen so far."
"The FTC should also be commended for continuing its efforts to seek a comprehensive proposal rather than focusing only on one aspect of the issue," wrote Harvey Anderson, Mozilla's general counsel. "Over the next month, we'll examine the questions and proposal in more detail and take advantage of this opportunity to share our experience, concerns, and views on the proposed framework."
The FTC also called out Adobe because the cookies gathered by Flash are apparently collected regardless of the browser's settings.
"Adobe would support and participate in any industry initiative to foster clear, meaningful, and persistent choice regarding online tracking for purposes that are not obvious in context or commonly accepted," Adobe said in a statement. "This includes the 'tracking' of user preferences by third parties for advertising purposes using local storage capabilities (such as Flash Local Shared Objects, often referred to as 'Flash cookies' in the public and confused with Web browser cookies), which were not designed for this purpose. Adobe has repeatedly stated publicly that we condemn such practices because they clearly circumvent the user's expressed choice."
Flash Player 10.1 supports private browsing, and "Adobe is also working with the browser manufacturers to better coordinate local storage management with browser privacy management settings," the company said. Google Chrome, for example, currently provides access to Flash Player local storage settings from within the browser's privacy controls.
"Adobe anticipates that future versions of the browsers will include the ability for users to clear their local storage data directly through the browser privacy management interface," Adobe concluded.
"Do not track" is just one component of a plan that "proposes a new framework for consumer privacy," Leibowitz said. "The FTC wants to ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation, and consumer choice."
Leibowitz argued that most data collection online is invisible to the average consumer. Some companies do not disclose their data collection processes, while those that do often have long, incomprehensible privacy agreements that consumers don't read or understand, he said.
Going forward, companies need to "bake privacy protections into their operations," Leibowitz said. They should collect data "only if they have a legitimate business reason for doing so." Privacy choices, meanwhile, should be presented in a simpler, more streamlined way, he said. Companies shouldn't have to seek consent to share your address with shipping companies that deliver their products, for example, but if data is being shared with marketers or data miners, consumers should be informed.
Leibowitz pointed to EchoMetrix, a company whose Sentry software allows parents to monitor their children's online activities. Sentry, however, tracked those children's online activities and sold the information to third-party marketers. A vague reference to this policy was 30 paragraphs into multi-page end user license agreement.
As a result, the FTC on Tuesday announced a settlement with EchoMetrix whereby the company will no longer use or share the information it gathered via Sentry. It must also destroy the data EchoMetrix transferred to its marketer database.
"Despite some good actors, self-regulation of privacy has not worked adequately … for American consumers," Leibowitz said. "The industry as a whole needs to do a far better job. We're going to take action against companies across the line … especially when children and teens are involved."
Despite his skepticism of self-regulation, Leibowitz is open to suggestions from industry, though "a legislative solution will surely be needed if industry doesn't step up to the plate," he said. At this point, however, the FTC wants to hear from the public, and will reserve final judgment until all comments have been submitted, he said.
Many in industry have shunned a legislative solution because they claim it will hurt innovation, an assertion with which Leibowitz did not agree.
"I just fundamentally disagree with the notion that we're creating barriers to entry," he said. "I think there are a few … Washington folks [who are] doing what they're supposed to be doing – perpetuating that myth - but we have 5-0 vote at the commission [on this report], and if we thought we were creating barriers to entry, we'd have a 0 to 5 vote."
The FTC will be on Twitter starting at 3pm EST to answer questions about the report.
Update: The FTC on the "do not track" browser plan, but a security expert from Symantec was skeptical that it would work.
Editor's Note: This story was updated at 430pm Eastern time with comment from Adobe, again at 6pm with Google's comments, and on Thursday with Mozilla's thoughts.