After opting out, I went back to Collusion to see if companies were still tracking me. I found that many, many companies appeared to be logging data for me. According to Mozilla, the current version of Collusion does not allow me to see precisely what companies are still tracking, but Stanford researchers using Collusion found that at least some companies continue to collect data. All that I had "opted out" of was receiving targeted ads, not data collection. There is no way, through the companies' own self-regulatory apparatus, to stop being tracked online. None.
After those Stanford researchers posted their results to a university blog, they received a sharp response from the NAI's then-chief, Chuck Curran.
In essence, Curran argued that users do not have the right to *not* be tracked. "We've long recognized that consumers should be provided a choice about whether data about their likely interests can be used to make their ads more relevant," he wrote. "But the NAI code also recognizes that companies sometimes need to continue to collect data for operational reasons that are separate from ad targeting based on a user's online behavior."
Companies "need to continue to collect data," but that contrasts directly with users desire "not to be tracked." The only right that online advertisers are willing to give users is the ability not to have ads served to them based on their web histories. Curran himself admits this: "There is a vital distinction between limiting the use of online data for ad targeting, and banning data collection outright."
But based on the scant survey and anecdotal data that we have available, when users opt out preventing data collection is *precisely* what they are after.
In preliminary results from a survey conducted last year, Aleecia McDonald, a fellow at Stanford Center for Internet and Society, found that users expected a lot more from the current set of tools than those tools deliver. The largest percentage of her survey group (34 percent) who looked at the NAI's opt-out page thought that it was "a website that lets you tell companies not to collect data about you." For browser-based "Do Not Track" tools, a full 61 percent of respondents expected that if they clicked such a button, no data would be collected about them.
Do Not Track tools have become a major point of contention. The idea is that if you enable one in your browser, when you arrive at The New York Times, you send a herald out ahead of you that says, "Do not collect data about me." Members of the NAI have agreed, in principle, to follow the DNT provisions, but now the debate has shifted to the details.
There is a fascinating scrum over what "Do Not Track" tools should do and what orders websites will have to respect from users. The Digital Advertising Alliance (of which the NAI is a part), the Federal Trade Commission, W3C, the Internet Advertising Bureau (also part of the DAA), and privacy researchers at academic institutions are all involved. In November, the DAA put out a new set of principles that contain some good ideas like the prohibition of "collection, use or transfer of Internet surfing data across Websites for determination of a consumer's eligibility for employment, credit standing, healthcare treatment and insurance."
This week, the White House seemed to side with privacy advocates who want to limit collection, not just uses. Its Consumer Privacy Bill of Rights pushes companies to allow users to "exercise control over what personal data companies collect from them and how they use it." The DAA heralded its own participation in the White House process, though even it noted this is the beginning of a long journey.
There has been a clear and real philosophical difference between the advertisers and regulators representing web users. On the one hand, as Stanford privacy researcher Jonathan Mayer put it, "Many stakeholders on online privacy, including U.S. and EU regulators, have repeatedly emphasized that effective consumer control necessitates restrictions on the collection of information, not just prohibitions on specific uses of information." But advertisers want to keep collecting as much data as they can as long as they promise to not to use it to target advertising. That's why the NAI opt-out program works like it does.
Let's not linger too long on the technical implementation here: there may be some topics around which compromises can be found. Some definition of "Do Not Track" that suits industry and privacy people may be crafted. Various issues related to differences between first and third-party cookies may be resolved. But the battle over data collection and ad targeting goes much deeper than the tactical, technical issues that dominate the discussion.
Let's assume good faith on behalf of advertising companies and confront the core issue head on: Should users be able to stop data collection, even if companies aren't doing anything "bad" with it? Should that be a right as the White House contends, and more importantly, why?
Companies' ability to track people online has significantly outpaced the cultural norms and expectations of privacy. This is not because online companies are worse than their offline counterparts, but rather because what they can do is so, so different. We don't have a language for talking about how these companies function or how our society should deal with them.
The word you hear over and over and over is that targeted ads can be "creepy." It even crops up in the academic literature, despite its vague meaning in this context. My intuition is that we use the word "creepy" precisely because it is an indeterminate word. It connotes that tingling-back-of-the-neck feeling, but not necessarily more than that. The creepy feeling is a sign to pay attention to a possibly harmful phenomenon. But we can't sort our feelings into categories -- dangerous or harmless -- because we don't actually know what's going to happen with all the data that's being collected.