For most users, this will represent a very minor irritation, or might trigger a momentary question about why would a website bother to ask for permission about cookies. Most of us woud click OK without thinking, and get on with our web browsing.
The existence of this kind of permission request is the tip of a large and complicated iceberg that has profound regulatory and commercial implications for the business of online publishing and advertising. This post will try to describe that iceberg and unpack some of those implications
In the UK interpretation of the Directive, there has been some interesting developments around what is actually required for a user to be deemed to have given their consent. The website of the Information Commissioner’s Office, the very body charged with enforcing regulation such as the EU Directive in the UK, has in January this year changed its own mechanism around gaining user consent to now use an opt-out mechanism:
and in doing so, has triggered some hilarious quintessentially British criticism from industry observers.
The ICO notes in its guidance for recognition of implied consent, the possibility that browser settings may in future provide robust mechanisms where consumer consent can be conveyed to publisher sites and networks.
Although not specifically referenced in the Directive or in the UK Regulations, it appears clear that a key mechanism intended to deliver this kind of browser-configurable consent indicator is the Do Not Track (DNT) initiative, a proposal first put forward in 2007 whereby users could configure their web browsers to include custom http headers that would indicate to a publisher site that the user does not wish his or her online activity to be monitored beyond the minimum requirement for the site to satisfy their request for web content.
The core idea in Do Not Track is to provide a reliable browser-based mechanism that would allow a user to indicate to publisher sites whether they prefer anonymity, which requires no tracking at all, or customisation of content which must be supported by some degree of tracking.
Actual observance and execution of the Do Not Track request relies entirely on the publisher site, and is a kind of honour system, similar to the robots exclusion standard where site owners can optionally include a ‘robots.txt’ file in their site hierarchy, with directions that govern the activity of compliant webcrawlers and other web robots to index none, or some of the website. There is no guarantee or mechanism to ensure that any web crawler will actually comply with the robots.txt directions, although major search engines do comply.
Unfortunately for users, there is little incentive for a publisher to honour Do Not Track requests. Publishers are facing growing commercial pressures to wring revenue out of their web publishing operations, and user tracking and behavioural targeting of advertising represent revenue opportunity. And there is as yet very consistency around how a user can request not to be tracked, very little consensus around what it actually means not to be tracked, and practically no regulatory enforcement of such requests.
A fascinating aside is the story of the Internet Exploreer 10 default DNT setting controversy. In June 2012, Microsoft announced that IE 10 would by default be set to include a Do Not Track header in every http request. The US Digital Advertising Alliance coalition raised a complaint that by turning the Do Not Track setting on by default, IE was eliminating consumer choice, and the advertising industry therefore had no obligation to honour the DNC request. Shortly after this announcement, one of the authors of the DNC standard submitted a software patch to the open source Apache web server – the most popular webserver platform in the world – with the effect of ignoring all DNC request from IE 10 browsers. The logic was that by removing user choice from the setting, Microsoft was subverting the intent of DNC and allowing publishers and advertisers to wilfully ignore DNC requests, supporting a presumed underlying intent to appear to support user privacy while actually pursuing its own interests. This Apache change has since been reversed.
Since 2007 when Do Not Track was first proposed, the routine application of usage tracking techniques across the internet has exploded.
Many online users are aware to some degree that websites are able to deliver editorial content and advertising that is influenced by their previous online behaviour such as web searching and site browsing.
However, most users remain unaware of the extent to which their every click on every website is captured and used to build user profiles which are then used to fuel complex online advertising processes where automated systems bid for the right to deliver specific advertising messages into individual slots on specific pages of online sites so that they will be seen by specific users who have displayed characteristics deemed desirable by the advertisers.
Try installing the Collusion browser plugin for Firefox or Chrome, or at least take a minute to view the online demo. Or check out the TrackerMap from Evidon. You will be amazed, and quite probably horrified at how many additional sites capture and store information about your browsing as you go about your normal activities online.
To privacy advocates, this is a dystopian scenario; to many in the online advertising industry, it is The Future. To web users and publishers, it is a battleground, fraught with conflicting interests and agendas. In the absence of clear guidelines or regulation, tracking technology continues to develop, and ordinary users remain badly under informed about the nature and extent of the tracking they are subject to.
In 2011 the W3C launched the Tracking Protection Working Group, with a charter to “improve user privacy and user control by defining mechanisms for expressing user preferences around Web tracking and for blocking or allowing Web tracking elements.” and to “standardize the technology and meaning of Do Not Track, and of Tracking Selection Lists”.
After two solid years of work in this forum, there is not only very little consensus on how a privacy option should be enabled in web browsers, and what kinds of usage data should remain collectable when privacy signalling is activated, but a fundamental schism appears to now be emerging between the privacy and behavioural advertising camps.
In a recent interview with AdExchanger, Jonathan Mayer, one of the W3C Tracking Protection Working Group members described the standoff as one where advertising industry intransigence is preventing consensus on common-sense understanding of the definition of Do Not Track:
One thing advocates long stood by is if a user says “Do not track me,” that should mean you’ll get rid of the unique ID identifier cookie if you’re a third party in the business of advertising or collecting user data. The advertising industry has said “No, we need to keep these cookies for certain users like market research, product improvement, etc”. It’s hard to come up with something that doesn’t count as market research or product improvement.
In an attempt to short circuit what appears to be an interminable debate on intent and delivery of DNT, Mozilla now appears to have adopted a strategy to pre-emptively deploy technology solutions that will further the privacy agenda regardless of industry recognition or honouring of DNT user intent.
Although it is not the only technique for tracking user behaviour, cookies are by far the most popular, and so-called 3rd party cookies in particular are the most contentious.
Third party cookies are set from domains that the browser has not actually visited, unless the user has previously visited that 3rd party site. The kinds of domains the user only get to know about through tools like Collusion and TrackerMap.
In February 2013 Mozilla announced its intent to block the setting of 3rd party cookies in its Firefox web browser. And in a rare case of direct technical follow through from policy makers, Jonathan Mayer himself wrote the code that will execute on this intent, now included in an alpha release of Firefox 22. With 23% of online browsing, this change to Firefox will have significant impact on behaviourally targeted advertising.
Mozilla’s new stance aligns with Apple’s existing stance for its Safari browser which also has DNT and 3rd party cookie prevention enabled by default. Internet Explorer has varying permissions based on a separate W3C standard called P3P, which has long been criticised as overly complicated and ultimately ineffective. Google’s Chrome web browser allows all cookies.
Cynics might argue that Mozilla and Apple have little at stake in this argument, since Mozilla does not directly benefit from online advertising, and Apple has its own separate ad targeting mechanisms that do not depend on cookies. Microsoft is backing away from the adserving game with the completion its sale of its Atlas ad server platform to Facebook, and so is no longer directly exposed to online ad industry revenues.
Google is now the only major browser developer that also has significant skin in the online advertising market, so it is perhaps unsurprising that Chrome is late to the DNC and 3rd party cookie party.
Remember also that Google is the main financier for Mozilla, providing the vast bulk of Mozilla revenues in return for Google Search being configured as the default search for the Firefox browser. Industry observers will watch with great interest what happens in 2015 when the current deal expires.
What happens from here will be fascinating. Will we see behavioural targeting revenue growth take a serious hit with 3rd party cookies becoming far less reliable as tracking tools? Will we see non-cookie based unique IDs and tracking methods, which in general are perceived as being intrusive and undesirable, becoming more prevalent? Will we see publishers respond with increasing use of paywalls in attempts to monetise their content in other ways?
Watch this space for more as this drama unfolds.