[This is a cross-post from my colleague Jon Fox of CALPIRG's blog. This week, the papers are reporting that Chairman Jay Rockefeller (WV) of the Senate Commerce Committee will soon schedule hearings on his proposal, S. 418, the Do Not Track Online Act of 2013. Below, Jon discusses the bill and related issues.]
By Jon Fox, CALPIRG Consumer Advocate
In the early 19th century, savvy American bar owners offered a “free lunch” to draw patrons in for a drink. While many enjoyed washing down a free sandwich of cured meats with a beer, Americans quickly learned that there is no such thing as a free lunch. Today the global internet community is learning that lesson all over again: this time the price is corporate tracking of online activities and interests.
The price consumers pay to access most online content is the tracking of their every click on the World Wide Web by data miners and ad networks. Consumer and privacy advocates are seeking to address such online tracking through Do-Not-Track regulation.
Recently West Virginia’s Senator John D. Rockefeller, Chairman of the U.S. Senate Commerce Committee, proposed the Do-Not-Track Online Act of 2013. The bill would require the Federal Trade Commission (FTC) to establish standards allowing internet users to set their web browsers to tell websites, advertising networks, data brokers and other online entities that they do not want to be tracked online for commercial data mining. The bill would also instruct the FTC to draft rules to enforce users’ requests to opt out of such tracking. The bill largely follows the recommendations of a recent FTC Report, which stated that the commission seeks “implementation of an easy-to-use, persistent, and effective Do Not Track system.”
Senator Rockefeller proposed a similar bill two years ago, yet did not pursue it after industry groups pledged to develop voluntarily mechanisms to honor user’s browser-based Do-Not-Track flags. Since then negations to set universal Do-Not-Track standards as part of the World Wide Web Consortium (W3C) fell through and little progress has been made towards self regulation. While some companies have decided to move ahead themselves, consensus and clarity around Do-Not-Track standards is still needed since the absence of network-wide standards on how to treat Do-Not-Track requests and what sort of behavior constitutes tracking, jeopardizes the effectiveness of all Do-Not-Track requests.
Despite the public’s desire to have more control over when and how their online activity is tracked, media and technology industry leaders have so far failed to reach agreement on establishing Do-Not-Track mechanisms. Indeed, some have even ratcheted up their opposition. Last month a leading industry lobbyist called Mozilla Firefox’s debut of its own browser-based Do-Not-Track control “a nuclear first strike” against his industry, even though Apple’s Safari browser has long had an even stronger Do-Not-Track mechanism in place.
It is time for lawmakers to debate and pass robust Do-Not-Track legislation to protect consumers. The Rockefeller proposal offers a good start toward that debate.
How we got here: Free cookies
Free services are a major driving force behind the world wide popularity of the Internet. From the beginning, Google, Facebook, and Twitter drew new customers in with their free offers, and users quickly signed up. Some internet services successfully transitioned to paid premium service packages once users familiarized themselves with the product, but those are the exception. For the most part, the core of the online experience is free. Or is it?
The answer to that question is in the details, or rather in the data. Terms of service agreements are written to make it seem like consumers willingly made a Faustian deal to enjoy all the internet has to offer for free and in return online companies monitor and track consumers online. For the most part tracking is done through browser cookies sent while the user is on a website and stored on their computer.
Cookies were originally designed to help websites “remember” us on our next visit, speeding up the browsing experience and making it more enjoyable. Since then tracking cookies, and especially third-party tracking cookies, have become more sophisticated and compile a record of individuals' browsing histories, online interactions, movements, and interests. Although services like Ghostery and DoNotTrackPlus reveal the long lists of third parties tracking you, most users have little idea that this monitoring is taking place in the background, and have even less control over what data is collected or how it is used.
Unknown third-party companies collect user data from tracking cookies and then sell it to other online businesses. This data is often used to provide consumers with a “tailored” web experience matching their interests and past behavior online. While most internet users are not familiar with the technical details, by now most aren’t surprised to see ads for sunscreen in their Gmail after receiving a hotel confirmation for a beach vacation.
We are told that targeted ads do no harm and allow us to continue to enjoy free online services. For most, a few “targeted” ads seem like a small price for all the awesomeness the internet has to offer. But as anybody who has one too many beers can tell you – there is no such thing as a free lunch.
The costs of a personalized web
We pay for targeted ads in various ways. First, companies pay millions to collect user information and then buy targeted ads, an expense that is ultimately passed on to consumers in higher prices. Second, basic economic principles dictate that consumers pay more when companies know more about how much they are willing to spend, past shopping behavior, and personal circumstances. While it seems logical that repeat customers should get better deals, on the web they often fair worse, based on the use of secret predictive profiles generated from your cookie crumbs. Tracking cookies allow online marketers to create “buckets” for customers meeting various criteria, offering each a different price for the same products.
The Wall Street Journal found that popular retailers, including Staples, Discover Financial Services, Rosetta Stone Inc. and Home Depot Inc., adjusted prices on product offers based on a range of characteristics that could be learned about the user. For example, if a man googles “last minute Valentines gift” and then reaches a florists’ website he may see different pricing than another who simply googled “florist delivery.” Online marketers can sniff out the desperation, and can adjust prices upwards for those rushing to save a relationship.
We are told that giving up a little bit of privacy is the only way users can continue to enjoy the level of internet services we are accustomed to. But online tracking isn’t done to create a better user experience: it is done for profit. The collection and sale of user data is a growing business, placing consumer privacy and finances at risk. Congress needs to act and pass robust Do Not Track legislation. Senator Rockefeller’s Do-Not-Track Online Act of 2013 is a good place to start. Yet whatever legislation is enacted should provide for both a consumer right of action and FTC enforcement powers to protect consumers.