Web standards body proposes universal 'do not track' system

Out-Law News | 15 Nov 2011 | 4:11 pm | 3 min. read

The body responsible for making sure components of the world wide web work together has published plans to help create a universal 'do not track' mechanism in web browsers that would give users control of their privacy settings across all sites.

The World Wide Web Consortium (W3C), which is responsible for ensuring that web technology is based on an agreed set of technical standards, has outlined how publishers must treat users who demand that their online activity not be tracked.

Under the 'do not track' (DNT) system, web publishers will have to avoid using data about a user's use of a site when deciding what content or adverts to show that user.

The W3C's proposals, which are currently at draft stage, could meet demands made by the European Commissioner for the Digital Agenda, Neelie Kroes. In June, Kroes called for a DNT standard which would allow individuals to know what companies commit to if they honour the standard and to know exactly what compliant companies do with the information they gather through tracking.

"If the operator of a first party domain receives a request to which a DNT header is attached, that operator must not transmit behavioural tracking data in identifiable form about that user to a third party with the intention or knowledge that the third party shall store and use the data in a way that links that data to other information about a specific person or device, unless that operator has received the affirmative, informed consent to be tracked and such consent has not been subsequently rescinded," said a draft of the standard being worked on by the W3C.

Sites will be able to ask users to suspend the DNT mechanism in relation to that particular site only, but must respect the user's wishes if they refuse, the draft said. This can only be done by separate "affirmative, informed consent", it said.

Under the plans, publishers would not be able to use previously-gathered information about visitors if, on subsequent visits, they are using a browser with DNT settings activated.

The specific DNT standards have still to be finalised, but the W3C said that it may require "compliant servers [to] provide a machine-readable site-wide policy that indicates how they honour DNT, what sites are considered the same brand, and links to resources for providing site-specific exceptions to DNT or editing collected tracking data".

If publishers do continue to monitor the behaviour of users despite active DNT settings they will have to inform them. In some circumstances a "tracking response header" could appear that informs users who have enabled DNT when their online activity is continuing to be tracked, W3C said.

"Users expect to be able to see whether a DNT [request] header is accepted, rejected, or sent into the void ... The [returned] header could say 'I see that you say DNT, but I am tracking you for the following reasons'," the draft plans said.
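The rules quoted from the draft (no identifiable sharing with third parties under DNT, site-specific exceptions by consent, no reuse of previously gathered data, and a response header reporting the outcome) can be expressed as one server-side decision function. This is an added example, not code from the W3C draft or from this article: the function and field names are hypothetical, `DNT: 1` is the request header browsers send, and the `Tk` response header with its `N` and `C` values is taken from later W3C Tracking Preference Expression drafts as an assumption, since the draft described here does not name it.

```javascript
'use strict';
// Added example, not from the W3C draft; all names below are hypothetical.
const IDENTIFYING_FIELDS = ['visitorId', 'cookieId', 'ip']; // assumed identifier fields

// HTTP header names are case-insensitive, so compare in lower case.
function dntEnabled(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'dnt') return String(value).trim() === '1';
  }
  return false; // header absent: no preference expressed
}

// consent: Map of visitorId -> { granted, rescinded }, recorded for this site only.
function trackingDecision(headers, visitorId, consent) {
  if (!dntEnabled(headers)) {
    // Outside the quoted rule; the site's normal policy applies (assumed permissive).
    return { dnt: false, shareIdentifiable: true, useStoredProfile: true, tk: null };
  }
  const record = consent.get(visitorId);
  const hasException = Boolean(record && record.granted && !record.rescinded);
  return {
    dnt: true,
    shareIdentifiable: hasException, // only with affirmative, unrescinded consent
    useStoredProfile: hasException,  // earlier-gathered data is off limits too
    tk: hasException ? 'C' : 'N',    // assumed Tk values: C = consent, N = not tracking
  };
}

// Strip identifiers from an event before it leaves for a third party.
function thirdPartyPayload(decision, event) {
  if (decision.shareIdentifiable) return { ...event };
  return Object.fromEntries(
    Object.entries(event).filter(([key]) => !IDENTIFYING_FIELDS.includes(key)));
}

// Tell the user what happened to their DNT request.
function responseHeaders(decision) {
  return decision.tk ? { Tk: decision.tk } : {};
}

// Constructed sample: one visitor with a site-specific exception, one who rescinded it.
const consent = new Map([
  ['v2', { granted: true, rescinded: false }],
  ['v3', { granted: true, rescinded: true }],
]);
const event = { visitorId: 'v1', ip: '192.0.2.10', page: '/news/dnt' };
const decision = trackingDecision({ DNT: '1' }, 'v1', consent);
console.log(decision, thirdPartyPayload(decision, event), responseHeaders(decision));
```

A rescinded consent record falls back to the DNT default, matching the draft's condition that consent "has not been subsequently rescinded".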

Websites and third-parties, such as advertisers, often like to record users' online interaction in order to serve personalised content, such as adverts, based on that recorded information. Websites can use a number of methods to collect user-specific data, including through the use of 'cookies' - small text files that remember users' activity on websites. Operators sometimes pass on information stored in cookies to advertisers in order that they can serve behavioural adverts based on users' activity and apparent interests.

Standards are agreed technical specifications to ensure that a single technology is used across an industry, often with the goal of achieving interoperability of products regardless of the manufacturer.

"The goal of this protocol is to allow a user to express their personal preference regarding cross-site tracking to each server and web application that they communicate with via HTTP, thereby allowing each server to either adjust their behavior to meet the user's expectations or reach a separate agreement with the user to satisfy both parties," the W3C's draft proposal said.

"Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control," it said.

W3C said it hopes its DNT standards will be in operation from the middle of next year and that they will provide an "exceedingly straightforward" way for internet users to control their privacy.

"Using the internet by definition involves the exchange of data across servers; the web cannot exist without it," W3C's draft proposals for compliance said.

"In addition, commerce and the commercialization of content on the web often involves personalization of both content and advertising by websites, their advertisers, and their partners. Given the realities of this environment, this standard seeks to provide an exceedingly straightforward way for users to gain transparency and control over data usage and the personalization of content and advertising on the web," it said.