Opt-in is no red herring…

Briefly, very briefly, Microsoft looked like being surprising but serious ‘good-guys’ in relation to Internet privacy. They announced that Internet Explorer 10 would be launched with ‘do not track’ set as ‘on’ by default. That is, that out of the box (or more likely when downloaded), Internet Explorer would be set to prevent tracking by behavioural advertisers. When I read the story, I was shocked, momentarily delighted, and then instantly cynical… and the cynic ended up being right, because within a week, and before it was launched, action was taken to stop it happening.

As Wired reported it, the new draft of the Do Not Track specification, less than a week after Microsoft’s announcement, required that the system be set to ‘opt-out’, rather than ‘opt-in’: users must make a specific decision NOT to be tracked, rather than a specific decision to allow tracking. The idea of Microsoft as heroes of privacy died a quick and sadly unsurprising death…

Why did this happen?

…and why does it matter? Well, I’ve banged on a large number of times about the importance of ‘opt-in’ – partly because I’m in general an ‘autonomy’ person, who likes the idea of us having as much freedom of action as we can, and partly because I understand the importance of defaults. Defaults matter. They really matter. From a philosophical perspective they matter because they suggest (and even sometimes set) the norms of the society. Is our ‘norm’ that we’re happy to be tracked and surveilled? That’s what setting the default to ‘opt-out’ means. It means that ‘normal’ people don’t mind being tracked, it’s only extremists and privacy geeks that care, and they’ll find their way to turn the tracking off. I don’t know about the rest of you, but that’s a norm I don’t want to accept!

More importantly, perhaps, they matter for a simple, practical reason: because the majority of people don’t ever bother to change their settings – so what they’re given to start with is what they’ll stick with. The internet advertisers know that, and know that very well, which is why Microsoft’s initial announcement must have sent shivers down their spines – and why they made sure that it was quickly and relatively quietly killed. They don’t want ‘normal’ people to avoid being tracked – or even to think about whether they’re being tracked, or about the implications of their being tracked.

Opt-in is NOT a red herring

At a few conferences recently I’ve been told that opt-in is a red herring, that it doesn’t matter, and that only old fuddy-duddies who really don’t ‘get it’ still care about it. At a Westminster e-Forum, the panel basically refused to answer my question about it, and tried to get the audience to laugh rather than respond. There have been good pieces written about the down side of opt-in – most notably ‘opt-in dystopias’ by Lundblad and Masiello (which you can find here), and it cannot be denied that opt-in is far from a panacea. We all know that when given terms and conditions we generally just scroll through them without reading them and just click ‘OK’ when we’re asked.

That, however, does not mean that we should abandon the idea of opt-in: it just means that we should be more intelligent and flexible about it. Find a way that emphasises the important bits about something rather than giving us page after page after page of mind-numbing legalese. Use the interactive and user-friendly nature of modern software to make the process work better – rather than make it work so badly that people ignore it.

The advertisers and others who want to track us understand this very well – and they’re almost certainly delighted that to an extent they’ve managed to shift the discussion away from the opt-in/opt-out agenda, and that they’ve managed, to a great extent, to pull the wool over the eyes of even some very experienced and quite expert privacy activists, getting them to accept the advertisers’ own agenda. We should not let this happen.

Defaults matter. Opt-in matters. This little story with Internet Explorer shows that the advertisers know this. Those of us working in the privacy field should remember it too.

11 thoughts on “Opt-in is no red herring…”

  1. Let me explain ..Micro$oft is one of the largest (if not the largest) behavioural tracking companies. They cannot launch a product that bluntly blocks all competitors in the field, especially in the EU.. so, they are providing the customer with the option instead – the result will be, of course, that the licensee will be filed by M$ and M$ only. Oh the bliss..

    • Of course one should never trust Micro$oft without a long, hard look, but as I understand it, the way DNT is intended to work, you can’t choose which advertisers can track you and which can’t – at least not with the default as it was going to be set. Microsoft might well have planned it to block their competitors, but by doing so they would have blocked their own tracking too….

  2. Have to agree with you. Opt-In is IMO the way to go. Defaults do matter and in this day and age “what’s wrong with doing the right thing when no one is looking”. And yet it seems that everyone just wants the status quo.

    • The other thing about opt-in is that it means the trackers have to convince you that tracking you will benefit you in some way… and the best way to start that process is to make sure that it DOES benefit ppl. Does it? If so, then surely advertisers, as masters of communication and persuasion, should be able to convince us to opt in…

  3. The specification for DNT has always been about expressing a user’s choice, since long before the WG even started. The standards group formally made that decision in October. Any voluntary standard requires incentive for industry to adopt, and in this case the incentive is that the user has made a choice and nobody wants to upset the user. The entire design of this protocol depends on it being an explicit choice by the user. Sending “DNT: 1” in every message is just an extra eight bytes added to the trackable data — it does not improve privacy on its own. The only way that DNT can improve privacy is by convincing each service that it is in its own best interests to turn off tracking. Broken defaults do not improve privacy; they only hinder deployment.

    This does not in any way preclude opt-in. The default for tracking, when no header field is present, depends on the user’s context (like where they are browsing from, account settings, opt-out preferences, etc.). In Europe, for example, the default is opt-in before tracking. Setting defaults like that, for all users that happen to use the Web, is the job of representative governments, not self-selected privacy advocates and self-interested corporations.

    If opt-in is the default, then sending DNT is just a waste of bytes. In any case, it would never make sense to send the DNT header field when the user has not made an explicit choice, since the only thing the header field accomplishes is expressing a choice.

    • Many thanks for that – you’re clearly far more expert than I am on the technical side of things. What you say does remind me, though, of all the inherent weaknesses of a voluntary rather than statutory regime (though statutory regimes have their own downsides!). I’m waiting (though not with bated breath) for the dust to settle on the reality of Do Not Track…

      …but none of that detracts from the primary points I was trying to make, about the power of defaults and the reason that opt-in isn’t a red herring. Those of us who advocate for privacy need to remember that…

    • ‘the only thing the header field accomplishes is expressing a choice’ ..that is exactly what Paul is saying, and the default should be the choice of the user (how many users do you know that are willing to be tracked?).

      As for governments to decide, the whole personal tracking business (not including individual tracking or surveillance) was not developed by governments (taking advantage of the setup afterwards is another issue), it was developed by corps with targeted advertising in mind. I am however willing to accept that the way things have progressed the govs are in too deep to back down now. And this is where the law fits – or at least we’d like it to fit.

      Those extra bytes are completely useless anyway without the law obliging, at least, the private sector into complying with a general framework, they are a mere handshake if you may, they do not nullify any options of any script on the other side per se; they are powerless unless the script is given precise instructions by its maker to run a certain way post-handshake.

      Maybe my perception is distorted ..?

  4. Paul,
    Microsoft’s announcement has re-energised the debate about tracking. The behavioural advertising lobby have been shaken out of their cozy state of triumphant smugness, and their outraged reaction to it has betrayed their true agenda. Their affected concern about choice is simply to protect their own preferred default.
    Of course the European approach of prior consent is far clearer and, because it is verifiable, more enforceable, but the legal and political establishment here seems to be determined to wimp out or undermine it.
    The problem is that doing something about secret tracking and trade in personal data requires an understanding of technology that the policy makers just do not have. The tracker lobby and their supporters have the technical knowledge but use it simply to protect the status quo and obscure the issue.
    Some technologists have used their knowledge to help the privacy cause but are routinely undermined and misrepresented, and in the finance and service sector dominated UK do not have the commercial weight to influence events.
    Good for Microsoft for tossing this brick in, we need a few waves, and it really does not matter what yet another confusing draft from the advertiser dominated W3C DNT committee says.

    • Thanks Mike – I do hope the debate can be re-energised, because frankly I found it a bit depressing that some privacy advocates and academics had apparently accepted the shift towards opt-out, believing the ‘red herring argument’….
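
The header semantics discussed in comment 3 and its replies (`DNT: 1` as an explicit choice, a context-dependent default when the field is absent, and a signal that only matters if the receiving service acts on it), sketched as server-side logic. This is an added example, not code from the post or from any commenter; `REGION_DEFAULTS`, `parseDnt`, `resolveTracking` and `storedConsent` are hypothetical names, and the region table is constructed for illustration.

```javascript
// Default regime per region when no preference is sent (constructed table).
const REGION_DEFAULTS = new Map([
  ["EU", "opt-in"],  // no tracking before the user consents
  ["US", "opt-out"], // tracking unless the user objects
]);

// Read the DNT field as a tri-state: "1", "0", or null for "no preference".
function parseDnt(headers) {
  // HTTP field names are case-insensitive.
  const name = Object.keys(headers).find((k) => k.toLowerCase() === "dnt");
  if (name === undefined) return null;
  const value = String(headers[name]).trim();
  // Anything other than exactly "1" or "0" is treated as unset (assumption).
  return value === "1" || value === "0" ? value : null;
}

// Decide whether this request may be tracked, and record the basis.
function resolveTracking({ headers = {}, region, storedConsent = false }) {
  const dnt = parseDnt(headers);
  if (dnt === "1") return { track: false, basis: "header: DNT 1" };
  if (dnt === "0") return { track: true, basis: "header: DNT 0" };
  // No expressed choice: fall back to context. Unknown regions fail closed.
  const regime = REGION_DEFAULTS.get(region) ?? "opt-in";
  if (regime === "opt-in") {
    return storedConsent
      ? { track: true, basis: "stored consent" }
      : { track: false, basis: "default: opt-in" };
  }
  return { track: true, basis: "default: opt-out" };
}

// Constructed sample requests covering each branch.
const samples = [
  { headers: { DNT: "1" }, region: "US" },
  { headers: {}, region: "US" },
  { headers: {}, region: "EU" },
  { headers: {}, region: "EU", storedConsent: true },
  { headers: { dnt: "yes" }, region: "ZZ" },
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(resolveTracking(s)));
}
```

An absent or malformed field is not the same as `DNT: 0`: only the last two branches depend on the default, which is where the opt-in versus opt-out argument in the post applies.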
