Do Not Track Gets Thumbs Down from EUBy: Richard Beaumont | Thursday, June 12, 2014 | Tagged: Do Not Track, Article29 WP, Cookie Law | Leave Comment
Efforts to create a standard for Do Not Track (DNT) browser requests have been going on for many years now, but just as the technical issues look like coming to an end, the real questions about its effectiveness for privacy are as unresolved as ever.
The DNT technical standard – that defines what messages pass between browser and server, and what they mean, is out for a public consultation, after the committee who have spend 4 years and more creating it put out a final call.
The Article 29 Working Party (WP29) – the influential body made up from representatives of the EU Data Protection Authorities, has sent a letter under that consultation that basically says as far as they are concerned, it has been a waste of time.
When the EU cookie law was written up, it included a clause, known as Recital 66, specifically written in anticipation of the DNT standard, which was then in its early stages. It says:
Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.
Which basically means that compliance could be achieved through something like a DNT mechanism, as long as it is aligned with the consent requirements of the cookie law.
In their letter, the WP29, expressed concerns over a number of points of the specification, but ultimately it boils down to the fact that compliance with DNT as it is defined in the standard, does not meet the requirements of the cookie directive.
For my money the key reason for this is that DNT on its own has no effect, can be easily ignored without the user being made aware of it, and leaves the website in final control of how it responds. As the letter states:
“..the Working Party would like to note that, in order to put the user back into control, any tool for managing consent should be implemented at the user agent level.”
The ‘user agent’ here is tech-speak for the browser.
Ultimately this means the website must act on the DNT request in order to comply with the cookie rules – but because there is too much room for misinterpretation of the preference being expressed, a DNT-standards compliant response, is no guarantee of cookie law compliance.
This leaves website owners exactly where they are now – they have to implement a mechanism to respond to a consent preference. The hope expressed in Recital 66 – that a consistent mechanism for compliance could be achieved through changes to a small number of browsers, rather than in-consistent changes to a large number of websites, will not be fulfilled by the DNT standard.
This fact will not surprise anyone following the progress of DNT. It has been fraught with difficulties and intractable differences of opinion. Hardly surprising when a stronger standard would have created a threat to the core business model of a powerful lobby group, the online advertisers doing the majority of tracking. Questions about the long term viability or desirability of that model have been ignored or swept under the carpet. How much longer can that continue?