http://www.nytimes.com/2012/09/16/technology/in-microsofts-new-browser-the-privacy-light-is-already-on.html
September 15, 2012
When the Privacy Button Is Already Pressed
By NATASHA SINGER
IT could usher in a new era of online privacy. Or it might bowdlerize the Internet as we know it.
Then again, it might do almost nothing at all.
The item in question is Microsoft's latest version of its Internet Explorer browser, scheduled to be available to consumers in late October, packaged with Windows 8. The browser comes with an option called "do not track." It lets users indicate whether they'd like to see ads tailored to them by companies that track their online browsing histories -- or whether they'd rather not have their online activities tracked, recorded, analyzed and stored for marketing purposes.
Of course, browsers like Firefox from Mozilla, Safari from Apple and even an earlier version of Internet Explorer already offered this choice for people who expressed a preference. But Microsoft is going further -- by making privacy a more public issue. The new Internet Explorer 10 comes with the don't-track-me option automatically enabled, a fact that the software makes clear. During installation, a notice will appear giving users the choice to keep that preselected don't-track-me preference as is, or switch it off on a customization menu.
It's a radical move for a technology company, especially one like Microsoft, with an ad business of its own.
"No one says today, when a consumer first loads a product, 'Hey, by the way, there are some privacy choices you may want to consider,' " says Alex Fowler, the global privacy and policy leader at Mozilla. He believes that this may be the first time that privacy features so prominently "in the first-run experience of a consumer software product."
Right now, however, people who raise the do-not-track flag are making a mostly symbolic choice, having their browsers send out a preference signal. Web sites that receive the signal can honor it -- or simply disregard it.
Over the last few years, as tailored ads have become more personal and persistent -- often pursuing users around the Web with pitches for products they recently viewed but elected not to buy -- many consumers have sought ways to navigate an advertising system that can seem too close for comfort. To increase people's options, the Digital Advertising Alliance, an industry group, publicly introduced a self-regulatory program in 2010, and more recently an updated consumer site, youradchoices.com. It explains how behavioral advertising works and gives consumers the choice to opt out of the practice by the group's members.
But now major browsers are flexing their muscles with an alternate option, the do-not-track button, hoping to gain traction with consumers who want to manage their Internet experience on their own devices.
"There is vast consumer awareness and concern about privacy," says Fatemeh Khatibloo, a senior analyst in customer intelligence at Forrester Research. "If a browser can differentiate itself by saying 'we provide you better privacy tools,' I think they'll increase adoptions."
But the specter of people opting out of tracking en masse presents a serious risk for marketers.
Consumer data, marketers say, is the fuel that powers the Internet, driving ads that support free content and e-mail services, search engines and social networks. If millions of consumers opted out of behavior-based advertising, industry representatives argue, many ad-sponsored sites could shut down or put up pay walls for people who elect not to see the ads. Internet Explorer 10 is only heightening their concerns. Because consumers tend not to change preset technology options, advertisers worry that the browser could shift millions of people to the do-not-track category.
"That would drastically skew the economic model underlying the Internet," says Stuart Ingis, counsel to the Digital Advertising Alliance. "The choice is the Internet as we know it, or a much smaller, cannibalized Internet where you don't have the diversity."
Developers at Apache, a popular Web server, have also objected, saying that Microsoft's default setting may not convey a user's specific intent. They have introduced an update that may cause some sites to ignore what they view as a "presumptive" do-not-track flag.
Erica Harbison, a spokeswoman for Microsoft, said company executives were unavailable to comment for this column. She referred me to company blog posts on the topic.
At the moment, however, advertisers' concerns are mainly theoretical.
The do-not-track browser option is still an emerging concept. Last year, an international standards body called the W3C, or World Wide Web Consortium, created a working group to standardize the technology for do-not-track systems. But marketers and privacy advocates are at odds over even the definition of "do not track." Does it mean "do not show personalized ads to a particular user"? Or does it mean "do not collect information about a person's browsing history"? There is also disagreement over how sites should acknowledge and respond to the signal.
Still, the likelihood of millions of consumers choosing that option has provoked a fierce debate.
Industry representatives say privacy advocates have skewed the conversation from the outset, by using Big Brother-y terms like "do not track," when they view the choice for consumers as between seeing relevant ads or generic ads. They add that the process shouldn't scare consumers. To create interest-based ads, they say, ad networks and analytics companies assign people anonymous code numbers and simply record things like the sites they visit and the search terms they enter.
"Somebody knowing anonymously that a number that they can follow on the Web likes swimming, to me that is not a privacy breach," says Chris Mejia, director of the ad technology group at the Interactive Advertising Bureau, an industry association.
But Jonathan Mayer, a graduate student in computer science at Stanford who has studied online tracking, says there is cause for deeper concern. For him, the issue is not behavior-based ads, but the data-mining necessary to produce them.
For instance, Mr. Mayer says, consumers may not be aware that when they visit a site, dozens of entities, like analytics companies and data aggregators, may be operating on that page, collecting online information about them, and amassing those details for advertising purposes. Moreover, he says, those entities could potentially have access to screen names or e-mail addresses that might be used to re-identify people.
"Are you creeped out because you are seeing more relevant ads?" he says. "Or is the concern that some company you don't do business with and may not trust is learning an awful lot about you and using it to show you ads?"
Early last year, Mozilla introduced its do-not-track feature. Now, among the 450 million people who use its desktop browser, 11 percent have turned it on, Mr. Fowler says. Among people who use Firefox on Android phones, adoption is even higher: 18 percent.
"It is a huge number," he said. "If you're receiving millions of these signals every day, it reaches critical mass and they can't ignore it."
Indeed, while the working group is still sorting out the global standards for the system, a few major sites like Twitter have worked out their own arrangements with Mozilla to honor its do-not-track signal.
E-mail: slipstream@nytimes.com.