Neelie KROES
Vice-President of the European Commission

Why we need a sound Do-Not–Track standard for privacy online

This really is privacy and data protection week! In Brussels there is the Computers, Privacy & Data Protection conference, and the Commission is soon adopting its proposal for a reform of the European Data Protection legal framework (which I wrote about here). So today, a blog on how I want to ensure privacy and user control when you're browsing online: in particular, a standard known as "do not track" (DNT) that I hope will have a big role to play in the future of online privacy.

First a bit of background: what is "do not track", and why is it so important? You might be familiar with the EU's e-Privacy directive. It was amended in 2009 and was to be implemented in national law by May last year. Some have termed it the "Cookie directive". But in reality it goes beyond cookies: it is a directive to protect us against all kinds of malware and spyware, to ensure the confidentiality of your electronic communications, and to outlaw automated unsolicited marketing phone calls and spam sent without the consent of the receiver.

The part which relates to cookies – Article 5(3) – means that providers need to obtain your consent to place or access cookies or other information on your computer or smartphone, unless it is strictly necessary for a service you have already asked for. So if you log in to a web service, the cookie that remembers that you are logged in is fine – and indeed this makes our lives a whole lot easier online. But a cookie that is used to build a profile of what you are doing online is less OK: it might mean that your web surfing over time (searches, web pages visited, the content viewed, etc.) is tracked, for example in order to match ads against your interests as determined from the profile. The use of such cookies requires your consent.

Applying this in practice is not easy. Not all Member States have yet transposed the e-Privacy directive into national law, despite the May 2011 deadline to do so. And while some of the national authorities responsible for enforcing the rules have already provided guidance, others haven't. So there are sometimes different interpretations, or even confusion, about what the rules mean and how to comply with them.

How can we address this problem? The industry has set up a self-regulatory initiative on online behavioural advertising. However, European data protection authorities have recently confirmed my view that this code alone, while certainly contributing a lot to transparency, will not solve the issue, being inherently limited. Others have started to offer various tools or services they say help businesses to comply with e-Privacy obligations on cookies (just to pick some random examples: here, here or here). While it is not for me to endorse any particular tool or service, I applaud this overall development, which is bringing some genuine innovation; but it still leaves something to be desired, because not all such tools are based on the same interpretation of the law and, more importantly, the diversity of resulting approaches taken by websites could confuse users.

Enter do-not-track (DNT). A global DNT standard would describe the technical details of a "signal" that users can send to providers via their online equipment, including their web browser. The signal indicates their preferences regarding tracking. For example, if I wanted to help advertisers send me more relevant ads, I would signal that being tracked is OK with me. On the other side, the standard would also set out how providers need to react to the signal, i.e. make clear what DNT users will expect to happen. This would help businesses because they could read the signal and thus know whether they have the user's consent or not. Current browser settings don't allow for this – they do not systematically communicate to the provider what the user has decided. That's like just throwing junk mail in the bin – when what you should be doing is letting the sender know that you don't want any more.

But the important thing is that it makes it clear and simple for companies to comply with the law – and to send a straightforward signal to users that their company is compliant and trustworthy. Plus, it makes it easy for consumers to let providers know what they want – and take control over what gets known and recorded about them by others online. Even better, once the standard is out there, tool makers can dream up new ways to make the use of DNT yet more simple, easy and intuitive to understand, e.g. in a web browser or on your phone. There could also be new certification schemes that make it easier for companies to differentiate themselves, and for users to deal with those that respect their privacy preferences.

Back in June I called on the industry and stakeholders to get to the table and agree a standard for do-not-track within a year. The work started shortly after – and so far seems to be going well; I will be getting an update shortly, when we are hosting a meeting of the W3C's "Tracking Protection Working Group" in Brussels. This is important because I am not pushing for just any DNT standard, but for a standard that I could endorse: one that is rich enough, in substance, to signal that users' right to online privacy is respected by companies who implement it. This is not a simple task, in particular as the underlying legal privacy frameworks differ across jurisdictions, and I am happy to see that the W3C has assembled an impressive group of experts to get it done.

With this in mind, I am convinced that DNT can become a very successful standard, along with the other standards that have made the web what it is today: global, open and interoperable, and in keeping with the generative end-to-end principle that has made the web such a phenomenal success. This is about empowering the citizen, by putting control in the hands of the user in a way that is fair and transparent.

Along with us at the Commission and in Member State authorities, our colleagues in the United States also continue to take a keen interest in the work. Authorities on both sides of the Atlantic need to be vigilant that the effort is not derailed by special interests who may see short-term commercial advantages in preserving the current – but unsatisfactory – status quo. So I look forward to news about a rich and sound DNT standard that really makes it easy to comply with privacy laws – a standard that everyone wants to use and is able to use. That will be in the interests of all consumers, and all businesses that want consumers to trust them.
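To make the "signal plus provider reaction" idea concrete, here is an added example (not code from the post or from the W3C working group) of a minimal WSGI application that reads the browser's DNT request header and sets only the cookies the signal allows: the login-session cookie that Article 5(3) treats as strictly necessary is always set, while the profiling cookie is set only on an explicit DNT: 0. It assumes the header name DNT with values 1 (do not track) and 0 (tracking OK) and the Tk response header from the W3C Tracking Preference Expression draft; the cookie policy table is constructed for the example.

```python
from wsgiref.util import setup_testing_defaults

# Cookie policy for a hypothetical site (constructed for this example).
# "necessary" cookies support a service the user asked for (e.g. a login
# session); "profiling" cookies build an interest profile and need consent.
COOKIE_POLICY = {
    "session": "necessary",
    "ad_profile": "profiling",
}


def tracking_preference(environ):
    """Map the DNT request header (exposed by WSGI as HTTP_DNT) to a preference.
    '1' means do not track, '0' means tracking is OK, anything else is unset."""
    value = environ.get("HTTP_DNT", "").strip()
    if value == "1":
        return "no-track"
    if value == "0":
        return "track-ok"
    return "unset"


def cookies_to_set(environ):
    """Return the cookie names this request may set. Profiling cookies are only
    set on an explicit DNT: 0; an absent header is not consent."""
    pref = tracking_preference(environ)
    return [name for name, kind in COOKIE_POLICY.items()
            if kind == "necessary" or pref == "track-ok"]


def tracking_status(environ):
    """Tk response header value from the W3C TPE draft: N = not tracking,
    C = tracking with the user's consent. Sent so the reaction is visible."""
    return "C" if tracking_preference(environ) == "track-ok" else "N"


def app(environ, start_response):
    headers = [("Content-Type", "text/plain; charset=utf-8"),
               ("Tk", tracking_status(environ))]
    for name in cookies_to_set(environ):
        headers.append(("Set-Cookie",
                        f"{name}=example; Path=/; HttpOnly; SameSite=Lax"))
    start_response("200 OK", headers)
    return [f"DNT preference: {tracking_preference(environ)}\n".encode()]


if __name__ == "__main__":
    environ = {"HTTP_DNT": "1"}  # constructed request: user opted out
    setup_testing_defaults(environ)
    app(environ, lambda status, hdrs: print(status, hdrs))
```

Treating a missing header as "unset" rather than as consent is the important edge case: the post's point is that consent must be signalled, so the absence of a signal cannot be read as permission to profile.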

Comments

  • b. kantartzis

    Dear Mrs Kroes, I fully support your opposition to the US SOPA and PIPA acts. The main reasoning behind my support is as follows. If the US government wants to control access to internet content in their sovereignty, that is their right (debatable, but for the sake of argument please accept it). But infrastructure that resides on US soil to control internet access worldwide is, to me, unacceptable. If they want to prosecute foreign citizens, the existing legislation is adequate. If the existing legal frame is not "fast enough" for companies and media corporations of US interest, let me ask the following question if I may. Suppose there is a case of piracy related to content of EU interest (European movie, song etc.) in the States: will the US government act with the same zeal and passion? Respectfully, Billy Kantartzis, IT consultant
  • Pete

    Shame on you. You failed to protect EC citizens from DPI surveillance (by Phorm, Experian Hitwise, Bluecoat, and others). Now you want EC citizens to be compelled to opt out of mass communications surveillance?
  • Carl-Christian Buhr

    1. In fact the Commission took action to ensure privacy rules were enforced by EU Member States, e.g. with regard to Phorm's technology: http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/570. 2. Nobody is or will be "compelled" to opt in or opt out. This is about ensuring transparency and giving choice and control to users.
  • Pete

    @Carl-Christian Buhr No Carl... 1. The truth (and you know it) is that the European Commission and the UK Government have done nothing. In fact, the EC even dropped the case against the UK Government in recent days, without taking any action *whatsoever* against the UK Government or British Telecom/Phorm. 2. DNT (do not track) is an opt-out technology. DNT compels users to opt out of mass communications surveillance. If it was an opt-in technology it would perhaps be called PTM (please track me) and users would set it to indicate their willingness to accept communications surveillance. But it isn't. Regards, Pete
  • David

    I am broadly in favour of the DNT mechanism, but its implementation could seriously damage our ability to enjoy the variety of online content we do today. For many freely available sites advertising revenue is critical; if DNT is implemented in such a way that the mass populace opts not to be tracked, then many of these sites will either have to charge for the content or simply disappear. Another way to look at online profiling would be to think of it as providing relevant content to people. I think the average Internet user would prefer to see ads for things they may actually be interested in rather than random ads of little or no interest. There are certainly elements within the digital advertising community which require control. The elimination of malvertising would be welcomed by all, I am sure, but please remember that as an industry (and I confess to being part of it) we consist in the overwhelming majority of professional companies demanding a high standard of ourselves. Please bear that in mind and select a DNT solution which offers consumer protection without damaging content variety or an industry.
  • Mike

    Dear Mrs Kroes, The standard is done: http://dnt.mozilla.org/ Also, please make this an opt-in thing, I don't want to have to opt out. -M
  • Mike O'Neill

    The W3C DNT standard ensures that, even after you have discovered how to set the DNT indication on your browser, the websites that want to track you can make your browser bombard you with requests to change your mind. Many people will get so fed up with this they will switch DNT off. This is because the W3C committee is dominated by the commercial interests that profit from behavioral advertising. Mozilla gets 90% of its income from Google, Yahoo gets significant revenue from BA and increasingly also MS. The EU DP laws are far clearer and more workable than the commandeered DNT initiative. We Europeans do not need to pander to it.
  • cyberdoyle

    RT @ruskin147: http://lew.io/headers.php Well @O2 promising to come back on whether it gives your number to every website you visit - but it worked for me Is that going on everywhere, bit scary if it is...
  • Marcus Stafford

    DNT is a good idea but relies completely upon sites to comply. The sort of companies who would wilfully invade someone's privacy are unlikely to willingly conform to a DNT request. In fact they may make it difficult to use a site with DNT turned on by using popups, hidden content etc.
  • Anonymous

    Do you have any video of that? I'd care to find out some additional information.
  • David

    I agree that it should be more straightforward for users to initiate a private browser session in which every cookie-based website should ask permission to store the browser's data.
  • Matthew Kirsch

    I have actually called for this in a law review article, and argued that a do-not-track is by far the most effective way to guarantee compliance with the various directives and constitution. http://jolt.richmond.edu/v18i1/article2.pdf
  • Ramūnas Bruzgys

    Good job Matthew!
  • Peter Cranstone

    Dear Mrs Kroes, Would it be possible to show you a demonstration of a browser solution that not only includes support for the DNT header but also extends the levels of privacy far beyond what is already being talked about? It meets all of your guidelines and already supports "Regional Privacy" with full encryption of the user's data. It allows the user to make a choice in how, and with whom, they share their data, and it fully supports all IAB policy initiatives. Finally, it's fully compliant with all current Internet standards and is designed for easy integration into all current web services. Kind regards, Peter Cranstone 3PMobile
  • Peter

    Please host the "grids-min.css" file you currently link to yahooapis.com on europa.eu's own servers; it's BSD-licensed
