On or off? Setting Defaults for Privacy Online

How should software companies set the default privacy settings on their products? Microsoft’s announcement last week that the next version of its Internet Explorer web browser will ship with its “Do Not Track” functionality switched on has sparked a lively debate on this very issue. 

“Do Not Track” is a technological standard being implemented in all major web browsers that allows users to tell web sites, advertising networks, and other online service providers not to track their web surfing activities. “Do Not Track” accomplishes this by sending out a small packet of information to participating websites to inform the site that the user does not wish to be tracked.

It probably comes as a surprise to most Internet users (and to most readers of this blog) that a single website, or an advertisement or social media plug-in appearing on that site, can track all of a user’s online activities for days, months, or years afterwards. The very fact that most Internet users have no idea that companies are able and willing to track all of their online activities should inform how software companies, including browser developers, set the default privacy settings in their products.

The academic literature on law and economics makes a strong case for setting default rules in whatever way the parties to a relationship – and especially the stronger party – do not want, because it forces the parties to reveal information that might otherwise not come to light. Given the ignorance of even savvy Internet users about the pervasiveness of online tracking, the case for switching “Do Not Track” on by default is overwhelming, because it confronts users with an option they currently don’t know that they have, which is the option not to be tracked.

In their response to Microsoft’s announcement, Sid Stamm and Alex Fowler of Mozilla explain that the Firefox browser does not switch “Do Not Track” on by default because Mozilla assumes that users have not made a choice about online tracking one way or another. Mozilla’s decision appears to be based, at least in part, on the fact that unlike other privacy-enhancing technologies, which are passive, “Do Not Track” requires a user to “broadcast” their preferences, since the technology works by sending out signals on whether the user intends to be tracked.

Mozilla’s decision not to switch “Do Not Track” on by default might be defensible if the Firefox browser asked the user to make a choice on “Do Not Track” the first time it is run, as it does with regard to making itself the default browser.

But this is not how Mozilla has decided to implement “Do Not Track” in Firefox. Instead, users must go to the “Preferences” option in the “Firefox” menu, navigate to the “Privacy” tab, and then select the “Tell websites I do not want to be tracked” option. How many Firefox users will know to do this, given that most Firefox users (like most Internet users) have no idea they are being tracked in the first place?

To be sure, there is not enough time in the day for a web browser to seek the affirmative consent of the end user to every little thing that happens to a user online. This is why Firefox, like every other browser, ships with a wide variety of default settings, from search engine (Google) to cookie acceptance (yes) to blocking suspected phishing sites (yes). And although Mozilla tries to draw a distinction between privacy technologies that do or don’t “broadcast” information about a user’s privacy settings, this is a distinction without a difference, because Firefox currently broadcasts all kinds of user preferences to web servers (including browser version, operating system, and screen resolution) by default.

The bottom line is that by leaving “Do Not Track” switched off by default on the theory that Firefox users have not affirmatively opted into it, Mozilla is subjecting its users to an online tracking system that the vast majority of them don’t even know exists. This is not a default that promotes choice, but one that makes a sub-optimal choice for users who don’t know they have one.

Editor’s note: Foley Hoag served as the independent auditor for Microsoft Corporation during Phase II of the Global Network Initiative’s implementation process.

2 thoughts on “On or off? Setting Defaults for Privacy Online”

  1. “Do Not Track” works on participating websites.
    “Do Not Track” gives internet users the IMPRESSION that their privacy is respected, while on most websites it is NOT — particularly on the most concerning ones. Doesn’t that make it worse? It lures us into feeling all safe.

  2. Thank you for your comment. I agree with you that Do Not Track is far from a complete solution to privacy concerns on the web, since websites are under no obligation to honour an individual’s Do Not Track preferences. That being said, I think that Do Not Track can be rolled out in a way that enhances both user privacy and user awareness of the privacy risks of their online surfing activities. The key is transparency and communication with users. My ideal web browser would show me an icon similar to the HTTPS lock icon that indicates that the website I am visiting respects my Do Not Track preferences. Similarly, my ideal web browser would display a different symbol when I am visiting sites that do not respect Do Not Track. I would urge browser developers to implement this functionality to their programs. Until that happens, however, I think that switching on Do Not Track by default does more harm than good — particularly given the very low levels of public awareness regarding online tracking.
