Spy at will! FCC won't force companies to honor Do Not Track

The FCC has rejected Consumer Watchdog's petition to force Internet companies (like "Google, Facebook, YouTube, Pandora, Netflix, and LinkedIn") to honor the "Do Not Track" flag that browsers can send to web-servers, informing them that users do not want their Internet activity to be tracked and shared with third parties.

Consumer Watchdog had argued that when the FCC brought in its Net Neutrality rules that classified broadband providers as "common carriers" and announced plans to impose privacy obligations on them, it had created an uneven playing field because companies like YouTube (and co) could go on collecting the information that the telcos and cable operators would be banned from collecting. To make things fair, the FCC should also prohibit these companies from collecting data that users had asked not to have collected.

The FCC rejected Consumer Watchdog's request on rather strange technical grounds. Without commenting on whether it had the power or duty to regulate online services, it said that it would not try to, because doing so would be "inconsistent with the Commission's articulation of the effect of its reclassification." In other words, "When we defended our Net Neutrality decision, we said it meant one thing; ruling on this would mean admitting we might have been wrong."

I'm of two minds on this. I've always been skeptical of Do Not Track, because even if it has the force of law, there's no way to know whether it's being honored — or violated — without expensive, continuous auditing of thousands (millions) of Internet companies, many of whom are offshore data-brokers that you've never heard of. I think that there's a place for regulation in privacy, but that place is in backstopping technology.

Tools like the Electronic Frontier Foundation's Privacy Badger take real technological countermeasures to make tracking impossible. Rather than just asking a server not to track a user, Privacy Badger tries to prevent the server from getting the user's data in the first place. Baking Privacy Badger-like functionality into browsers would mean that users wouldn't have to trust that servers were honoring their Do Not Track bits — they could simply block those servers altogether.

In that world, it would be sensible to have a regulation that punished companies that took countermeasures to defeat Privacy Badger. If you know a user has taken steps to prevent tracking, and you go to heroic lengths to defeat those steps, you're doing something obviously wrong. We use the law for defense in depth, to help us stop companies from hacking our computers. But we start by making it so that the only way they can track us in the first place is to hack us.

Consumer Watchdog wanted the FCC to impose rules using its Title I and Section 706 authority to regulate "information services." The group pointed out that the FCC intends to impose new privacy rules on Internet service providers under Section 222 of the Communications Act, the privacy portion of the Title II common carrier regulations that the FCC is applying to broadband providers such as Comcast and AT&T. But those rules don't apply to websites.

"Consumers' privacy concerns about the Internet extend far beyond the broadband providers who are impacted by Section 222," Consumer Watchdog wrote. "Many consumers are as concerned—or perhaps even more worried—about the online tracking and data collection practices of edge providers… edge providers collect the same sensitive personal information that broadband Internet access service providers collect, and that the Commission is committed to protecting. If the Commission does not act to regulate the collection of personal information by edge providers, the Commission will in effect be granting a regulatory advantage to the edge providers, implicating concerns of market distortions."

Websites can keep ignoring "Do Not Track" requests after FCC ruling
[Jon Brodkin/Ars Technica]