A recent Wall Street Journal blog article (“Hey EU, Don’t Expect the Browser to Solve All Your Privacy Issues” by Ben Rooney of 26 May 2011) highlights the point of view of some in the browser industry (in the article, Mozilla’s Global Privacy & Policy Leader, Alex Fowler) by arguing that it should not be for browser companies to solve EU “privacy issues” with online cookies, and it would not be fair for the EU legislator to put all the burden on the browsing technology to comply with the new EU legal requirements that affect how browsers manage cookies. According to that industry representative’s opinion, privacy is not only a browser problem, and it cannot solve the cookie issue only through technology. The problem would not be so much the cookie but what companies do with the data they collect. “By focusing just on the cookie and then trying to push the problem on the browser makers, it would miss the bigger picture.”
“According to Mr. Fowler, the problem is not so much the cookie, it is about what people do with the data that they collect. By focusing just on the cookie and then trying to push the problem on the browser makers, it would miss the bigger picture, he said.
And as a browser manufacturer, and especially one that was built by an open-source community, their first duty was to the user, not to helping out websites comply with legislation.”
"Accept cookie?" (Photo by "ansik")
If browsers make online profiling possible by design…
Although I do agree that it is too simplistic to put all the compliance burden (in particular Directive 2009/136/EC, which came into force last 25 May) on a single actor, the article evades some essential facts.
First, it’s the browser that is making it easier for online advertisers, publishers and other online tracking companies to collect users’ personal data. If the browser makes that tracking possible in the first place, it is logical that they should help find a solution to prevent it, or at least bring back more effective control for its users.
… they should share its compliance burden
Second, compliance is not only on the browser manufacturers’ shoulders, but also on all the companies that receive users’ information thanks to browsers. It is not a “tech mandate” but it is confronting all stakeholders to their obligations to comply with laws (like the already cited European Directive) that aim at protecting browser users and consumers from online tracking without their awareness and consent.
A reader (Kimon Zorbas, VP IAB Europe)’s comment under the post states:
“We share the concerns of Alex Fowler on the risk of technology mandates. A focus on browsers is also problematic as it pushes potential (compliance and not only) liabilities to the browser manufacturers. That can’t be right. The internet industry will strongly oppose tech mandates. What users want is knowledge – once they know and have a choice they are comfortable. We recognise this and accept it and those are the guiding principles for good self-regulation. On OBA or other areas.”
“OBA” you said?
I would have to complete this statement (“What users want is knowledge – once they know and have a choice they are comfortable”) since it lacks a crucial piece of information. Assuming users know about “OBA” (which, it should be explained, means online behavioural advertising (more explanations here) and what OBA does (track users on an individual basis, mine their data – even very sensitive personal data such as financial and health information – and make decisions about that profiling without their being aware of it); assuming then that users are equipped with adequate tools to understand what the Internet tracking industry truly learns about them; assuming also that they can prevent the tracking from effectively taking place,… – that’s a whole lot of assumptions, don’t you think? – then you could say that users would have made a “choice” because they would have made it based on truly transparent information. Until that actually happens, it is difficult to pretend that there is any “choice” at all for the regular browser user.
But what kind of “cookie” are you talking about?
Mr. Fowler is right: “the problem is not so much the cookie, it is about what people do with the data that they collect.” However, one can’t put all the cookies in the same basket: there is a big distinction to make among them. Knowledgeable people talking about them should not entertain the confusion. There are the ones – let’s call them, for simplicity’s sake – the “good cookies” – that make the browsing experience swift and fluid, remember your username or the content of your online shopping cart. And the legislator has never opposed their use, neither in the European Union nor in the United States. Then, there are the cookies – let’s name these the “bad” ones – whose purpose is completely different from what the “good” cookies were originally meant for: marketing companies, publishers and other OBA actors use them to surreptitiously track users and profile them at a level most of them probably would not imagine nor expect. These are the cookies browsers should block to offer their users a first line of defense against online tracking that a vast majority of people browsing the Internet, were they aware of it, would never accept. And surveys have showed this time and time again.
If the industry is confused about cookies…
The new “Do Not Track” HTTP header-based browser feature is a step in the right direction. However, browser manufacturers should implement it in a way that does not rely on users’ previous knowledge of “OBA”, “bad cookies” and other forms of online tracking, especially if they know that most of them are not even aware of the extent of the profiling information their browser helps third party advertisers to compile about them. Now, is the browsing industry ready to effectively put their money where their mouth is when they proclaim that “their first duty [is] to the user”?
… why should they expect the regular online user not to be?
For the browser-savvy Internet users, those who do know fully well about what OBA and cookies do, it would be up to them to change their browser settings to accept them. If the companies using online tracking tools are so keen about the benefits of online behavioural advertising for consumers, it should not be difficult to convince them to accept being tracked. For the rest of us, cookie diet is recommended, but of the online kind.
A panel will explore the topic of “Do Not Track” in the context of online behavioral advertising at the upcoming Computers, Freedom & Privacy Conference on 14 June in Washington, DC. I invite you to check it out.
