Every Click You Make
Last week the Wall Street Journal ran a terrific series of stories called "What They Know." The general subject was personal privacy—or the lack of it—in the digital world, and the first article in the series explained how websites routinely track your movements on the web and collect a genuinely astonishing amount of personal information about you in the process. The Journal examined 50 sites using a test computer and discovered that these sites collectively installed a total of 3,180 tracking files—an average of 63 tracking files per site:
The state of the art is growing increasingly intrusive, the Journal found. Some tracking files can record a person's keystrokes online and then transmit the text to a data-gathering company that analyzes it for content, tone and clues to a person's social connections. Other tracking files can re-spawn trackers that a person may have deleted.
....Some of the tracking files identified by the Journal were so detailed that they verged on being anonymous in name only. They enabled data-gathering companies to build personal profiles that could include age, gender, race, zip code, income, marital status and health concerns, along with recent purchases and favorite TV shows and movies.
A full list of the sites they examined is here. The most intrusive were dictionary.com and msn.com, which installed over 200 tracking files each. The least intrusive were craigslist.org and wikipedia.org.
What to do about this? Europe, which generally has better rules than the U.S. regarding the collection and use of personal data, actually has tighter regulations about how long online data should be stored. After all, the local police might want to use it someday. The Christian Science Monitor reports that this is finally provoking a reaction:
Across Europe, a backlash against the storage of private data is growing. Civil society groups like the European Federation of Journalists have criticized the practice, and in Germany almost 35,000 people, including Justice Minister Sabine Leutheusser-Schnarrenberger, sued their own government over the issue.
"There is a real problem in Europe today. It is a breach of the European Convention on Human Rights, which says that everyone has the right to a private life. That fundamental right has to extend into digital life," says Christian Engström, a member of the European Parliament for Sweden's controversial Pirate Party, elected on a platform of digital rights.
This tension means that governments aren't always eager to restrict the collection of personal data online. Beyond that, though, there are technical difficulties for those who want to prohibit the practice. When Congress passed the Do Not Call law in 2003, their job was easy: everyone has a telephone number, and all you have to do is put those numbers into a database and tell solicitors not to call them. But there's no equivalent of a phone number in the digital world. Your computer's ID is its IP address, but most IP addresses change regularly. There's no way of creating a "Do Not Track" database and telling online solicitors to keep their tracking files away from everyone who signs up.
Alternatively, as Harlan Yu wrote recently, we could adopt the opposite approach: instead of asking users to register, we could require solicitors to register and then rely on browser settings that would prevent their domains from installing tracking files. Unfortunately, this has technical drawbacks as well, so Yu suggests instead a new standard that would allow your browser to notify every site you visit that you don't wish to be tracked:
The browser could enable x-notrack for every HTTP connection, or for connections to only third party sites, or for connections to some set of user-specified sites. Upon receiving the signal not to track, the site would be prevented, by FTC regulation, from setting any persistent identifiers on the user’s machine or using any other side-channel mechanism to uniquely identify the browser and track the interaction.
This would, of course, require legislation that requires online sites to honor the x-notrack request. That's the bad news. The good news is that whatever the eventual solution, the problem itself is finally getting some attention on Capitol Hill: Politico reported last week that Sen. Mark Pryor (D–AR) is writing a bill "aiming to give consumers more control over their online data....The focus of the bill, which is still in rough draft form, will be giving consumers the ability to opt out of being tracked across the Web." So stay tuned.
In the meantime, the Journal's full package of privacy articles is here, and they're well worth browsing through. It includes pieces that explain web tracking, cell phone monitoring, how much these tracking services know about you, the role of big companies like Google and Microsoft, and even advice on how to avoid tracking. You can't avoid it all, but there are things you can do to minimize it.