Is there a simple privacy law that actually makes sense?

Filed under DuckDuckGo Q&A on

Yes! Despite all the protestations you hear from Big Tech, there is a simple privacy law that makes sense without destroying the tech industry. Let me explain, but first, for context if you’re unfamiliar, you should know that DuckDuckGo (my company) has a vision to raise the standard of trust online and so this topic is near and dear to our hearts. We’re vehemently opposed to tracking users and are the leading provider of privacy protection tools, including a private search engine alternative to Google (DuckDuckGo Private Search), a private mobile web browser alternative to Chrome (DuckDuckGo Privacy Browser for iOS/Android), and a plugin that makes your desktop searching and browsing more private (DuckDuckGo Privacy Essentials for Safari/Firefox/Chrome).

As you probably know, many countries are right now taking up the greatly needed task of updating their privacy laws for this modern era. However, they are consistently missing one key component when doing so: an easy opt-out mechanism. Anyone who has ever been to a European website in the past year will know what I’m talking about. While Europe’s GDPR law does a lot of great things, it has also created pop-up hell, much like the cookie law that preceded it.

What we need right now is a law that works in concert with GDPR (and other similar laws) to give consumers a simple mechanism to exercise their opt-out rights. And thankfully, there is an old idea which we can resurrect for this purpose.

Ten years ago, privacy researchers proposed this compelling idea to help protect people’s privacy online: a web browser setting called Do Not Track. Once enabled, your browser would thereafter send a Do Not Track signal to the websites you visit, informing them that you do not give them permission to collect or share your personal information for behavioral advertising, price discrimination, or for any other purpose. If this setting was working, then all those hidden trackers that are watching you around the Internet would be cut off in one shot.

Unfortunately, the idea fell apart when the ad-tech industry balked at any meaningful self-regulation. Despite that, many web browsers actually did build the feature into their platforms, and, in the intervening years, hundreds of millions of people worldwide have turned the feature on. A Forrester research report found 25% of people using the Do Not Track setting, and a national survey we conducted found 23%.

Of course, unbeknownst to the vast majority of these people, this browser setting is doing next to nothing right now. It is currently left to each site individually to do what it thinks is right. And, lo and behold, none of the big tech companies do anything with it, giving all these people a false sense of privacy. That, however, can change overnight with a law that mandates Do Not Track compliance.

It is extremely rare to have such an exciting legislative opportunity where the hardest work — coordinated mainstream technical implementation and widespread consumer adoption — is already done. That’s why we even took the time to draft model Do Not Track legislation earlier this year.

Here’s how it would work. The signal would work like it already does today – enabled by your web browser, operating system (for apps), or Internet router (for home devices). Once on, companies that receive the signal would have to respect it, and stop tracking you. The legislation would need to define the line of what is allowed and what is not allowed. We defined it like this in our proposal:

  1. No third-party tracking by default. Data brokers would no longer be legally able to use hidden trackers to slurp up your personal information from the sites you visit. And the companies that deploy the most trackers across the web — led by Google, Facebook, and Twitter — would no longer be able to collect and use your browsing history without your permission.
  2. No first-party tracking outside what the user expects. For example, if you use WhatsApp, its parent company (Facebook) wouldn't be able to use your data from WhatsApp in unrelated situations (such as for advertising on Instagram, also owned by Facebook). As another example, if you go to a weather site, it could give you the local forecast, but not share or sell your location history.

As a one-and-done setting, Do Not Track provides that simple mechanism to enable consumers to exercise their opt-out rights and avoid invasive data collection and profiling. The endless stream of privacy popups that Europeans have been subject to under GDPR would significantly diminish with Do Not Track. And, as a setting built into major browsers and operating systems, it is not easily undermined by dark patterns.

Importantly, giving legislative teeth to the Do Not Track browser setting would not destroy online advertising, as some companies fear. People who turn Do Not Track on could still be shown contextual ads (based on the context of the page, i.e. its content like the search you type in), as opposed to behavioral ads (based on creepy profiles of your search history, likes, purchases, and more). Increasing evidence says this can be similarly profitable and it is in fact how DuckDuckGo makes money. In other words, business can continue to thrive, users can continue to get great products, and your privacy can be protected.

Thankfully, we’re not alone in recognizing this opportunity. Several U.S. Senators have expressed bipartisan support for Do Not Track legislation: Sen. Wyden proposed a bill in November 2018, and Sen. Hawley introduced the “Do Not Track Act” in May 2019, similar to our proposal, which is now co-sponsored by Sen. Feinstein.

The technical work is done, the legal foundation is in place — what we as individuals can do now is call upon our elected representatives to support Do Not Track legislation to give control back to users. This old idea has finally found its time!

I have been speaking out a lot personally on this topic, so if you want to learn more, check out our legislation, read my op-ed in the New York Times, listen to this episode of Recode/Decode, or check out my testimony in front of the US Senate.
