At present, most third-party analytics, advertising, and social functionality tracks a user across websites. But it doesn't need to. This page demonstrates how to implement many common functions while preserving user privacy.
Many websites are eager to learn about their visitors: Which content are they most interested in? How did they arrive at the site? When do they visit? Where do they come from? Websites often turn to prepackaged third-party analytics services to provide this functionality.
A few simple steps would significantly mitigate the privacy concerns raised by outsourced analytics. First, an analytics service should technologically limit user identifiers to each customer website. Tracking cookies, for example, should be restricted to a unique domain name for each customer. This limitation increases the difficulty of tracking a user across sites, while leaving unaffected the ability to observe a user on a particular site. Second, an analytics service should separately store and handle the data from each customer website using technical and business protections. Last, an analytics service should be contractually prohibited from using the data it collects.
Adobe's Omniture analytics product demonstrates these best practices. In providing analytics for Apple's website, Adobe assigns cookies from the domain metrics.apple.com
. Adobe silos each customer's data and agrees by contract that it will have "no right to access or use"
Advertising Campaign Measurement
Advertisers often seek to measure the effectiveness of their online advertising campaigns. Broadly speaking, there are four stages to quantify: showing the ad, users either clicking the ad or later visiting the advertiser's site, users browsing the site, and users making a purchase. Do Not Track would only affect one measurement: users who view an ad, do not click it, and then subsequently visit the advertiser's site. This metric is sometimes referred to in advertising jargon as "view-through conversion
Of course, an advertiser could continue to measure view-through conversion for users who have not enabled Do Not Track.
With this information, an advertiser can easily estimate an ad's view-through conversion rate.
Note that this estimate rests on the assumption that Do Not Track users and non-Do Not Track users view through at similar rates.
An advertiser may want to guarantee a user will see one of its ads no more than a set number of times. This practice is called "frequency capping
For details, see our article Tracking Not Required: Frequency Capping.
Request Consent - Tracking by Others on This Site
A website may want to ask or require a user to allow tracking by specific third parties on its site. Determining whether a user has opted out of tracking by a third party is technically simple. Here's one easy approach: enable the third party to signal whether a user has opted out.
The third-party script could notify the website using HTML5 cross-document messaging
window.parent.postMessage("DNT: 1", "*");
The website would listen for a specific third party's signal that the user has opted out of tracking.
if(event.origin == "http://thirdparty.com" && event.data == "DNT: 1")
// Ask or require the user to consent to tracking by the third party
// on this site
window.addEventListener("message", receiveMessage, false);
Here's an example of how a request for consent might look on the New York Times.
Request Consent - Tracking on Other Sites
Some web businesses are both first parties and third parties—at times a user interacts with them directly, and at times they are an incidental component of a webpage. These businesses may want to ask a user for consent to tracking on other sites.
Facebook is a noteworthy example of a company that is both a first party and a third party. It is a first party when a user browses the Facebook website, but a third party when a page includes the "Like" button.
To avoid seeing the user's identifying facebook.com
cookie, Facebook should serve the Like button widget from a different domain, such as fbcdn.net
(Facebook's content delivery network
). If the user clicks Like, the widget could then contact facebook.com
and Facebook could process the Like as usual.
Here's how the Like button might appear to a Do Not Track user.
Facebook could provide a preference for users to allow tracking on other sites.
If the user consents to tracking, Facebook could set a cookie on fbcdn.net
that signals the Like widget to function as if Do Not Track were not enabled.
Click Fraud Detection and Security Forensics
Not all advertising clicks are legitimate. Sometimes a website will generate clicks on ad spaces it has sold to increase revenue. Or sometimes a business will cause clicks on ads its competitors have bought to drive up costs. These behaviors are called "click fraud
," and advertising networks have a significant commercial interest
in detecting them.
Click fraud filters take a number of factors into account
: the IP address of a visitor, past actions associated with the visitor's IP address, time, geography, and more. Filters may also assess any unique ID the ad network has assigned to a visitor (usually via a cookie), but these IDs are easily removed or forged, making them less reliable predictors of foul play.
Do Not Track would only prevent an ad network from assigning a unique ID; all the other more reliable factors for click fraud detection would remain (subject to retention periods and use limits). A number of large ad networks, including Google's, already follow
this best practice: a user can choose to opt out of being assigned a unique ID.
Further Reading Chris Soghoian
gives a more detailed treatment in his short paper "Security and Fraud Exceptions Under Do Not Track
Most means of advertisment targeting are unaffected by Do Not Track. See "Do Not Track Is No Threat to Ad-Supported Businesses
For simplicity, the following discussion centers on a hypothetical advertising network. The same approaches would work for a data provider on an advertising exchange.
An advertiser may wish to target ads to a user based on her interests. Interest-targeted advertising has traditionally involved tracking a user's browsing habits, inferring her interests, and then matching an ad to those interests. Tracking is not, however, necessary for interest-targeted advertising.
The first step in interest-targeted advertising is learning a user's preferences. One privacy-preserving approach would be to just ask a user her interests directly. Google Ads Preferences
and Monster.com Cookie Preferences
both do just this.
Another approach would be to learn a user's preferences based on the ads she likes. Hulu's Ad Tailor
and RadiumOne's "Like Button
" allow a user to thumbs-up an ad so she will see more like it.
Yet another approach would be to infer a user's preferences based on her browsing history, but within the browser itself. Stanford's Adnostic
and Microsoft Research's RePriv
Having established the user's interests, an advertising network could use a privacy-preserving method to match ads to those interests. Instead of maintaining a database of user profiles and assigning a unique, easily trackable ID to each user, an ad network could instead store a user's interests within her browser. The simplest approach would be to set a cookie containing the user's interests. Monster.com's Cookie Preferences follows this approach; the interests above, for example, are represented in a cookie as:
A user's interests may themselves be fairly unique and trackable. Researchers have proposed alternative approaches that would only disclose a user's interests when she clicks an ad (Adnostic
) or never disclose her interests (Privad
). We do not take a position on which of these solutions is preferable; all are significant improvements over the status quo.