Last December, the U.S. Federal Trade Commission called upon leaders in the Web browser industry to develop technological means to enable servers to comply with federal guidelines – which are likely to become laws.

The FTC mandated that they refrain from implementing any kind of behavioral tracking for individuals who explicitly opt out of all tracking. Although lawmakers two years ago envisioned a system where each server asks each user for her explicit permission, the preferable alternative would be for a user who simply never wishes to be tracked, to never be asked.

The challenge for the industry is to implement such a provision on HTTP, a stateless transfer protocol. For a server to keep track of whom it’s not supposed to keep track of, it might be best to have a tracking system. But that may end up being illegal, so W3C is instead considering a kind of handshaking protocol.

The second working drafts of W3C’s Tracking Preference Expression protocol and Tracking Compliance and Scope protocols, published Monday, are in large measure placeholders for a myriad of issues that have just now been discovered. It’s clear at this early stage that very little has been decided, but participants in the discussion are moving forward with the following basic principles: A new field expressing the user’s desire not to be tracked should be added to the HTTP header. This way, a server sees the user’s wishes and settings prior to making any kind of response.

But from there, the option is opened for the server to issue challenges in response. For example, would the user consent to tracking if the data was being kept only by the originating server, instead of sending it to a third party tracking service? Perhaps the user doesn’t know which service that is, so the server may respond with a link to a policy document on its Web site explaining the legal relationships between itself and its ad partners. From there, the user may be able to grant an exception – to say, “In this case, I’ll trust you” – or to continue her resistance to being tracked.

But the door is being left open for the server to respond with an exception of its own. Technically, it’s a way for the server to enter into a bargain with the user, which says, “Either you let my service track your behavior or I won’t let you in.” One of those placeholders in this week’s version of the W3C document leaves the door open even further, with this question in response to the Tracking Response Header Field: “Does it indicate when a site believes it has an exemption from DNT, such that the user can react appropriately if it isn’t true?… The header could say I see that you say DNT, but I am tracking you for the following reasons.”

Again, nothing has actually been standardized at this point. But what’s being actively considered is actively engaging the user in the protocol delivery and exchange process – something beyond the simple binary state that some engineers started with.

Presently, some Web users are able to opt out of some tracking methods by virtue of browser plug-ins, which produce cookies using a de facto standard format that many servers will read, and some will pay attention to. There isn’t any law or rule that says how tracking opt-out cookies must be observed by servers. But that isn’t the biggest problem with the current system, says a Carnegie Mellon report on the relative viability of the current slate of plug-ins, released last month entitled “Why Johnny Can’t Opt Out” (PDF available here). As Pedro G. Leon and his fellow researchers wrote, users have trouble with current opt-out tools because they don’t understand what all this bargaining between server and user is supposed to be about.

“Many of the tools we tested provide insufficient feedback to users. Participants were unsure of what it meant to be opted out and how they could tell whether opt-out was working. Participants who tested the browser cookie settings also had no mechanism for understanding what was happening behind the scenes unless Web sites didn’t work. DNT mechanisms also provided no feedback; however, there is currently no way for tools to confirm that DNT preferences are being honored. While AdBlock Plus did not provide explicit feedback, users noticed the absence of all ads on pages they visited and inferred that the tool was effective. In contrast, Ghostery and TACO users received notifications on every Web site visited about which companies were attempting to track them and whether trackers had been blocked. Users appreciated this feedback and gained an understanding of what the tool was doing.”

If Web standards bodies manage only to recreate the same scenario users are faced with today, there’s a danger that they’ll just leave their browsers in the default state, in which case, DNT could end up being mostly meaningless.

scott fulton