(No.181) Who is following me : tracking the trackers

Go to Report
Status: 
Accepted
Workshop Theme: 
Security, Openness and Privacy
Theme Question: 

privacy/data protection

Concise Description of Workshop: 

Interest in online tracking as a policy issue spiked with the release of the Preliminary Federal Trade Commission Staff Report in December 2010 entitled Protecting Consumer Privacy in an Era of Rapid Change – A Proposed Framework for Businesses and Policymakers calling for a “do not track” mechanism, the launch of the W3C Tracking Protection WG and the recent entry into force of the European “Cookie Directive”. However, the actual and potential observation of individuals’ interactions online has long been a concern for privacy advocates and others.
 
Much of the policy attention is currently focused on cookies used to track users to build profiles for more targeted advertising, but some of the more difficult issues are:

  • How to deal with less-observable tracking (e.g. browser and/or device fingerprinting, monitoring of publicly disclosed information)
  • How to develop laws that accommodate different tracking scenarios – for example:
    • different entities (law enforcement, companies, etc.); 
    • different and sometimes multiple purposes (security, personalising user experience, targeting advertising, malicious activity; etc.); 
    • first-party and third-party tracking o single site and multiple site tracking
  • Transparency (particularly on small mobile devices)
  • Whether a traditional consent model is sufficient and effective

This workshop will explore:

  • Current and emerging trends in online tracking (and their related purposes)
  • How to give individuals full knowledge of the tracking that occurs when they go online
  • Mechanisms to give individuals greater control over tracking and data use
  • The respective roles of all actors (government, law enforcement, Internet intermediaries, businesses, browser vendors, application developers, advertisers, data brokers, users, Internet technical community, etc.) 
  • Whether effective data protection online can be ensured solely by law. 
  • Whether self-regulation and voluntary consensus standards offer better options for tuning privacy choice to the rapidly advancing technology environment.
Organiser(s) Name: 

Christine Runnegar (Internet Society) and Sophie Kwasny (Council of Europe)

Submitted Workshop Panelists: 

Wendy Seltzer, Policy Council, World Wide Web Consortium (W3C) [confirmed]
Kimon Zorbas, Vice President, Interactive Advertising Bureau (IAB) Europe [confirmed]
Cornelia Kutterer, Director of Regulatory Policy, Corporate Affairs, LCA, Microsoft EMEA [confirmed]
Malavika Jayaram, partner at Jayaram & Jayaram, Bangalore [confirmed]
Rob van Eijk, PhD student at Leiden University, Council of Europe expert [confirmed]
Shaundra Watson - Counsel for international consumer protection, USA Federal Trade Commission [cancelled]
 

Name of Remote Moderator(s): 
James Lawson (Council of Europe)
Gender Report Card
Please estimate the overall number of women participants present at the session: 
About half of the participants were women
To what extent did the session discuss gender equality and/or women's empowerment?: 
It was not seen as related to the session theme and was not raised
Report
Reported by: 
Christine Runnegar and Sophie Kwasny
A brief substantive summary and the main issues that were raised: 

 
IGF2012  WORKSHOP 181 - Who is following me? Tracking the trackers
 
A report of the workshop co-organised on 8 November 2012 by the Council of Europe and the Internet Society (ISOC) at the 7th Internet Governance Forum (IGF), held in Baku, Azerbaijan (6-9 November 2012).
 
Introduction
 
The objective of this workshop was to explore:
 
► Current and emerging trends in online tracking and their purposes
► How to give individuals full knowledge of the tracking that occurs when they go online and mechanisms to exercise greater control over tracking and data use
► The respective roles of all actors (government, law enforcement, businesses, browser vendors, advertisers, data brokers, users, etc)
► Whether effective data protection online can be ensured solely by law and how to develop laws that accommodate different tracking scenarios
► Whether a traditional consent model is sufficient and effective
► Whether self-regulation and voluntary consensus standards offer better options for adapting privacy choice to the rapidly advancing technology environment
► How to deal with less-observable tracking (e.g. browser and/or device fingerprinting, monitoring of publicly disclosed information)
► How to ensure transparency, particularly on small mobile devices
 
Organisers and moderators
 
The Internet Society is the trusted independent source for Internet information and thought leadership from around the world. With its principled vision and substantial technological foundation, the Internet Society promotes open dialogue on Internet policy, technology, and future development among users, companies, governments, and other organizations. Working with its members and Chapters around the world, the Internet Society enables the continued evolution and growth of the Internet for everyone.
 
The Council of Europe is an intergovernmental political organisation that brings together 47 countries, making up an entire democratic continent. Its key objectives are promoting democracy, the rule of law and human rights. Its headquarters are in Strasbourg (France). 
 
For more information on the organisers, visit www.internetsociety.org and www.coe.int
 
The workshop was co-moderated by Christine Runnegar (Internet Society) and Sophie Kwasny (Council of Europe).
 
 
 
 
Panellists
 
Wendy Seltzer, Policy Council, World Wide Web Consortium (W3C)
Kimon Zorbas, Vice-President, Interactive Advertising Bureau (IAB) Europe
Cornelia Kutterer, Director of Regulatory Policy, Corporate Affairs, LCA, Microsoft EMEA
Malavika Jayaram, Partner at Jayaram & Jayaram, Bangalore
Rob van Eijk, PhD student at Leiden University, Council of Europe expert
 
Background documents
 
The following background paper and related update were made available prior to the workshop:
 
http://www.internetsociety.org/sites/default/files/Tracking%20-%20Background%20paper%2020120711_0.pdf
 
http://www.internetsociety.org/sites/default/files/Tracking%20-%20Background%20paper%202%2020121030.pdf
 
Participants
 
The workshop was attended by circa 50 participants in the room, plus remote participation.
  
Thank you
 
The Council of Europe and the Internet Society (ISOC) would like to express our sincere thanks to the IGF Secretariat, our expert panellists, remote moderator and participants for making this a very successful workshop.

Conclusions and further comments: 

 
Some perspectives from the workshop
 
Tracking: setting the scene
 
The discussion started with the panellists’ definitions of online “tracking” and the way it is performed, ranging from a tool to follow users online and build profiles, to the fact of attaching a unique identification number (‘micro tag’) to an online activity in order to follow a digital footprint. Panellists also raised the specific issues of the interest of the users in being ‘tracked’ and the general lack of awareness of the ‘tracking’. 
 
A key question which was then addressed by the panellists was how users might avoid, or reduce, online tracking. Various existing technical tools were mentioned by the panel, such as: the Tactical Technology Collective initiative ‘me and my shadow’ aimed at helping raise users’ awareness of their digital ‘shadow’ and reducing it; the Electronic Frontier Foundation ‘Panopticlick’ test for users’ browsers and tools such as Collusion, and Tor which enables anonymised surfing. The limits of such tools, including that they can only catch a small part of the data in real time, was also pointed out.
 
It was reported that in the USA, the Federal Trade Commission encouraged industry to implement a universal, one-stop choice mechanism for online behavioural tracking (Do Not Track) that would provide a simple and easy way for users to control the tracking of their online activities.
 
The purpose of the proposed Do Not Track policy, and more specifically the Do Not Track HTTP header, was underlined precisely as being another tool aimed at enabling users to exercise better control over their online tracking.
 
The European data protection position regarding online tracking highlights the importance of the unambiguous nature of the consent of the user (see in particular WP29 opinions on consent and on cookie consent exemption) and the application of the e-privacy Directive to both first and third parties.
 
The Indian perspective regarding online tracking was presented as one generally favourable to technology, which is seen as positive, and the fact that no rules on online tracking currently regulate the matter was pointed out.
 
For the advertising industry, tracking is a means to better understand what products a user might want, relating to enabling services to fund high quality content, while being privacy-friendly through its “anonymous nature” and self-regulated practices.
 
Do Not Track (DNT)
 
DNT is a technology and policy proposal aimed at universally enabling users to opt-out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms.
 
For the USA Federal Trade Commission, to be effective, a DNT system should include the following key principles: it should be implemented universally, it should be easy to find, easy to understand, and easy to use, the choices offered to the users should be persistent, it should be comprehensive, effective, and enforceable and should opt out consumers of behavioural tracking (both targeted advertisements and collection of behavioural data for all purposes other than those that would be consistent with the context of the interaction).
 
From a European perspective, it was underlined that DNT is a complementary tool but cannot be considered as the sole compliance element in respect of the e-privacy Directive.
 
The W3C Tracking Protection Working Group is trying to standardise the meaning and technology of DNT with a view to improving users’ privacy and control, by defining mechanisms for expressing user preferences around tracking and for blocking or allowing tracking elements.
 
Microsoft decided to enable DNT by default in Internet Explorer 10 on the basis of its consumers’ expectations (default ‘on’ supported by 75% of the users, with higher percentages when children are the online users) and gives a clear explanation to its consumers of what DNT by default means, who have the choice to leave it on or switch it off.
 
Discussions are still underway in the W3C Working Group which is being followed by several entities represented on the panel. The panellists expressed the hope that the Working Group would reach consensus soon and provide agreed recommendations.
 
It was also noted by one panellist that for the online behavioural advertising model, the prevalence of the expression of a DNT preference could entail hard limitations which may lead to the concentration of the business with bigger entities.
 
The panellists also exchanged views on the ways to ensure that the user’s choice to opt-in (EU) or opt-out of tracking will be complied with. Various enforcement and compliance instruments (regulatory framework, self-regulation, consumers’ organisations) were mentioned.
 
Finally, the undisclosed tracking and collection of data carried out by governments was also mentioned as an illustration of a lack of transparency and potential privacy infringement. 
 

Additional documents: