The Federal Trade Commission's (FTC) call for a "do not track" mechanism to be created to protect Web users' private information from being exploited by online advertising networks sounds good on paper, but implementing such a technology would be a thorny process. It is not because the technology is so difficult to create, but rather because most of the companies that make Web browsers are supported by or are themselves online advertising networks.

Google, Microsoft and Apple, for example, all have online advertising networks, whereas Mozilla and others get money from Google for search deals, Chris Soghoian, a privacy and security researcher in the School of Informatics and Computing at Indiana University Bloomington, said Wednesday at the "Future of Online Consumer Protections" conference hosted by the Consumer Watchdog advocacy organization in Washington, D.C.

Google, which makes the Chrome Web browser but also bought Internet advertising technology company DoubleClick in March 2008 for $3.1 billion, derives 90 percent of its revenue from advertising, Jamie Court, president of Consumer Watchdog, a Santa Monica, Calif.–based nonprofit formerly known as the Foundation for Taxpayer and Consumer Rights, said during his opening remarks Wednesday.

The FTC later that same day issued a preliminary staff report suggesting that one way to better protect privacy online is for Web browsers to feature a setting that enables consumers to choose whether to allow the collection of data regarding their online searching and browsing activities (ad networks such as DoubleClick and Microsoft's Atlas collect this data in order to provide more targeted advertising services). According to the FTC, the most practical approach would probably involve the placement of a persistent setting, similar to a cookie, on the consumer's browser signaling the consumer's choices about being tracked and receiving targeted ads.

Instead of a cookie plug-ins, however, browsers should come with a check box—perhaps part of the preferences menu—that sends a signal to ad networks that says, "leave me alone," said Soghoian, who until recently worked for the FTC as a technical advisor to the agency's Division of Privacy and Identity Protection. "It would not be difficult to get the browser-builders to build such a mechanism in," he said, adding that last year he helped to write a 20-line prototype program to do this called TACO (for Targeted Advertising Cookie Opt-out). "The difficult part would be to get the ad networks to support it, and I think that's where the FTC is going to need to play hardball."

If the FTC does not have the authority, Soghoian suggested, "I think Congress is going to need to give them that authority. I don't think the ad networks are going to voluntarily agree to support any strong mechanism unless their arms are twisted."

The Web site DoNotTrack.Us, a collaboration of researchers at the Stanford Law School Center for Internet and Society and the Security Laboratory at the Stanford Department of Computer Science, explains how a do-not-track mechanism might work: Whenever a Web browser requests content or sends data using HTTP, the protocol that underlies the Web, it can optionally include extra information, called a "header". Do not track simply adds a header indicating the user wishes to not be tracked.

Although do not track has been compared with the Federal Communications Commission's successful National Do Not Call Registry implemented after numerous legal battles in 2004, Soghoian pointed out the former would include neither a government record of Web sites that track users nor a list of consumers who do not want to be tracked. "You want a generic opt-out that is persistent and tells people, 'leave me alone,'" he said.

Much Web security has been reactive—consumers receive pop-up ads, so the Web browsers start featuring pop-up blockers, and then the ad networks find a way to evade the barrier. "If we simply continue the arms race that we've had for the last few years, we don't get any relief, because it's not illegal to engage in a cat-and-mouse game and innovate around browser privacy controls," Soghoian said. "I like the idea of the consumer sending their privacy preference every time they interact with an ad network because that then gives the FTC a hook to go ahead and nail these companies for telling consumers they will obey their preferences and then not doing so."

Although many companies use privacy policies to explain their information practices, the policies have become long, legalistic disclosures that consumers usually do not read and do not understand if they do, according to the FTC. The idea of building a do-not-track mechanism into browsers adheres to the FTC report's recommendation that Web software companies adopt a "privacy by design" approach to their products.

Mozilla, maker of the Firefox Web browser, responded to the FTC's report by indicating that the company needs to examine the proposal in greater detail. Mozilla vice president and general counsel Harvey Anderson was upbeat on his blog, commenting that the FTC "has proposed a set of principles that align well with the Mozilla manifesto and our approach to software development including: privacy by design, transparency, user choice and no surprises." Google noted in a statement to The New York Times that the company agrees with the FTC's view that privacy policies should be easier to understand and that corporate data-gathering practices should be more transparent.

Other companies that sell services via the Internet have been less cautious in their criticism of efforts to block online tracking. Advertising has emerged as a key driver of online content, services and applications available to users at little or no cost, Time Warner Cable president of media sales Joan Gillman testified Thursday at a U.S. House of Representatives Energy and Commerce Committee hearing to address potential do-not-track legislation. She defended targeted advertising, which relies on specific information about online users, as the most effective way for advertisers to reach potential consumers and encouraged the government to let the industry self-regulate (pdf).