So what happens next?
Efforts in the W3C working group are continuing, but Zaneis thinks the most likely scenario is that the industry will work with "a few key players" to develop a policy that's an extension of a self-regulatory program developed by the Digital Advertising Alliance (DAA), an industry consortium.
Last fall, when frustrations over the W3C Tracking Protection Working Group's lack of progress came to a head, the DAA quit the group and formed its own DNT subcommittee. "We are working with key interest groups to develop principles to incorporate browser signals into the existing DAA program. Think of it as the compliance piece that will be lacking from the W3C process," Zaneis says.
Mozilla's Fowler thinks that DAA parallel effort, which industry groups need to pursue anyway for their own internal self-regulatory programs, might bear fruit. "If they get it right, the opportunity for the W3C to move quickly on a spec is there. It will make the job for the W3C a lot easier," he says.
Jonathan Mayer thinks a solution will need to come from elsewhere. He is now working on Tracking Not Required, a project that stores browsing history data locally "instead of [on] some site you've never heard of," and enables users to determine who gets to see that data.
Increasing numbers of users have been taking matters into their own hands by using anti-tracking browser add-on tools such as Disconnect, based on the add-on download statistics from the major browser vendors. And Mozilla recently released Lightbeam for Firefox, an add-on that attempts to raise consumer awareness by letting users see visually who is tracking them as they surf the Web.
In addition, Fowler says that Mozilla has been debating different approaches to blocking third-party cookies -- cookies placed by parties other than the publisher of the site -- including turning the feature on by default in Firefox. According to Alan Chapell, a similar move by Firefox or another major browser vendor would represent a tipping point that could break down the current system. (Apple's Safari browser, which has a relatively small market share, already blocks third-party cookies by default.)
Fowler adds that Mozilla is looking at a range of options, including limiting blocking in certain contexts. For example, third-party cookies might be blocked except when used in conjunction with a shopping cart, or when the user has a relationship with a given third-party site. Or it might create and use a third-party tracking protection list that ships with the browser. "It really is pretty open," he says.
However, Zaneis believes that third-party cookie blocking will only make matters worse. "If they turn off cookies today," he says, "tomorrow you will have a less transparent identifier out there. Companies will switch to statistical identification techniques, which are invisible to the user." And that, he adds, would undermine what Mozilla is trying accomplish.
Mayer isn't too worried. "The consumer control train has left the station," he says. "It's clear that we're heading for something very different, and I'm optimistic about it."
Downey, on the other hand, sees the newer, more sophisticated tracking methods such as browser fingerprinting as a big concern. "There are unique identifiers out there today and it's getting worse. We can't protect against that," she says. Only the browser vendors are in a position to solve the problem, she argues.