When Microsoft announced last October that Internet Explorer 10 would ship with Do Not Track set as a default, the ad industry said it would refuse to recognize the setting within IE10 because it "does not represent user choice." That move raised concern among some privacy advocates who feared it would derail the Do Not Track process entirely. The ad industry sounded similar alarms when Mozilla announced it was considering automatic blocking of third-party cookies -- the core technology of most Web trackers -- in an upcoming version of Firefox.
While industry trade groups like the Network Advertising Initiative and the Digital Advertising Alliance offer opt-out mechanisms for consumers, these only curtail data collection related to the delivery of targeted ads.
"Self-regulation," says Mayer, "is an oxymoron."
Yet self-regulation combined with FTC oversight may be the most practical path forward, argues Marc Groman, executive director of the NAI and former chief privacy officer for the FTC.
"Companies that are good actors spend a shocking amount of time and resources reading the FTC tea leaves," says Groman. "And when companies go over the line, the FTC brings actions that help inform the entire ecosystem what practices are off limits."
The greatest potential harm from tracking comes not from delivering ads based on one's browsing history, says Groman, but from using that data to make other decisions about users -- such as their eligibility for insurance, credit, or employment. That's why trade groups like the NAI and the DAA prohibit their members from using data for this purpose, and both groups periodically monitor members for compliance.
Still, many tracking companies don't belong to any industry trade group and operate entirely without oversight. Of the 477 companies listed in Evidon's database of online trackers, roughly one-third have no group affiliations, and more than 800 tracking companies aren't listed at all.
"I don't think most companies are doing nefarious things with data," says Jules Polonetsky, director of the Future of Privacy Forum. "But they haven't done a good job convincing consumers they're using data to make their lives better. You can call it self-regulation, but that can't be the minimum standard. These companies need to commit to using our data only for good and engage in an honest debate over what uses of data we support and which ones should be curtailed."
Stealth computing: Technology for covering your tracks online
When legislation and self-regulation fail, there's always technology. Today, anyone with decent computing skills can enjoy a relatively private Internet experience using off-the-shelf tools and services.
For example, Web surfers can use Abine's DoNotTrackMe, Evidon's Ghostery, or Disconnect to thwart Web trackers. Anonymous search engines like DuckDuckGo and Ixquick don't record IP addresses or other information that can be used to identify you. Services like PrivateProxy and HideMyAss can mask your IP address from the websites you visit. Tools such as Privacyscore and Priveazy help consumers make better decisions about what data to share, which sites to use, and what apps to install.