How should software companies set the default privacy settings on their products? Microsoft’s announcement last week that the next version of its Internet Explorer web browser will ship with its “Do Not Track” functionality switched on has sparked a lively debate on this very issue.
“Do Not Track” is a technological standard being implemented in all major web browsers that allows users to tell web sites, advertising networks, and other online service providers not to track their web surfing activities. “Do Not Track” accomplishes this by sending out a small packet of information to participating websites to inform the site that the user does not wish to be tracked.
It probably comes as a surprise to most Internet users (and to most readers of this blog) that a single website, or an advertisement or social media plug-in appearing on that site, can track all of a user’s online activities for days, months, or years afterwards. The very fact that most Internet users have no idea that companies are able and willing to track all of their online activities should inform how software companies, including browser developers, set the default privacy settings in their products.
The academic literature on law and economics makes a strong case for setting default rules in whatever way the parties to a relationship – and especially the stronger party – do not want, because it forces the parties to reveal information that might otherwise not come to light. Given the ignorance of even savvy internet users to the pervasiveness of online tracking, the case for switching “Do Not Track” on by default is overwhelming, because it confronts users with an option they currently don’t know that they have, which is the option not to be tracked.
In its response to Microsoft’s announcement, Sid Stamm and Alex Fowler of Mozilla explain that the Firefox browser does not switch “Do Not Track” on by default because Mozilla assumes that users have not made a choice about online tracking one way or another. Mozilla’s decision appears to be based, at least in part, on the fact that unlike other privacy-enhancing technologies, which are passive, “Do Not Track” requires a user to “broadcast” their preferences, since the technology works by sending out signals on whether the user intends to be tracked.
Mozilla’s decision not to switch “Do Not Track” on by default might be defensible if the Firefox browser asks the user to make a choice on “Do Not Track” the first time it is run, as its does with regards to making itself the default browser.
But this is not how Mozilla has decided to implement “Do Not Track” in Firefox. Instead, users must go to the “Preferences” option in the “Firefox” menu, navigate to the “Privacy” tab, and then select the “Tell websites I do not want to be tracked” option. How many Firefox users will know to do this, given that most Firefox users (like most Internet users) have no idea they are being tracked in the first place?
To be sure, there is not enough time in the day for a web browser to seek the affirmative consent of the end user to every little thing that happens to a user online. This is why Firefox, like every other browser, ships with a wide variety of default settings, from search engine (Google) to cookie acceptance (yes) to blocking suspected phishing sites (yes). And although Mozilla tries to draw a distinction between privacy technologies that do or don’t “broadcast” information about a user’s privacy settings, this is a distinction without a difference, because Firefox currently broadcasts all kinds of user preferences to web servers (including browser version, operating system, and screen resolution) by default.
The bottom line is that by leaving “Do Not Track” switched off by default on the theory that Firefox users have not affirmatively opted into it, Mozilla is subjecting its users to an online tracking system that the vast majority of them don’t even know exists. This is not a default that promotes choice, but one that makes a sub-optimal choice for users who don’t know they have one.