The Tracking Protection Working Group (TPWG) has been engaged with issues of online data protection, privacy and tracking since 2011. Its Tracking Protection Expression draft recommendation (TPE), substantially completed in 2013, first became a Candidate Recommendation (CR) in August 2015.The main feature of the TPE, the DNT request header, is now implemented by all the major browsers via a general preference setting, with the JavaScript API for registering a site-specific preference implemented by browser extensions, as well as Microsoft’s Internet Explorer and Edge browsers.

The DNT header indicates settings that a user has made within their browser, either directly or mediated by script on a page, to indicate their preference of agreeing or declining to be tracked. Once a “general preference” is configured, browsers add the DNT header to all HTTP requests, including requests to be sent to embedded sub-resources. The header value can either start with “1”, meaning “Do Not Track”, or “0” signifying “this user has agreed to tracking for the purposes explained”. There is a defined JavaScript API letting a browsing context change the DNT setting for its own domain origin, or for the domain origin of its embedded sub-resources – so called “site-specific” consent.

GDPR & ePrivacy

The General Data Protection Regulation (EU) 2016/679, which has just come into force, is important for web privacy because it clarifies what makes for valid user consent in more detail than the Data Protection Directive that preceded it. The existing ePrivacy Directive (introduced in 2002, amended 2009) requires prior user consent for access to storage in browsers, other than for a restricted set of exempted purposes, and now for consent to be valid it must meet its description in the GDPR. Consent must not only be freely given, specific, informed and unambiguous, it must be indicated by the user’s affirmative act – it is no longer enough to display “implied consent” notices, pre-selected checkboxes, or cookie walls, and it must be as easy for users to withdraw consent as to give it.

The GDPR also introduces much larger fines, making data and privacy protection a board level topic.

There is also a new ePrivacy Regulation (ePR) in the works, aimed at replacing the ePrivacy Directive. Although the European Parliament completed its deliberations last year, and voted through its own draft text, the European Council has dragged its feet somewhat. Even so, the important trilogue discussions between the European Parliament, Council and Commission, aimed at finalising the text, are expected to start soon. DNT

DNT

DNT is a highly efficient way to convey user consent to web servers because the header is always present in every request. A JavaScript global property also allows a browsing context, say for an iframe tag or a first-party page, to immediately determine the current setting. Although HTTP cookies can of course also encode a consent signal, there is no way to selectively include them in sub-resource requests, as cookies once stored will always be sent to their respective domain origins (i.e. to access third-party resources on any first-party site), and moreover there is no simple or efficient API a browsing context can use to set cookies for its embedded sub-resource domains.

The TPE also defines a JSON resource, called the Tracking Status Resource (TSR), to be made available by domains that implement DNT, located at a well-known path (/.well-known/dnt/). This resource enables domains to declare their identity, policy for tracking, and other important items, important so that browsers can show users the servers being enlisted to supply content for a page, to support the now legally required transparency. European data protection and privacy law requires that users be able to determine who they may be tracked by, for what purpose, and give their informed and specific consent if they freely choose to.

The Tracking Protection Working Group was chartered in 2017 to demonstrate the viability of TPE to address the requirements for managing cookie and tracking consent that satisfies the requirements of EU privacy legislation”. This resulted in a new CR for the TPE in October 2017 which included improvements for the Javascript API and other elements.

Later further changes in the draft were put forward to meet the requirements for the European Parliament’s agreed text for the EU’s ePrivacy Regulation, and to allow for the communications of agreed purposes requested by the AdTech or “industry side” group members. The API was extended so that a site-specific signal was available to indicate the required right-to-object for permitted “web audience measurement”(A8.1d in the European Parliament’s ePR text), i.e. to send a DNT:1 header to certain domains even if the general preference had not been set, and to define an extension to the header so that a purpose descriptor could be sent when consent had been given, i.e. an extension to the DNT:0 header. A new “purposes” property for the TSR was defined whereby a server can indicate, via a dynamically created web page, the purposes the user has agreed to by decoding the new extension field in the incoming DNT header.

Implementation

Now that the GDPR is in force, and the ePrivacy regulation final text hopefully soon to be agreed, the fact that a CR exists for efficient signalling of user consent may encourage browser providers to implement or update their DNT implementations.

If they do, DNT would offer a much better signalling method for user consent than techniques based on HTTP cookies. Third-party cookies as presently constituted cannot convey site-specific consent1, and it is unlikely that users, once they have been made aware of their right to give their prior consent, will agree if their only option is to be tracked across the entire web. Although the IAB EU’s recently introduced Consent and Transparency Framework (CTF) allows for consent to be recorded in first-party cookies, and so site-specifically, there is no mechanism to persist it within a sub-resource context without using a third-party cookie (or other domain specific storage), which is then incapable of recording the site-specific context. Without persistence the efficiency of indicating consent to third-parties becomes a problem.

In DNT the browser absolutely determines which domain receives the consent signal, within the parameters of the Same Origin Policy and, while it does not need the elaborate encoding of party identity, with its attendant fingerprinting risks, underlying the CTF’s “daisybit” identifier, this can still be incorporated in a consent-based protocol where the “daisybit” is only sent to the parties the user has agreed to. This could give the online advertising industry, the publishers that rely on it, and web users a win-win outcome – good for data protection, privacy and commerce.

Extensions

The architecture of the DNT protocols has been designed to be extensible, and there have been discussions in the TPWG about additions that could help publishers and advertisers improve efficiency by extending the protocols for consent-contingent targeting and privacy-oriented audience measurement. If representatives from publishing and advertising wish to engage with that, the TPE is a great base to build on. We have had a charter extension till September but if new members with a commitment to engage were to appear, we should be able to extend it further.

1) Safari’s recent innovation of Intelligent Tracking Prevention (ITP) has introduced the concept of “partitioned” or “double-keyed” cookies as a privacy enabling mechanism, which, by default, only allows embedded third-parties access to cookies that are scoped to a first-party site. If these new cookies were standardised, perhaps under the control of Feature Policy or Consent-Security-Policy response headers, then cookies could be used to implement tracking restricted to a set of sites a user has agreed to. Together with the transparency and verifiability elements of the DNT protocol elements, this could be a powerful aid to user autonomy and privacy protection on the web.