Facebooks's position paper on "Do Not Track" for W3C Workshop on Web Tracking and User Privacy
A "Do Not Track" proposal should focus on the data practices of entities that are not accountable because they do not engage with users and make their presence known. In these situations, a user may not know that an entity is collecting information about her, may not have a place to look to learn more about that entity's data practices, and may have no recourse if she objects to those practices after learning of them. Because of these difficulties, a "Do Not Track" mechanism should provide a meaningful way for a user to express her preference not to share information with entities that are invisible (or unreasonably visible) and tracking on the site.
The same concerns are not implicated when the user has a relationship with the company conducting the tracking and understands that the entity may be collecting data. For example, Facebook's social plugin enables users to go the Washington Post website and see a list of news stories that their Facebook friends have found interesting. The social plugin also makes it easy for users to recommend news stories, fostering the kind of interactive discussion and community engagement that is the hallmark of the social web. Although the social plugin collects information so that it knows which Washington Post news articles the user has shared or commented on, this kind of tracking is a far cry from the covert surveillance that users are most worried about. Facebook's presence on the Washington Post website is clear, meaning that Facebook users know who is collecting the information and have various means of communicating with Facebook if they are concerned about Facebook's information practices.
Information collection by a company with which a user has a relationship and whose presence on a webpage is clear does not present the same concerns because the user expects that the entity may be collecting data. The user also can more easily learn about the data collection and provide feedback, share less information, or terminate the relationship altogether. Finally, users can seek redress if they object to an approach taken by a company they know: among other steps, they can complain about that company by name to government or consumer organizations or try to force a reduction in that company's stock price through grassroots public relations efforts. None of these corrective measures are available for "no-name" companies that are invisible to the Internet users from whom they collect data.
A contextual "Do Not Track" approach that recognizes these differences in user expectations, and that adopts bifurcated requirements for companies depending on whether they are known to and interact directly with users, is reminiscent of existing legislation like the approach of the U.S. Federal Trade Commission (FTC) to "Do Not Call", which similarly contains an exception for established business relationships. Under the FTC's Telemarketing Sales Rule, an entity can make calls to a telephone number listed on the national "Do Not Call" registry if it has an established business relationship with the call recipient. This exception is consistent with people's expectations: although people may not want to receive unsolicited telemarketing generally, they are less likely to object to such calls when they have recently purchased or made inquiries about a product that the caller is selling. The "Do Not Call" registry helps people convey their privacy preferences to the telemarketing industry at large, but people who receive telemarketing calls from entities with whom they have an established business relationship have other means of controlling the entity's information practices. For example, they can request that the entity stop calling them, terminate the relationship, or attract regulatory or market scrutiny of the entity's conduct.
Companies engage in various forms of monitoring in order to protect user security, ensure the effectiveness of their services, to find new ways of responding to user needs and to innovate and offer new kinds of products and services. These kinds of data collection have been inherent in the structure of the Internet since its inception and users generally accept that they do not raise the same issues as tracking for the purpose of behavioral targeting. For instance, web servers routinely collect client computers' IP addresses in order to communicate with them and receive requests to deliver specific web pages to particular addresses. Similarly, a website may use historical login data that it has collected for account security purposes, such as the additional account security questions that Facebook would ask a user who always logged in from Washington, D.C. if we suddenly see failed login attempts on that account from Belarus. While these collections of information might be defined as "tracking," they are clearly not practices that users would intend to block by expressing a "Do Not Track" preference. To the contrary, they are inherent in the structure and proper functioning of Internet services. It is essential that any "Do Not Track" specification define what "tracking" is prohibited.