eff.org
On the heels of President Obama’s recent introduction of a Privacy Bill of Rights, the Digital Advertising Alliance (DAA), the latest self-regulatory organization for online advertising, agreed to support widespread implementation of Do Not Track (DNT) browser headers. This is a laudable step, and in the coming months the responsibilities for how websites respond to the signal will be articulated in multistakeholder meetings through the W3C’s Tracking Protection Working Group. One conspicuous absence from the Do Not Track discussions is Facebook. As a company that tracks millions of users around the web, Facebook needs to follow in the footsteps of Google, Microsoft, Yahoo!, and others by committing to respect user choice.
There is no denying Facebook’s popularity in the online arena. It is consistently ranked in the top five websites visited in the world. In the month of December 2011 alone, users spent more than 9.7 billion minutes per day on Facebook on personal computers, while in the mobile sphere the Facebook app is one of the most downloaded applications across the smartphone ecosystem.1 Facebook is apt to translate this popularity into effective advertising, which is fundamental to its revenue stream. Facebook said as much in its IPO documents, where it stated: “We generate substantially all of our revenue from advertising and payment processing fees.”2 Facebook also provided explicit figures. In 2011, it made $3.15 billion of $3.71 billion solely from advertising.3 Combined with Facebook’s dominance in social media and its engagement with both Facebook and non-Facebook users outside of Facebook.com, this reliance on advertising as a major revenue stream is a reason that Facebook should be involved in current W3C discussions about the future of online advertising.
Facebook has a complex relationship with users—sometimes it acts like a social network, but other times it acts more like an online tracking company. This tracking takes place without a user ever having to interact with the Facebook “like” or “social plugin” buttons: just seeing the “like” button is enough for Facebook to collect a record of your reading habits. It was third party tracking practices similar to this that inspired the Do Not Track movement. Like other companies that engage in cross-site tracking, Facebook needs to commit to respecting the Do Not Track header.
Facebook’s interaction with users is further complicated by Instant Personalization, a system that allows non-Facebook sites to embed interactive Facebook widgets and conversations. Instant Personalization inherently requires tracking. When an individual has “instant personalization” enabled in her Facebook settings and then sets the Do Not Track header, we recommend that Facebook clarify whether or not she is agreeing to opt back in to being tracked while using instant personalization. This could be done with an interstitial explaining the tracking inherent to instant personalization and asking her whether, given her preference to not be tracked, she would still like to see and use instant personalization widgets. This type of transparent privacy control can ensure that Facebook users better understand how Facebook collects data on them. These complications are all reasons for Facebook to further engage in Do Not Track discussions and the Do Not Track mechanism.
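The decision flow recommended above can be sketched as server-side logic for a widget request. This is an added example, not code from EFF or Facebook; the function names, the `instantPersonalization` and `dntChoice` fields, and the response shape are all hypothetical.

```javascript
// Added illustration: readDnt, decideWidgetResponse and the user fields are
// hypothetical names and do not describe any real Facebook API.

// Header names are case-insensitive. "1" means do not track, "0" means the
// user consents to tracking, anything else is treated as no preference.
function readDnt(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'dnt') {
      const v = String(value).trim();
      return v === '1' ? 'opt-out' : v === '0' ? 'consent' : 'unset';
    }
  }
  return 'unset';
}

// user.instantPersonalization: boolean taken from the account settings.
// user.dntChoice: 'allow' | 'deny' | undefined, the stored interstitial answer.
function decideWidgetResponse(headers, user) {
  if (readDnt(headers) !== 'opt-out') {
    // No DNT preference expressed: behaviour is left as it was.
    const mode = user.instantPersonalization ? 'personalized' : 'generic';
    return { mode, recordVisit: true };
  }
  // DNT: 1 from here on. Nothing is recorded unless the user opted back in.
  if (!user.instantPersonalization || user.dntChoice === 'deny') {
    return { mode: 'generic', recordVisit: false };
  }
  if (user.dntChoice === 'allow') {
    return { mode: 'personalized', recordVisit: true };
  }
  // Setting enabled but no answer yet: ask before any tracking happens.
  return { mode: 'interstitial', recordVisit: false };
}

// Constructed sample requests (header object, user settings).
const samples = [
  [{ DNT: '1' }, { instantPersonalization: true }],
  [{ dnt: ' 1 ' }, { instantPersonalization: true, dntChoice: 'allow' }],
  [{ Dnt: '1' }, { instantPersonalization: true, dntChoice: 'deny' }],
  [{}, { instantPersonalization: false }],
];
for (const [headers, user] of samples) {
  console.log(JSON.stringify(headers), '->', decideWidgetResponse(headers, user));
}
```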
It’s clear that Facebook wants to be a part of the conversation around advertising and privacy. According to AdAge, when the Commercial Privacy Bill of Rights Act was introduced last year, Facebook sent an “army of lawyers” to Washington to convince Senators Kerry and McCain to carve out exceptions to their privacy bill so that Facebook could track its users via social widgets on other sites (dubbed the “Facebook loophole”). Facebook currently retains two lobbying firms, and it nearly quadrupled its lobbying budget last year to $1.35 million.4 The best Internet policy arises from collaborative efforts with users, advocacy groups, and other technology companies—not backroom deals on Capitol Hill. This is especially true when many policymakers and the public are watching online advertisers closely to see if they can improve their poor track record when it comes to self-regulation.
Currently, the W3C’s Tracking Protection Working Group involves stakeholders that include privacy organizations, tracking companies, the DAA, and academics to refine what Do Not Track means and how it is implemented. Facebook’s prominence in the online advertising world, its reliance on advertising as a revenue model, and its activity in Washington make it clear that Facebook should be more involved in the negotiations on advertisers’ responsibilities to respect Do Not Track.
After a privacy agreement was reached with the FTC in November 2011, Mark Zuckerberg wrote: “I’m committed to making Facebook the leader in transparency and control around privacy.” Do Not Track is the next step for users to control how they can be tracked and what data can be collected. It’s time Facebook engage with the larger Internet community and respect the rights of users who opt out of tracking.