Skip to Main Content

Google Chrome's Sham 'Do Not Track' Feature

Chrome finally has a Do Not Track implementation?if you can find it and get past the browser's dissuasion.

November 9, 2012

The FTC has requested that browser makers come up with some mechanism that allows Web browser users to prevent their online activities from being stored and profiled by Web entities. The first response to this, coming late in 2009, was Internet Explorer 9's Tracking Protection feature, which lets users subscribe to blacklists from privacy organizations such as TrustE and PrivacyChoice. A month later came Mozilla's Do Not Track proposal. This was simply a small bit of text that the browser would send to the site you visit, telling it to pretty please not track you.

I'm no software engineer, but adding a feature that sends a tiny bit of text to each webpage request doesn't sound like a massive development project. In fact, every other major browser was able to implement this over a year before Google got around to it in . In the meantime, Google managed to add what do seem like far more impressive feats of software engineering—graphics hardware acceleration improvements, tab syncing, and support for the getUserMedia API, which lets a webpage access your webcam and microphone without the need for plugins like Flash or Silverlight.

Finally this week, after nine months of foot-dragging, Do Not Track arrived in a released version of Chrome. It should be noted that Google only said that it would be adding the feature after the White House put out a Privacy Bill of Rights with the suggestion that Congress would develop legislation that gives the FTC and State Attorneys General authority to enforce the protections.

So, after updating your Chrome browser to version 23, with the spanking new Do Not Track support, you might say "Where is it?"  You might think, oh, it must be turned on by default, since Google would surely want to protect my browsing privacy, and 75 percent of users say they'd like it on by default. Not so. It's off by default in Chrome. So, click that menu button that used to be a wrench but now has three lines, for Settings. Hmm, nothing there about Do Not Track. Nothing under "Tools." Choose "Settings" from the menu. Still no dice. Ah, but go all the way to the bottom of the page and click "Show advanced settings"—and voilà! "Advanced settings" - that won't scare non-technical consumers away, right?

But even if you braved the "advanced" designation and did find the Do Not Track checkbox, the very last option under Privacy, you're not out of the woods yet. When you click this unconfusing "Send a ‘Do Not Track request with your browsing traffic" option, you get a long wordy message about how the setting may do nothing to protect your privacy and will deprive you of targeted advertising. It also notes that sites can still collect your browsing history, but just may not use it to customize your ads.

Almost comically, when you click on the "Learn more" link in the message box, you're taken to an actually briefer Web page that basically says that Google doesn't honor Do Not Track. To be fair, the company has stated that it's working on hammering out Do Not Track policies within the Web industry. But if it's so hidden and forbidding to enable, how much consolation is that?

Even if Do Not Track is clearly implemented in a browser, the goodwill of the profit-driven advertising sites is a necessary piece of the privacy puzzle. In comparing Do Not Track with Internet Explorer's alternative Tracking Protection, I found that the former completely failed to block data from being sent to third-party sites—sites that I never knowingly visited but that had placed "phone home" code on pages I did want to visit. Conversely, IE's Tracking Protection, based on block lists, clearly halted traffic from my browser to these trackers.

All of this ineffectiveness and lack of observance of the Do Not Track header points to the inevitability of hard rules being issued by the FTC or even legislation by Congress. When the most visited purveyor of Web content openly states "At this time, most web services, including Google's, do not alter their behavior or change their services upon receiving Do Not Track requests," you have a clearly ineffective system.

Of course, that "At this time" points to the possibility that Google may at some future date honor Do Not Track. But when? And will it do so without government compulsion? FTC Chairman Jon Leibowitz recently said, "We support a self-regulatory approach." But even if Google does honor the system, what good is it when most users will never see the setting?

For more from Michael, follow him on Twitter @mikemuch.