• by Wendy Davis  @wendyndavis, November 28, 2012

A group that aims to set standards to implement a do-not-track mechanism has tapped privacy expert Peter Swire to forge a consensus between privacy advocates, computer scientists and industry representatives.

Swire, a law professor at Ohio State University, will serve as co-chair of the World Wide Web Consortium's Tracking Protection Working Group. He has previously worked for both the Obama and Clinton administrations, and he coordinated the White House's efforts on the major privacy law of the 1990s -- the Health Insurance Portability and Accountability Act.

Swire replaces Stanford University's Aleecia McDonald, who stepped down as co-chair on Wednesday. She says she intends to continue to participate in the group, which is made up of a broad range of computer scientists, industry representatives and privacy advocates.

The move comes as the W3C's do-not-track effort appears to have reached an impasse. The organization has tried for more than one year to reach a consensus on how Web site operators should respond to do-not-track headers -- which were designed as a way for privacy-conscious users to opt out of online behavioral advertising. Every major browser now offers those headers, but they don't actually block tracking cookies. Instead, they send a signal to publishers and ad networks, but those companies are free to decide how to react.

To date, the tracking protection group has been unable to reach a consensus on several key areas. One of the biggest centers on collecting data from users who don't want to be tracked. Privacy advocates, as well as many consumers, say ad networks should stop gathering data about people's Web surfing activity if they have turned on do-not-track.

But the online ad industry generally says that companies need only to stop targeting ads based on users' Web-surfing activity when they say they don't want to be tracked. Many online ad companies have said they want to continue to collect analytics information from users, even when they activate a do-not-track signal.

A compromise proposal would allow companies to collect analytics information, but only if it can't be linked to specific users or devices. So far, there is little agreement about how to effectively anonymize that data, according to McDonald.

Another bone of contention stems from Microsoft's Internet Explorer 10 browser, which activates do-not-track by default when people use Windows express settings. The W3C group says that do-not-track should reflect a choice by users, but has never spelled out what should happen when people use so-called non-compliant browsers.

The ad industry takes the position that companies need not honor signals from non-compliant browsers. Privacy advocates counter that at a minimum, ad networks and publishers must notify users of those browsers that their do-not-track headers are ineffective.

Discussions surrounding those and other issues have become heated in recent months, says participant Jonathan Mayer, a Stanford University grad student and privacy advocate. "There's no doubt that group discussions have taken on a much more vitriolic tone of late," he says.

Jeff Chester, executive director of the advocacy organization Center for Digital Democracy, characterized the efforts to date as a failure. "This transition is more than just a personnel change. It reflects a 'multistakeholder' process in turmoil," he wrote today.

Meanwhile, the ad industry umbrella group Digital Advertising Alliance says the W3C shouldn't be considering policy issues at all. Instead, the DAA says the standards group should restrict itself to purely technical issues. DAA counsel Stu Ingis says those technical matters include how browsers communicate with publishers and how do-not-track signals are implemented across ad exchanges.

"The W3C is not the United Nations of privacy or policy," Ingis says. "The W3C does technical standard-setting."

But others say that do-not-track doesn't lend itself to purely technical decisions. "This is not something where you can decide, 'I'll write it in C++' or 'I'll write it in Java', " McDonald says. "The policy and the technology are deeply intertwined here."

Despite the recent rancor, some privacy experts are optimistic that the group will make headway under Swire's leadership.

"He's one of the unique people who is respected by all sides of the do-not-track debate," says Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum (where Swire serves as a senior fellow). "He's appreciated by business and trade groups as somebody who brings a pragmatic and practical approach to privacy regulations, and also respected by the advocacy community for the intellectual work he's done in advancing privacy, and the role he played in government in getting HIPAA adopted."