Twitter plans to roll out a new privacy policy on June 18, and, with it, is promising to roll back its longstanding commitment to obey the Do Not Track (DNT) browser privacy setting. Instead, the company is switching to the Digital Advertising Alliance's toothless and broken self-regulatory program. At the same time, the company is taking the opportunity to introduce a new tracking option and two new targeting options, all of which are set to “track and target” by default. These are not the actions of a company that respects people’s privacy choices.
Twitter implements various methods of tracking, but one of the biggest is the use of Tweet buttons, Follow buttons, and embedded Tweets to record much of your browsing history. When you visit a page that contains one of these, your browser make a request to Twitter’s servers. That request contains a header that tells Twitter which web site you visited. By setting a unique cookie, Twitter can build a profile of your browsing history, even if you aren’t a Twitter user. When Twitter rolled out this tracking, it was the first major social network to do so; at the time, Facebook and Google+ were careful not to use their social widgets for tracking, due to privacy concerns. Twitter sweetened their new tracking initiative for privacy-aware Internet users by offering Do Not Track support. However, when the other social networks quietly followed in Twitter's footsteps, they decided to ignore Do Not Track.
Now, Twitter proposes to abandon the Do Not Track standard and use the “WebChoices” tool, part of self-regulatory program of the Digital Advertising Alliance (DAA). This program is toothless because the only choice it allows users is to opt out of “customizing ads,” when most people actually want to opt out of tracking. Many DAA participants, including Twitter, continue to collect your information even if you opt-out, but will hide that fact by only showing you untargeted ads. This is similar to asking someone to stop openly eavesdropping on your conversation, only to watch them hide behind a curtain and keep listening.
Also, WebChoices is broken; it’s incompatible with other privacy tools, and it requires constant vigilance in order to use. It relies on setting a third-party opt-out cookie on 131 different advertising sites. But doing this is incompatible with one of the most basic browser privacy settings: disabling third party cookies. Even if you allow third party cookies, your opt-out only lasts until the next time you clear cookies, another common user strategy for protecting online privacy. And new advertising sites are created all the time. When the 132nd site is added to WebChoices, you need to go back and repeat your opt-out, which, unless you follow the advertising press, you won’t know to do.
These problems with DAA's program are why Do Not Track exists. It’s simple, compatible with other privacy measures, and works across browsers.
Twitter knows the difference between a real opt-out and a fake one: for years, it has implemented DNT as a true "stop tracking" option, and you can still choose that option under the "Data" section of Twitter's settings, whether you are a Twitter user or not. However, if you use the new DAA opt-out that Twitter plans to offer instead of DNT, the company will treat that as a fake opt-out: Twitter keeps tracking, but won't show you ads based on it.
What can you do as an individual to protect yourself against Twitter's tracking? First, follow our guide to disable the settings. Second, install Privacy Badger, EFF's browser extension that, in addition to setting DNT, attempts to automatically detect and block third-party tracking behavior. Privacy Badger also specifically replaces some social network widgets with non-tracking static versions.
Twitter is taking a big step backwards for user privacy by abandoning Do Not Track. The company should draft a new privacy policy before June 18 that keeps DNT support, and treats both DNT and the DAA opt-out as a true "stop tracking" option.