"Perhaps those should have been nailed down earlier, but they are the first things we are settling under the new plan to move forward," he says.
The gathering of some tracking data, such as screen resolution, IP address and referring URL, is required for the basic operation of the Web. But how much information is acceptable to users, and needed or just wanted by the advertisers who are funding commercial websites? "We're trying to walk through what is the least amount you can collect and retain while still allowing the third-party ad ecosystem to work," Brookman says.
"We don't need to tell the Web server nearly so much as we do right now," says Jonathan Mayer, a Stanford University grad student and former working group member. "We can limit it to the bare bones required for the Internet to do its thing."
Mayer has a strong bias against the retention of tracking data by third-party ad networks and has been at the center of some of the more contentious exchanges within the working group. "I don't want companies I've never heard of keeping track of where I go on the Web," he says flatly.
"One side wants the cessation of data collection for any purpose. The other side wants the status quo. It's difficult to rectify those positions, particularly when those tend to be the loudest voices in the room," says Alan Chapell, president of Chapell & Associates, a consumer privacy law firm serving the advertising industry, and working group member.
Then there's the issue of what actions would be required when the ad network receives a Do Not Track signal -- and at what point DNT policy actually applies. For example, should a Do Not Track policy pertain to tracking for all purposes, including market research by firms such as The Nielsen Company, or just for the delivery of those behaviorally targeted ads?
Big players vs. smaller ones
Suggestions that DNT policy only apply to third-party advertising networks have advocates for those organizations crying foul. Chapell, for one, thinks this gives big players such as Amazon, Facebook and Google a free pass at the expense of independent ad networks and the smaller publishers that use them.
According to the IAB's Zaneis, there is also more potential for privacy violations when you're dealing with the big ecosystems. Major players like Google and Amazon know the identity of each user once that user self-identifies through online account registrations and transactions. They can then combine online data with offline data from aggregators to serve highly targeted behavioral advertising.
Sign up for CIO Asia eNewsletters.