The whole concept of DNT is just stupid. It's misleading users and won't work.
By telling users you have better privacy simply because your browser adds a random header tag onto requests you're misleading them. Sites have no obligation to obey it and it will give users a false sense of security.
We already have proven, well defined method of DNT already: private browsing. This works by simply removing resources after the session ends. There's no reliance on servers, so it will always work.
Or if a large portion of the industry decides to voluntarily adopt the standard, to counter the threat of legislation.
A number of large ad networks have already announced support for DNT. Sure, there will always be sites that ignore the header, but there's also a realistic chance that it will give users a meaningful choice about how their behavioral data is used by many of the biggest sites they use most often.
As the CTO of an adserving company, I can confirm that we consider (too) strict legislation a big threat, and as such are more than willing to adopt initiatives like the DNT header.
The good thing about legislation is you can go after those minority of bad guys. That's what happens when businesses call individuals who are on these privacy lists, they are reported to a regulator and the regulator investigates.
Telephone networks are still largely national-based. The idea of individual countries implementing "Do Not Track" legislation is a mess. Do they only enforce it on sites based in their own country? If so, it's useless to users. If they apply it to all countries, it won't work.
Ha! People have been getting around the do not call lists in the UK for years now by dialling in from other countries where our regulatory bodies are powerless. Trying to regulate it on the world wide web would be even harder.
Message from Germany: Doesn't look like that from here. Our politicians are fighting the wrong battles and loosing most of them as well. I haven't seen a single law passed in the last 10 years that actually enhanced privacy in the real world.
As if that would be appropriate or necessary to solve whatever privacy problems we have.
It's the U.S. government trying to take anonymity and privacy away from the Internet; do we want them making weak, unenforceable, irremovable laws on how to implement an HTTP header?
Individual sites are not really the ones auctioning ad inventory that is targeted by a user's cookies. That specific technology continues to become consolidated in a handful of exchanges. You could probably get 95%+ of cookie-targeted impressions compliant by regulating 5 or 10 companies.
We already have proven, well defined method of DNT already: private browsing.
You are still being tracked with private browsing. You IP, user agent, OS, screen resolution, etc. are enough to connect the dots in most situations.
This is a decent idea that will need to be implemented to some degree if sites are eventually going to support under-13s, since it is illegal to track their behavior under current law. But you are right, I don't see a lot of places voluntarily signing up to make less money.
I agree with your critique of DNT, but private browsing isn't magic, there's plenty a bad actor could do to track you regardless of what you throw away at the end of the session, which means the same critique applies (unless you're using it for it's intended purpose, privacy from other users of your computer, and even then it's got holes).
Current implementations of private browsing just throw everything away at the end of a session. That doesn't prevent cross site tracking during a session. If you start up a browser in private browsing mode, then log in to Facebook and visit some site with a like button on it. Facebook still knows you visited that site. At least, I think that's how it works.
Thanks. So a better implementation should perhaps instantiate a different session for each browser window (sharing the same session for the tabs in the same window). The user should also avoid logging in to any service linked to a known profile.
A better implementation would be one which instantiates a different session not on a per window basis, or even a per tab basis, but on a per "domain in address bar" basis.
And by session, this wouldn't just be the cookie store, it would also be the cache store and everything else which can be manipulated for tracking purposes.
EDIT: I'd also want it clearing between browser restarts too.
If this became (over night) the default standard way for browsers to behave, the vast vast majority of websites (at least 99.9% I'd guess) would continue to work without issue and it would pretty much annihilate nearly all privacy/tracking issues on the web.
Stuff like Google Analytics would continue to be able to work, but wouldn't be able to gather as many different types of information. Advertisers would be able to continue to advertise, but they would lose the ability to track you across sites, which potentially might hit their revenue a bit.
Well, I was thinking that cross site authentication would be impossible in case of per domain session, but yes, a completely new anonymous user profile directory should be created.
Why would it be impossible? If you need to completely pass the user off to a different website temporarily, you should add the challenge/response data to the query string or post parameters. Cookies not required.
The fact that Flash had it's own cookies that weren't cleared by private browsing modes was a big story (don't know if they've fixed that yet) but there's a general problem of Zombie Cookies (as long as one ID method works the others can be recreated) and Panopticlick (ID you uniquely based solely on the random info, like installed fonts, sent to the server by your browser).
I agree 100%, this whole fiasco is just a about convincing the US Congress not do anything (which they shouldn't btw). Anyways, the DNT specification has exceptions in it large enough to drive a truck through. On the other hand if it would finally shut up people whining about being tracked online that would be worth (though I doubt it will, as whining is too much fun).
Turning on DNT by default is a great way to ensure it will be utterly ignored.
So I quite support the requirement that people explicitly enable it.
Remember the DNT is voluntary - but if everyone does it by default, then there is nothing left to track, so websites will have no interest in paying attention to the flag.
Isn't that the whole point? Websites may not have interest in tracking disabling policies, but a lot of people do. Maybe these advertising companies ought to incentivize users to opt-in to sell their data instead of the other way around.
Na.. that will be too much work for the user, plus disabling DNT will mean it's disabled for everyone, not just the said website. It also does not make alot of sense, disabling DNT does not make site any money directly. So it will only raise suspicion in a casual user's minds, that why would the site need to track him/her when there is no apparent monetary profit to the site.
Instead they can show a banner that DNT is enabled and when it is disabled, the banner is gone.
False dichotomy. It's not "targeted ads vs no content on the internet".
People will just have to use generic ads, not targeted ones.
I don't think there will be any meaningful difference in profit, and
even if there is, then so be it.
Yes, that is the whole point. Those people who are interested can send the Do Not Track header to indicate the preference. By sending it even when the user didn't indicate that preference, IE would have been the Boy Who Cried Wolf. Network owners wouldn't has been able to trust the header to indicate actual user preference.
I think you are conflating two problems - setting to off by default is also setting a default user preference - that the user wants to be tracked. This may or may not be the case - whether the default is on or off that will be the majority setting since most people don't know / dont't care enough to change it.
I think a couple other posters here have pointed out the larger problem - without ads like this, the free internet dries up and suddenly you need to start paying for everything from gmail to facebook (or whatever other tools/blogs/webcomics any of us visit).
Good for privacy litigation. "My client had DNT in her browser set to 'on' and the company intentionally ignored this and tracked her actions on the web, vioalting her right to privacy and causing monetary damages in the amount of $________."
Web developers might hate it, but DNT could be potentially good for end-users who want to make privacy claims. It's just one extra header. A few extra bytes. Meanwhile things like XML and JSON, which add considerable bloat to web responses, are accepted without any complaint.
On the other hand now every single line of code that gets changed has to reviews by a lawyer to make sure it is compliant with the DNT legislation. And if your a startup, the best way to take you down is probably a couple of frivolous DNT lawsuits.
Does the current spec take into account that unscrupulous ISPs (I'm thinking about hotel WiFi in particular) can strip the header before forwarding a request to a server?
It says they shouldn't do that. But you are never going to see enforcement, stripping headers can be sold as "security" to hotels who have no clue what they are doing.
I realise this, I used Chrome as the example as I imagine it has the largest audience of users here. I wish I could set incognito per site. I.e. opt in to cookie keeping. e.g. set cookie_keeping=true for gmail.com.
Honest question, why do people care if they are being tracked? The amount I care is quite far off from the amount everyone else seems to care, could someone educate me on why I need to care more?
The same for me. Why should I care if I'm tracked? And if I don't want to be tracked I'll use private browsing (it's not just for porn, you know?). If I want even more privacy I'll use a clean vm, or if I'm going paranoid I could use an anonymous proxy or similar.
Consider bubbling, e.g. Google returns search results consistent with your previous clickthroughs. You end up seeing only results you agree with; it insulates your searching experience from disturbing foreign ideas like evolution or liberalism.
Tracking can be done by servers, using a workstation signature (ip/port, installed software versions etc, been discussed in other posts), it doesn't require your client station's consent (cookies).
Yet, when I look for "python", I'm not interested in snakes. When I look for "eclipse", it's almost sure that I'm not looking for astrological phenomena or (spare me!) books. It's incredibly useful to write "cinema" without having to specify which city I'm obviously in.
The point is: I want to be bubbled. In almost every situation, apart from reading opinions, it is the right thing to do for me.
In my humble opinion, the bubbling effect is overrated and (should be) avoidable with private browsing. Am I wrong?
So instead IE10, on first run should just pop up a very scary looking dialog filled with text on why the user should choose the "do not let websites track me" button instead of the "Let websites track me" one.
An issue sidestepped by this article is whether the statement in the second paragraph is correct:
> ... tech and ad companies who say they comply with Do Not Track could simply ignore the flag set by IE 10 and track those who use that browser.
That doesn't quite work. Web servers don't know what browser is on the other end of a connection. Yes, they know the "User-Agent:" line, but that is not the same thing.
Claiming to follow a privacy standard, but then ignoring it based on a conclusion reached via fallible means, is a bit scary. It strikes me as the beginning of a slippery slope, regardless of what position Microsoft ultimately takes with IE 10.
Does the DNT standard require that User-Agent strings correctly reflect the browser? [1] Guaranteeing a site follows DNT means that it will follow it, not that it will follow it only if headers are not forged.
Also, is "forging" really a dishonest thing in this instance? Browsers have been making themselves look like other browsers for years, in order to deal with stupid servers that make incorrect assumptions about the User-Agent string.
[1] Not a rhetorical question. I don't know the answer.
Yea, the whole idea of "They are not following part of the spec so we can treat them differently" seems like a sketchy argument.
Is there a clearing house for certifying browsers as DNT compliant? Or can the websites just say "Oh, THAT browser? Well I don't think it is DNT compliant so I am going to ignore the DNT headers even though they are perfectly to spec"
What is the situation if a user agent, on installation/upgrade, asks a user to update their DNT status but in doing so defaults to on? The user has to explicitly agree to turning this setting on (as they have to accept the configuration before proceeding), and is able to turn it off, but most people will just click through anyway.
I apologize in advance that this will probably end up looking a bit like a rant.
I'm sorry, but what is the deal with web-based tracking? I see comments like
> Whenever you visit a website with an ad, DoubleClick knows you looked at that article, and uses that to build a profile about your preferences. I don't think when your average joe reads an article that it is fair that their preferences are being tracked in this way.
and I honestly wonder how this sentiment can be so common, given the realities of our current society (note: this comment is not meant to say anything bad about that comment's author, it's just a convenient example of a trend in the discourse on this topic).
First, we give up many "rights" as tradeoffs for other things that we want. We have the right to the pay from our jobs, but that doesn't mean that we are entitled to get things from the store for free. We have to give up ownership rights of our money in order to trade it for goods and services. We have the right to free speech, but that doesn't mean that someone can't ask us to leave their home or other property if we say something that upsets them. We give up our right to say whatever we want by going onto someone else's property. This sort of situation is so common that it would be impossible for me to list all of the times in which we are faced with it here. However, this argument would not be complete unless I also stated that web-based tracking is in exactly this category: someone has set up a situation where your computer can exchange data with their server. However, in doing so, it is possible that they will notice that you have done so and keep a record of this fact. In other words, if you, through your computer, communicate with a company or individual, that company or individual may know that you communicated with them and what the contents of those communications were. You are giving up your right not to be known to have performed a behavior by a set of potential witnesses in exchange for performing that behavior in front of those witnesses. It's unreasonable to say that, just because you are communicating through computerized agents the other party should not be able to keep a record of your exchange.
Second, it is unfathomable (edit: To me. Please, tell me how your opinion differs) that this could be an issue for people because this is the state in which we constantly live. Every time you leave your house, your neighbors may take notice. Every time you go to the store, your actions are recorded (tracked!) by security cameras. The clerk knows what you bought and may recognize you as a regular customer. If you use a credit or loyalty card, the store keeps keeps a log (tracks) your purchases and builds a demographic profile. At a casino, the floor manager watches you gamble over security cameras. If they notice you winning a lot, they may ask you to leave for the day. I could go on like this all day. The point is that there are all kinds of times where we are tracked and where the only way to opt out is not to have dealings with the tracking entity or to not go out in public. There are all kinds of businesses built around or supplemented by tracking people. It seems to me that the tracking-things-you-witness ship has already sailed and if people wish to bring it back into harbor, they will first need to establish a reasonable test that makes it clear when tracking is actually abusive. It seems very unlikely to me that any test that wasn't specifically designed to do so would label all internet-based tracking as abusive, as some people seem to do, while calling these other behaviors OK.
There's a difference between a right that you are aware that you are giving in exchange for a service, and a right that you are unaware that you are giving. The way in which ad companies track users is so obscure that most people cannot be expected to be giving reasonable consent.
I think you're just upset because DNT might affect your income?
Tracking does not mean looking at server logs (or by analogy, reviewing security camera footage), it means things like cookies, Flash cookies, beacons and KISSmetrics.
Chances are DNT idea will have little effect. People raised issues with cookies back in the 1990's and in rerospect it hasn't impeded websites from tracking. People were forced to opt-in to cookies and everyone became desensitised to them over time. Now people don't even think about not accepting cookies. Tracking has gotten very aggressive though. Some of the behavioral tracking ideas are really pushing the limits.
DNT is hardly a draconian measure. Be glad that the web is still very much unregulated in comparison to meatspace.
Exactly. There was a time when the idea of users accepting/rejecting cookies on a per-site basis seemed plausible (though it might be annoying for the user), but those days seem long gone. Cookies are on by default and my guess is few users change those settings. DNT might be viewed as another attempt, however futile it may seem, at giving users some choice.
It's true a good portion of the web still works well without Javascript. This seems like a good thing as Javascript can be a mixed blessing. Enabling it comes with both benefits and risks. Like cookies, a user could selectively choose which scripts to allow, one at a time (remember the embedded Java applet days?), but this can quickly become more trouble than it's worth.
Perhaps a difference of JS from cookies is that with Javascript the user might sometimes see what the actual benefits are and they might be more enticing than those of cookies, e.g., "To see this cool doodad, you need to enable Javascript." It is very clear what the benefit will be: the doodad.
Contrast this with "To use this site you must have cookies enabled." Terms like "provide a better user experience" might be used to describe the need to enable cookies. But the specifics are usually absent.
If all websites were reasonable, and no one abused their ability to manipulate and track end users, things like DNT would probably not be necessary. But we know that's not the case.
Whenever you visit a website with an ad, DoubleClick knows you looked at that article, and uses that to build a profile about your preferences. I don't think when your average joe reads an article that it is fair that their preferences are being tracked in this way.
We should survey the public and ask: "Do you think it is okay that internet ad companies use the type of article you read to target ads that are more likely relevant to you?"
That is a reasonable question that gets to the crux of the issue. Retargeting and profile targeting may be borderline unethical, but Google and I both make good money doing it. I am not sure it is right, but we both have a vested interest in making sure we can continue.
By telling users you have better privacy simply because your browser adds a random header tag onto requests you're misleading them. Sites have no obligation to obey it and it will give users a false sense of security.
We already have proven, well defined method of DNT already: private browsing. This works by simply removing resources after the session ends. There's no reliance on servers, so it will always work.