"Do Not Track" HTTP header supported by IE, Opera, FF, Safari but not Chrome (wikipedia.org)
146 points by TomAnthony on May 20, 2012 | 100 comments



I still haven't heard a cogent explanation of what this is supposed to do.

"Do Not Track" sounds nice, but seems no easier to scope than the initial problem of excessive information collection. I think it's safe to say that I want companies to 'track' me in order to keep me logged in for a session. Likewise, I hope that my bank keeps logs of visitors, so that it can respond to abuse / hacking attempts. Is this aimed only at behavioral advertising, or is it meant to have a broader scope?

It seems like the technical execution is almost misguided without having the policy discussion first and figuring out what it is we disagree with. Without that, I don't feel like this is going to draw a strong enough line to separate people abusing tracking from the legitimate uses.


From http://donottrack.us: "Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms."

Emphasis on "websites they do not visit" directly, meaning that it only applies to iframes, popups, etc. If you typed it in the address bar, or clicked on a link to get there, the site isn't limited by DNT.

This is not legal advice.


So Disqus, and any site that uses it is screwed then?


When you say 'screwed', how do you mean exactly?


Disqus isn't a site you visit directly, it is a plugin service which site owners can plug into their site.

As part of its functionality it relies on the ability to uniquely identify a user across sites (to provide user authentication).

There are quite a few other services that work in a similar way.


Many people are logged into Disqus all the time. I would think that an explicit login overrides any DNT header.

On the other hand, if I'm not logged in, I don't want them tracking me across all the Disqus-enabled sites I visit.


"Many people are logged in to Facebook all the time. I would think that an explicit login overrides any DNT header."

As a user, I want to stay logged in to Facebook when posting a TC comment. But I don't want Facebook to track me when I visit some random site with a like button. How do we draw the line here?


Pragmatically, we draw it with Adblock and NoScript and friends.


A solution that I've found works well for me is simply disabling cookies, and whitelisting any site that I want to use that requires them, or that I am attempting to log in to.

This is made easier for me by the fact that I don't use Facebook.


Suggested friend: Ghostery.


Is Ghostery useful if a person is already using a privacy list for AdBlock, such as EasyPrivacy[1] or Fanboy Tracking List[2]?

[1] https://easylist.adblockplus.org/en/

[2] https://secure.fanboy.co.nz/


Yes, it lets you more easily re-enable things on a case-by-case basis. Like NoScript, but focused on privacy.


I think Facebook and Disqus are different cases. The only reason anyone ever logs into Disqus is to be able to use it on third-party sites. Not so for Facebook. People's intentions matter.


I would say authentication isn't tracking... it's authentication.


Good.

So Facebook & Google are fine, too then. You authenticate with them, then they add features based on that.


That's a play on words. You can authenticate yourself to something and then be tracked for other reasons.


If you don't want to be tracked, the site that handles authentication can still keep you logged in, but it isn't allowed to track your whereabouts.

In the case of Facebook they can show the "like" button, but they can't use the information that it has been shown for you on a particular site, on a particular date/time.


Yeah, but that is kind of useless.

Facebook's entire purpose is to show you things you are interested in. The fact you didn't like something on a given site is nearly as useful as if you did.


That's from an advertiser perspective, not from a user perspective.


Not at all.

Facebook shows me updates from my friends' activity. It can better match those to my interests if it knows what I am interested in.


I don't know what legal ramifications could follow sites which declare they support Do Not Track as a spec but in actuality do not support any of the features of the spec in a meaningful way. Other than just bad press if discovered, I don't think there is any punishment for not properly following a technical spec outside of civil lawsuits.


sites which declare they support Do Not Track as a spec but in actuality do not support any of the features of the spec in a meaningful way

Seems that it's like P3P[0], in that it causes problems for developers but in no way keeps a company from asserting things that they don't actually follow, and there's no way to verify that they are.

[0] http://en.wikipedia.org/wiki/P3P


The FTC would likely investigate, if you had a non-trivial number of users. You really don't want this.


What if they're not in the USA?


European regulators are worse, China is its own story, everywhere else is pretty lax afaik.


So who cares, shady operators will just move?


Do not track me for advertisement, statistics, etc. is the intent.


Ending your list with etc. undermines your point. With this header set, can my site track what pages a user views to recommend pages to him later? Can compliant sites keep stats for engineering purposes? Grandparent is dead-on - it's bad enough that this does not affect the behavior of bad actors, but if it isn't even clear what effect it will have on good ones, the false sense of security may be worse than nothing.


Key word is "intent". Privacy != security. Close, but not quite.


statistics

WTF? So analytics packages will somehow have to exclude these browsers from all reports? Some reports? Can you count impressions from these users?


The intent is to enable users to "opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms". So you can have an analytics package on your site and do everything you mention, but you cannot offload your statistics gathering to yoursitename.statistics.net, which can track the user across websites, because the users are visiting your site, not statistics.net.

A hypothetical and largely incorrect real-life analogy: you can use cameras to recognize regular clients and keep statistics on them, but you cannot send the camera images to another company to have them processed, because your clients are visiting your store, and not that other company. (This analogy is largely incorrect because camera images are more privacy-sensitive than cookies, and different legal and moral issues are involved, but there's still a similarity.)


How is that "wtf"? If I don't want companies to make statistics using what I do, that sounds perfectly legitimate to me.

Now then again DNT is an intent, the vendor does whatever he likes, and can support DNT for other features and still have statistics. There's no list of things you can do or not do. There's no agreement either. It's just the user indicating that they don't want to be tracked in any way.


It's a wtf because you can't draw any good lines on statistics. Web server admins have legitimate reasons to track (i.e. log) all requests to some extent against their web sites. We have good tools to help analyse a lot of this.

Consider a real world equivalent. Suppose you walk into a bookstore and buy a book with cash. The store might not be able to track you individually but they can track how many people visited, how many books they sold, etc. You can't say that's not legitimate.

So I could see an argument that the line that should be drawn is one that involved tracking cookies, but that is quite a narrow exclusion regarding statistics of individual users. You can still get pretty good stuff from the access log and there's no case to be made that DNT means Do Not Log.


Statistics != "logging"

Then again anyone is free to track/not track, stat/not stat (so far at least) and only "not track" subset of their data (as long as they don't lie)

Then again there's a few privacy-aware websites who do logging and some stats but on pseudonymized IPs which is also a pretty decent compromise.


But what about mining statistics from logs?


Does that mean the access_log should omit visitors who set this header? Does this mean log analysis tools should omit such records in the logs?

I am confused as to how this works for statistics purposes.


[deleted]


this is a load of crap that gets repeated again and again, please stop.

advertising existed before every move you made was tracked, and it was quite profitable. There is zero reason that such invasive bullshit is a requirement.

HN user fauigerzigerk put it best:

    I would like to agree with your idea of tracking 
    as payment, but I really can't, because:

    a) Most of the time I don't have a choice. There's 
    no option to pay them money and even if I pay them
    directly, they may still keep collecting tons of
    personal information about me on top of it.

    b) It's sneaky. I don't really know what 
    information they have and how they use it. I just 
    have a couple of completely meaningless words 
    from their privacy policy.

    c) I don't know the price I'm paying.

    The last point is the most important one. 
    The value and the risk associated with a 
    particular piece of information greatly depends 
    on what other information it is combined with, 
    but I can't control that. The company could get   
    acquired tomorrow by some ad behemoth that knows 
    a lot of other things about me, so the price I'm 
    paying could change after the fact. That's not 
    the way payment works. I have to know the price 
    I'm agreeing to pay before I enter that contract.
https://news.ycombinator.com/item?id=3751905


You make a good point and I agree with you, I just wish you had not put "period" at the end of your sentence. If your point stands, good, but putting "period" like that really is kinda close-minded, don't you think?

If your point is strong you should have no need to throw your hands up in the air and say "end of discussion", which is what "period" pretty much means. You're making the call that this discussion is over because you know best.

I had to post this, your 'period' distracted your entire argument for me.


Fair enough, I just feel it's an issue that needs a strong stance, but I understand your concerns. I removed it.


[deleted]


Stores don't track my payments if I pay in cash and give them no identifying information (some local businesses, that I trust and want to support, I will join their rewards program that allows them to track me). I don't have a credit card, so they can't track me. My bank can only track me when I pay with my debit card, which I don't do often.

The thing is, in the offline world, you can control much better who's tracking you. And this is why people get upset at CCTV cameras too; while you can see the people around you who are observing you, and choose to modify your behavior by whether someone's around or who is around, CCTV means that you may be observed, recorded, and tracked at any time without consent.


Children are also starving in Africa; does that mean anything more trivial than that should not be addressed until that is?


[deleted]


You mean like playing on people's fears of paywalling by saying something like

"If we don't allow web advertising to be unregulated, all good content will be paywalled."

You mean that kind of irrational fearmongering?


Is there any evidence to support your worry?

Because there is ample evidence that good content was available through the internet and later the web, before it was permitted to be used as a commercial vehicle and long before the web became laden with cheap advertising.


[deleted]


"No, there's no evidence to support my worry."

OK, thanks.


The "Do Not Track" HTTP header is useless, equivalent to a "Do not Steal from Me" T-shirt. It is also harmful because it gives users a false feeling of protection and security. The question should not be why Chrome didn't implement it, but why Opera and Firefox did.


It will make all the difference in a court case when you have specifically denied consent and someone has continued to do something.

If you want to get pedantic about it just being text, all law is just text, books upon books, but it's the enforcement that counts. This opens the door for enforcement of other laws.


You're not denying consent, you're sending some non-standard bytes to their server which will be lost as soon as the request is processed. Without legislation, do not track is just an honor system.


You're mixing levels of analysis here. You might as well say, "He didn't vote; he just used some sort of chemical-containing stick to make marks on a thin slice of a tree." Your point about legislation being needed would be stronger without that.


My point isn't about levels of abstraction, it's about standardized communication protocols. Making marks on a thin slice of a tree conveys a vote exactly because that's what the government decided the way to make a vote would be. If I write my vote in hieroglyphic etchings on an old shoe and post it to the first lady, I can't expect my vote to be counted.


Effective communication is about what people agree on. Government recognition is one avenue for that, but it often follows the populace rather than leading it.


I understand your point, but if 'evil-doers' break existing laws then this could be considered evidence.

I'm fairly sure a mix of privacy & contract laws in my country would hold companies subject to this as it stands, if you didn't agree to allow them to do it in a EULA.

Because if I'm not mistaken by accepting the request you are agreeing to contractual obligations... so the server has to accept your contract to engage in transactions... the server can choose to accept or deny this transaction... by default accepting the contract.

Of course you would have a good defence against this as well, so agreed you'd need it standardised to make it a real threat against a company in court. Would be interesting to see played out in court TBH.

Also if stances are made like this then changes will never manifest; because it's close to useless now doesn't mean it won't become a foundation for something later.


Is there any law that actually prevents tracking? It doesn't really matter whether you consent or not if it's legal either way.


It reminds me a lot of RFC 3514's evil bit[1].

[1] http://www.ietf.org/rfc/rfc3514.txt


We can finally rest assured our computers are safe, since all evil packets get filtered. Right?


From a technical point of view it has little merit, granted.

I think from a legal point of view though, you are expressing your desire to not be tracked.

This would be preferable to legislation dictating that the user must manually approve all cookies etc.


"you are expressing your desire to not be tracked."

Yes. And I think this is important. For example, for cases brought by the FTC, class actions, and other litigation it might be useful.

If a company ignores the Header sent by the user and tracks her anyway, then one could argue the company too has expressed an intent.

The Header is machine readable like any other. A server can parse it and take a specific action based on its presence or absence. Arguably it does have technical merit.


Well Twitter won't track you if you have "do not track" enabled.

Unless you have Chrome.

It should be pretty obvious why Chrome doesn't implement it. It's against the core business of Google (tracking). They will only implement it if it causes a PR issue (and this very post is a PR issue btw, even though a small one).


Google has already committed to supporting it in Chrome. It's just not in it yet.

I don't know if they've made any promises to honor DNT requests, but their browser will be able to send them.


Google has an "Incognito" mode which provides an even better tool against tracking than DNT, because it doesn't depend on the mercy of the websites you are visiting.

Also note that almost no other browsers were supporting such a feature out of the box, at least not when this feature was added to Chrome.

So while I'm not a big fan of Google, either, I find it hard to argue that Google doesn't care about privacy features in Chrome.


IIRC, Firefox's private browsing mode is older than Incognito.


It enables social pressure on sites to honor it.

Once it exists, sites can be forced to explain why they don't obey the users' express wishes.


Not only social pressure, but perhaps legal pressure too.


I can hear it now "Of course not, why would an ad company sabotage itself?".

Wikipedia says Chrome is set to support the header by the end of this year (2012).

Wikipedia's source: http://online.wsj.com/article/SB1000142405297020396080457723...


Google also said they would drop H.264 support from Chrome, but we're still waiting.


Even if what you said is true, it's definitely interesting that the browser that is on the forefront of implementation of almost every new web feature is about a year behind on only this one while all the other major browsers have already implemented it.


It might have to do with the fact that most Web technologies do something useful while this just sends an extra header that pretty much every site they visit will ignore. I wouldn't prioritize it either at this point in time. This is a movement that needs support from site maintainers, not browser implementors.


It is a little suspicious that Chrome is dragging its feet, isn't it?

I guess we'll see if they honour their promise by the end of the year.


As far as I can tell, this official extension for Chrome has been available since January of last year and supports the header: http://googlepublicpolicy.blogspot.ca/2011/01/keep-your-opt-...


Since no one's mentioned Ghostery yet, I highly recommend it as a way to opt-out of all sorts of stupid tracking mechanisms on the Web.

http://www.ghostery.com/


This is misleading. The important actors in the "who supports Do Not Track" question are not browsers but websites. "Browser support" just means "we'll tell the website that you'd rather not be tracked". If every browser sent this header, and every website ignored it, it would be a complete failure.

So what, if any, websites support the "Do Not Track" header?



The key part is not the websites but the services (ads, analytics, etc) that sites use.

For those, quoting from http://donottrack.us/implementations :

3PMobile, AdInsight, AdOcean, AdTruth, AP News Registry, Blue Cava, BlueKai, BrightTag, Chitika, Effective Measure, eXelate, Jumptap, m6d, Mochi Media, TagMan, Tealium, TruEffect, Ensighten, Twitter.

Note absence of Google with their advertiser hat on, as well as Facebook.


Well, websites are the ones to lose with this, not browsers (except ones with a conflict of interest like Google and Microsoft). So websites can say "Hey, a popular browser like Chrome doesn't support it, so why should we?". That's why it's important for all browsers to support it so that there will be more pressure on websites to support it.


On the other hand Google provides browser extensions that let you opt out from advertising cookies and Google Analytics tracking. These are not vastly popular though, each at around 100k installs for the Chrome version.

https://www.google.com/ads/preferences/html/opt-out.html

https://tools.google.com/dlpage/gaoptout


Opting out of a privacy violation that should not take place to begin with is insane.

Also, way too little way too late.

Ten years ago this might have been seen as constructive contribution towards industry self-regulation. Now it's just a sick joke that won't do anything to change the fact that tracking without explicit permission will be illegal in many parts of the world.


Will be also supported by Epiphany (default GNOME browser): http://git.gnome.org/browse/epiphany/commit/?id=f7a3fca8a8e0...


Given that Google is perhaps the only company whose main business is online ads and ads relevance is crucial, it is natural that they cannot give up the opportunity of tracking profile of ads viewers as easily as other companies.


DNT does not work based on trust, and if somebody is going to track you they are going to track you regardless of whether or not you send them an HTTP header asking them not to.

(the tl;dr of the spec is that it adds this HTTP header to all requests:

    DNT: 1

it can be set to 1 or 0).

There is also a large risk here of creating a false sense of security amongst less knowledgeable users. We should be teaching users cookie control, plugin and request blocking as part of using the web, not an 'install once, forget forever' solution that doesn't work.

DNT is also adding more entropy to HTTP requests, making you easier to identify or profile. You get less privacy. Think about how much an advertiser would love to know that you are privacy conscious, that puts you in a certain socio-economic group.

I am a huge privacy nut and advocate but DNT will not work. The only way to fix this is better third party blocking and controls in browsers.

I have been meaning to flesh out a blog post against DNT for a while, since I keep getting emails asking to comment on media stories about it being adopted.
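The header format in the tl;dr above is the whole wire protocol, and an earlier comment notes that a server can parse it and act on its presence or absence. The following is an added example, not code from the thread or from any browser or site named in it: a server-side decision routine that applies the donottrack.us scoping (DNT restricts only sites the user did not visit directly) and keeps logging, with a pseudonymized address, when tracking is withheld. The `Tk` response header is taken from the W3C Tracking Preference Expression draft, which the thread does not mention; the Host/Referer third-party test and the sample requests are the example's own constructions.

```python
import ipaddress
from enum import Enum
from urllib.parse import urlsplit


class Preference(Enum):
    OPT_OUT = "opt-out"            # DNT: 1
    CONSENT = "consent"            # DNT: 0
    UNSPECIFIED = "unspecified"    # header absent


def _header(headers, name):
    """Case-insensitive lookup over a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def parse_dnt(headers):
    """Map the DNT header to a Preference. Only "1" and "0" are defined; a
    malformed value is treated as opt-out so a garbled header never widens
    what the server may do (this fail-safe is the example's own choice)."""
    value = _header(headers, "DNT")
    if value is None:
        return Preference.UNSPECIFIED
    if value == "0":
        return Preference.CONSENT
    return Preference.OPT_OUT


def _site(host):
    """Crude registrable-domain approximation (last two labels); a real
    server would consult the Public Suffix List instead."""
    labels = host.split(":")[0].lower().split(".")
    return ".".join(labels[-2:])


def is_third_party(headers):
    """True when the request comes from a page on another site (the user did
    not visit us directly), judged from Host vs Referer; None when there is
    no Referer to judge from."""
    host = _header(headers, "Host")
    referer = _header(headers, "Referer")
    if not host or not referer:
        return None
    return _site(urlsplit(referer).netloc) != _site(host)


def decide(headers):
    """Withhold tracking when the user opted out and the request is
    third-party (or its context cannot be determined, the conservative
    reading). Tk: "N" = not tracking, "T" = tracking (W3C TPE draft)."""
    pref = parse_dnt(headers)
    third_party = is_third_party(headers)
    withhold = pref is Preference.OPT_OUT and third_party is not False
    return {
        "preference": pref.value,
        "third_party": third_party,
        "set_tracking_cookie": not withhold,
        "response_headers": {"Tk": "N" if withhold else "T"},
    }


def log_fields(headers, client_ip, decision):
    """Access-log fields: logging continues (DNT is not "do not log"), but
    when tracking is withheld the address is truncated to a /24 or /48."""
    addr = ipaddress.ip_address(client_ip)
    if decision["set_tracking_cookie"]:
        ip_field = str(addr)
    else:
        prefix = 24 if addr.version == 4 else 48
        ip_field = str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return {"ip": ip_field, "host": _header(headers, "Host"),
            "tk": decision["response_headers"]["Tk"]}


# Constructed sample requests (not captured traffic).
EMBEDDED_OPT_OUT = {"Host": "beacon.tracker.example",
                    "Referer": "https://news.example.org/story/42", "DNT": "1"}
DIRECT_OPT_OUT = {"Host": "news.example.org",
                  "Referer": "https://news.example.org/", "dnt": "1"}
```

For the embedded request the routine withholds the tracking cookie and logs `203.0.113.0/24` instead of the full address; the same header on a direct visit to the site leaves tracking decisions untouched.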


"We should be teaching users cookie control, plugin and request blocking as part of using the web, not an 'install once, forget forever' solution that doesn't work."

Doomed to failure. Users shouldn't need to know this stuff, and the vast majority never will. Even if it is taught and tested at school. There are plenty of things we could do to improve privacy, but much of it will cause the major browser vendors to make less money, so is unlikely to happen.

1.) Tie all cookies to the domain in the address bar. No more third party cookie tracking.

2.) Tie all cache entries to the domain in the address bar. Gets rid of numerous tracking tricks at the cost of increasing bandwidth usage a little.

3.) Get rid of HTTP referrers. Completely. It's none of your business which site I was on before yours.

These three things alone would make a huge difference. It's the low hanging fruit that we need to get before we tackle the more difficult problems.

I think there's too much money involved though. The above improvements would definitely hit Microsoft's and Google's bottom lines. But hey, there's no problem with insanely rich advertisers controlling the major browsers, right? No conflict of interests there.

EDIT: I agree with all of your other points regarding DNT. Just not the user education one.

EDIT2: Another one:

4.) Make all cookies, session cookies. I configured my browser to delete all cookies on exit ages ago, and the web still works fine. I might have to type in my username each time I go to login to sites instead of having it auto-filled, but that's a good trade off. Besides, browser plugins like LastPass solve that problem better.
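Proposal 1 above (tie cookies to the domain in the address bar) can be modelled with a small cookie jar; this is an added example, not code from the thread or from any browser, and the sites, tracker and cookie values are constructed. It shows both the effect the proposal is after (an embedded tracker no longer sees one identity across two sites) and the Disqus-style case raised earlier in the thread (a service the user logged in to directly is no longer recognised when embedded), which is the kind of breakage a later comment reports.

```python
class CookieJar:
    """Classic jar: cookies keyed by the domain that set them.
    Partitioned jar: additionally keyed by the site in the address bar."""

    def __init__(self, partitioned):
        self.partitioned = partitioned
        self._store = {}  # (partition, cookie_domain) -> {name: value}

    def _key(self, top_level_site, cookie_domain):
        partition = top_level_site if self.partitioned else None
        return (partition, cookie_domain)

    def set_cookie(self, top_level_site, cookie_domain, name, value):
        """Store a Set-Cookie from cookie_domain while top_level_site is shown."""
        bucket = self._store.setdefault(self._key(top_level_site, cookie_domain), {})
        bucket[name] = value

    def cookies_for(self, top_level_site, request_domain):
        """Cookies attached to a request to request_domain from a page on top_level_site."""
        return dict(self._store.get(self._key(top_level_site, request_domain), {}))


# Constructed names for illustration only.
TRACKER = "beacon.tracker.example"
SITE_A, SITE_B = "news.example.org", "shop.example.com"


def cross_site_view(partitioned):
    """What the embedded tracker sees on SITE_B after tagging the user on SITE_A."""
    jar = CookieJar(partitioned)
    jar.set_cookie(SITE_A, TRACKER, "uid", "abc123")   # embedded on SITE_A
    return jar.cookies_for(SITE_B, TRACKER)             # embedded on SITE_B


def embedded_login_view(partitioned):
    """Disqus-style case: user logs in to the service directly, then meets it
    embedded on SITE_A. Under partitioning the direct-visit cookie is not sent."""
    jar = CookieJar(partitioned)
    jar.set_cookie(TRACKER, TRACKER, "session", "logged-in")  # direct visit
    return jar.cookies_for(SITE_A, TRACKER)                    # embedded visit


def first_party_view(partitioned):
    """A site's own login cookie on a return visit works in both jars."""
    jar = CookieJar(partitioned)
    jar.set_cookie(SITE_A, SITE_A, "session", "logged-in")
    return jar.cookies_for(SITE_A, SITE_A)
```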


I wrote a Chrome extension to do what you describe; it breaks almost the entire web. I am experimenting with a generic rule set with a view of forking Chrome with a better default privacy and security policy.

I totally agree that users shouldn't need to know the details, but there are some things, like third-party cookies, that need to be explained and simplified. A bit like not clicking on an exe email attachment.

I think the equivalent could be that users white-list websites, or 'install' them, if they trust them, which allows those sites to execute third-party cookies. Everything else would be 'incognito' by default.

But I am not entirely sure what would work, hence my experimentation at the moment. I know that the answer definitely isn't DNT.


How does it break the web and what has the most breaking impact in your experience?


I can't imagine a way that #1, #2 or #4 would be able to "break the web". Worst case scenario is they add a tiny amount of overhead. #3 might cause a tiny minority of websites to stop working, but they'd get fixed quickly if #3 was implemented.


The Do Not Track movement and its whole premise is useless. I've blogged about why this is so a while ago: http://blog.idleworx.com/2012/02/do-not-track-movement-is-us...


This will only be useful if governments enforce it. The US has included it for consideration in the US Privacy Bill of Rights[1] and the EU may enforce it as well[2]. But until there is some form of punishment for not complying with DNT it is essentially window dressing.

[1]http://www.whitehouse.gov/sites/default/files/privacy-final....

[2]http://ec.europa.eu/justice/data-protection/article-29/docum...


Why would Chrome not support a meaningless header sent by the client?

You are asking Schneier to implement security by obscurity with emphasis on the obscurity part. Hell, you are asking the same people that sent a "This is not a P3P policy" P3P policy.

Now I don't know if they think, as do I, that all of this is just meaningless extra traffic on the wire, or that they are evil and don't want to commit to privacy guarantees. No way to tell.


Has anyone sent in an RFC for using code 666 for "Server is evil and does not support Do Not Track headers"?


The IETF does have a network-layer solution to that.

http://www.ietf.org/rfc/rfc3514.txt


Hmm... Somebody could presumably bake it into Chromium.


but will be incorporated by the end of 2012


The real question isn't whether Google's browser supports this, it's whether Google's servers support this. It may be that Google isn't adding it to the browser until it can commit to it on the server.


Allowing people to opt out of tracking would decrease the load on Google's servers.


Well, sure, and if everybody installed effective ad blocking software so they never saw a google ad, that would decrease the load on google's servers too.



That makes no sense whatsoever. There are a few websites which do request it, and the header will do no harm to the ones that don't. So Chrome users will be unable to use that feature (going to be?) supported by Twitter, for example.

Did Google web properties use WebGL, NaCl etc. before Chrome supported them?


The thing is, why should it be supported if the website is tracking you anyway?

It's just a request not to track me, but I can't see if it's really not tracking me.


Jesus' words (or Lincoln's, if you wish) apply here:

"If a house be divided against itself, that house cannot stand."


If you disable Cookies and Javascript you will stop probably 90% or more of tracking. How much tracking is done without using Cookies and without Javascript? KISSMetrics? What else?


There's lots of ways to track you. Here's a sampling: <http://samy.pl/evercookie/>; Turning off cookies and JavaScript will stop many, but not all. It also makes many popular websites nearly unusable. Browsing with JS and cookies off, and selectively turning them on, is an option that is only really practical for experts.


Without JS and Cookies the web is too crippled. It's not an option for most people. DNT tries to fix this on a more legal level than technical.


If that's not evil then I don't know what is.



