I still haven't heard a cogent explanation of what this is supposed to do.
"Do Not Track" sounds nice, but seems no easier to scope than the initial problem of excessive information collection. I think it's safe to say that I want companies to 'track' me in order to keep me logged in for a session. Likewise, I hope that my bank keeps logs of visitors, so that it can respond to abuse / hacking attempts. Is this aimed only at behavioral advertising, or is it meant to have a broader scope?
It seems like the technical execution is almost misguided without having the policy discussion first and figuring out what it is we disagree with. Without that, I don't feel like this is going to draw a strong enough line to separate people abusing tracking from the legitimate uses.
From http://donottrack.us: "Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms."
Emphasis on "websites they do not visit" directly, meaning that it only applies to iframes, popups, etc. If you typed it in the address bar, or clicked on a link to get there, the site isn't limited by DNT.
"Many people are logged in to Facebook all the time. I would think that an explicit login overrides any DNT header."
As a user, I want to stay logged in to Facebook when posting a TC comment. But I don't want Facebook to track me when I visit some random site with a like button. How do we draw the line here?
A solution that I've found works well for me is simply disabling cookies, and whitelisting any site that I want to use that requires them, or that I am attempting to log in to.
This is made easier for me by the fact that I don't use Facebook.
I think Facebook and Disqus are different cases. The only reason anyone ever logs into Disqus is to be able to use it on third-party sites. Not so for Facebook. People's intentions matter.
If you don't want to be tracked, the site that handles authentication can still keep you logged in, but it isn't allowed to track your whereabouts.
In the case of Facebook they can show the "like" button, but they can't use the information that it has been shown for you on a particular site, on a particular date/time.
Facebook's entire purpose is to show you things you are interested in. The fact you didn't like something on a given site is nearly as useful as if you did.
I don't know what legal ramifications could follow sites which declare they support Do Not Track as a spec but in actuality do not support any of the features of the spec in a meaningful way. Other than just bad press if discovered, I don't think there is any punishment for not properly following a technical spec outside of civil lawsuits.
"sites which declare they support Do Not Track as a spec but in actuality do not support any of the features of the spec in a meaningful way"
Seems that it's like P3P[0], in that it causes problems for developers but in no way keeps a company from asserting things that they don't actually follow, and there's no way to verify that they are.
Ending your list with etc. undermines your point. With this header set, can my site track what pages a user views to recommend pages to him later? Can compliant sites keep stats for engineering purposes? Grandparent is dead-on - it's bad enough that this does not affect the behavior of bad actors, but if it isn't even clear what effect it will have on good ones, the false sense of security may be worse than nothing.
The intent is to enable users to "opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms". So you can have an analytics package on your site and do everything you mention, but you cannot offload your statistics gathering to yoursitename.statistics.net, which can track the user across websites, because the users are visiting your site, not statistics.net.
A hypothetical and largely incorrect real-life analogy: you can use cameras to recognize regular clients and keep statistics on them, but you cannot send the camera images to another company to have them processed, because your clients are visiting your store, and not that other company. (This analogy is largely incorrect because camera images are more privacy-sensitive than cookies, and different legal and moral issues are involved, but there's still a similarity.)
How is that "wtf"? If I don't want companies to make statistics using what I do that sounds perfectly legitimate to me.
Now then again DNT is an intent, the vendor does whatever he likes, and can support DNT for other features and still have statistics. There's no list of things you can do or not do. There's no agreement either. It's just the user indicating that they don't want to be tracked in any way.
It's a wtf because you can't draw any good lines on statistics. Web server admins have legitimate reasons to track (i.e. log) all requests to some extent against their web sites. We have good tools to help analyse a lot of this.
Consider a real world equivalent. Suppose you walk into a bookstore and buy a book with cash. The store might not be able to track you individually but they can track how many people visited, how many books they sold, etc. You can't say that's not legitimate.
So I could see an argument that the line that should be drawn is one that involved tracking cookies, but that is quite a narrow exclusion regarding statistics of individual users. You can still get pretty good stuff from the access log and there's no case to be made that DNT means Do Not Log.
This is a load of crap that gets repeated again and again, please stop.
Advertising existed before every move you made was tracked, and it was quite profitable. There is zero reason that such invasive bullshit is a requirement.
HN user fauigerzigerk put it best:
"I would like to agree with your idea of tracking as payment, but I really can't, because:
"a) Most of the time I don't have a choice. There's no option to pay them money and even if I pay them directly, they may still keep collecting tons of personal information about me on top of it.
"b) It's sneaky. I don't really know what information they have and how they use it. I just have a couple of completely meaningless words from their privacy policy.
"c) I don't know the price I'm paying.
"The last point is the most important one.
"The value and the risk associated with a particular piece of information greatly depends on what other information it is combined with, but I can't control that. The company could get acquired tomorrow by some ad behemoth that knows a lot of other things about me, so the price I'm paying could change after the fact. That's not the way payment works. I have to know the price I'm agreeing to pay before I enter that contract."
You make a good point and I agree with you, I just wish you had not put "period" at the end of your sentence. If your point stands good, but putting period like really is kinda close minded, don't you think?
If your point is strong you should have no need to throw your hands up in the air and say "end of discussion" which is what period pretty much means. You're making the call that this discussion is over because you know best.
I had to post this, your 'period' distracted your entire argument for me.
Stores don't track my payments if I pay in cash and give them no identifying information (some local businesses, that I trust and want to support, I will join their rewards program that allows them to track me). I don't have a credit card, so they can't track me. My bank can only track me when I pay with my debit card, which I don't do often.
The thing is, in the offline world, you can control much better who's tracking you. And this is why people get upset at CCTV cameras too; while you can see the people around you who are observing you, and choose to modify your behavior by whether someone's around or who is around, CCTV means that you may be observed, recorded, and tracked at any time without consent.
Because there is ample evidence that good content was available through the internet and later the web, before it was permitted to be used as a commercial vehicle and long before the web became laden with cheap advertising.
The "Do Not Track" HTTP header is useless, equivalent to a "Do not Steal from Me" T-shirt. It is also harmful because it gives users a false feeling of protection and security. The question should not be why Chrome didn't implement it, but why Opera and Firefox did.
It will make all the difference in a court case when you have specifically denied consent and someone has continued to do something.
If you want to get pedantic about it just being text, all law is just text, books upon books, but it's the enforcement that counts. This opens the door for enforcement of other laws.
You're not denying consent, you're sending some non-standard bytes to their server which will be lost as soon as the request is processed. Without legislation, do not track is just an honor system.
You're mixing levels of analysis here. You might as well say, "He didn't vote; he just used some sort of chemical-containing stick to make marks on a thin slice of a tree." Your point about legislation being needed would be stronger without that.
My point isn't about levels of abstraction, it's about standardized communication protocols. Making marks on a thin slice of a tree conveys a vote exactly because that's what the government decided the way to make a vote would be. If I write my vote in hieroglyphic etchings on an old shoe and post it to the first lady, I can't expect my vote to be counted.
Effective communication is about what people agree on. Government recognition is one avenue for that, but it often follows the populace rather than leading it.
I understand your point, but if 'evil do-ers' break existing laws then this could be considered evidence.
I'm fairly sure a mix of privacy & contract laws in my country would hold companies subject to this as it stands if you didn't agree to allow them to do it in a EULA.
Because if I'm not mistaken by accepting the request you are agreeing to contractual obligations... so the server has to accept your contract to engage in transactions... the server can choose to accept or deny this transaction... by default accepting the contract.
Of course you would have a good defence against this as well, so agreed you'd need it standardised to make it a real threat against a company in court. Would be interesting to see played out in court TBH.
Also if stances are made like this then changes will never manifest, because it's close to useless now doesn't mean it won't become a foundation for something later.
"you are expressing your desire to not be tracked."
Yes. And I think this is important. For example, for cases brought by the FTC, class actions, and other litigation it might be useful.
If a company ignores the Header sent by the user and tracks her anyway, then one could argue the company too has expressed an intent.
The Header is machine readable like any other. A server can parse it and take a specific action based on its presence or absence. Arguably it does have technical merit.
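An added example, not part of the thread and not any site's real code: a sketch of a server parsing the header and acting on it, following the "like button" case discussed above (the session stays valid, but an opted-out user's sighting on another site is not recorded). The host `widgets.example`, the function names, the use of `Referer` to detect embedding, and treating an absent or malformed `DNT` as "no preference" are all assumptions.

```python
from urllib.parse import urlsplit

def dnt_preference(headers):
    """True = opted out (DNT: 1), False = DNT: 0, None = absent or malformed."""
    return {"1": True, "0": False}.get(headers.get("dnt", "").strip())

def is_embedded_elsewhere(headers, own_host):
    """Third-party context: the embedding page (Referer) is on another site."""
    host = urlsplit(headers.get("referer", "")).hostname
    if host is None:
        return False  # typed URL or stripped Referer: treated as a direct visit
    return host != own_host and not host.endswith("." + own_host)

def handle_widget_request(raw_headers, session_user, own_host, sightings):
    """Serve the widget; record where it was seen only when permitted."""
    # HTTP header names are case-insensitive, so normalise them first.
    headers = {k.lower(): v for k, v in raw_headers.items()}
    third_party = is_embedded_elsewhere(headers, own_host)
    opted_out = dnt_preference(headers) is True
    record = not (third_party and opted_out)
    if record:
        sightings.append({"user": session_user, "page": headers.get("referer")})
    # The login session is untouched either way: the header limits
    # cross-site logging here, not authentication.
    return {"status": 200, "logged_in_as": session_user, "recorded": record}

# Constructed sample requests (hypothetical hosts), one per case.
SAMPLES = [
    {"DNT": "1", "Referer": "https://news.example/story"},    # opted out, embedded
    {"DNT": "1", "Referer": "https://widgets.example/home"},  # opted out, first party
    {"Referer": "https://news.example/story"},                # no preference sent
    {"DNT": "0", "Referer": "https://blog.example/post"},     # explicit DNT: 0
    {"dnt": "1"},                                             # direct visit, no Referer
]

def run_samples():
    """Return the per-request 'recorded' flags and the resulting log."""
    sightings = []
    flags = [handle_widget_request(h, "alice", "widgets.example", sightings)["recorded"]
             for h in SAMPLES]
    return flags, sightings

if __name__ == "__main__":
    flags, sightings = run_samples()
    for sample, flag in zip(SAMPLES, flags):
        print(sample, "-> recorded" if flag else "-> not recorded")
```

Only the first request is dropped from the log; whether a server does this at all remains its own choice, which is the objection raised elsewhere in the thread.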
Well Twitter won't track you if you have "do not track" enabled.
Unless you have Chrome.
It should be pretty obvious why Chrome doesn't implement it. It's against the core business of Google (tracking). They will only implement if it causes a PR issue (and this very post is a PR issue btw, even though a small one).
Google has an "Incognito" mode which provides an even better tool against tracking than DNT, because it doesn't depend on the mercy of the websites you are visiting.
Also note that almost no other browsers are supporting such a feature out-of-box, at least not when this feature was added to Chrome.
So while I'm not a big fan of Google, either, I find it hard to argue that Google doesn't care about privacy features in Chrome.
Even if what you said is true, it's definitely interesting that the browser that is on the forefront of implementation of almost every new web feature is about a year behind on only this one while all the other major browsers have already implemented it.
It might have to do with the fact that most Web technologies do something useful while this just sends an extra header that pretty much every site they visit will ignore. I wouldn't prioritize it either at this point in time. This is a movement that needs support from site maintainers, not browser implementors.
This is misleading. The important actors in the "who supports Do Not Track" is not browsers but websites. "Browser support" just means "we'll tell the website that you'd rather not be tracked". If every browser sent this header, and every website ignored it, it would be a complete failure.
So what, if any, websites support the "Do Not Track" header?
Well, websites are the ones to lose with this, not browsers (except ones with conflict of interest like Google and Microsoft). So websites can say "Hey, a popular browser like Chrome doesn't support it, so why should we?". That's why it's important for all browsers to support it so that there will be more pressure on websites to support it.
On the other hand Google provides browser extensions that let you opt-out from advertising cookies and Google Analytics tracking. These are not vastly popular though, each at around 100k installs for the Chrome version.
Opting out of a privacy violation that should not take place to begin with is insane.
Also, way too little way too late.
Ten years ago this might have been seen as constructive contribution towards industry self-regulation. Now it's just a sick joke that won't do anything to change the fact that tracking without explicit permission will be illegal in many parts of the world.
Given that Google is perhaps the only company whose main business is online ads and ads relevance is crucial, it is natural that they cannot give up the opportunity of tracking profile of ads viewers as easily as other companies.
DNT does not work based on trust and if somebody is going to track you they are going to track you regardless of if you send them a HTTP header asking not to, or not.
(the tl;dr of the spec is that it adds this HTTP header to all requests:
DNT: 1
it can be set to 1 or 0).
There is also a large risk here of creating a false sense of security amongst less knowledgeable users. We should be teaching users cookie control, plugin and request blocking as part of using the web, not an 'install once, forget forever' solution that doesn't work.
DNT is also adding more entropy to HTTP requests, making you easier to identify or profile. You get less privacy. Think about how much an advertiser would love to know that you are privacy conscious, that puts you in a certain socio-economic group.
I am a huge privacy nut and advocate but DNT will not work. The only way to fix this is better third party blocking and controls in browsers.
I have been meaning to flesh out a blog post against DNT for a while, since I keep getting emails asking to comment on media stories about it being adopted.
"We should be teaching users cookie control, plugin and request blocking as part of using the web, not an 'install once, forget forever' solution that doesn't work."
Doomed to failure. Users shouldn't need to know this stuff, and the vast majority never will. Even if it is taught and tested at school. There are plenty of things we could do to improve privacy, but much of it will cause the major browser vendors to make less money, so is unlikely to happen.
1.) Tie all cookies to the domain in the address bar. No more third party cookie tracking.
2.) Tie all cache entries to the domain in the address bar. Gets rid of numerous tracking tricks at the cost of increasing bandwidth usage a little.
3.) Get rid of HTTP referrers. Completely. It's none of your business which site I was on before yours.
These three things alone would make a huge difference. It's the low hanging fruit that we need to get before we tackle the more difficult problems.
I think there's too much money involved though. The above improvements would definitely hit Microsoft's and Google's bottom lines. But hey, there's no problem with insanely rich advertisers controlling the major browsers right. No conflict of interests there.
EDIT: I agree with all of your other points regarding DNT. Just not the user education one.
EDIT2: Another one:
4.) Make all cookies, session cookies. I configured my browser to delete all cookies on exit ages ago, and the web still works fine. I might have to type in my username each time I go to login to sites instead of having it auto-filled, but that's a good trade off. Besides, browser plugins like LastPass solve that problem better.
I wrote a Chrome extension to do what you describe, it breaks almost the entire web. I am experimenting with a generic rule set with a view of forking Chrome with a better default privacy and security policy.
I totally agree that users shouldn't need to know the details, but there are some things, like third-party cookies, that need to be explained and simplified. A bit like not clicking on an exe email attachment.
I think the equivalent could be that users white-list websites, or 'install' them, if they trust them, which allows those sites to execute third-party cookies. Everything else would be 'incognito' by default.
But I am not entirely sure what would work, hence my experimentation at the moment. I know that the answer definitely isn't DNT.
I can't imagine a way that #1, #2 or #4 would be able to "break the web". Worst-case scenario is they add a tiny amount of overhead. #3 might cause a tiny minority of websites to stop working, but they'd get fixed quickly if #3 was implemented.
This will only be useful if governments enforce it. The US has included it for consideration in the US Privacy Bill of Rights[1] and the EU may enforce it as well[2]. But until there is some form of punishment for not complying with DNT it is essentially window dressing.
Why would Chrome not support a meaningless header sent by the client?
You are asking Schneier to implement security by obscurity with emphasis on the obscurity part. Hell, you are asking the same people that sent a "This is not a P3P policy" P3P policy.
Now I don't know if they think, as do I, that all of this is just meaningless extra traffic on the wire, or that they are evil and don't want to commit to privacy guarantees. No way to tell.
The real question isn't whether Google's browser supports this, it's whether Google's servers support this. It may be that Google isn't adding it to the browser until it can commit to it on the server.
Well, sure, and if everybody installed effective ad blocking software so they never saw a google ad, that would decrease the load on google's servers too.
That makes no sense whatsoever. There are a few websites which do request it, and the header will do no harm to the ones that don't. So Chrome users will be unable to use that feature (going to be?) supported by Twitter, for example.
Did Google web properties use WebGL, NaCl etc. before Chrome supported them?
If you disable Cookies and Javascript you will stop probably 90% or more of tracking. How much tracking is done without using Cookies and without Javascript? KISSMetrics? What else?
There's lots of ways to track you. Here's a sampling: <http://samy.pl/evercookie/>. Turning off cookies and JavaScript will stop many, but not all. It also makes many popular websites nearly unusable. Browsing with JS and cookies off, and selectively turning them on, is an option that is only really practical for experts.