Mozilla uses Google Analytics Premium Service ($150k/year) which includes a contractual option to prevent secondary use of the visitor data. Therefore, they see it as legally in the spirit of Do-Not-Track -- Google is a contractor collecting the visitation data solely for the pleasure of Mozilla.
From the latter thread, Stacy Martin at Mozilla represents "Google Analytics will not correlate or report on any customer data with any other data, they will use Mozilla data only to provide and maintain the service for Mozilla, and they will not share or use it for any other purpose."
EDIT: The contractual arrangement is relevant. Section 9.3 item 2 of the IETF do-not-track draft has an exception for this very situation, "data obtained by a third party exclusively on behalf of and for the use of a first party".
The bug report is not about the legal contractual agreement between Google and Mozilla, but rather about user expectation from a "do not track me" option. Some users, maybe faulty or silly, consider a "do not track me" option to simply mean, do not track me.
It doesn't matter if Google signs a service contract that Mozilla pays $150k/year. "Do not track me" means, do not track me. It doesn't matter if Google promises to not be evil. Do not track me still means, do not send tracking data to Google. It doesn't even matter how extremely useful or good intention Mozilla or Google has with the tracking data. "Do not track me" really does mean, do not track me.
Something to consider. In Firefox, the DNT options have a Learn More link that answers the question:
"Do Not Track is a feature in Firefox that allows you to let a website know you would like to opt-out of third-party tracking for purposes including behavioral advertising. It does this by transmitting a Do Not Track HTTP header every time your data is requested from the Web."
While you can debate whether that's the appropriate place for that information, it's not as if Mozilla is hiding this information. It's easily reached, and not at all intentionally hidden away. Nothing devious. Just a question of how to appropriately display the information.
A very good point, as I never clicked on their help site. Thank you.
It's interesting that the summary text on their Do Not Track FAQ has zero mention that tracking is redefined as "third-party tracking", but the FAQ question "What is Do Not Track" does. The summary is more in line with common expectation of the word tracking, while the FAQ question is more in line with the definition scope found in the standard.
An easy fix would be to add "third-party" next to the word tracking in the option menu.
The problem is, DNT isn't just a Firefox thing, but something that the industry is attempting to adopt. So, DNT as a whole means something specific. It's a shame that there is that disconnect, but it's not a Mozilla specific problem.
Safari says even less about DNT (Ask websites not to track me) and the help isn't much better, though they have a separate section for blocking 3rd party cookies. But that's different from DNT.
This is a case where DNT as an industry standard means one thing to the industry, and one thing to the uneducated public. Damned if they do, damned if they don't.
The language used is an important part when determining user expectations. It's like the old "free phone" advertisement, which wrote a monthly fee in tiny print in the service contract. That practice is now mostly banned as false advertisement, and good riddance as "free" has a clear definition.
So yes, I think there is a clear distinction between "do not track me" and one that is limited to any specific tracking techniques.
For example: You come on to my site, I want to know how you're using it, I don't want your personal details, I just want to see how you're interacting with the site I've made for you. Why do I want to know? Well it depends on the purpose of the site, but for the most part it is so that I can optimise and improve what my site offers to you and others.
But you've politely requested that I don't track you. For starters this should only ever be a polite request, not a forced rejection of any tracking scripts. I have a right to track how people use my site. You have a right to privacy, but that's got bugger all to do with you coming on to my site, once you've made that choice you are within my domain, under my roof, living by my rules. Until you leave of course.
Some sites may respect that request, but they're the kind of site who have no need to track behaviour anyhow, and are likely not tracking to begin with. Kind of makes the request moot.
People get way too offended by analytics tracking when it's there for their benefit. The internet would be one ugly place if webmasters and designers had no clue how people were interacting with it. If you want to go back to the dark ages then feel free to try. But you won't benefit from the advances we've made or are yet to make because of large scale, anonymous tracking across the web.
I've no respect for Do Not Track. It is a silly, backwards, progress-endangering concept that should be burnt on a pyre.
Think of a scenario where a site is maliciously tracking you, where a forced browser-level request to not track could be sent, and maybe we'll talk. But then again I'll probably just retort that any malicious tracking will have a way around such a forced request, and so it's pointless.
Do Not Track is snake oil for the conscientious objector.
>> I have a right to track how people use my site.
But you don't have a right to say what runs on my computer, or make it tell you what I'm doing. This is where our perceived rights collide.
>> once you've made that choice you are within my domain, under my roof, living by my rules.
No, my computer, my browser, my roof, my rules.
>> People get way too offended by analytics tracking when it's there for their benefit.
No, people get offended when you try to turn their computer into a device that spies on them. And we get more offended that this sort of stuff happens without most people even being aware it's going on. They may or may not object to it, but right now they don't even know.
And it's so lovely of you to have made the decision for me that it's to my benefit, so I don't have to worry about pesky things like privacy concerns, or having control over my own computing.
>> Do Not Track is snake oil for the conscientious objector.
This is about the only thing we agree on. It's pointless and it was never going to achieve anything.
Seriously, people should be warned that they are tracked, the purpose for which they are tracked and what exactly is tracked. Google Search for example is giving warnings lately, that you have to manually dismiss (probably because of EU laws) and I view that as being progress.
On the other hand demanding of publishers to not track you while you're on their property is unreasonable. Of course, you can complain about it, you can stop using such services or websites and so on. Voting with your wallet (or eyeballs) still works, even on the web.
I also view the "Do Not Track" header as a good thing, because it's an automated way for publishers to respect your wishes, should they choose to do that. But customers must also understand that this header represents a kind request, nothing else and we shouldn't make it something else, as that's a slippery slope.
>> On the other hand demanding of publishers to not track you while you're on their property is unreasonable.
I'm not on their property.
I'm fairly happy for them to record what they can see at their end in terms of what pages I go to, but I find it very unreasonable to demand that I run whatever code the website operator asks me to run, to turn my computer into a machine that reports anything/everything about my site interaction to anyone the site owner feels like, and all on the basis of an implied social contract of some form.
If you don't like it, don't use it - simple as that.
The only thing I find reasonable is for users to be warned that they are tracked, precisely for enabling them to move to alternatives that better respect their wishes.
His website is running in your browser by your choice, not his ;-)
>> If you don't like it, don't use it - simple as that.
>> His website is running in your browser by your choice, not his ;-)
Excellent, now how do I know ahead of time, or without digging through the source, which sites are going to try and run this stuff?
--edit-- Also, and here's the rub - again I just requested some data from his server, and it provided it to me. I made no promise to render or run it in the way he wants. If he has requirements about that sort of thing then maybe he needs to specify them.
Well, the "Do Not Track" option is too simplistic and probably needs improvements.
Ideally, the browser would start by making an OPTIONS request in which the server would reply with something like "yes, I'll track this user in spite of their preferences" (even with a link to their privacy policy) and then the browser could block the view with a warning, just like how Chrome and Firefox are giving warnings for insecure connections, giving users the option to add exceptions or to go somewhere else.
You're making a false dichotomy - you imply the only choices are a) allowing tracking, or b) not using sites that track.
As I implied in my other comment, this is a false dichotomy; by using browser extensions, I can and do control my browsing experience to benefit from sites that track while preventing them from tracking.
The very concept that I should subject myself to the whims of web sites is completely counter to the history and culture of the net.
Then return an error when requests with the DNT header are made. You can't expect people to magically know ahead of time that your website is being used to spy on them.
Actually, I can use your site and benefit from it, while simultaneously blocking your ability to track me. It's called Ghostery (and similar browser extensions).
I use Ad-Block Plus and Ghostery for all my web browsing, and have both Ad-Block Plus set to block _all_ ads and Ghostery set to block _all_ tracking scripts.
These extensions do not make 'polite requests'; they directly control the browsing experience to my benefit.
I (and my extensions) control my browsing experience, not you.
(You can argue that this is unfair, but in the long run I believe the outcome will be a better business model for sites to make money.)
You do know that sites will track you without javascript or ads? As well, do you browse without cookies and images, as those extensions will not help you there? And without session IDs in URIs, since you seem to want the web to return to byzantine times?
> I believe the outcome will be a better business model for sites to make money
Sites will make less money without use of cookies, images, and support of encoding sessions into URIs. You ARE welcome to use the web without these things, but it is going to mean you are not a customer of many entities, because your kind are vanishingly small in number.
I think a number of different issues are being conflated here.
Secondly, in my ordinary web browsing, I'm not trying to avoid all tracking whatsoever - I'm much more interested in blocking the 99.9% low-hanging fruit of commercial 3rd-party tracking. If I really was paranoid / needed to prevent tracking completely, I'd use a much more sophisticated setup.
Given that context, the fact that some people may be trying to embed image web bugs on a bunch of pages isn't nearly as important or interesting; AFAIK most commercial 3rd-party trackers are javascript-based these days. Same applies for straight cookies - blocking the 3rd-party javascript usually prevents these being set in the first place.
> since you seem to want the web to return to byzantine times?
> without use of cookies, images, and support of encoding sessions into URIs
I'm not advocating for that at all - there is a continuum between only viewing raw HTML and running every bit of 3rd-party javascript someone decided to throw into the page.
My comment was basically arguing that there _is_ a continuum, and that it is possible to block the vast majority of 3rd-party trackers, _without_ having to turn off JS completely or do anything really paranoid.
My whole comment, essentially, was about _avoiding_ turning off JS etc., and still maintaining a level of control over my browsing experience. I actually develop web applications for a living, so it would be a bit silly of me to say that we shouldn't have sessions support!
> > I believe the outcome will be a better business model for sites to make money
What I was referring to here, is that if ads and 3rd-party tracking are blocked, then sites will have to create new revenue streams to operate with - and if that means paying directly for good content, then I look forward to supporting that business model.
I think your annoyance is misplaced. I develop rails apps for a living, so I am aware of the importance of js, sessions etc. - I'm merely stating that I can have my cake (blocking 3rd-party trackers) and eat it (still use the net) too.
But the post I responded to is wrong. Blocking third party trackers does not block my hosting of the JS file; this is only discouraged for most trackers. Most trackers also have a gif-pixel option and by default (eg. quantcast) or a server-to-server option (eg. kissmetrics). I was merely pointing out your conclusions are wrong about Firefox, extensions, or HTTP headers preventing the capabilities of trackers. And again, you are very welcome to not be tracked online; that is very much within your right; you are just spreading falsehoods. Have a look at evercookie, for example.
I am annoyed that they accept money to whitelist ads and am also annoyed that they allow whitelisting like this at all; however there is a considerable distance between having opt-out whitelisting, and what you're implying.
Client and server, guys. A web browsing experience is a cooperative endeavor that occurs on property controlled by both the host (web server) and the visitor (user agent).
At a fine-grained level, different aspects of that experience can be said to occur specifically on client or server. Each of those aspects can be constrained or manipulated by the respective property owner.
When it comes to preferences of the visitor for certain server actions (or inactions), one can only make a request. This isn't a grand moral point, or a technical one, but one of basic property rights and personal freedom. And such a request is what the DNT header signifies.
Likewise, when the server has preferences for certain user agent actions (such as running JavaScript or storing cookies) again it can only request that this occur since the user agent can typically disable JavaScript or cookies. This is what certain HTML metadata elements and the Set-Cookie header signify.
If visitors are unhappy with the behavior of a server, they can avoid it. In aggregate, such avoidance can become a significant market force. At the same time, a website that does no analytics for DNT visitors and has a high ratio of DNT visitors may also become less competitive and valuable over time. Both can feed back into respective preference consideration. This is ultimately the meager value of DNT. It (combined with adequate education) provides extra context data that can motivate through market forces an adjustment to web browsing norms.
Along the lines of "adequate education", the option in Firefox should read "Tell websites to restrict their tracking of me. __(Learn more.)__"
Practically, how would you know in advance if a server will respect your DNT preference without first visiting the site? Well, in real life, how do you know whether someone who invites you over for dinner won't serve you poison? One way is through trusted third-parties, but the market hasn't yet demanded such a service (and may never).
>> When it comes to preferences of the visitor for certain server actions (or inactions), one can only make a request.
Absolutely. But the OP seemed to be saying that it was his right as the server owner to make me run his tracking scripts on my end.
If I have the wrong end of the stick then great, I'll shut up, but he seemed to be saying that clients don't get to go to his site and then reject his use of analytics by (for instance) refusing to load the scripts. I find that attitude quite objectionable.
I think it's his right not to provide site content for people who refuse to run his scripts, that seems perfectly reasonable, it's his site and his copyright material. I'd be perfectly happy for my initial request to have a header that says "By the way, I don't run analytics, social network widgets or graphical advertising". Then everyone is informed and everyone has a choice.
> he seemed to be saying that clients don't get to go to his site and then reject his use of analytics by (for instance) refusing to load the scripts. I find that attitude quite objectionable.
Yeah, it's perfectly fair and reasonable to have that attitude.
Practically speaking, something like the Collusion extension/add-on or Disconnect extension/add-on allows you to forcefully constrain a wide range of "tracking" activities preferred/requested by the server.
I think of websites like private properties. You are given conditional access on the assumption that you can behave (T&C / AUP), otherwise it's like trespassing. So, I don't think that people should expect excessive rights of freedom that they might have on their own property or even in public. It's a balancing act.
That's really not how I think, nor does it really reflect reality, IMHO. They are on my property, it's all rendered and running in my browser on my device. All that's happened is I've requested some data from the server and they've given it to me, from then on how I display it and what gets run is entirely up to me.
If we want to attach terms and conditions to it (i.e. to use this site you must accept analytics/tracking/advertising) then let's make a framework to automate this stuff. I'm perfectly happy for my browser to say, up-front, that it won't be displaying graphical ads and it won't be running any known trackers or analytic suites, it won't be providing you any location data, nor will it be loading any social media buttons or widgets. You can then decide if you want to give me your data. That would be fine.
But I'm not buying into some idea of an implied social contract to let website owners do what the hell they want with my device.
> If we want to attach terms and conditions to it (i.e. to use this site you must accept analytics/tracking/advertising) then let's make a framework to automate this stuff.
Look, let's try an analogy. I run a shop, you want to come into my shop, you want to physically bring yourself into my shop, with your personal items, including your wallet and let's say a bag to help you purchasing items, or perhaps just to browse.
I'm going to keep an eye on you as I see fit whilst you are in my shop. Surely you can see that as fair?
You are an agent entering my property. This is what your computer does when you access my site.
I can extend this further. You have your wallet, you make a purchase, I have a till I record the purchase and even give you a receipt of the purchase, so that you can come back and we can both agree that you've been here before. So you come on to my site and you click on a download, I record the event through Google Tag Manager, which shoots it across to Google Analytics, and I even give you a cookie, useful for both of us. Next time you come to the site perhaps that cookie will mean I hide the download button from you, or it shows another related download to you.
Feel free to rip up the receipt, or delete the cookie, you're messing with the accepted way of doing things and harming yourself as well as me, but please go ahead you're free to. But please try to understand that not everyone is out to get you, I'm not trying to 'spy' on you, I couldn't care less about you as an individual. I'm trying to optimise for the whole, for my business, for my clients. I have no evil agenda, and if I did you wouldn't be able to stop me because evil finds a way.
The social contract exists, it is established, and it is incredibly close to how physical suppliers of products and services work. You live your life allowing businesses to track your movements within their physical domains, so why have a double standard for virtual domains?
Don't pretend for a moment that because my 'shop' is rendering at your physical location that you aren't in fact virtually visiting me. You want something from my 'shop'? I want to know how you interact with my 'shop'. It's really as simple as that.
Your logic damages good, honest people, instead of cutting to the actual problems. Things like Do Not Track and whining about tracking being invasive is simply attacking the symptom and not the root cause. It's like demanding a ban on horses because the cowboys harassing your town all ride them. It does bugger all but damage everyone else whilst the cowboys/evil people just ignore your ban or find another way. Please see logic.
>> You are an agent entering my property. This is what your computer does when you access my site.
No, no it does not. I'm not in your shop. I'm in my house. I requested some data from you, your server provided it. I'm under no obligation to do anything with that data at all, let alone allow you to execute arbitrary code on my computer because you feel like it's your right to.
It's closer to mail order, both in fact and in statute (remote selling regulations etc). You know I've ordered the catalog, you don't get to know it lay open at page 23 for half an hour or that I spent 15 minutes staring at the underwear models.
>> You want something from my 'shop'? I want to know how you interact with my 'shop'. It's really as simple as that.
Cool, turns out I don't want it that badly that I'll allow my machine to tell you everything about what I'm doing, so if purchasing from your shop is conditional on you getting to run this code, do us both a favour and block my access.
>> Your logic damages good, honest people, instead of cutting to the actual problems. Things like Do Not Track and whining about tracking being invasive is simply attacking the symptom and not the root cause. It's like demanding a ban on horses because the cowboys harassing your town all ride them. It does bugger all but damage everyone else whilst the cowboys/evil people just ignore your ban or find another way. Please see logic.
You make the sweeping assumption here that it's ok to collect as much data as you like for purposes you think are good.
I disagree.
--edit-- let me make this very clear: I don't care in the slightest why you want to collect analytics data, I'm not interested in taking part and I won't allow my computer to leak information constantly.
That mail order business keeps a record of your transaction and uses transaction records in aggregate to figure out what to stock, when, in what quantity, and how to position products in its catalog. You don't have a right to opt out of that, nor do you have a right to opt out of a website owner recording the HTTP requests you send to it.
>> I'm going to keep an eye on you as I see fit whilst you are in my shop. Surely you can see that as fair?
Unless something about my behavior stands out to you I can make a reasonable assumption that 1) you are not going to watch me the entire time and 2) the only record you are going to keep of my visit is the transaction receipt, and perhaps a note that one more person came into your shop today.
Every web server platform I am familiar with already logs access requests, which I don't think anyone is arguing against and you are free to monitor and analyze as you wish.
If you must monitor individual visitors' behavior it seems most stores have already worked that one out too, for example membership programs. A new analogy may read:
> I'm going to give you the option of signing up for a membership program. If you sign up I will offer you services tailored to your habits whilst you are in my shop.
Even if you require membership for your services the terms of the relationship (e.g. you will be tracked) are, usually, available prior to the socially-questionable activity (e.g. tracking).
But for your analytic package the analogy would be more like
> I'm going to install live cameras throughout the shop to record you whilst you are in my shop. I'm going to review the recordings, or send them to a third party, so I may identify you and analyze your behavior at my own discretion.
Even if a shop has a camera the only social contract I am aware of is that the tape may be reviewed in the event of criminal or suspicious behavior.
> All that's happened is I've requested some data from the server and they've given it to me, from then on how I display it and what gets run is entirely up to me.
You currently already have this option. You can control all this. That you've setup your browser to, by default, automatically grant JavaScript the right to run or accept cookies from third parties or numerous other things is on you.
That it has become fairly standard practice is a result of the masses wanting it that way.
> If we want to attach terms and conditions to it then let's make a framework to automate this stuff
This is a terrible idea, as it will just devolve into the same type of faux-consent as click-through agreements and whatnot. Then there will be some legal concept that you've agreed to render web pages a certain way, and you'll have created the world you don't want.
If computers are to empower individuals, they must be owned by individuals and function as individuals' agents - not simply as local terminals running opaque code dictated by someone else (either through the technical means of DRM, or in this example legal means). Machine boundaries are trust boundaries, and network protocols mediate between them. Protocols enforce how processes communicate, but only make recommendations for how they should act. Relying on anything else is madness and should be considered a bug.
This is probably a discussion I would prefer us to have offline but the gist of it is that as a nascent industry, we have to make strides towards self-regulation very quickly. The NAI knows about the dangers lurking ahead. Overregulation is not a bogeyman. It is a real threat.
DNT is good for us. We don't want to track someone who explicitly does not want to be tracked (boo, Microsoft IE team!)
As far as I know, DNT was designed to be a tri-state with { NoPreference, On, Off }. NoPreference is the default. If it is turned on by default, what would NoPreference mean?
One could argue that the DNT preference was chosen when the users opted to use IE with DNT as default. As such, NoPreference has no meaning when the user choice is always made one way or the other.
In the end, Microsoft made the decision to force it into a yes/no, rather than leaving it at "NoPreference". I can fully see the argument that Microsoft is not following the spirit of the standard in doing so.
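The tri-state described above, seen from the server side, as an added example that is not part of the thread: a request carries `DNT: 1`, `DNT: 0`, or no DNT header at all, and the site decides whether to emit its analytics tag. Assumptions: the header values follow the W3C Tracking Preference Expression draft, and the function names, the two policies, the conflict rule and the `/analytics.js` path are hypothetical.

```javascript
'use strict';

// Tri-state preference as discussed in the thread: On, Off, NoPreference.
const DNT = Object.freeze({ ON: 'on', OFF: 'off', NO_PREFERENCE: 'no-preference' });

// Collect every value sent for one header. Header names are case-insensitive,
// a header may be repeated (array value), and intermediaries may join repeats
// with commas, so all three shapes are normalised into a flat list.
function headerValues(headers, name) {
  const wanted = name.toLowerCase();
  const out = [];
  for (const [key, raw] of Object.entries(headers || {})) {
    if (key.toLowerCase() !== wanted) continue;
    for (const item of Array.isArray(raw) ? raw : [raw]) {
      for (const part of String(item).split(',')) {
        const value = part.trim();
        if (value !== '') out.push(value);
      }
    }
  }
  return out;
}

// Map the request headers to one of the three states.
// Assumption: only the first character ("1" or "0") carries the preference;
// trailing extension characters are ignored and malformed values are skipped.
// This example's own rule for conflicting values: any "1" wins.
function parseDnt(headers) {
  let sawOn = false;
  let sawOff = false;
  for (const value of headerValues(headers, 'DNT')) {
    if (value.startsWith('1')) sawOn = true;
    else if (value.startsWith('0')) sawOff = true;
  }
  if (sawOn) return DNT.ON;
  if (sawOff) return DNT.OFF;
  return DNT.NO_PREFERENCE; // header absent or unusable
}

// Hypothetical site policies:
//   'opt-out': track unless the user sent DNT: 1
//   'opt-in' : track only when the user sent DNT: 0
// NoPreference is the state the two policies disagree on, which is why a
// browser that always sends a value removes that state from the picture.
function mayTrack(headers, policy = 'opt-out') {
  const state = parseDnt(headers);
  if (state === DNT.ON) return false;
  if (policy === 'opt-in') return state === DNT.OFF;
  return true;
}

// Render a page, adding the analytics tag only when the policy allows it.
// `body` is trusted template markup, not user input.
function renderPage(headers, body, policy) {
  const tag = mayTrack(headers, policy)
    ? '<script src="/analytics.js" async></script>'
    : '';
  return `<!doctype html><html><body>${body}${tag}</body></html>`;
}

// Constructed sample requests, one per state plus two edge cases.
const samples = [
  { label: 'no header', headers: { Host: 'example.test' } },
  { label: 'DNT: 1', headers: { DNT: '1' } },
  { label: 'dnt: 0', headers: { dnt: '0' } },
  { label: 'malformed', headers: { DNT: 'yes' } },
  { label: 'conflicting', headers: { DNT: ['0', '1'] } },
];

for (const { label, headers } of samples) {
  console.log(label.padEnd(12), parseDnt(headers).padEnd(14),
    'opt-out:', mayTrack(headers, 'opt-out'),
    'opt-in:', mayTrack(headers, 'opt-in'));
}
```
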
> But you don't have a right to say what runs on my computer, or make it tell you what I'm doing. This is where our perceived rights collide.
You already have control over this. That doesn't contradict someone's right to track how people use the site.
> No, my computer, my browser, my roof, my rules.
And again, you already have control over this. However, if you give data to a remote server, they have the right to use that data. You are, in fact, giving them that data.
> No, people get offended when you try to turn their computer into a device that spies on them. And we get more offended that this sort of stuff happens without most people even being aware it's going on.
That's a result of people wanting defaults, and most people change those defaults to be the least annoying as possible, regardless of security/privacy implications, even if it's explained to them.
> And it's so lovely of you to have made the decision for me that it's to my benefit, so I don't have to worry about pesky things like privacy concerns, or having control over my own computing.
But you do. You can prevent cookies from being put on your computer. You can prevent 3rd party cookies. You do have this control.
What do you not have control over that you feel you should have control over? You keep talking about control as if you don't have it?
>> You already have control over this. That doesn't contradict someone's right to track how people use the site.
>> And again, you already have control over this. However, if you give data to a remote server, they have the right to use that data. You are, in fact, giving them that data.
I think we may be talking at cross-purposes. The post I replied to says that they have a right to run tracking scripts and I don't have the right to reject them. This is what I disagree with.
Track that my IP address has requested page A, then B, then D, F, Q and P in rapid succession? Knock yourself out. I have no problem with this. If I want to obfuscate it I'll use Tor or a proxy. But he doesn't get to force me to run his scripts.
>> most people change those defaults to be the least annoying as possible, regardless of security/privacy implications, even if it's explained to them.
Indeed, but at least then they are informed and it's their choice to make. At the moment this isn't really the case.
>> What do you not have control over that you feel you should have control over? You keep talking about control as if you don't have it?
I know I have these powers and I exercise them. I'm only arguing against people who seek to take them away.
> I think we may be talking at cross-purposes. The post I replied to says that they have a right to run tracking scripts and I don't have the right to reject them. This is what I disagree with.
Yep, I saw that. Maybe it's just my interpretation. I thought of that as saying "I have the right to have scripts that track you." Not "I have the right to require that you run those scripts." So, they can provide the scripts, you can just choose to not have them run.
That's where I am coming from, and I don't get that anyone is trying to take that part away from you. That's all =)
Well, that's not something the OP can expect. After all, that's not the way HTTP and associated technologies work. Regardless, it's a shame. Not that it changes what I said (at least, within the context of my understanding).
>> I have a right to track how people use my site.
> But you don't have a right to say what runs on my computer, or make it tell you what I'm doing. This is where our perceived rights collide.
Exactly! But you also don't have the right to tell him not to send tracking info either. You do, however, have the right not to execute it. For instance NoScript, Ghostery, and AdBlock+ will prevent the requests for this content from being made and executed.
> No, my computer, my browser, my roof, my rules.
I think OP meant that once you make a request to his server, his server is free to do what it wants with that request. I agree with this line of thought because most if not all others are silly.
> No, people get offended when you try to turn their computer into a device that spies on them. And we get more offended that this sort of stuff happens without most people even being aware it's going on. They may or may not object to it, but right now they don't even know.
Again, you have the ability to not let your computer send these types of requests for special analytics packages &c. You can't possibly believe that his storing access logs is wrong.
> This is about the only thing we agree on. It's pointless and it was never going to achieve anything.
>> I think OP meant that once you make a request to his server, his server is free to do what it wants with that request.
I don't think they did mean that -
"But you've politely requested that I don't track you. For starters this should only ever be a polite request, not a forced rejection of any tracking scripts. I have a right to track how people use my site."
"People get way too offended by analytics tracking when it's there for their benefit."
It looks to me like they're saying that if you go to their site you have to run their scripts regardless of your own wishes, and that you're 'under his roof' and will therefore do what he says.
>> You can't possibly believe that his storing access logs is wrong.
No, I don't, that would indeed be silly!
I believe that it's rude to try to demand people run your code, and if you do demand it then we need to find a way for me to tell him up front that I'm not going to, so he can decide if he still wants to send me the page data.
I generally agree with you but I didn't read what he said that way. Just in the same sense that the browser has the right to avoid running javascript (or loading ads) that a server sends it, the server has a right to log requests the client gives it (and certainly every server by default logs the IP, timestamp and request URL). I see it as 2 sides of the same coin.
And though there are many analytics products that rely on running javascript on the client, almost all have fallbacks to 0px images--all that is needed is to comb through the logs occasionally.
OK, I don't disagree with you but I will refer you to the stuff I was replying to -
"For starters this should only ever be a polite request, not a forced rejection of any tracking scripts. I have a right to track how people use my site."
"People get way too offended by analytics tracking when it's there for their benefit."
And the followup by the same OP -
"I'm going to keep an eye on you as I see fit whilst you are in my shop. Surely you can see that as fair?
You are an agent entering my property. This is what your computer does when you access my site."
It seems clear to me that they feel entitled to have their scripts run on my computer. I have no issue with them checking their logs to see what I requested and when. Scripts, cookies, 0px images, each of these are mine to block as I see fit because I own the client, not them.
> Exactly! But you also don't have the right to tell him not to send tracking info either. You do, however, have the right not to execute it. [...]
You're right about both parties' rights. However, dealing with the "Most Trusted Internet Company in Privacy" [1], I expect them to do better than to insist on each of their rights to the letter. With regard to this discussion, as a novice user, I'd expect Mozilla /not to track me/. No ifs, no buts -- Do Not Track ought to skip all third-party tracking and remove any of my identifying data from their logs as soon as reasonably possible.
"once you've made that choice you are within my domain"
Often, I haven't made that decision; an ad/tracking/analytic company has made the decision for me and often not for my benefit.
If I'm visiting a site that talks about rocketry and I'm suddenly being served ads for fishing lures and rods because 10 minutes prior, I was searching for fishing reels, it feels creepy. And it's entirely your opinion that feeling creepy about being served ads for something I'm not currently looking at is wanting "to go back to the dark ages".
Take it in another way. If I'm visiting a flea market on Saturday morning and going by some stalls that sell home made cookies and such, I'm fine getting a flyer for pastries, donuts and cakes. I'm not fine getting a flyer for an 18 pack of socks at the cookie stall because Friday night after work, I went shopping for boxers at a completely different place.
Since many advertisers seem to have the Zuckerberg mindset when it comes to privacy and the mere notion of wanting to remain "un-catered to" no matter how helpful and in my benefit you think it is, we're forced to take measures into our own hands.
BTW... Mozilla.org not respecting Do Not Track is exactly what I expected since they've decided that my request is needless considering what they produce.
> People get way too offended by analytics tracking when it's there for their benefit.
Strong disagree. Whether a user finds benefit from tracking is the opinion of the user, not the opinion of the site doing the tracking.
It's very arrogant for a site to say "I'm doing this to you for your benefit", especially if it's not made clear what this is. If you find yourself having to tell someone that what you are doing is for their benefit, without explaining exactly what you are doing and why, you can safely assume it's not genuinely for their benefit.
I can agree that malicious tracking cannot be prevented - but this does not mean that benign sites are implicitly permitted to maliciously track people. That is totally unethical.
Rather than attempt to reply to all the misconceptions below, I figured I'd post here.
I'm not on your server. My browser isn't on your site. It sent a request to your server to send me a copy of some content. Your server sent that content. It's all on my computer.
This, in my opinion, is why Do Not Track is silly: You, nor your server, have any right to the expectation that I'll send tracking information (that your site provided in, say, a cookie) with every request. Meaning that the browser makers should be providing users options in this space- the power lies entirely with the browser makers and their users. Of course, completely omitting cookies and other tracking details leaves you, the site owner, making assumptions about user behavior on your site from a limited number of details like IP address and perhaps user agent strings. The ever popular cookie was the answer to maintaining session data across requests, and Double Click made famous the idea of tracking users across many sites (by embedding their assets [a blank pixel, a JavaScript, etc] and giving the user a doubleclick.net cookie.) Double Click's concept was, in the minds of most Internet users, a perversion of the purpose of cookies.
> I have the right to track how people use my site.
lol no you don't. You're choosing to respond to HTTP requests to your site, you put it out in public. I'll make whatever requests I want to your site and do whatever I want with what you give me, which may include rendering some or all parts of a "web page" as I see fit. If I give you some data in turn, sure, do what you want with it.
Do Not Track is silly because it's based on trust. I don't trust you to not track me even if I ask you not to. The only privacy is when I choose not to send you data (and I shouldn't, and browsers are horrible in this regard, they have failed their users).
> People get way too offended by analytics tracking when it's there for their benefit.
While I agree with the rest of your comment, isn't it possible that analytics is just snake oil for webmasters? The third party services like GA collect a staggering amount of real-time aggregate data in return for sharing a sliver of it with webmasters in the form of pretty graphs. I'm not saying this information isn't useful, but can webmasters reconcile the results against their own logs? Can they submit sanitized logs for analysis instead of including code in web pages, so they can proactively protect user privacy while sharing only the minimum data necessary for their needs? In any case, analytics services aren't motivated purely by altruism and their business model plausibly extends beyond purely providing a service to webmasters.
There's a large effective difference between "do not track" as it is outlined in the bug, and how many people see it (see, for example, comment 16 in the report, and then comment 25)
Specifically, it's to do with third party cookies, not any particular site.
If I visit someone's website, I'm usually perfectly happy for them to record my visit and my actions. If, on the other hand, I visit their website and some invisible actor (say, an advertiser) also tracks me, then it becomes insidious, especially if that other invisible actor is active on multiple sites.
This gets a bit blurred when you've got large vendors with multiple presences. For example, years ago when you logged into Hotmail, you'd be briefly redirected via passport.com (then live.com), and then directed back to Hotmail. Similarly, going to Microsoft's web page, or MSN's, or Technet, or any other site in the Microsoft stable, would redirect via the same site. This gave them single-sign-on, but also allowed them to "track" your activity across the entire network. That behaviour is used by many other large organisations such as Google.
However, it's also made its way into other large sites like Facebook and Twitter, because sites like that have "social media buttons" appearing on sites that aren't served by those sites but are served by Facebook and Twitter, so becoming third-party objects, and doing the same sort of pervasive insidious tracking across multiple domains and web properties.
The thing is, Google Analytics (as mentioned in the article) is such a pervasive ubiquitous invisible actor, but it's damn useful, so lots of people want to use it. The problem is that it's a third party object, and it's of massive benefit to Google too, not just the site owner.
So, where "do not track" fails is in distinguishing between "tracking" that's acceptable to many people, and "tracking" that's somewhat more invisible and pervasive. Switching it all off is harmful to the internet, but until it's sold correctly, it won't be acceptable otherwise.
> The thing is, Google Analytics (as mentioned in the article) is such a pervasive ubiquitous invisible actor, but it's damn useful, so lots of people want to use it. The problem is that it's a third party object, and it's of massive benefit to Google too, not just the site owner.
Several web font services now fall into that category as well. The problem from a user's point of view is that you can block Google Analytics or Facebook Like buttons without any loss of functionality you probably wanted, but blocking Typekit or Google Web Fonts will often mess up the rendering of a page.
This changes the rules fundamentally. Before, with free services where you weren't the customer but the product, you could opt out by simply not using the service. Now, even with services where you really are the customer and maybe you really are paying for it, you can't opt out of the potentially intrusive third party service without opting out of or significantly degrading the main service you wanted to use as well.
This is a tricky area. Those third party services are pervasive precisely because they are useful to people who build the web sites that users enjoy, and if they're being given away for free, they have to fund themselves somehow. I also don't have much sympathy for people who don't load up someone's web site as it was presented to them but then complain that it doesn't look right or work properly (see also: not running JS, complaining that you can't watch Flash content on your iPad, etc). In some respects, these third party services are almost certainly beneficial to users, too, because they act as CDNs that probably improve performance and lower bandwidth requirements compared to having every site self-host the same common material.
On the other hand, privacy matters. We have drifted into a situation where this kind of ubiquitous monitoring is widely used by site owners, but many of them probably don't even realise the implications for their users' privacy, or just don't care. We have rules about data protection and spamming and the like to deal with similar situations in slightly different contexts, and maybe it's time we had some rules about tracking by services that are incorporated indirectly on other people's web sites and possibly without a visitor's knowledge.
> Switching it all off is harmful to the internet.
See comment 28 in the report. No one has argued to turn off all analytics on websites. That is a straw man argument. The bug report simply asks that users who explicitly do not want to be tracked can have their request granted. Turn off analytics for them and the problem is solved. Alternatively, they can use analytics that do not track each individual user.
We used to live in a world where statistics did not include 100% tallied votes. It was simply too expensive to survey all customers, all citizens, all users. Trends and data were extracted out of a limited-size sample, commonly on an opt-in basis. With websites, however, it is as cheap and easy to track all users as it is to track a limited set of users, so data tends to be 100% rather than a subset. Thus, total tracking has always been about the price, rather than need.
I usually use an analogy to explain this. Tracking via first party cookies is like walking into a store that uses security cameras. I have even seen boards that inform the visitors that the store is under surveillance. Generally, the security camera is only monitored/used by the folks running the store.
Third party cookies are like as if the security camera is monitored and used by a random third party company who you are not even aware of. This is why it is bad.
"Do not track" in its present (non-)state is a farce. It should be implemented at the browser level.
My ideas on DNT:
If a user specifies "do not track" in their browser-global or site-specific settings then ALL requests to third party domains should simply be blocked.
This could be backed up by a site-provided manifest (potentially containing a comment for each one's justification, or a flag to say if it's required or optional) to 'whitelist' the 3rd party domains that they require. There should be a browser feature to view this whitelist and 'uncheck' any sites you disagree with.
In fact, IMHO, that's the way modern browsers should work anyway - it would certainly solve a huge number of other issues (XSS, etc).
> ALL requests to third party domains should simply be blocked.
It's too late to do that. There's lots of websites relying on 3rd party CDNs for non-tracking purposes (CloudFront, Google-hosted jQuery, etc.)
Filtering on domain name alone won't prevent traffic from going through 3rd parties — tracking companies can ask websites to set up DNS CNAME for them or they'll use top-level HTTP redirects (like google.com uses to track SERP clicks).
And "my mom" isn't going to be able to vet list of domains. She'll call me and ask me to "fix" the computer so that "Log in with Facebook" works and there are no scary technical questions.
Yeah, DNT is kind of silly. It's like someone read the evil bit RFC (http://www.ietf.org/rfc/rfc3514.txt), thought it was a good idea, and implemented it at the level of HTTP.
I'd like to expand on this idea, by suggesting that in the case of sites being 'whitelisted' in the site-manifest, that they should only have access to an alternate cookie type, such that they are only accessible via that domain.
i.e. instead of them having access to cookies stored under their own domain (e.g. cookies stored under thirdparty.net) they have access to cookies stored under the scope of the domain of the website in the browser address bar (e.g. cookies stored under thirdparty.net@targetdomain.com).
This would allow the use of third party services, but specifically restrict their usage to the target domain.
I'm with the bug author on this: "do not track" should mean do not track. And it explicitly mentions analytics on the DNT site.
> Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms
However, Wikipedia says that the exact definition of what constitutes tracking is not yet clear.
> The Do Not Track (DNT) header is the proposed HTTP header field DNT that requests that a web application disable either its tracking or cross-site user tracking (the ambiguity remains unresolved) of an individual user.
If the experience in question involves the tracking of users in some way, then I think it's pretty clear that there should be a different experience for users with the header set, versus those without it. Those who provide that header should, as the name of this functionality very clearly states, not be tracked.
If you choose to send an e-mail newsletter to your users, you should (at least) be obliged to provide an unsubscribe option - providing two different experiences.
If you choose to track your users, you should (at least) be obliged to assume that DNT users have opted-out of this tracking and be responsible for not tracking them.
In the EU, the two situations I described are both legal obligations (regarding collection of personal data, the legal obligation is probably stronger than I described).
[I have understood that this is not the same in the US and the situation is therefore murky and EU law is not respected on the internet as a whole.]
What you described is not a legal obligation, although I personally think you should provide the option to opt-out of ads - I know of several sites that do and this makes a positive difference to me as a user.
None: the website requires explicit opt-in permission to collect personal data in the first place, making opt-out DNT largely irrelevant.
e.g. from http://www.theregister.co.uk/2012/01/27/time_running_out_for...
[Peter Hustinx, the European Data Protection Supervisor] said that the DNT system "although valuable" seemed to "fall short of the" requirements for obtaining lawful consent set out in the EU's Privacy and Electronic Communications Directive.
In practice, I agree there are several problems: it is common industry practice to ignore data protection concerns (led by example of large US corporations) and EU member states have neither the intent nor the means to enforce the law. What's more, the recent cookie directive debacle makes the EU seem confused and toothless.
Intended reform makes the situation even more clear: http://ec.europa.eu/justice/newsroom/data-protection/news/12...
I particularly recommend "How will the data protection reform affect social networks?", which discusses the requirements of 'privacy by default' and 'privacy by design'.
Businesses collect personal data without explicit consent all the time. Think of records when you buy something by card, for example. Not only is the subject of the data not required to give explicit consent for keeping a record of this transaction, but they also have no right in law to have such data deleted, and indeed businesses may not be able to delete it within the law given their obligations to maintain adequate tax records. If you pay for something by card, it's implicit that you agree to this.
For something closer to the tracking we're talking about, it is normal to maintain server logs that show visits to your site, and to record various information that is voluntarily sent by browsers as part of HTTP requests. There's obviously some debate about how much IP addresses represent personal identification, but clearly in practice they can identify individuals under some circumstances. That doesn't mean someone has to ask you for permission to see your IP address when you visit their site, because obviously that would make no sense technically.
Obviously there are implications to keeping some of this data or using it for other purposes, but as I said, this is where things aren't always clear even in theory. Some issues really are black and white, but you quickly get into what is fair or reasonable or implicitly permitted by data subjects and what is crossing that line and should require explicit consent.
In practice, it's even worse, because we have silly things like the infamous EU cookie rules that are almost universally disliked by users (they make the experience of using web sites worse), almost universally ignored by business (who don't want the overheads of implementation and don't want their users' experience to be worse), and as far as I know universally unenforced by regulators (who would in many cases have to start by going after their own governments for flagrant violation). While possibly well-intentioned, such poorly conceived rules just bring data protection law into disrepute while alienating almost everyone. They also demonstrate that realistically there are few risks to flagrantly ignoring the rules as a business, which is hardly going to help with promoting good practice.
I'd love to run my own ad server, got any suggestions? Been a little while since I looked, but I only saw extremely expensive "enterprise" ad solutions, crappy open source solutions, and lots and lots of SaaS options.
Instead of the useless EU cookie legislation, we should have had legislation that enshrined explicit privacy preferences into data protection law.
When I sign up to a website I'm expected to agree to their Privacy Policy. Both site owner and visitor expect that policy, provided that it's legal, to be somewhat enforceable in court. When I'm just visiting, why is there no such equivalent?
The problem with DNT isn't that it can be ignored, it's that it can be ignored without penalty. People who think purely technical solutions (including Ghostery, NoScript, Adblock etc.) are the answer are ignoring the reality of how easy it is to fingerprint and track users on the web.
The man scored a major point, and Mozilla has chosen to run away from it. The DNT flag, so far, looks just like the worthless piece of promotional fluff and 3-card Monte it is. ESPECIALLY if Mozilla chooses to run away from it.
We're going to need laws to protect us from the continual government AND corporate riot of people-tracking. The People don't like it, and once they get done with NSA in Congress, they might as well get busy on making tracking OPT-IN. Including cookies, browser finger-printing, stashing stuff in browser cache (disk AND memory), and the hundreds of other ways these geniuses have evolved to invade the social communication space to promote their bottom line. We badly need to have this discussion as a nation. Because it's starting to run over our boot-tops.
Tracking could be limited to dot-coms. Then let the People decide whether to keep dot-coms in their bookmarks, or leave the rats to go down with their ship of fools.
So maybe the text in the UI just needs to be changed to be more accurate. Instead of "Do Not Track", something along the lines of "Request No Tracking Across Sites" or "Request No Cross-Site Tracking". This clarifies that it isn't the browser stopping tracking, it is the browser asking the sites not to, which they may or may not implement. It also clarifies that what is being requested not to happen is using the same identifier across sites and between different parties.
On an unrelated note, I'm really impressed with the Persona login on that site. When I first saw it I thought, oh no, not another username and password. Why can't they just use social login where I already have accounts? But all I had to enter was my gmail address, approve the usage, and I was done. No extra username and password even though I've never used Persona before. No need to confirm an email. It worked out really well.
I don't get it. Why is this different from inspecting your web logs? Sure you lose the first-party cookie aspect, but I bet you can get awful close just looking at the request IPs. There's "tracking" inherent in how everything works, so why does it matter if collection is contracted to a 3rd Party?
Does the poster expect the web server to not write a log line because he sent a DNT header too?
IP logs aren't sufficiently unique: my IP changes as I move my laptop around, it is shared with several other persons at work and home, and my IP at each of these locations changes.
Most DNT is concerned with Javascript, which has the ability to be far more intrusive than mere web logs. Analytics services started with web logs, but quickly transitioned to Javascript, because I can track a cookie much better than an IP address, and get more information besides.
It's inherently different when contracted to a 3rd Party.
Third-party vendors are opposed because it would be the equivalent of giving all of the IP logs from a majority of the Internet to a single user (in this case, Google Analytics). The ability to discover trends on particular users then becomes massively possible in a way that simply doesn't exist with 1st Party tracking. The siren's call to monetize this data is ever present, so we seek to not allow the collection in the first place.
I'll say here what I said in the other reply, but briefly.
There's a difference between a 3rd party doing the analytics and a 3rd party cookie. GA can (and should) use a 1st party cookie for this, which would make it impossible for them to correlate between sites. As a bonus, turning off 3rd party cookies also breaks ad retargeting, which makes everything better.
At that point, it's the same as Mozilla doing it themselves, but your concerns about JS being more potentially intrusive is valid.
note: i may be wrong about GA using 1st party cookies. if so, that's really not cool.
GA does use 1st party cookies. There is still concern that with sufficient statistical analysis, Google can still track users across multiple sites. "Anonymous" data frequently turns out to be very personally identifying.
In particular, comparing behaviors and IP addresses used in Google products and captured in Google Analytics would be very easy.
Likewise, Google knows a super-majority of site entrances from their search engine, and a correlation is trivial given that most users are logged in for search.
To wit: if I perform a search with a unique referrer, and that unique referrer is then captured with my Google Analytics user cookie, then I can be readily identified as a person.
Doubleclick and other Google services share this issue.
Others do use Third Party Cookies.
Mozilla is threatening to turn off 3rd Party cookies entirely, which has caused no small amount of concern from ad companies.
See this post, one in a series of hilariously over the top diatribes from the Interactive Advertising Bureau:
http://www.iab.net/iablog/2013/06/mozilla-kangaroo-cookie-co...
Yeah, I saw the bit about turning off all 3rd party cookies, which made me happy as I already do that myself.
As for the ubiquity and potential for data sharing among Google services, I suppose I hadn't thought that entirely through. I know there was one analytics company claiming it could track individuals between devices using some fancy statistics, but I assumed it was snake oil (it was not GA claiming that).
Anyway, I hear ya, and thanks. I can see a case against GA specifically, though I have a hard time swallowing it against all analytics. I suppose it's a question of trade-offs that people are willing to make.
One of the big differences between 1st-party and 3rd-party tracking is that Bob at Bob's Cakes can only see what you're doing on Bob's site (1st-party tracking), but if Bob uses Google Analytics, and so does Jane, and Sarah, then Google Analytics (3rd-party) knows about your activity _across_ Bob's, Jane's, and Sarah's sites, which can potentially be used in worse/more invasive ways.
Also, the javascript tracking scripts can capture a lot more information than a simple access log line - they're not directly comparable.
This isn't strictly true, which is why I made the differentiation above between 1st and 3rd party cookies. With the 1st party cookie you'd get a new GA cookie on each site (e.g. mozilla-GA, ycombinator-GA, etc), making those correlations impossible. In the case of 3rd party cookies, yeah, I totally get that they can be used for some seriously evil things.
It's possible GA could try to correlate IPs or browser fingerprints between 1st party cookies over multiple sites, but proxies and mobile devices would make that difficult. The fact that all the data is together in GA's warehouse doesn't change the fact that the data isn't there to be correlated.
As for JS being able to be more intrusive, sure, I get that. At that point, I suppose you have to trust the site you're on that they wouldn't use a service that was intrusive. Perhaps this is a bridge too far for some, which is reasonable.
I guess I just don't get wanting to ban the tool entirely when it could be but is not currently being used nefariously. (working on the assumption that if GA started fingerprinting browsers someone would've seen the traffic by now. it's not easy to hide.)
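The cookie-scoping difference argued over in the comments above (one tracker cookie shared across sites versus a separate one per site, as in the `thirdparty.net@targetdomain.com` proposal earlier in the thread), modeled as an added example that is not any commenter's code. The `CookieJar` and `Tracker` classes and the `.example` site names are constructed for illustration; only cookies are modeled, not IP or fingerprint correlation.

```javascript
// Constructed model of a browser cookie jar under two keying policies.
//   "classic":     a cookie is keyed by the cookie's own domain only, so a
//                  third party sees the same cookie on every embedding site.
//   "partitioned": a cookie is keyed by (cookie domain, top-level site), i.e.
//                  thirdparty.net@targetdomain.com, so each site gets its own.
class CookieJar {
  constructor(policy) {
    if (policy !== 'classic' && policy !== 'partitioned') {
      throw new Error(`unknown policy: ${policy}`);
    }
    this.policy = policy;
    this.store = new Map();
  }

  // Storage key for a cookie set by cookieDomain while the address bar
  // shows topLevelSite.
  key(topLevelSite, cookieDomain) {
    return this.policy === 'partitioned'
      ? `${cookieDomain}@${topLevelSite}`
      : cookieDomain;
  }

  get(topLevelSite, cookieDomain) {
    return this.store.get(this.key(topLevelSite, cookieDomain));
  }

  set(topLevelSite, cookieDomain, value) {
    this.store.set(this.key(topLevelSite, cookieDomain), value);
  }
}

// Hypothetical third-party tracker embedded on several sites. It hands out an
// ID when it sees no cookie and logs (id, embedding site) for every request.
class Tracker {
  constructor(domain) {
    this.domain = domain;
    this.nextId = 1;
    this.log = [];
  }

  handleRequest(jar, topLevelSite) {
    let id = jar.get(topLevelSite, this.domain);
    if (id === undefined) {
      id = `uid-${this.nextId++}`;
      jar.set(topLevelSite, this.domain, id);
    }
    this.log.push({ id, site: topLevelSite });
    return id;
  }

  // What the tracker can link together: for each ID, the sites it was seen on.
  profiles() {
    const bySite = new Map();
    for (const { id, site } of this.log) {
      if (!bySite.has(id)) bySite.set(id, new Set());
      bySite.get(id).add(site);
    }
    return bySite;
  }
}

// Replay one user's browsing under a policy and return the tracker's view
// as a plain object: { id: [sorted list of sites linked to that id] }.
function simulate(policy, visits) {
  const jar = new CookieJar(policy);
  const tracker = new Tracker('thirdparty.net');
  for (const site of visits) tracker.handleRequest(jar, site);
  const view = {};
  for (const [id, sites] of tracker.profiles()) view[id] = [...sites].sort();
  return view;
}

// Constructed browsing session: Bob's, Jane's and Sarah's sites all embed
// the same tracker; the user returns to Bob's site once.
const VISITS = [
  'bobs-cakes.example',
  'janes-books.example',
  'bobs-cakes.example',
  'sarahs-shoes.example',
];

console.log('classic    ', simulate('classic', VISITS));
console.log('partitioned', simulate('partitioned', VISITS));
```

Under the classic policy the tracker links all three sites to one ID; under the partitioned policy it holds three unrelated IDs, while the repeat visit to the same site still maps to the same ID.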
I genuinely don't understand all the hatred out there for advert companies tracking user purchase trends. Can someone explain to me why I should care about this?
I think it's more a hatred of (perceived or real) trickery, deception, and weasel words, in this case. From an organization that should be a model for others to follow.
The very fact that the website must support DNT is its only and fatal flaw. Why should we trust websites to honor DNT when we keep sharing information with them?
I agree entirely. If I send a request, I expect that request to be stored. If I don't want to make the request, I won't make the request (noscript, ghostery, and AdBlock+ go a long way to that).
DNT is a pointless 8 bytes that has no real, enforceable meaning.
https://bugzilla.mozilla.org/show_bug.cgi?id=858839#c21 https://groups.google.com/forum/?hl=en&fromgroups=#!search/m...
From the latter thread, Stacy Martin at Mozilla represents "Google Analytics will not correlate or report on any customer data with any other data, they will use Mozilla data only to provide and maintain the service for Mozilla, and they will not share or use it for any other purpose."
EDIT: The contractual arrangement is relevant. Section 9.3 item 2 of the IETF do-not-track draft draws has an exception for this very situation, "data obtained by a third party exclusively on behalf of and for the use of a first party".
http://tools.ietf.org/html/draft-mayer-do-not-track-00#secti...