Do Not Track Does Not Conquer
At times it can seem like protecting one's online privacy is a Sisyphean struggle. Even when the software industry listens to the concerns of privacy advocates, the site owners and secretive data-collectors who profit from pillaging private information are quick to find every loophole and work-around in existence to regain their access to profitable data. Such seems to be the case with the Do Not Track HTTP header (DNT), which has garnered support from browser vendors — plus a steady stream of assaults aimed at undermining it, courtesy of advertisers.
Preferences, browsers, and intent
Although "opt out" mechanisms for web tracking have been discussed for years, the DNT HTTP header approach was first proposed by Mozilla's Mike Shaver. It has subsequently been developed under the stewardship of the World Wide Web Consortium's (W3C) Tracking Protection Working Group. According to the latest draft of the specification, DNT is an optional HTTP header field that can take either 0 or 1 as a value, where 1 indicates that the user prefers not to be tracked, and 0 indicates that the user prefers to allow tracking. The key issue, however, is that the header is intended to represent a user preference — which most interpret to mean a conscious choice on the user's part — and it must not be sent at all if the user has not expressed such a preference to the browser.
Initially Mozilla was the only browser vendor behind DNT, but Opera added support in July in Opera 12, as did Apple a few weeks later in Safari 6. Google added support in Chromium on September 13. In all four browsers, the DNT setting must be manually enabled in the application preferences. Mozilla contended from quite early on that this is a critical facet of making DNT a workable solution. If DNT were enabled automatically or by default, it would no longer represent "a choice made by the person behind the keyboard", but one made by the browser vendor.
The decision was controversial — after all, reasoned critics, who in their right mind wants to be tracked? But Mozilla stood firm, and eventually the other browser makers followed suit. Until June 2012, that is, when Microsoft announced that Internet Explorer (IE) 10 (which is scheduled to ship with Windows 8) would present the DNT option as a check-box shown to the user during installation, with the do-not-track option selected by default.
But enabling DNT by default violates the specification, opponents argued, and strips it of its meaning. And if the DNT header does not reflect an actual user's decision, the argument goes, advertisers will be justified in ignoring it. Apache's Roy Fielding objected strongly enough that he committed a change that causes the web server to un-set the DNT header when it is sent by IE 10. Fielding is a member of the W3C Tracking Protection Working Group, and his log message for the commit said that "Apache does not tolerate deliberate abuse of open standards". He elaborated on that interpretation in the inevitable argument that followed on GitHub, calling Microsoft's decision broken because it violates the specification's requirement that the DNT header default to "unset." Apache, he said, "has no particular interest in what goes in the open standard -- only in that the protocol means what the WG says it means when the extra eight bytes are sent on the wire."
Conspiracy theorists might suspect that Microsoft's decision is a subtle ploy to undermine DNT entirely to curry favor with advertisers and other user-tracking firms. If so, the advertising world is doing an excellent job of maintaining a cover story; the Association of National Advertisers (ANA) publicly criticized the decision in an open letter to Microsoft management.
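The three states of the header (absent, 0, 1) and the effect of discarding it for one browser, as described above, can be made concrete with a short server-side sketch. This is an added example, not Apache's code or anything from the specification: the function names, the `MSIE 10.0;` User-Agent match, the sample User-Agent string, and the choice to treat malformed values as "no preference" are all assumptions of the example.

```python
import re
from enum import Enum


class Preference(Enum):
    UNSET = "unset"        # header absent: the user has expressed no preference
    NO_TRACKING = "1"      # DNT: 1 -> user prefers not to be tracked
    ALLOW_TRACKING = "0"   # DNT: 0 -> user prefers to allow tracking


# Assumption: IE 10 is recognised by this token in the User-Agent header.
IE10_TOKEN = re.compile(r"\bMSIE 10\.0;")

# Constructed sample value, used only to exercise the function below.
SAMPLE_IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"


def dnt_preference(headers, discard_default_on=True):
    """Return the tracking preference a server would act on.

    headers: mapping of header name -> value (names are case-insensitive).
    discard_default_on: when True, mimic the change described in the
    article and treat DNT from IE 10 as if it had never been sent.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get("dnt")
    if raw is None:
        return Preference.UNSET
    if discard_default_on and IE10_TOKEN.search(lowered.get("user-agent", "")):
        # The browser, not the user, chose the value: drop it.
        return Preference.UNSET
    value = raw.strip()
    if value == "1":
        return Preference.NO_TRACKING
    if value == "0":
        return Preference.ALLOW_TRACKING
    # Assumption of this example: a malformed value carries no preference.
    return Preference.UNSET


def tracking_permitted(headers, discard_default_on=True):
    """Voluntary-compliance decision: only an honoured DNT: 1 forbids tracking."""
    return dnt_preference(headers, discard_default_on) is not Preference.NO_TRACKING


if __name__ == "__main__":
    # Constructed requests showing how the same "DNT: 1" is treated differently.
    samples = [
        {},
        {"DNT": "1", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/16.0"},
        {"DNT": "0"},
        {"DNT": "1", "User-Agent": SAMPLE_IE10_UA},
    ]
    for request in samples:
        print(request.get("DNT"), "->", dnt_preference(request).name)
```

With `discard_default_on=True`, an IE 10 user who deliberately left the box checked is indistinguishable from one who never saw it, which is the crux of the dispute the article describes.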
Step right up
Regardless of what happens on the browser and server fronts, DNT still relies on voluntary compliance on behalf of site administrators and service providers — and, by extension, compliance that matches up with what the user intends. The meaning of DNT might seem to be straightforward, but the people who make their money tracking users cannot be forced to agree. In September, Ed Bott at ZDNet reported that the Interactive Advertising Bureau (IAB) and the Digital Advertising Alliance (DAA) "devised their own interpretation" of DNT, under which they would continue to collect information, but would refrain from using that information to deliver targeted ads to the browser. Presumably that restraint lasts only for the duration of the browsing session in which DNT is sent.
Lest anyone propose a "Do Not Target Ads" HTTP header that IAB and DAA might conversely interpret as a reason to stop collecting tracking information, remember that nothing obligates advertisers or other information brokers to react to the header at all. Grant Gross at IDG said at least one site, a "tech-focused think tank" called the Information Technology and Innovation Foundation (ITIF), has unilaterally decided it will simply ignore the DNT header, and its site will report that fact to visitors.
Other members of the advertising business have embarked on their own campaigns to nip DNT in the bud. In June, the US Senate held hearings about tracking and DNT in particular. As the Electronic Frontier Foundation (EFF) observed, ANA representative Bob Liodice testified at the hearings that DNT would undermine cybersecurity, including "issues such as online sexual predators and identity theft". The Senate did not seem to buy Liodice's argument (Senator Jay Rockefeller, chairman of the Committee on Commerce, Science, and Transportation, declared the cybersecurity argument "a total red herring"), although the EFF noted that online tracking does raise important law enforcement questions in addition to its advertising angle.
Most recently, DNT critics gathered at the W3C Tracking Protection Working Group meeting in Amsterdam, where the Direct Marketing Association (DMA) proposed that an exception be added to the DNT specification for "marketing." The EFF blog entry about the meeting quotes the DMA representative as saying:
Such an "exception" would seem to cover the precise tracking scenario for which DNT is designed, and indeed other members of the working group fought back. Fielding accused DMA of "raising issues that you know quite well will not be adopted". The EFF views DMA's participation in the meeting as an attempt to undermine or derail the specification-writing process. That is a bit of a judgment call, but it is clear from the latest traffic on the working group's mailing list that DMA, DAA, and other advertising groups are not meshing well with the software industry representatives who typically account for the bulk of W3C participation. In recent weeks there have been multiple threads about redefining basic terms like "service provider" and "user agent" that indicate (at the very least) a culture clash.
On the plus side, there have been sites and web services that have voluntarily announced their intention to comply with DNT; Twitter is the highest-profile. But the specification is far from completion, and as recent events show, voluntary compliance will only take care of a subset of the data-collecting entities on the web today. In the GitHub comment linked to above, Fielding speculated that the long-term ploy of DNT advocates was to get widespread adoption, then to push for mandatory compliance through legislation. Whether that will happen is anyone's guess; the US Federal Trade Commission (FTC) has endorsed DNT, which in addition to the US Senate hearings might provide enough evidence to make the advertising industry wary.
Implementing a campaign of "good enough for most" self-regulation would be one path to avoiding such government oversight, and derailing or gutting the specification could be effective, too. At the moment, the advertising business seems to be pursuing both tactics. It is up to the W3C and privacy advocates to respond, but at least for the time being the only guaranteed way for users to safeguard their privacy remains the do-it-yourself approach: Tor, NoScript, Adblock Plus, and so on. A world where user-tracking is simply not an issue sounds nice — it just doesn't sound likely in the near-term.
Posted Oct 18, 2012 12:04 UTC (Thu)
by AndreE (guest, #60148)
[Link] (4 responses)
I also didn't realise that man has an a priori predisposition to being tracked. And that NOT tracking him without his explicit permissions intrudes upon one of his fundamental freedoms.
Well, at least standards compliance is held in high regard.
Posted Oct 18, 2012 13:34 UTC (Thu)
by njwhite (guest, #51848)
[Link] (3 responses)
The idea in the spec that default behaviour should be "please track me" seems dumb. I know it's technically more "I don't mind if you do," but the history of the web thus far makes it pretty clear that that's how it should be interpreted. To spin any alternative to this as "reducing user choice" is ludicrous.
I presume the defaults are really that way in order to preemptively placate the advertising industry, but I wish they were honest about that.
But whatever, I have zero faith in "voluntary compliance" with this stuff. Or government mandated compliance, for that matter.
Technologists have to be bold and accept that tracking is basically always dangerous and a bad idea, and design systems around that. It sucks that at present it's only technically savvy people who can protect themselves reasonably, and no amount of voluntary good behaviour by industries who are so morally dubious, and derive their income from tracking, is going to change that.
Posted Oct 18, 2012 19:01 UTC (Thu)
by iabervon (subscriber, #722)
[Link] (1 responses)
If you want sites to pay any attention to any new header, it must be in the site's interest to do so; otherwise, they'll ignore it in ways that are just hard to notice. In order to get sites to actually respond to the DNT header, you need a substantial portion of the people who set it to 1 to watch for sites being inappropriately knowledgeable and avoid them and tell their friends the site is creepy. If the general population isn't going to contribute to enforcement like that, it'll be meaningless if it's the default.
Posted Oct 19, 2012 10:32 UTC (Fri)
by AndreE (guest, #60148)
[Link]
Which makes Mozilla's completely illogical and transparent rhetoric about the user's true desires all the more galling.
Posted Oct 20, 2012 7:19 UTC (Sat)
by erwbgy (subscriber, #4104)
[Link]
I presume the defaults are really that way in order to preemptively placate the advertising industry, but I wish they were honest about that.
Nope. The point of the default being 0 is so that it is clear that the user set the DNT value and not the browser vendor. That way it specifies an actual user preference that advertisers will find harder to ignore. Setting the default to 1 like IE is doing makes it no longer a preference that the user has explicitly stated and advertisers can just ignore it saying: "the user didn't specify DNT, they just happen to be using IE".
Posted Oct 18, 2012 16:21 UTC (Thu)
by ThinkRob (guest, #64513)
[Link] (10 responses)
How anybody thought this would have any meaningful effect is a source of much amusement.
Posted Oct 18, 2012 17:49 UTC (Thu)
by rillian (subscriber, #11344)
[Link] (9 responses)
Expressing a clear user preference both removes the argument that that person desires tracking by default, and provides a place to hang privacy legislation, which really can compel corporate behaviour.
Posted Oct 20, 2012 18:15 UTC (Sat)
by giraffedata (guest, #1954)
[Link] (8 responses)
Posted Oct 20, 2012 18:55 UTC (Sat)
by sfeam (subscriber, #2841)
[Link] (4 responses)
Posted Oct 20, 2012 20:28 UTC (Sat)
by giraffedata (guest, #1954)
[Link] (3 responses)
OK, I read it and what one advertiser really concluded was this:
(The article also talked about public relations fallout, which again might be counteracted if prospects had a way to shut off the targeting, even if they rarely use it).
Posted Oct 21, 2012 10:23 UTC (Sun)
by bosyber (guest, #84963)
[Link] (2 responses)
Why would people want an ad for something they bought already? Hardly ever unless it is only about weekly shopping. And then they don't need to be enticed to buy it as it is already on their shopping list, evidently. For one-time-only buys it is just as useless for the opposite reason.
In my experience, that makes it more annoying - yes targeted, but too late/useless. To make it useful, they'd need to predict buys. And that can be pretty creepy, like with the pregnancy stuff. If they get it right, which is really hard.
The Amazon 'other people that looked at/bought this also bought Y' is occasionally useful, when the items deal with a specific well defined topic (say learning about a certain programming language), but even there it has a lot of misses. For fiction it can be really off-putting even.
Posted Oct 21, 2012 17:27 UTC (Sun)
by giraffedata (guest, #1954)
[Link] (1 responses)
Maybe I didn't include enough context, but I'm sure what the advertiser was talking about was consumables, such as groceries and cleaning supplies.
I can easily believe coupons for those work, because without the coupon, the person might delay restocking, and consequently consuming, or might go to a different store to restock.
Obviously, the system isn't perfect. Sometimes the price you pay for sending someone a coupon that works is you have to send him 5 that don't. Amazon kept pressing me to buy a certain model of garbage can for a month after I bought it - from Amazon. But I know the program that did that works on average.
Posted Oct 22, 2012 6:32 UTC (Mon)
by bosyber (guest, #84963)
[Link]
I suppose that we live in different areas (I live in the Netherlands) - I know hardly anyone who seriously uses coupons - sure we may watch what the advertising leaflets of the grocery stores have on offer and it might have some influence on where we buy what, but to be honest, the weather and other activities have more influence. Different experiences for different people I guess :)
Posted Oct 20, 2012 19:39 UTC (Sat)
by viro (subscriber, #7872)
[Link]
Posted Oct 22, 2012 9:04 UTC (Mon)
by njwhite (guest, #51848)
[Link] (1 responses)
Besides which, targeted advertising is still advertising. It still is intended to get you to make a less rational decision than you would otherwise. It's just more tailored to you. So more effective. So better at manipulating you.
I can't really understand why anybody would want targeted advertising. I kind of presume they can't have really thought about the implications very hard. Do argue with me, though ;)
Posted Oct 22, 2012 20:33 UTC (Mon)
by giraffedata (guest, #1954)
[Link]
That is a very narrow view of advertising. There is one kind of advertising that is intended to get you to make a less rational decision, but there is plenty of advertising that is intended to educate you so you can make a better rational decision. Many times the education is simply letting you know the product is available. Other times, it's telling you something you didn't know about the product. In some cases, advertising brings your attention to a feature of the product you would otherwise overlook in your rational decision-making process.
The basic educational aspect of ads sometimes gets lost in the creative ways the ad must present the information in light of the audience's limited mental capacity -- advertisers are fighting for every millisecond of your thinking time and byte of your memory -- but that doesn't change the ad's objective.
No one can argue with you unless you get more specific than you have so far about those implications.
Posted Oct 18, 2012 21:18 UTC (Thu)
by blitzkrieg3 (guest, #57873)
[Link] (5 responses)
Posted Oct 19, 2012 1:12 UTC (Fri)
by Tobu (subscriber, #24111)
[Link] (4 responses)
Posted Oct 19, 2012 5:35 UTC (Fri)
by cpeterso (guest, #305)
[Link] (3 responses)
Posted Oct 21, 2012 5:50 UTC (Sun)
by branden (guest, #7029)
[Link] (2 responses)
Ghostery?
Posted Oct 22, 2012 9:05 UTC (Mon)
by njwhite (guest, #51848)
[Link]
Posted May 30, 2015 21:40 UTC (Sat)
by Kamilion (subscriber, #42576)
[Link]
Right now there's a number of choices.
But what I've had the best luck with so far is uMatrix:
And it's 'younger brother', uBlock Origin.
However, uMatrix is a heck of a sledgehammer, and it's easy to put holes in the drywall of a lot of sites.
Both uBlock Origin and uMatrix are open source GPLv3.
Yes, that's right, I'm using five extensions to try and keep my privacy high and bandwidth low.
On second thought, I rarely see ghostery doing anything anymore, and it's actively conflicting with disconnect.me and causing ignorable extension errors like this:
"This extension failed to redirect a network request to about:blank because another extension (Ghostery) redirected it to data:application/javascript;base64,ZnVuY3Rpb24gcXVhbnRzZXJ2ZSgpe30="
Maybe it's time I gave ghostery the boot; I've cycled out all of my other extensions over time as new ones were introduced, or performance was improved (uBlock Origin has definitely reduced memory usage over AdblockChrome) in some way.
Time to open Ghostery up in notepad++ and apply ye olde reverse engineering talent against it... I can probably figure out how to dump the settings I've cultivated into a text file suitable for loading in uBlock Origin...
Posted Oct 20, 2012 11:17 UTC (Sat)
by paulj (subscriber, #341)
[Link] (3 responses)
Posted Oct 20, 2012 16:06 UTC (Sat)
by alonz (subscriber, #815)
[Link] (2 responses)
Posted Oct 20, 2012 18:08 UTC (Sat)
by giraffedata (guest, #1954)
[Link] (1 responses)
The header does not direct the server to do anything, so "default" doesn't make any sense. The three states provided for in the spec are:
"I prefer not to be tracked," "I prefer to be tracked," and no information about the user's preference. The latter is encoded by not sending the header, and is the only sensible thing for a browser to do without active directions to the contrary from the user.
And giving the user the chance to uncheck a checked box isn't active enough. An advertiser would be justified in considering the header not credible if a major web browser were known to work that way.
Posted Oct 20, 2012 19:12 UTC (Sat)
by paulj (subscriber, #341)
[Link]
It's optional, so "Don't send" is an option and it's already tri-state. Of course :).
Posted Oct 29, 2012 9:07 UTC (Mon)
by sustrik (guest, #62161)
[Link]
Do Not Track Does Not Conquer
Though no one has said it, I see clear implications that some believe nobody wants to be tracked, and that advertisers know that. Well, that isn't true. Advertisers believe users prefer targeted advertising to random advertising and I know that's not an unreasonable belief, because I do. I hate random advertising, and I would notice a degradation if I switched to a browser that told advertisers I'd prefer random ads.
Do Not Track Does Not Conquer
There was a fascinating article in the NYT earlier this year documenting that advertisers correctly know that shoppers hate to be targeted. To work around this they deliberately mix random ads with targeted ads so that the targeting isn't so obvious. Why do the shoppers hate being targeted? The article uses a real example of Target (the company) being so clever that it could figure out when a shopper was newly pregnant and therefore it would send ads for baby clothes, diapers, etc. But the shoppers' reaction tended to be OMG, how did they find out I'm pregnant!?. This did not achieve the desired increase in sales of baby gear.
Do Not Track Does Not Conquer
There was a fascinating article in the NYT earlier this year documenting that advertisers correctly know that shoppers hate to be targeted.
We have the capacity to send every customer an ad booklet, specifically designed for them, that says, "Here's everything you bought last week and a coupon for it." ... With the pregnancy products, though, we learned that some women react badly.
That's a long way from saying advertisers know everyone hates targeted ads. In fact, it makes a good case for advertisers wanting a credible "do not track" header from browsers. Maybe with that, they could filter out those women who would react badly.
Do Not Track Does Not Conquer
"Here's everything you bought last week and a coupon for it."
shows a fundamental issue with those targeted ads (heh, originally I found I wrote attacks, hm):
Do Not Track Does Not Conquer
Why would people want an ad for something they bought already?
Do Not Track Does Not Conquer
targeted advertising is still advertising. It still is intended to get you to make a less rational decision than you would otherwise.
I can't really understand why anybody would want targeted advertising. I kind of presume they can't have really thought about the implications very hard. Do argue with me, though ;)
Do Not Track Does Not Conquer
Are you thinking of Google's "analytics opt-out" addon? And yeah, I suspect there are ways to get some genuine client-side protection against third-party tracking (by shutting down ipc between origins, be it through cookies or whatever — a page accessing another origin's cookies through an iframe would either block or get cookies namespaced by the outer origin).
Do Not Track Does Not Conquer
The Ghostery add-on for Firefox and Chrome is an effective client-side "tracker blocker."
Do Not Track Does Not Conquer
If I *HAD* gone, I might actually have been bound by their EULA! But as it is, I've never seen it, and it's not presented upon installation; so I can treat it as if it doesn't exist and isn't enforceable.
I use a combination of extensions.
Ghostery is pretty popular.
http://disconnect.me/ is another popular one.
Even the EFF's weighed in: https://www.eff.org/privacybadger
https://github.com/gorhill/uMatrix/wiki
https://github.com/gorhill/uBlock
https://github.com/gorhill/uMatrix/wiki/Using-uBlock-with...
Privacy Badger eats cookies, disconnect.me destroys annoying social networking buttons, uBlock Origin isolates all the domains serving malware, and uMatrix keeps me from tripping over advertiser-redirects when clicking links.
Do Not Track Does Not Conquer
Because (a) it would have made the spec more complicated, and (b) the authors of the DNT spec believed browser implementors will actually read the spec (including non-technical overview sections) and make rational decisions?