The sad, slow-motion death of Do Not Track
"Do Not Track" (DNT) is a simple HTTP header that a browser can send to signal to a web site that the user does not want to be tracked. The DNT header had a promising start and the support of major browsers almost a decade ago. Most web browsers still support sending it, but in 2020 it is almost useless because the vast majority of web sites ignore it. Advertising companies, in particular, argued that its legal status was unclear, and that it was difficult to determine how to interpret the header. There have been some relatively recent attempts at legislation to enforce honoring the DNT header, but those efforts do not appear to be going anywhere. In comparison, the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) attempt to solve some of the same problems as DNT but are legally enforceable.
In 2007, the US Federal Trade Commission was asked [PDF] to create a "Do Not Track" list, similar to the popular "Do Not Call" list. This would have been a list of advertiser domain names that tracked consumer behavior online, and would allow browsers to prevent requests to those sites if the user opted in. However, that approach never got off the ground, and DNT first appeared as a header in 2009, when security researchers Christopher Soghoian, Sid Stamm, and Dan Kaminsky got together to create a prototype. In his 2011 article on the history of DNT, Soghoian wrote:
> In July of 2009, I decided to try and solve this problem. My friend and research collaborator Sid Stamm helped me to put together a prototype Firefox add-on that added two headers to outgoing HTTP requests:
>
>     X-Behavioral-Ad-Opt-Out: 1
>     X-Do-Not-Track: 1
>
> The reason I opted for two headers was that many advertising firms' opt outs only stop their use of behavioral data to customize advertising. That is, even after you opt out, they continue to track you.
At some point, Soghoian said, "the Behavioral Advertising Opt Out header seems to have been discarded, and instead, focus has shifted to a single header to communicate a user's preference to not be tracked". The final format of the header is literally "DNT: 1".
Even back when Soghoian wrote that article, it was clear that getting advertisers to respect the header wasn't going to be easy:
> The technology behind implementing the Do Not Track header is trivially easy - it took Sid Stamm just a few minutes to whip up the first prototype. The far more complex problem relates to the policy questions of what advertising networks do when they receive the header. This is something that is very much still up in the air (particularly since no ad network has agreed to look for or respect the header).
Part of the problem was defining what "tracking" means in this context. The Electronic Frontier Foundation (EFF), which has been involved in DNT efforts from the beginning, defines it as "the retention of information that can be used to connect records of a person's actions or reading habits across space, cyberspace, or time". The EFF's article also lists certain exceptions that are not considered tracking, which notably allows for "analytics providers". The article is also careful to distinguish between tracking by a first-party ("the website you can see in your browser's address bar"), which is allowed, and tracking by a third-party (other domains), which is not.
Starting with Mozilla Firefox in January 2011, browsers began to implement the "trivially easy" part, allowing users to opt into sending the new header. Microsoft followed soon after, adding DNT support to Internet Explorer 9 in March 2011. Apple followed suit with Safari in April 2011. Google was a little late to the game, but added support to Chrome in November 2012.
In September 2011 a W3C "Tracking Protection Working Group" was formed "to improve user privacy and user control by defining mechanisms for expressing user preferences around Web tracking and for blocking or allowing Web tracking elements". During its eight active years, the group published a specification of the DNT header as well as a set of practices about what compliance for DNT means. Unfortunately, in January 2019 the working group was closed with this notice:
> Since its last publication as a Candidate Recommendation, there has not been sufficient deployment of these extensions (as defined) to justify further advancement, nor have there been indications of planned support among user agents, third parties, and the ecosystem at large. The working group has therefore decided to conclude its work and republish the final product as this Note, with any future addendums to be published separately.
As early as 2012, LWN wrote about how it wasn't looking good for DNT: advertising groups were pushing back (unsurprisingly), and there was no legal definition of how the header should be interpreted. In addition, Microsoft's decision in May 2012 to enable the header by default in Internet Explorer 10 backfired, as DNT had always been intended to indicate a deliberate choice made by the consumer. Roy Fielding even committed a change to unset the DNT header in the Apache web server if the request was coming from Internet Explorer 10 — possibly setting a record for the number of comments on a GitHub commit. Even though Microsoft finally removed this default in April 2015, it's likely that this well-intentioned move muddied the DNT waters.
A few high-profile web sites did honor Do Not Track, including Reddit, Twitter, Medium, and Pinterest. Tellingly, however, as of today two of those sites now ignore the header: Reddit's privacy policy now states that "there is no accepted standard for how a website should respond to this signal, and we do not take any action in response to this signal", and Twitter notes that it discontinued support (as of May 2017) because "an industry-standard approach to Do Not Track did not materialize". At present, Medium and Pinterest still act on the header.
Apple's Safari was the first major browser to lose support for "the expired Do Not Track standard" — it was removed from Safari in March 2019. Ironically, Apple's stated reason for removing it was to "prevent potential use as a fingerprinting variable". Tracking systems often use a fingerprint of a user's HTTP headers to help track them across different websites, and the DNT: 1 header — given its low use — adds uniqueness to the user's headers that may actually make them easier to track.
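The fingerprinting concern above can be made concrete by counting how many visitors share a header profile with and without the DNT field included. This is an added example, not code from the article or from Apple; the visitor population, browser names, and counts are constructed for illustration.

```python
import math
from collections import Counter

BASE_FIELDS = ("User-Agent", "Accept-Language")

def fingerprint(headers, fields):
    """Reduce a header dict to the tuple of values a tracker could key on."""
    lower = {name.lower(): value.strip() for name, value in headers.items()}
    # A missing header is itself a signal, so it maps to "" rather than being dropped.
    return tuple(lower.get(field.lower(), "") for field in fields)

def surprisal_bits(target, population, fields):
    """Return (anonymity-set size, identifying bits) for target within population."""
    counts = Counter(fingerprint(h, fields) for h in population)
    same = counts[fingerprint(target, fields)]
    if same == 0:
        raise ValueError("target fingerprint does not occur in the population")
    return same, -math.log2(same / len(population))

def build_population():
    """Constructed sample of 1024 visitors; every number here is illustrative."""
    groups = [  # (User-Agent, Accept-Language, visitors, of whom send DNT: 1)
        ("BrowserA/1.0", "en-US", 512, 32),
        ("BrowserA/1.0", "de-DE", 256, 8),
        ("BrowserB/2.0", "en-US", 256, 16),
    ]
    population = []
    for agent, language, total, with_dnt in groups:
        for i in range(total):
            headers = {"User-Agent": agent, "Accept-Language": language}
            if i < with_dnt:
                headers["DNT"] = "1"
            population.append(headers)
    return population

if __name__ == "__main__":
    visitors = build_population()
    me = {"User-Agent": "BrowserA/1.0", "Accept-Language": "de-DE", "DNT": "1"}
    for fields in (BASE_FIELDS, BASE_FIELDS + ("DNT",)):
        size, bits = surprisal_bits(me, visitors, fields)
        print(f"{fields}: shared with {size} visitors, {bits:.1f} bits")
```

In this constructed population, sending the header moves the visitor from a group of 256 look-alikes to a group of 8, which is five additional identifying bits.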
Since then, Apple has been steadily rolling out what it calls "Intelligent Tracking Prevention", which is an approach that prevents the use of third-party cookies after a certain time window and helps avoid tracking via query-string parameters ("link decoration"). Mozilla added similar protections from third-party cookies to Firefox in September 2019. Microsoft included tracking prevention in the new Chromium-based version of its Edge browser, released in January 2020. Even Google, where much of its revenue comes from advertising (and indirectly, tracking), announced its own plans to phase out support for third-party cookies in Chrome over the next two years.
In May 2014, LWN wrote about Privacy Badger, "a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web". Privacy Badger enables the DNT header and blocks requests to third-party sites that it believes are likely to track a user (which, not surprisingly, happens to block most ads). One of the goals of Privacy Badger is to goad advertising companies to actually respect the header. If Privacy Badger sees that a domain respects DNT by publishing the DNT compliance policy to company-domain.com/.well-known/dnt-policy.txt, it will stop blocking that domain. This sounds like a great idea for users, but it just doesn't seem to have taken off with advertisers.
One recent attempt to revitalize the DNT header is by DuckDuckGo, which is a company that builds privacy-oriented internet tools (including a search engine that "doesn't track you"). It found (in November 2018) that, despite web sites mostly ignoring the header, DNT was enabled by approximately 23% of adults in the US. In May 2019 DuckDuckGo published draft legislation titled "The Do-Not-Track Act of 2019 [PDF]" which it hopes will "put teeth behind this widely used browser setting by making a law that would align with current consumer expectations and empower people to more easily regain control of their online privacy". The company's proposal would require web sites to honor the DNT header by preventing third-party tracking and only using first-party tracking in ways "the user expects". For example, a site could show a user the local weather forecast, but not sell or share the user's location data to third parties.
Unfortunately, in the year since DuckDuckGo published the proposal, nothing further seems to have come of it. However, around the same time, US senator Josh Hawley, supported by senators Dianne Feinstein and Mark Warner, introduced a similar Do Not Track Act that was "referred to the Committee on Commerce, Science, and Transportation". There has not been any activity on this bill in the last year, so it seems there is little chance of it going further.
In June 2018, the W3C working group published an article comparing DNT with the GDPR. The GDPR requires a web site to get a user's consent before tracking them and, unlike DNT, that is enforceable by law. Similarly, the recent CCPA legislation is enforceable, but it only applies to businesses operating in the state of California, and only to the "sale" of personal information. As law firm Davis Wright Tremaine LLP noted, the CCPA waters are almost as muddy as those of DNT: "we do not yet have clarity under the CCPA, however, regarding which tracking activities (e.g., tracking for analytics, tracking to serve targeted ads, etc.) would be considered 'sales'". One possible way forward is to generalize efforts like the GDPR and CCPA rather than trying to give DNT a new lease on life.
It looks as though, after a decade-long ride with a lot of bumps, the Do Not Track header never quite got enough traction with the right people to reach its destination. It is still possible that one of the political efforts will go somewhere, but it seems less and less likely. Similar to how most of us deal with email spam, we may have to rely on technological solutions to filter out tracking requests, such as Privacy Badger and DuckDuckGo's browser extensions or the various browsers' "intelligent tracking prevention" schemes.
| Index entries for this article | |
|---|---|
| GuestArticles | Hoyt, Ben |