LWN: Comments on "The sad, slow-motion death of Do Not Track"

The sad, slow-motion death of Do Not Track

mpr22 — Mon, 14 Sep 2020 21:10:24 +0000

Bill Hicks Was Right.

The sad, slow-motion death of Do Not Track

nix — Mon, 14 Sep 2020 15:20:00 +0000

It's pretty obvious that most people don't want ads

Don't ignore the power of self-delusion when your paycheque depends on it. I know several people who work in adtech and a couple who work in old adland, and all of them are insistent that I am a freakish exception and that everyone really, really loves ads and everyone loves pervasive tracking and it's not creepy at all. (One of them actually watches ads in his spare time because he thinks they're an art form in their own right.)

I've pointed out that this is sort of disproved by the soaring popularity of adblockers, but nooo the problem there is that the messaging is wrong: people who use adblockers have all been lied to by evil people who point at the occasional rare bad apple like malware being delivered in ad networks, and if they can only find the right 'message' (i.e., countervailing lie) everyone will love ads again: sure they slow down your web browser, but in return you are gifted all these wonderful ads! Everyone loved ads in the high days of TV, you could tell by the way there were ads on TV: since the market is always right, that is proof enough!

(The existence of the ad-free BBC apparently does not constitute any sort of disproof, since it's government-funded. You'd think this would mean that it had a closer tie to the people the market is sampling the true opinions of, but apparently letting the people actually have input rather than leaving it up to the mythical superpowers of the all-wise market is axiomatically bad. Odd that.)

The sad, slow-motion death of Do Not Track

jezuch — Fri, 31 Jul 2020 13:15:18 +0000

I remember <marquee/>... Although I don't understant *why* I do ;)

Comment display

excors — Wed, 29 Jul 2020 14:41:52 +0000

Okay, thanks for clarifying that! (I have no problem with it personally, I was just curious in the context of this discussion.)

Comment display

corbet — Wed, 29 Jul 2020 13:04:47 +0000

The feature you describe is for project-leader subscribers; it is indeed implemented by storing the date/time the reader last looked at specific articles. That information is only kept for those subscribers, expired out after 60 days, and used for no other purpose.

I'll review the privacy policy and make sure that's covered.

The opposite opposte approach

excors — Wed, 29 Jul 2020 11:52:58 +0000

I don't think that's correct, because the "unread comments" page is not the only way LWN indicates what you've read. For example when I view this article (https://lwn.net/Articles/826575/) all the comments are displayed as "old" (the faded yellow colour). But if I open your comment's parent (https://lwn.net/Articles/827260/), your comment is displayed as new, until I refresh the page and it's displayed as old. If I open your comment's grandparent (https://lwn.net/Articles/827186/) they're all displayed as new again. I expect (based on prior observations) that if I open those pages after posting this comment, my comment will initially be marked as new and the earlier comments will be marked as old.

I assume that means LWN is tracking the date you visited every /Articles/NNN/ URL (which includes comment pages, not just articles). If you've never visited that specific page, all comments are considered new (even if you've seen them via a parent page). If you have visited, only comments posted after the last visit are considered new. So LWN knows exactly which pages you have visited, and actively uses that information. I don't know how long that is tracked for - from some very rough testing I suspect it's at least a month, but not many months. LWN's privacy policy doesn't appear to disclose the collection of this information, but I can't see any other reasonable way the observed behaviour could be implemented.

(This all applies to a logged-in subscriber. I assume the behaviour is different for anonymous users and maybe for non-subscribers.)

The opposite opposte approach

pabs — Wed, 29 Jul 2020 01:12:43 +0000

LWN's approach to unread comments appears to work without tracking what you have seen, it seems to be solely based on tracking the dates when you load the unread comments page. Thats marginally better, but of course article/comment delivery via email and MUA-side read tracking would be nicer.

Anyway, we appear to have gotten side-tracked, my point was that logins allow an increased level of tracking and browsers facilitate that by making login sessions long lasting instead of only for requests that "need" to be authenticated.

The opposite opposte approach

rgmoore — Tue, 28 Jul 2020 20:18:02 +0000

There are legitimate, user favorable reasons for wanting to track what things you have seen. For example, it makes it possible to show you only new comments, or to highlight new comments so you can quickly skip the stuff you've seen before. It would be good if LWN had an option not to record that information if you don't want them to track it, but I'm personally OK with it because I find the features it enables to be very helpful. I see that kind of simple feature as being qualitatively different from tracking intended to enable advertisers to profile me.

The sad, slow-motion death of Do Not Track

nybble41 — Tue, 28 Jul 2020 15:54:59 +0000

Your objections seem a bit contrived. Adding another party to the auction system would drive prices up, not down. It's pretty obvious that most people don't want ads, and we already have plenty of evidence that they are often willing to pay to avoid them ("pay to remove ads" is a popular option in various mobile apps), but they are sometimes willing to put up with them in order to fund sites or apps that they care about when no other convenient method is available. The auction operator has no reason to care whether any ads are actually shown; they get paid the same either way.

As for jacking up the prices with fake bids, they're welcome to try. The user's agent wouldn't be configured to always place the highest bid at any cost. The user would set a threshold based on how many ads they're willing to see. If an advertiser's bid is excessively high then it would just let them win. At that point they can either pay up or take a penalty for cancelling after winning the bid (in which case no ad is shown and the user still effectively gets what they wanted).

The sad, slow-motion death of Do Not Track

nix — Tue, 28 Jul 2020 10:29:51 +0000

That would never do! It directly works against the interest of the auction operator (who wants *lots of advertisers* to drive up prices, not lack-of-advertisers to drive them down) *and* provides people with actual evidence that they're willing to pay to get rid of this stuff (and thus, that it is toxic rubbish that nobody actually wants), *and*, uh, could easily be spun as extortion and/or converted to extortion by sufficiently unpleasant advertising network operators (and these are not pleasant people). All they have to do is set up an "advertiser" of their own that always bids unrealistically high and that their advertising network always eventually refuses bids from, to jack up the price the user has to pay arbitrarily high. A crime? Sure, but very hard to prove, given that the operation of these auctions is even concealed from the advertisers.

The sad, slow-motion death of Do Not Track

nilsmeyer — Tue, 28 Jul 2020 09:18:28 +0000

Throw in the obligatory "your privacy is very important to us" banner, of course with the implied caveat "making money is even more important, though").

Perhaps the opposite approach could cut down on meaningless clicks

nilsmeyer — Tue, 28 Jul 2020 08:09:01 +0000

Yeah I think that's called a "dark pattern". And I don't think that would hold up as legal.

The opposite opposte approach

anselm — Tue, 28 Jul 2020 07:44:35 +0000

OTOH, you probably appreciate the “Unread comments” function (I certainly do).

In the end it comes down to a question of trust. Of course LWN.net sees everything I do on their site as I interact with their web server, and they remember enough of it to ensure that the site works conveniently for me. I do trust them that they won't build up a long-term profile of everything I look at on LWN.net and sell that to (whom exactly?) or give it to the likes of the NSA (unless compelled by law). I don't have that trust when it comes to the data RANDOM_AD_COMPANY collects via ads they serve to hundreds of sites that I might be visiting.

The opposite opposte approach

pabs — Tue, 28 Jul 2020 03:22:22 +0000

I don't think it is appropriate, for eg, for LWN to record which articles and comments I am loading, which they could do since I am always signed in, so that I can read subscriber-only articles.

The opposite opposte approach

rgmoore — Mon, 27 Jul 2020 16:27:29 +0000

This seems exactly right to me. Once I've accepted the need to sign on to a site, I've accepted their ability to gather my information. If I'm unhappy with that, I need to either stop dealing with them or complain to them about what they do with my data. The big problem comes when some third party I have no desire to have a relationship with gathers data on me from numerous sites. There is a huge potential for abuse there, and they've almost always evaded any attempt to get my consent.

Perhaps the opposite approach could cut down on meaningless clicks

anselm — Mon, 27 Jul 2020 10:39:30 +0000

There are certainly enough sites whose cookie configuration panels have a huge vibrant-green “ENABLE ALL TRACKING AND CONTINUE” button alongside a barely perceptible light-grey one that says “Save cookie preferences and continue”.

The opposite opposte approach

anselm — Mon, 27 Jul 2020 10:34:41 +0000

I don't think people have anything against being “tracked” (through an HTTP cookie or otherwise) by a single web site that they have deliberately logged in to. It's being tracked by a large number of third parties, without explicit consent, across a large number of – otherwise unrelated – web sites that is objectionable to many of them.

The sad, slow-motion death of Do Not Track

smurf — Mon, 27 Jul 2020 03:07:18 +0000

But it doesn't match many sites' business model. So instead of no popup you'd see the annoying "hey, make an exception for us or subscribe, otherwise you won't see any content" popup we're been fed by news sites for the last couple years.

The sad, slow-motion death of Do Not Track

Wol — Sun, 26 Jul 2020 23:04:00 +0000

> The logic would still be the wrong way around. The default ought to be "I don't want to be tracked", and you can opt-in to be tracked if you like. If its any other way no meaningful amount of people will ever use it.

That's irrelevant. If DNT is set, then the user has explicitly made a choice. In that case browsers shouldn't kick up a banner, they should just honour that choice.

If W3C or whoever specifies an equivalent "opt in" "I don't care about trackers" flag, then web sites should honour that, too.

Cheers,
Wol

The sad, slow-motion death of Do Not Track

amarao — Sun, 26 Jul 2020 20:08:34 +0000

I believe DNT perfectly fits into GDPR. Explicit request which ought to be honoured.

The sad, slow-motion death of Do Not Track

nybble41 — Sun, 26 Jul 2020 18:29:29 +0000

> I try to put my money where my mouth is by paying for ad-free subscriptions or using the donate button on web sites I use regularly.

Another option is Scroll <http://scroll.com/>. In exchange for a flat subscription fee of $5 per month you get to browse all of their partner sites ad-free. Much better IMHO than subscribing to each individual site just to avoid the ads. (Premium content is still separate. No affiliation, just a happy subscriber.)

I've often thought it would be nice to have some integration with the *advertiser* networks, not just the publishers. As I understand it there is a sort of auction system running in the background to decide which ads are displayed for each page view. Why not provide a way to let the end user in on that auction? If the visitor's automated agent wins, bidding from a pool of money set aside for that purpose, then the ad slot could just remain empty.

The sad, slow-motion death of Do Not Track

niner — Sun, 26 Jul 2020 12:44:23 +0000

Well here in bad old Europe you need the clear and unambiguous, actively given consent of the user to be allowed to track in the first place. So DNT must be enabled by default to have a chance to be taken seriously in the first place. Only if its enabled by default can its absence be interpreted as consent of the user to be tracked. Though even then a "Please Track Me" header would be better.

Perhaps the opposite approach could cut down on meaningless clicks

niner — Sun, 26 Jul 2020 12:34:28 +0000

I don't think the defaulting of tracking cookies to "off" does have anything to do with the DNT header. Websites doing so simply follow the law as a decision by the European Court has made clear in ECLI:EU:C:2019:801:

"On the basis of those explanations, it should be noted that, in accordance with Article 5(3) of Directive 2002/58, Member States are to ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a user is only allowed on condition that the user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46, inter alia, about the purposes of the processing.

[...]

Thus, as the Advocate General stated in point 60 of his Opinion, the requirement of an ‘indication’ of the data subject’s wishes clearly points to active, rather than passive, behaviour. However, consent given in the form of a preselected tick in a checkbox does not imply active behaviour on the part of a website user."

http://curia.europa.eu/juris/document/document.jsf?docid=...

Thus it can be said, that there is now no longer any doubt that tracking EU users is only legal if they explicitly gave their consent by clear and unambiguous action, e.g. opt-in. The only exception is if tracking is necessary to actually provide functionality to the user, e.g. login sessions.

The EU is really a gift to Europeans.

Perhaps the opposite approach could cut down on meaningless clicks

cpitrat — Sat, 25 Jul 2020 11:52:14 +0000

You could have both options: deny all and allow all

The opposite opposte approach

pabs — Sat, 25 Jul 2020 04:15:38 +0000

The technical mechanism used to login was not the point of my post.

The opposite opposte approach

NYKevin — Fri, 24 Jul 2020 18:50:36 +0000

Nothing at all, which is one of the reasons this proposal has already failed.

The sad, slow-motion death of Do Not Track

rgmoore — Fri, 24 Jul 2020 14:53:16 +0000

Blocking them is pushing towards the system I want to see.

Blocking ads alone is only an attempt to destroy the current system. If you want to push toward a specific alternative system, you have to actively support that alternative. Otherwise, you have no control over what you'll get in the long run. It might be the system you want, but it could be something worse, like a more abusive ad system that's harder to block or the collapse of useful ad-supported sites with nothing to replace them.

The opposite opposte approach

smurf — Fri, 24 Jul 2020 13:42:53 +0000

Well, the alternative is to log in on every visit *and* to mangle each and every one of your links with session IDs.

I'm not quite convinced that that approach has any advantages WRT cookies.

The opposite opposte approach

epa — Fri, 24 Jul 2020 09:22:04 +0000

Thanks for the link. My suggestion was for an HTTP header which achieves the same thing -- slightly cleaner in my view, but perhaps unlikely to be adopted. (Your company's legal department might not agree that you are compliant with data protection laws just because of that header. They might expect an explicit I Agree click, header or no header. But there is nothing the legal department can do about a browser extension.)

The sad, slow-motion death of Do Not Track

LiPo — Fri, 24 Jul 2020 08:45:23 +0000

IE was right. Tracking on the Internet brakes European fundamental rights. See also communication to W3C at https://ec.europa.eu/justice/article-29/documentation/oth..., for example, https://ec.europa.eu/justice/article-29/documentation/oth....

It is very unlikely if EU says the not tracking is opt-in. Actually, it is the other way around. The user has to give unambiguous, specific, informed and free consent to be tracked, see GDPR.

The sad, slow-motion death of Do Not Track

roc — Fri, 24 Jul 2020 03:42:16 +0000

When it's "opt in", we can make the argument that DNT represents the desire of the user. That made it easier to argue in and out of court that advertisers should respect it.

When it's "opt out", it no longer reflects the desire of the user which made it much easier for the ad industry to ignore it.

The sad, slow-motion death of Do Not Track

NAR — Thu, 23 Jul 2020 23:39:19 +0000

Once I was working at a company where I was not allowed to install adblockers. The experience was "interesting": I either got ads for businesses geographically near the company proxy (and 2000 kms from my actual location, so totally irrevelant) or ads for "marriage-minded bikini-clad Asian or Russian women (again, totally irrelevant). And it's not like I was visiting NSFW sites - they were blocked and also about 20+ people had clear view on my monitor in the open office, so I wouldn't dare to do that anyway.

The sad, slow-motion death of Do Not Track

josh — Thu, 23 Jul 2020 22:22:36 +0000

> Unfortunately I think one of the results of blocking ads is that companies like Facebook have a massive incentive to build far more intrusive advertising platforms.

And people can choose to not use Facebook as a result, and adblockers will help prevent other sites from feeding data to Facebook.

> Maybe if there was a pervasive, unintrusive and easily managed way to make micropayments to the sites that you visited it would remove a lot of the incentive for advertising, but getting that in place would be kind of hard to do, and would potentially have lots of /other/ perverse incentives. But short of that I don't think there's a decent solution.

There's absolutely a decent solution: block all ads, and don't treat it as your problem to solve. Someone else's ad-based business model does not obligate anyone to help them succeed. If enough people block ads, and enough technologies make it easier and less out-of-the-way to do so, ad-based business models will become less and less viable.

The opposite opposte approach

josh — Thu, 23 Jul 2020 22:17:24 +0000

What stops a site from doing that today, with the existing cookie-classification UIs?

Misclassifying a cookie might potentially subject the site to legal trouble, or lead a browser or search engine to treat the site as malicious.

The sad, slow-motion death of Do Not Track

davecb — Thu, 23 Jul 2020 15:15:36 +0000

I also recommended giving it a legal definition in a Candian request for comments by the CRTC

The sad, slow-motion death of Do Not Track

gerdesj — Thu, 23 Jul 2020 14:16:32 +0000

Remember <blink /> ?

The opposite opposte approach

pabs — Thu, 23 Jul 2020 13:52:32 +0000

Cookies that are used for login sessions are just another form of tracking.

The sad, slow-motion death of Do Not Track

JGR — Thu, 23 Jul 2020 13:47:20 +0000

Advertisers and large sites would soon work around this by increasing the size of cookie data with multiple copies, FEC, checksums, etc.
This would probably inconvenience users logging into small sites which won't get updated, more than it inconveniences advertisers.

The sad, slow-motion death of Do Not Track

freemars — Thu, 23 Jul 2020 10:47:35 +0000

I'd like to see Cookie Rot - your browser will happily accept, store, return cookies, but sometimes bits of the cookies get corrupted (perhaps every time the browser gets shut down?) You would need a list of uncorruptable cookies - your login credentials for LWN.net, for example.

The opposite opposte approach

leromarinvit — Thu, 23 Jul 2020 09:18:30 +0000

I don't care about cookies takes care of that at least for some sites (but certainly not all).