Mozilla Proposes 'Do Not Track' HTTP Header
MozTrack writes "The emergence of data mining by third party advertisers has caused a national debate from privacy experts, lawmakers and browser supporters. Mozilla's Firefox, a popular browser company, has proposed a new feature that will prevent people's personal information from getting mined and sold for advertising. The feature would allow users to set a browser preference that will broadcast their desire to opt-out of third party, advertising-based tracking. It would do this via a 'Do Not Track' HTTP header with every click or page view in Firefox."
Advertisers and tracking services will fight this to the bitter end.
Atheism is a religion like not collecting stamps is a hobby.
"Mozilla's Firefox, a popular browser company"
What would be the point? It isn't enforceable and even if laws were passed, you can circumvent it by tracking from an offshore server.
I am becoming gerund, destroyer of verbs.
...because the do not call list totally works.
All kidding aside, I'm sure something like this would work for a little while, but just like the do not call list, advertisers will find some way around it. By the way...advertisers? When you call me or spam me via email, I make sure to AVOID your products...and I'm confident I'm not the only one.
Living With a Nerd
The problem is that sites would be justified (imo) to then not offer you service based on this.
“We support this site with ad revenue. Tracking is part of that. No Tracking, no service”.
This is fine really. People aren’t entitled to web content. In many cases your privacy is what you are trading for it, and you should be made aware of this and have the option to decline. This kind of header (and possibly others like it) would let you specify in what you are ok with, and let a site then decide whether it’s enough to grant you access.
The problem is that people don’t like this... they want the privacy _and_ the content.. so people would probably just go back to using ad-blockers and cookie deleters as soon as they start getting rejected access messages.
Of course the opposite could happen as well. Web traffic could plummet as everyone enables the feature.. causing a site owner to re-think whether web tracking makes sense for them.
Personally I don’t mind being tracked. Somewhere out there, someone has a very detailed profile of what makes me tick.. and really it’s not doing me much harm that I can see. I read an article about raising my new pet dog and every other ad I see for the next 2 weeks is about obedience training.. creepy but doesn’t hurt me. This is a personal decision however, and I think people do have the right to be paranoid about their data and should have the option to opt out.
Just proposing the idea is damaging to Mozilla's already floundering technical credibility.
Basic idea seems the same, right? http://www.faqs.org/rfcs/rfc3514.html
This tag would be entirely worthless because no one would be forced to anything but discard it.
Rather than this useless addition, why not have the browsers just not send the information in the first place? Or would that make too much sense?
All this will do is provide another data point for marketers.
Proud member of the Weirdo-American community.
This will obviously be just as effective as the IP header evil bit proposed in RFC 3514!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
The "don't tase me bro" kid got tased anyway.
Mozilla's Firefox, a popular browser company
...Do I even need to say what is so wrong with this?
Eh, I will anyways:
Given how popular Google and Wikipedia are these days, mess-ups like this should have completely vanished by now.
"Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
fun ff addon... don't leave homepage without it https://addons.mozilla.org/7en-US/firefox/addon/refcontrol/
They've already developed a "DO NOT TRACK" bit, but you might have missed it because it's labeled different: it's called "DO NOT VISIT."
Why do people get so fundamentally stupid about the web in particular? If, for example, every store you visit tracked your comings & goings and your purchase history, would you still scream bloody murder? NO, because they all already do this and nobody seems to give a rat's ass. But on the Big, Scary Internet the rules are somehow all different.
Using Firefox + Adblock Plus + NoScript:
No. Time Source Destination Protocol Info
27 3.918190 10.4.12.92 216.34.181.48 HTTP GET /story/11/01/24/1657252/Mozilla-Proposes-Do-Not-Track-HTTP-Header HTTP/1.1
Frame 27 (582 bytes on wire, 582 bytes captured)
Linux cooked capture
Internet Protocol, Src: 10.4.12.92 (10.4.12.92), Dst: 216.34.181.48 (216.34.181.48)
Transmission Control Protocol, Src Port: 34619 (34619), Dst Port: http (80), Seq: 1, Ack: 1, Len: 514
Hypertext Transfer Protocol
GET /story/11/01/24/1657252/Mozilla-Proposes-Do-Not-Track-HTTP-Header HTTP/1.1\r\n
Host: tech.slashdot.org\r\n
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Fedora Firefox/3.6.12\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-us,en;q=0.5\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
Keep-Alive: 115\r\n
X-Do-Not-Track: 1\r\n
Referer: http://slashdot.org/\r\n
Connection: keep-alive\r\n
Cache-Control: max-age=0\r\n
\r\n
Oh and Slashdot, how the heck am I supposed to post on your system when I'm behind my ISP's NAT and someone else has already beat me to it?
Banu
Spammer: "How shall we ever continue our illegal data-mining now that people can ask us nicely not to abuse their privacy?
Our evil plan is foiled!"
This seems like a bad joke - the "Evil bit" but for http headers. It must be a political move, trying to set the boundary for debate.
If this is serious it's a terrible idea: it'll be on by default for everything so it's not a compromise (and could therefore be done with laws banning the tracking); all older software that doesn't send this header would be fair game; sites will simply refuse content unless you turn it off (see AdBlock).
tomorrow who's gonna fuss
Not sure if this is a Mozilla originated proposal or not. Could someone familiar with the issue summarize events since Sept. 2010?
http://33bits.org/2010/09/20/do-not-track-explained/
http://donottrack.us/
http://hackademix.net/2010/12/28/x-do-not-track-support-in-noscript/
Rather than this useless addition, why not have the browsers just not send the information in the first place? Or would that make too much sense?
Well, that would make cookies useless...but then, as you're an AC, perhaps you don't believe in cookies ;)
If airlines can charge a passenger for luggage to fly with them for your vacation, how long before websites or browsers sell you this as a service or charge it as a fee to use their service.
I detest that everywhere I turn there is some sort of Advertising shoved down my throat. And as a citizen of the US, I would like to see the citizens stand up for our civil rights a bit more and tell the corporations and the government to back the heck off. It reminds me of the movie Wall-E. As you see Wall-E traverse the area he works, there is nothing but advertisements everywhere. Are we really headed there?
Why must every product I purchase now force me to see an ad for something else? /sigh
Life takes interesting turns, but the most interest is when you're off the beaten path.
It doesn't have to be 100% effective. The biggest trackers are Google and Facebook. They are large companies that need to comply with the law and with standards.
Obviously something like this is useless if even Facebook ignores it but otherwise it would be quite a handy supplement to my array of NoScript/Adblock+/Ghostery. Sure, many smaller, less reputable companies will ignore it but when it comes to tracking, size matters.
Advertisers and tracking services will fight this to the bitter end.
Google, as well as other major online ad and tracking services, already support "Do Not Track" mechanisms with similar functionality.
If you don't want anyone to know your IP address, just stick 0.0.0.0 into the IP "source" field. Just as realistic, and far more effective than spamming your details then politely asking people to forget them.
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
...and
Quickly: What's wrong with that?
A nice feature that will be welcomed if they can push to have it standardized by everyone, especially M$
Now all I have to do is track all the "do not track" headers.
For justice, we must go to Don Corleone
Unenforceable rules are useless!!!
With a penalty behind it (a la Do Not Call) it could work, otherwise it's about as effective as the TCP packet evil bit.
Personally I would encourage people to proactively block advertisers using existing tools such as AdBlock and NoScript. That way you don't have to trust the advertisers not to track you.
This could be a huge turn for companies that make a living out of the loopholes of the Internet from yesteryear, which can either stop doing their data-mining or change the way they do their data-mining. Quite possibly a more obtrusive way.
OR
This could just be a placebo, so that us semi-geeks (the ones that read these things and are aware of them but aren't really attracted to ACT upon it) can sit back and look at the rest shut up about it for a little while.
All glory to Arstotzka!
I would track those with the header set even more.
Rather than this useless addition, why not have the browsers just not send the information in the first place? Or would that make too much sense?
Well, that would make cookies useless...but then, as you're an AC, perhaps you don't believe in cookies ;)
A lot of the information in cookies is not necessary for them to serve their function.
You still have to trust the host not to track you.
As an aside, what I *would* like to see is an attribute added to the tag which allows you to specify the IME for mobile devices. It's not too much to ask for is it?
This is a great idea. Other posters are right that website operators won't be technically forced to respect the Do Not Track request, but this is a political solution, not a technical solution, and politics is how this needs to be resolved.
Currently, users have no voice. They can't tell websites not to track them except by cumbersome means such as sending emails to the operators. Even then, it's only one email from one user. Website operators can assume that there's no desire for privacy -- in fact it's something they publicly argue.
But clicking the DNT checkbox is much easier. Now the websites are confronted with millions of users, maybe hundreds of millions, requesting 'Do Not Track me'. Ignoring their reasonable requests would be bad for business, for reputation, and most importantly, for politics. If the websites don't comply to a reasonable request from a large number of their constituents, legislators will pass laws to force them. If most websites do comply, then the few who don't will be the odd ones out and face even greater risks to their business.
Just as importantly, DNT raises awareness. I know of few typical end users who are aware of tracking or understand its importance and implications. DNT will at least make them aware that tracking is an issue and that it's important enough that somebody with authority someplace thought they should be able to opt out of it.
(I don't think there's a technical solution to tracking. The value of tracking the (1 billion?) people on the web is great enough that any security measure will be overcome.)
I would like to restore the privacy options we already had, that have been eroded:
- Stop browsers from accepting 3rd-party cookies by default (I'm looking at YOU Firefox!)
- Clear cookies daily. This used to be a Firefox option, now unavailable. If logging in once a day is too often, you misunderstand the concept of "password"
- Any plug-ins need to follow these same rules. Ex: Flash "cookies"
The problem, once again, is that the relevant authorities had completely lacked the foresight to outlaw the practice of tracking at the very beginning when it would have been most productive. At the very outset of the new cyber world, Internet connections should have been perceived as sacred with no data collection to be permitted or shared.
But this did not happen. As a result, these third-party tracking companies (with their dubious claims of effectiveness) have grown too large and too widespread to effectively combat. Any attempt to impose anti-tracking methods or legislation will now be met with serious resistance.
We cannot reap what we have failed to sow.
X-No-Archive despite the X is the admitted standard on Usenet to opt out of post archive. But nowadays, I won't bet two cents on such a "standard" gaining consensus.
Léa Gris
Like Microsoft last month, and other browser makers soon to follow, Mozilla is only doing this so that the FTC doesn't force them to. The FTC proposed this and essentially said to everyone "Do this on your own or we'll write a spec for it and you won't like it."
It can read:
Well, golly gosh jeepers, guys. It shore would be nice of you to be nice. C'mon guys, really...
You had better not track me, OR ELSE!
This move by mozilla is genius. Have you seen the kinds of things lawmakers are talking about, e.g. making it illegal for websites to track customers? By proposing a much better mechanism Mozilla will hopefully prevent any sort of crazy no-tracking legislation from becoming law.
Of course these headers won't be universally honored -- that's not the point. If lawmakers find this solution to be inadequate the most likely scenario is they will mandate that websites honor this header, which would be WAY better than the alternative of lawmakers unilaterally deciding how this should work.
Cheers to Mozilla for trying to start this conversation outside the narrow walls of Slashdot. The proposed solution may be ineffective or even have adverse unintended consequences, but the problem is real. Internet tracking is beyond intrusive; it's dangerous. The same techniques used for arguably legitimate purposes by advertisers can (and are) used by malware authors.
Most web users simply aren't aware of the potential danger of simply pointing and clicking. Market research and advertising are essential to capitalism; they help buyers and sellers find one another. But there must be limits. If television advertisers could peer back at us in our living rooms and measure the pupils of our eyes, I suspect there would be an outcry loud enough for end-users to hear.
This is a passive measure which relies on the second party for compliance, much like robots.txt. You can put as many denials as you want in there, but the "bad bots" will ignore it, if they even request it at all. The data miners will do the same, it would be in their interest to ignore this header.
Personally, I'll keep adding lines to my hosts file.
I still use Proxomitron to rewrite all my headers and cookies. I like sending "I am a cookie, eat me!" and other items like "Browser is nunya Bidness". But then again Yahoo Mail doesn't recognize my browser.. :)
The thing is, They Know we don't want to be tracked, tagged, folded, spindled, and mutilated. Just like telemarketers know you don't want their call, junk mailers know you don't want their paper stuffing your box etc etc. They just don't give a rat's ass because they're psychopathic corporations. If they thought they could get away with it they would roast your child on a spit for a nickel and Wall Street would reward them handsomely when they pointed out that the supply of children was nearly inexhaustible.
A better approach is to define a header that says you DO want to be tracked. The 3 people in the world who actively want that can submit a patch to actually implement it if they like. It won't matter much either way.
I assume Insurance companies would LOVE a "do not track" header. they just start tracking who uses it, and increase their rates!
Google has an opt-out in ad preferences that is based on HTTP cookies. Unfortunately they are easily deletable by accident. This HTTP header doesn't have this problem.
That would assume default settings or non-compliant browser would get "more" privacy from honest advertisers. Persons really interested at being tracked would turn it on.
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) crowd-sourced
approach to preventing users from being tracked. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which will vary from state to state and country to country)
(x) It does not provide an adequate method of enforcement
( ) Nobody will spend eight months sitting in dull planning meetings to do it
( ) No one will be able to find the guy
(x) It is defenseless against rogue websites
(x) It tries to stop a fundamentally broken cookie model
(x) Users of the web will not put up with it
( ) The government will not put up with it
(x) Advertisers will not put up with it
( ) Requires too much cooperation from unwilling sources
(x) Requires immediate total cooperation from everybody at once
( ) Many advertisers cannot afford to lose what little business they have left
( ) Anyone could anonymously destroy anyone else's career or business
( ) Users are too stupid to know they're being tracked anyway
Specifically, your plan fails to account for
(x) Browsers' unwillingness to change to suit something that will be circumvented in days
( ) The existence of programmers for hire
(x) The W3C
( ) Sources' proven unwillingness to "go direct"
( ) The difficulty of changing all those websites
( ) How few people actually care
(x) The vast majority of "programmers" are unable to even code in semantically-correct HTML
( ) Unpopularity of weird new headers
(x) Unstoppable moneyed Kung-Fu
( ) Legal liability of vigilante sites
( ) The training required to be even a craptaculous web monkey
(x) Users hate pop-ups
( ) The necessity of ignoring laws from other countries
(x) Americans' huge distrust of anyone not from their country/state/city/block
( ) Reluctance of governments and corporations to be held to account by two guys with a blog
( ) Inability of random people on the internets to demand anything
( ) How easy it is for corporations to manipulate unemployed sweaty shut-ins
( ) Rupert Murdoch
( ) Pron
( ) Hulu
(x) Technically illiterate politicians
( ) The tragedy of the commons
(x) Craigslist
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to visit Drudge, Slashdot and Democracy Now without seeing those Cash for Gold ads
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don’t think it would work.
(x) This is a stupid idea, and you’re a stupid person for suggesting it.
( ) Maybe you should actually visit reality every fortnight or so
Yeah, right.
RFC 3514 - The Security Flag in the IPv4 Header - aka the evil bit
I have heard much more stupid suggestions on how to improve privacy. One suggestion in the past was that websites had to offer users a way to opt out of having cookies stored on their computer. The reason that is much more stupid is that there is no other way to store information about the user opting out than by doing it through a cookie.
You could still implement it, but it wouldn't do the user any good. Once they decide to opt out, the webserver could tell the browser to delete all cookies, and they could track the fact for the duration of the http connection. Once the connection gets closed and the user sends a request on a new connection, there will be no information in the request to let the server know, that this is the user that opted out. The information that the user had opted out was in fact deleted at the user's request. Such an implementation would be stupid, but it would essentially be what would have been the outcome if previous suggestions had been implemented as suggested.
This browser header would OTOH be much more feasible to implement. Of course it isn't going to technically enforce anything. But there are enough websites that want to play by the rules, that it would still mean something.
If some browser vendors decide that it should be opt-in rather than opt-out and change the default setting in their browser, they do run the risk of making websites decide not to honor the header from those browsers.
Having the header shouldn't mean the website cannot set cookies at all. It should still be possible to set session cookies when technically required for some use case. It should also be possible to set cookies, when the user explicitly does things that would require cookies. For example if they fill in a registration form or a login dialogue, the site can set a cookie. However such a cookie should be deleted at logout time. The site should also be able to set cookies if the user decides to save preferences. But the cookie shouldn't contain any information beyond the preferences. In other words, if two users decide to set the same preferences, they should get identical cookies. And log entries on the webserver shouldn't contain any more information from the cookie than what was used to render that request. For example if the preferences contain a language setting that applies to all pages, and a display setting that only applies to a subset of the pages, then all requests could log what language the user was using, but not what the other setting was.
All of this is just for those sites that want to play by the rules. Of course there will always be sites that won't play by the rules. But that shouldn't stop us from agreeing on an improvement for those sites that will respect such a header.
Do you care about the security of your wireless mouse?
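The preference-cookie and logging rules described in the comment above, sketched as server-side logic. This is an added example, not part of the thread or of any Mozilla specification; the preference names, allowed values, page scopes and the `vid` tracking cookie are hypothetical, and the `DNT` spelling is the name the header was later given in browsers.

```python
from urllib.parse import urlencode, parse_qsl

# Hypothetical preference schema for the illustration.
ALLOWED = {"lang": {"en", "de", "fr"}, "display": {"grid", "list"}}
# Path prefix under which each preference is actually used for rendering.
SCOPE = {"lang": "/", "display": "/gallery/"}


def dnt_requested(headers):
    """True if the request carries X-Do-Not-Track: 1 (or DNT: 1)."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return lowered.get("x-do-not-track") == "1" or lowered.get("dnt") == "1"


def clean_preferences(prefs):
    """Keep only known preference names with known values."""
    return {k: v for k, v in prefs.items() if v in ALLOWED.get(k, ())}


def encode_preferences(prefs):
    """Canonical cookie value: sorted keys, nothing but the preferences,
    so two users with the same preferences get identical cookies."""
    return urlencode(sorted(clean_preferences(prefs).items()))


def decode_preferences(cookie_value):
    """Parse a preference cookie, discarding anything that is not a
    recognised preference (for example an identifier smuggled in)."""
    return clean_preferences(dict(parse_qsl(cookie_value)))


def loggable_preferences(path, prefs):
    """Only the preferences that were used to render this path."""
    return {k: v for k, v in sorted(prefs.items())
            if k in SCOPE and path.startswith(SCOPE[k])}


def handle(headers, path, cookie_value="", visitor_id=None):
    """Return (cookies_to_set, log_entry) for one request."""
    prefs = decode_preferences(cookie_value)
    log = {"path": path, **loggable_preferences(path, prefs)}
    cookies = {}
    if prefs:
        cookies["prefs"] = encode_preferences(prefs)
    # The per-visitor identifier is set and logged only when the
    # client has not asked to opt out.
    if visitor_id and not dnt_requested(headers):
        cookies["vid"] = visitor_id
        log["vid"] = visitor_id
    return cookies, log


if __name__ == "__main__":
    # Constructed request headers, modelled on the capture posted earlier.
    opt_out = {"Host": "tech.slashdot.org", "X-Do-Not-Track": "1"}
    plain = {"Host": "tech.slashdot.org"}
    cookie = "lang=en&uid=8f3a&display=grid"  # constructed cookie value
    for hdrs in (opt_out, plain):
        for path in ("/story/1", "/gallery/7"):
            print(handle(hdrs, path, cookie, visitor_id="v-123"))
```
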
Regarding all the "WON'T WORK" statements, can someone explain why this isn't already provided by the excellent Ghostery extension? For example: It's running now, set up to run without notifications and block all known bugs. To me, it's mostly invisible. Hovering on a status bar icon tells me that it's blocked Slashdot's use of Google Analytics and Doubleclick scripts.
I appreciate the effort by Mozilla to drumbeat this issue (ahem) but I'm not sure I get it.
and in related news. Changes to the IP protocol now include the evil bit. Any packet with evil intent has its evil bit set to 1 and everything else is set to 0. So to filter out bad communications just drop all packets with the evil bit set to 1.
Too easy to get around
But was a bit surprised to see this pop up as an official Google extension.: https://chrome.google.com/webstore/detail/hhnjdplhmcnkiecampfdgfjilccfpfoe
A more sensible way would be simply to distribute a cookie blacklist that can be updated e.g. once every day. No new headers and other ad hoc stuff need to be invented, no fuss made about it. Alternatively, requiring tracking cookies to adhere to a particular naming scheme (e.g. "TC:" prefix) would be as enforceable as those proposed headers and waste less bandwidth.
"I love my job, but I hate talking to people like you" (Freddie Mercury)
Effectively this proposal is not more than saying "please don't track me" and then having a law that requires websites obey the user's request. As such I'd argue it is a legislative fix and so you also need one extra item on your check list: (X) Ignores the international nature of the web.
I disable this feature in my Mozilla's SeaMonkey web browsers, but I noticed some web sites go nuts without like on CNN's polls. It's annoying! I don't like web sites stalking my browsing histories! :(
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
"desire to opt-out of third party, advertising-based tracking" - how about we skip a few words, leaving "desire to opt out of third party advertising." ?
If I'm going to use AdBlock plus cookie/flashcookie/etc skipping in any case, I won't see the ads anyway and the browser may as well broadcast it to the server and skip the downloading of ads entirely. There's also no use for them to track me, as their targeted ads are just as hidden as random untargeted ads, so no use to bother with precise targeting.
So they'll just use this as a way to advertise privacy software.
How so? How does me knowing that the model of guitar I'm looking for is available from some out-of-state dealer (who's offering free shipping, to boot!) for about 10% less than I can find it near where I live bilk me out of money?
Yes, ads are most likely to be helpful in finding the best vendor for a particular item. But how did you choose what model to buy? Ads provide less trustworthy information than editorial.
That ad is only being displayed because that vendor was the one willing to pay the most for that exposure, not because they offer the best price. A perusal of organic search results may turn up something better. There's also price comparison sites where the prominence and presence of a listing is less correlated to payment than pure advertising.
The act of advertising a service, or a product, is not intrinsically evil. And the act of connecting businesses advertising a product or service with customers who are more likely to be looking for that product or service means two things:
1) People not looking for that product or service are less likely to see those ads and have their time wasted by nonsense;
2) Advertisers have to spend less money connecting to the people who are interested in their products or services, which has a long-term effect of lowering prices through competition.
Advertising that is pushed to you is less likely to be helpful than advertising you request through search engines, deal sites, and manufacturer's websites, no matter how well-targeted they are. It's no coincidence that all these are going gangbusters, while display ads are in the doldrums, particularly due to their increasingly intrusive nature (both visually and privacy-wise).
Unfortunately this is bad news for publishers, who have relied on charging for surrounding their material with material they don't control. I think this will change, with greater use of affiliate-like systems that still allow publishers to retain editorial integrity.(Disclosure: I'm involved in one.) Publishers need to better cover the one good point that advertising provides -- discovery/awareness -- through better-compiled "what's new" and "real deal" lists.
How is it being injected into the process? In the course of doing my research, I decided to buy a particular Yamaha guitar, based on the reviews I found in several and my own experience with them.
So... I know the model I want, and now I want to look and see if I can find a good deal on it, and perhaps find people in my area who offer lessons and supplies... why wouldn't it be helpful to be able to compare prices of vendors who do business both online, and in my area? In some cases, the advertisements I've found are for businesses that I had no idea even existed, because they're miles away in towns I rarely visit - but easily found once I know they exist.
Do you think you clicked on enough ads on the review sites in order to properly compensate them for the help they gave you?
20 bytes extra added per each request will hit your upload caps faster...
Because as a younger-middleage man I really don't need tampon ads on websites, what I think would be much more useful is something like an X-Demographics header.
X-Demographic-Age: 35
X-Demographic-Location: Seattle, WA (for local ads)
X-Demographic-Interests: Programming, Games (Freeform text, for generic text searches)
X-Demographic-Sex: Male (Optionally 'Yes' if you want porn site ads)
You give out the information you're willing to give out. People can lie, not use the fields or put garbage in; but they would be blocking ads or such anyway, so no real loss.
With the frequent legal requirement to not store info on children, X-Demographic-Age: 10 should block tracking on sites that would obey a do-not-track header as well.
Ideally, with better targeted ads, they would need as many, or be as intrusive to get the same clickthrough rate.
Unlike RFC 3514, which would require being able to sniff the wire to get the private data, this new proposal from Mozilla will enable evil to remotely crawl the web, searching selectively for the data marked "private" saving much carbon emissions which otherwise would be consumed parsing irrelevant data, looking for the private data users wish to protect. This might be the stupidest thing to ever be uttered from the Mozilla team, but the competition for that award is pretty stiff. I'd need to check the records to be certain.
If you mod me down, I shall become more powerful than you could possibly imagine.
browser proposes, web server disposes