Slashdot Mirror
Mozilla Proposes 'Do Not Track' HTTP Header
MozTrack writes "The emergence of data mining by third party advertisers has caused a national debate from privacy experts, lawmakers and browser supporters. Mozilla's Firefox, a popular browser company, has proposed a new feature that will prevent people's personal information from getting mined and sold for advertising. The feature would allow users to set a browser preference that will broadcast their desire to opt-out of third party, advertising-based tracking. It would do this via a 'Do Not Track' HTTP header with every click or page view in Firefox."
Advertisers and tracking services will fight this to the bitter end.
Athiesm is a religion like not collecting stamps is a hobby.
"Mozilla's Firefox, a popular browser company"
What would be the point. It isn't enforceable and even if laws were passed, you can circumvent it by tracking from an offshore server.
I am becoming gerund, destroyer of verbs.
The problem is that sites would be justified (imo) to then not offer you service based on this.
“We support this site with ad revenue. Tracking is part of that. No Tracking, no service”.
This is fine really. People aren’t entitled to web content. In many cases your privacy is what you are trading for it, and you should be made aware of this and have the option to decline. This kind of header (and possibly others like it) would let you specify in what you are ok with, and let a site then decide whether it’s enough to grant you access.
The problem is that people don’t like this... they want the privacy _and_ the content.. so people would probably just go back to using ad-blockers and cookie deleters as soon as they start getting rejected access messages.
Of course the opposite could happen as well. Web traffic could plummet as everyone enables the feature.. causing a site owner to re-think whether web tracking makes sense for them.
Personally I don’t mind being tracked. Somewhere out there, someone has a very detailed profile of what makes me tick.. and really it’s not doing me much harm that I can see. I read an article about raising my new pet dog and I every other ad I see for the next 2 weeks is about obedience training.. creepy but doesn’t hurt me. This is a personal decision however, and I think people do have the right to be paranoid about their data and should have the option to opt out.
Confident, even!
Living With a Nerd
Basic idea seems the same, right? http://www.faqs.org/rfcs/rfc3514.html
All this will do is provide another data point for marketers.
Proud member of the Weirdo-American community.
This will obviously be just as effective as the IP header evil bit proposed in RFC 3514!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
The "don't tase me bro" kid got tased anyway.
Mozilla's Firefox, a popular browser company
...Do I even need to say what is so wrong with this?
Eh, I will anyways:
Given how popular Google and Wikipedia are these days, mess-ups like this should have completely vanished by now.
"Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
They've already developed a "DO NOT TRACK" bit, but you might have missed it because it's labeled different: it's called "DO NOT VISIT."
Why do people get so fundamentally stupid about the web in particular? If, for example, every store you visit tracked your comings & goings and your purchase history, would you still scream bloody murder? NO, because they all already do this and nobody seems to give a rat's ass. But on the Big, Scary Internet the rules are somehow all different.
Using Firefox + Adblock Plus + NoScript:
No. Time Source Destination Protocol Info /story/11/01/24/1657252/Mozilla-Proposes-Do-Not-Track-HTTP-Header HTTP/1.1
27 3.918190 10.4.12.92 216.34.181.48 HTTP GET
Frame 27 (582 bytes on wire, 582 bytes captured) /story/11/01/24/1657252/Mozilla-Proposes-Do-Not-Track-HTTP-Header HTTP/1.1\r\n
Linux cooked capture
Internet Protocol, Src: 10.4.12.92 (10.4.12.92), Dst: 216.34.181.48 (216.34.181.48)
Transmission Control Protocol, Src Port: 34619 (34619), Dst Port: http (80), Seq: 1, Ack: 1, Len: 514
Hypertext Transfer Protocol
GET
Host: tech.slashdot.org\r\n
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Fedora Firefox/3.6.12\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-us,en;q=0.5\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
Keep-Alive: 115\r\n
X-Do-Not-Track: 1\r\n
Referer: http://slashdot.org/\r\n
Connection: keep-alive\r\n
Cache-Control: max-age=0\r\n
\r\n
Oh and Slashdot, how the heck am I supposed to post on your system when I'm behind my ISP's NAT and someone else has already beat me to it?
Banu
It doesn't have to be 100% effective. The biggest trackers are Google and Facebook. They are large companies that need to comply with the law and with standards.
Obviously something like this is useless if even Facebook ignores it but otherwise it would be quite a handy supplement to my array of NoScript/Adblock+/Ghostery. Sure, many smaller, less reputable companies will ignore it but when it comes to tracking, size matters.
Advertisers and tracking services will fight this to the bitter end.
Google, as well as other major online ad and tracking services, already support "Do Not Track" mechanisms with similar functionality.
With a penalty behind it (a la Do Not Call) it could work, otherwise it's about as effective as the TCP packet evil bit.
Personally I would encourage people to proactively block advertisers using existing tools such as AdBlock and NoScript. That way you don't have to trust the advertisers not to track you.
This is a great idea. Other posters are right that website operators won't be technically forced to respect the Do Not Track request, but this is a political solution, not a technical solution, and politics is how this needs to be resolved.
Currently, users have no voice. They can't tell websites not to track them except by cumbersome means such as sending emails to the operators. Even then, it's only one email from one user. Website operators can assume that there's no desire for privacy -- in fact it's something they publicly argue.
But clicking the DNT checkbox is much easier. Now the websites are confronted with millions of users, maybe hundreds of millions, requesting 'Do Not Track me'. Ignoring their reasonable requests would be bad for business, for reputation, and most importantly, for politics. If the websites don't comply to a reasonable request from a large number of their constituents, legislators will pass laws to force them. If most websites do comply, then the few who don't will be the odd ones out and face even greater risks to their business.
Just as importantly, DNT raises awareness. I know of few typical end users who are aware of tracking or understand its importance and implications. DNT will at least make them aware that tracking is an issue and that it's important enough that somebody with authority someplace thought they should be able to opt out of it.
(I don't think there's a technical solution to tracking. The value of tracking the (1 billion?) people on the web is great enough that any security measure will be overcome.)
I would like to restore the privacy options we already had, that have been eroded:
- Stop browsers from accepting 3rd-party cookies by default (I'm looking at YOU Firefox!)
- Clear cookies daily. This used to be a Firefox option, now unavailable. If logging in once a day is too often, you misunderstand the concept of "password"
- Any plug-ins need to follow these same rules. Ex: Flash "cookies"
Like Microsoft last month, and other browser makers soon to follow, Mozilla is only doing this so that the FTC doesn't force them to. The FTC proposed this and essentially said to everyone "Do this on your own or we'll write a spec for it and you won't like it."
While the 'Do Not Call List' has not been 100% effective, it had turned the tide dramatically. The number of telemarketing calls I get went from 2-3 every day before the list was implemented to 2-3 per month after. That's not bad. Of course, that is not counting the political spam that got a free pass on the 'Do Not Call List'.
As much as people here on Slashdot like to complain that this flag would do no good, and point to the 'evil bit' proposal as a joke, they seem to forget the robots.txt that seems to have been pretty darn effective. Specifically telling sites that you do not agree to be tracked sets a non-legal boundary to start a discussion. Illegal is not the same as evil. It is perfectly acceptable to avoid businesses because of evil behavior. Right now, you can't really get a consensus on tracking being evil. Most people would be able to agree that tracking someone when they explicitly requested not to be tracked is evil. While being directly and demonstrably linked to a specific evil act might not matter to the small website, bigger sites might find it less appealing. If, and this is a big 'if', ad revenue drops more from bad publicity for tracking than it does from using non-tracking advertising, larger sites might choose to use the non-tracking version.
There seems to be a weird myth on the internet that one must track to advertise, even though TV, magazines, billboards, etc, etc... have been advertising for generations without tracking. Somehow, even people that should know better have fallen for the "it's totally different because it's ON A COMPUTER" when it comes to ads.
99.999999%? I didn't realize there were less than a hundred people that cared. It'd be nice if this vocal minority would calm down, and let the rest of us rest our ears a while.
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) crowd-sourced
approach to preventing users from being tracked. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which will vary from state to state and country to country)
(x) It does not provide an adequate method of enforcement
( ) Nobody will spend eight months sitting in dull planning meetings to do it
( ) No one will be able to find the guy
(x) It is defenseless against rogue websites
(x) It tries to stop a fundamentally broken cookie model
(x) Users of the web will not put up with it
( ) The government will not put up with it
(x) Advertisers will not put up with it
( ) Requires too much cooperation from unwilling sources
(x) Requires immediate total cooperation from everybody at once
( ) Many advertisers cannot afford to lose what little business they have left
( ) Anyone could anonymously destroy anyone else's career or business
( ) Users are too stupid to know they're being tracked anyway
Specifically, your plan fails to account for
(x) Browsers' unwillingness to change to suit something that will be circumvented in days
( ) The existence of programmers for hire
(x) The W3C
( ) Sources' proven unwillingness to "go direct"
( ) The difficulty of changing all those websites
( ) How few people actually care
(x) The vast majority of "programmers" are unable to even code in semantically-correct HTML
( ) Unpopularity of weird new headers
(x) Unstoppable moneyed Kung-Fu
( ) Legal liability of vigilante sites
( ) The training required to be even an craptaculous web monkey
(x) Users hate pop-ups
( ) The necessity of ignoring laws from other countries
(x) Americans' huge distrust of anyone not from their country/state/city/block
( ) Reluctance of governments and corporations to be held to account by two guys with a blog
( ) Inability of random people on the internets to demand anything
( ) How easy it is for corporations to manipulate unemployed sweaty shut-ins
( ) Rupert Murdoch
( ) Pron
( ) Hulu
(x) Technically illiterate politicians
( ) The tragedy of the commons
(x) Craigslist
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to visit Drudge, Slashdot and Democracy Now without seeing those Cash for Gold ads
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don’t think it would work.
(x) This is a stupid idea, and you’re a stupid person for suggesting it.
( ) Maybe you should actually visit reality every fortnight or so
Yeah, right.