Slashdot Mirror


Do Not Track Ineffective and Dangerous, Says Researcher

Seeteufel writes "Nadim Kobeissi, security researcher, describes the Do Not Track standard of the W3C as dangerous. 'In fact, Google's search engine, as well as Microsoft's (Bing), both ignore the Do Not Track header even though both companies helped implement this feature into their web browsers. Yahoo Search also ignored Do Not Track requests. Some websites will politely inform you, however, of the fact that your Do Not Track request has been ignored, and explain that this has been done in order to preserve their advertising revenue. But not all websites, by a long shot, do this.' The revelations come as Congress and European legislators consider tightening privacy standards amid massive advertiser lobbying. 'Do not track' received strong support from the European Commission."


  1. Legislation by anthony_greer · · Score: 5, Insightful

    The days of the wild west on the net are gone...If the big boys in the industry can't get their shit together soon, we will get legislation, and that will be bad for everyone!

    Just once I wish these companies could see that it is in the best interest of everyone to keep the government out and work together to reach a policy that will be adopted as a general standard without a law mandating it...

    1. Re:Legislation by jazman_777 · · Score: 5, Informative

      Most big companies see it in their best interest to use the government to crush their competitors, all while the government gives them a free hand.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    2. Re:Legislation by Anonymous Coward · · Score: 4, Insightful

      It's 2013. Anyone who still thinks "vote with your wallet" works is a fucking idiot.

      "Vote with the ballot box" is and will always be the fairest way: one person, one vote.

      "Vote with your wallet" is similar but with the number of votes you get weighted by the size of your wallet.

      DNT fails because large corporations are a bunch of lying, two-faced bastards. Abandoning DNT is no more sensible than repealing any law or policy "because rich people don't feel like following it".

      Regulation works, except when regulatory capture happens. And regulatory capture happens when regulation is weak.

      It's time to end Free Market As Religion. The balance that was social democracy represented the pinnacle of human civilisation, and it's time that America moved forwards to pre-Reaganite progress, and Europe to pre-Thatcherite progress.

    3. Re:Legislation by Anonymous Coward · · Score: 3, Insightful

      "As you can tell by the total absence of murder now that murder is illegal."
      "As you can tell by the total absence of rape now that rape is illegal."
      "As you can tell by the total absence of theft now that theft is illegal."

      See, that sophomoric black-and-white "X is not 100% effective therefore it is 0% effective" argument is shit. And it always will be shit.

      As for spam:
      1) There would be way more spam if spam were entirely legal;
      2) Anyway, spam is very poorly regulated, thanks partly to regulatory capture: i) there are too many exceptions; ii) the deterrents are weak; and iii) enforcement of anti-spam legislation is lackadaisical.

      You start chasing down all major spammers with jailtime and a 0% tolerance policy and watch the amount of spam plummet.

    4. Re:Legislation by epyT-R · · Score: 2

      Oppression is oppression, whether it's corporatocratic tyranny, or abuse by ivy league lawyers in governments who think what's best for them is best for everyone else...Oh wait, both have basically the same attitude. The real fun begins when each side helps the other out, as is happening more and more these days.

    5. Re:Legislation by epyT-R · · Score: 2

      "Vote with the ballot box" is and will always be the fairest way: one person, one vote.

      hahahaha..hah.. ha.... You say wallet-voting fails then defend voting? What planet are you from? Neither works in systems where consensus and feelings matter more than truth and facts. It's hard to manipulate people who stick with the latter two, leaving corporates and government without much power, thus they work to maintain an impulsive, emotional buyer/voter base..

      DNT fails because it leaves the fox guarding the henhouse.. The only way to get rid of web tracking is to kill the scriptable browser.

    6. Re:Legislation by epyT-R · · Score: 2

      Spam isn't much of a problem because of reasonably good technical solutions, not because of law written by ivy league lawyer techno-weenies who think they know what it is they do to/for the rest of us.

    7. Re:Legislation by Opportunist · · Score: 2

      The big boys in the industry ARE getting their shit together. That is exactly WHY we get legislation.

      What did you expect, invention? Lobbying is where you spend your money these days as a company, not innovation. It's not the better product that makes the race, it's the better lobbying.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:Legislation by hairyfeet · · Score: 3, Informative

      I hate to break the news to ya sparky but in case you ain't kept up on current events the courts ruled "money equals speech" so your ballot box is worth jack and squat.

      You honestly think the best candidates anybody could come up with were Obama and Romney? Even though I don't believe in libertarianism you might want to look up "Jon Stewart Ron Paul" to see how badly the media is rigged, they treated Paul as "he who shall not be named" and the video ends with a reporter talking to an anchor and the reporter says "Here we are talking about Palin and Christie, who aren't even running, and not saying anything about Paul who is doing good in the polls here" and the anchor gets a douchebag smirk and says "if you get any footage of Christie or Palin send it in, you can keep the Paul stuff"

      And THAT, that right there, is why your vote isn't worth used toilet paper. The media chooses which two shills you get, it's Coke in a can VS Coke in a bottle, because only pre-bought shills need apply. If you think voting would ever do anything ask yourself these questions: How many protested against the wars? How many sat out there in the cold during occupy? Think those people don't vote? Of course they do but when your choice is Coke in a can VS in a bottle it don't really matter who you choose, it's just different corporate masters. Obama is owned by the media cartels and his VP is the biggest media shill in DC, Romney was owned by Wall Street, 6 of one, half dozen of the other, either way you are fucked.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. meanwhile... by Anonymous Coward · · Score: 2, Interesting

    Many of us here have been saying DNT is a bad idea since it first appeared (and often, on slashdot, we've been downmodded for it). The right way to do this is NOT to depend on the good will of the remote side. Even if you passed laws that demand compliance, the data collection will just move out of the jurisdiction of those laws, and anyway, the companies involved will buy themselves exceptions and find creative loopholes. You can't win, that way.

    You CAN avoid giving them much data in the first place. You don't have to load their web bugs, their trackers, accept their cookies, or flash objects, and you can obscure your user agent string, and if you're really paranoid, even your IP address. Don't give them the data, and they can't track you with it, or at least, can't tie it to any real world identity.

    And it goes without saying, don't use bloody Facebook.

    1. Re:meanwhile... by Anonymous Coward · · Score: 4, Insightful

      Someone will say, "I shouldn't have to do that!", and they're right, they shouldn't. But the simple reality is that you do have to do all that, and some others in that ilk (only whitelist javascripts you trust). It's your computer which loads those trackers. You are free to tell it not to do that, but don't fool yourself into thinking businesses built around tracking your every move will ever have your best interests at heart.

  3. Poisoning the well by morcego · · Score: 5, Insightful

    For a long time, advertisement didn't bother me. I refused to use ad blocking addons, and considered ads just part of a trade. Sites give me content, I look at the ads.

    Then came pop-ups. Pop-unders. Flash ads. Ads with music. Ads that would make my cockatiel go into convulsion, and start to drool and chase the neighbor's cat. And I have to tell you, my neighbor really loves her cat. And being chased by a drooling cockatiel will really humiliate a cat, and all dogs will start making fun of it. Not an ideal situation.

    So, back to the issue at hand. What MOST sites did was poison the well: no one can drink from it. It got so bad that I eventually had to start using ad blocking addons.

    Now people want to implement VOLUNTARY sensitive advertisement and privacy practices. Obviously, they are trying to convince people we no longer need our ad blocking addons. By saying they will do something that is exactly the opposite of what they have done so far, ostensibly.

    Sure, some sites will do the would Do Not Track dance. But those are the same sites that already respect our privacy and my neighbor's cat. Exactly the ones that don't need it.

    The ones that need it the most, will just ignore it.

    Fun, isn't it?

    Fuck Do Not Track. I will keep my Javascript and Ad blocking addons.

    --
    morcego
    1. Re:Poisoning the well by bmo · · Score: 5, Insightful

      Then came pop-ups. Pop-unders. Flash ads. Ads with music. Ads that would make my cockatiel go into convulsion, and start to drool and chase the neighbor's cat. And I have to tell you, my neighbor really loves her cat. And being chased by a drooling cockatiel will really humiliate a cat, and all dogs will start making fun of it. Not an ideal situation.

      What you left out of that extensive list was malware served up through ad networks. It's not enough to go to "trusted sites" but you have to trust their ad servers too. On one site I still frequent, there was an ad serving up malware for an exploit in Windows. They have since clamped down on who their ad server is, but after that people installed adblock plus as a security measure.

      --
      BMO

    2. Re:Poisoning the well by mister_playboy · · Score: 3, Funny

      My filesystem is case-sensitive, you insensitive clod.

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    3. Re:Poisoning the well by Anonymous Coward · · Score: 2, Informative

      You might want to think a bit more about the meaning of the word signature.

  4. Most advertisers are still stuck in the 1970's. by Andy+Prough · · Score: 3, Insightful

    They still act like there are just 3 network TV stations, and that if they write a witty line in an ad, 50 million people will see it and go buy their crap. Like "Think Mink", or "Got Milk?". They still think they can bombard the public's eyeballs with ads and force us to robotically buy whatever they are selling. "Do Not Track" isn't even a speed-bump for these geniuses.

    1. Re:Most advertisers are still stuck in the 1970's. by alvinrod · · Score: 3, Interesting

      It still works on some level though, otherwise they wouldn't bother doing it. Same reason there's still loads of spam. You don't need 50 million people to buy what you're selling. Just over the cost is fine, and anything beyond that is gravy. The market is relatively free, so it's going to tend towards equilibrium. So barring any external forces (e.g. government regulations) or some other massive change in the market, advertising isn't going to go away. At least there're things like ad block on the internet. Prior to DVRs there wasn't a good way to get around advertising on TV or the radio. Even if you left the room while it was on, it still ate into the program schedule. Even if you don't block ads on the web, they're by and large less obtrusive than what we had before.

  5. Not a technical solution by Anonymous Coward · · Score: 3, Insightful

    The poster asserts that DNT is a (not very good) technical solution to a technical problem, and proposes other technical solutions.

    The problem is that DNT is neither a technical solution, nor is it trying to solve a technical problem.

    DNT is the first step in a legal solution to a social problem.

    You may argue whether legal or technical solutions (or both, or neither) are more effective against this social problem. However, put DNT into the right bucket first!

  6. "Good will" by stafil · · Score: 3, Interesting

    Anything that leaves your privacy on the "good will" of the companies is inefficient to protect my privacy.

    If I do want to protect it, I'll use tools like Ghostery and DNT+ where I can choose *myself* what info I send, and not rely on them honoring the DNT.

    I know I will be flagged "flame" but honestly the DNT looks a lot like the "evil bit" to me.

  7. evil bit by shentino · · Score: 4, Funny

    Next up, being unarmed and begging pretty please shown not to prevent robberies.

    This is just like the evil bit. Anything requiring cooperation from assholes is doomed to failure.

  8. Google, MS etc. do not ignore DNT by ark1 · · Score: 4, Insightful

    They use it as yet another indicator of your personality to better target ads.

  9. Use Ghostery by Sarusa · · Score: 2

    Relying on the people who want to track you to honor your "Please don't" request is just guaranteeing disappointment.

    Now there are plenty of ways you can clamp down on the tracking and cross-site leakage, from NoScript to RefControl, but the single easiest cross-browser cross-platform way to do it is Ghostery: https://www.ghostery.com/

    Most importantly, unlike the other methods (NoScript in particular) it only very rarely breaks a page. So it's just set up and forget.

    I'm sure it's not as effective as some other tactics, but the 'works on everything' and 'just works' is really key to just using it all the time everywhere.

  10. No kidding by Sycraft-fu · · Score: 5, Insightful

    Advertisers need to STFU as they are the reason all this happened. Most people really don't mind non-invasive ads that much. They'll let them happen and likely not even complain. However the advertisers seem to think that more obnoxious, more invasive, etc is the way to get attention. Eventually, it pushes people over the edge and they will block it.

    Happened to me. I was fine with ads, I understand the need. However I really hated popups. No problem, popup blocker. Then came the fucking flash ads, ok fine so a flash blocker with click to play for the stuff I want. Then, HTML 5 ads that take over a page. Ok, fuck you, all ads are blocked, I've had enough.

    Happens with more people I know too. They'll ask me if there's a way to deal with it and I'll point them to Adblock.

    Advertisers really need to understand that if you don't want your market to go away, you have to stop being dicks about it. Keep the ads low key and not fraudulent, and people will probably be ok with it by and large. Some won't, but most won't mind, at least not enough to do something. However the more invasive you are, the more people will block it out.

    1. Re:No kidding by Omestes · · Score: 2

      And if they aren't worth my money... I don't care. I don't need your content. Mostly I don't care about it, it is a distraction, nothing more. Perhaps a pleasurable one, but no more pleasurable than my hobbies, books, or friends. Something will fill the gap, we lived for hundreds of thousands of years without your blog, and we can live a couple hundred thousand more without it again.

        Adapt or die. And the second you try to exploit me, is the second where I stop giving a shit about exploiting you.

      I will ad block, and if they die ask me for actual money. If I don't pay, it tells you what I think you're worth. There is no right to profit.

      Further, you almost run into the RIAA fallacy. If no one paid, people would still make content. People always make content, it is what we do. I post reams of shit online (art, text, etc...) and will never get paid a cent for it. So do millions of other people. Sure, the volume will go down, but who's to say that the shit/quality ratio won't improve?

      --
      A patriot must always be ready to defend his country against his government. -edward abbey
    2. Re:No kidding by azalin · · Score: 3, Informative

      There is an "allow unobtrusive ads" feature in ABP which might provide a solution to this dilemma. It provides reasons and rewards for playing nice. Should this idea take hold in a big way (yeah, the day pigs learn to fly) companies might actually choose the static, boring but seen by everyone ad over the fancy, super tracking, animated attention whore ad seen only by the few slobs who don't have blocking yet.
      Of course the whole thing will be gamed and I have no idea if it will ever take off.

    3. Re:No kidding by Tom · · Score: 2

      Advertisers need to STFU as they are the reason all this happened.

      +100

      Anyone who listens to the people who brought all this about is either stupid or corrupt or both. The entire discussion should happen with the advertisers excluded.

      I want DNT. I want it to be enabled by default on all browsers. And I want ignoring DNT to carry a fine large enough that intentionally doing it large-scale will bankrupt your company. And I want that kind of intentionally ignoring it to carry criminal penalties for the C-level executives.

      Because that's the only way short of shooting them that they'll learn to behave like responsible members of a community instead of psychopathic parasites.

      --
      Assorted stuff I do sometimes: Lemuria.org
  11. trivial, 99% effective fix by bcrowell · · Score: 2

    There is a trivial, 99% effective fix for this problem. In firefox, go to Edit:Preferences:Privacy and tell it to forget all cookies when you end a browser session. There is also a facility for whitelisting cookies from certain sites so that, for example, you don't have to log in to slashdot every time. Cookies from the whitelisted sites are remembered across browser sessions.

    1. Re:trivial, 99% effective fix by dririan · · Score: 3, Informative

      They can still track by IP address and your browser fingerprint. Browser fingerprinting can be defeated, though current browsers don't seem to want to help make it easier to do so.

      AC is right. Deleting cookies at the end of each session may help a bit, but there are still plenty of ways to identify you especially if you include your IP address (but that's not always reliable).

      I'm not sure what we'll do when IPv6 rolls around and every device has a unique address. Either you go back to NAT and share addresses, which is not completely effective due to fingerprinting, or you change your address every few hours or days. Either solution defeats the purpose of IPv6.

      There's already a solution for that. Use the randomly-generated address for normal things, but use your static address for servers and the like. IPv6 privacy extensions are supported on Windows, Mac, and Linux.

  12. Re:Killer 'Do Not Track' App? by alostpacket · · Score: 3, Informative

    Interesting, but I am pretty sure DNT was Mozilla's Idea. And frankly, it always seemed like a waste of time. Given all the ways that one can be tracked though, a technical solution seems difficult as well.

    - Cookies
    - JavaScript
    - tracking pixels
    - HTML local DBs
    - Flash objects
    - fonts
    - screen size/colors
    - plugin config/versions
    - User agent
    - IP address
    - and now.... "DNT" toggle...

    It almost seems as if the only way to keep from being tracked is via the TOR browser incognito mode in a freshly wiped VM or something. I honestly wonder if the 'net needs to move more towards mesh/tor/ad-hoc networking. Basically if the "darknet" should be the "mainnet".

    Anyways, some info:

    EFF tool to see how well you can be tracked (fingerprinted)
    https://panopticlick.eff.org/index.php?action=log

    NAI (Network Advertising Initiative)
    Tracking opt out of 99 of some of the largest ad networks, including Google and MS (but guess who isn't there?)
    http://www.networkadvertising.org/choices/

    Apple iAd opt out
    http://support.apple.com/kb/HT4228

    --
    PocketPermissions Android Permission Guide
  13. It's not about whether the site honors it or not by Todd+Knarr · · Score: 3, Interesting

    For me, I don't care whether the site honors that header or not. If they're going to abuse tracking, they're not likely to suddenly come over all ethical and change their servers to not track. What the DNT header does is give a standard, recognized signal present in every single browser request that I do not consent to tracking. It's like the fence with the locked gates and "Private Property - No Trespassing" signs around a property: it's not going to keep trespassers out, but it's a clear and more importantly legally-recognized demarcation. If they jump over the fence onto my land and get in trouble because of being there, the court's going to look at the fact the land was clearly posted and tell them "Sorry, we don't accept your claim that you didn't know it was private property.". With the DNT header, no Web site can claim they didn't know I didn't consent to tracking. They can't claim implicit consent, because there's explicit non-consent in the very request they serviced. And this is why the advertisers are making such a play to get the DNT header dismissed and abandoned. Up to now they've taken the position of "You must consent as a condition of access, you accessed so we can assume your consent.". As long as there's no standard way of saying "I do not consent.", they can get away with that. But with a standard DNT header they can't argue that it's infeasible to check every possible way of not consenting. There's just one, and it's not ambiguous. The counter-argument of "If they don't want to allow access to those who don't consent, why did they not simply return an HTTP error when they saw the DNT header?" becomes rather more convincing.

    The secret the advertisers don't want to state up front is that they don't want to require consent to tracking. They just want to track everybody whether they consent or not. Anything that provides a clear, unambiguous message to them about consent or lack thereof is a threat to that position, because it makes it harder for them to argue a basis for their assuming consent.

    And a message to every Web-site and ad-network operator out there: if you're serious, stop whining and configure your servers to return 403 Forbidden to every request with the DNT header set. It's not that hard.
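
Added example, not part of the thread and not any poster's code: a small WSGI middleware showing the two server-side answers to `DNT: 1` that the comment above contrasts, either honoring it (no identifier read or set, `Tk: N` tracking-status header from the W3C Tracking Preference Expression draft) or refusing service with 403 Forbidden. The cookie name `uid`, the `tracking.id` environ key, the policy names and the demo app are assumptions made for illustration.

```python
import uuid
from http.cookies import SimpleCookie

HONOR, REFUSE = "honor", "refuse"   # hypothetical policy names
COOKIE = "uid"                      # hypothetical tracking-cookie name


def dnt_preference(environ):
    """True = user opted out (DNT: 1), False = DNT: 0, None = no valid signal."""
    raw = (environ.get("HTTP_DNT") or "").strip()
    return {"1": True, "0": False}.get(raw)


class DNTMiddleware:
    """Wraps a WSGI app; exposes environ['tracking.id'] (None when not tracking)."""

    def __init__(self, app, policy=HONOR):
        if policy not in (HONOR, REFUSE):
            raise ValueError("unknown policy: %r" % policy)
        self.app, self.policy = app, policy

    def __call__(self, environ, start_response):
        opted_out = dnt_preference(environ) is True
        if opted_out and self.policy == REFUSE:
            body = b"This site requires consent to tracking; DNT: 1 was sent.\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
                ("Vary", "DNT"),            # caches must not reuse this for others
            ])
            return [body]

        jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        old_id = jar[COOKIE].value if COOKIE in jar else None
        extra = [("Vary", "DNT")]
        if opted_out:
            environ["tracking.id"] = None   # do not pass the old identifier on
            extra.append(("Tk", "N"))       # TPE tracking status: not tracking
            if old_id is not None:          # expire an identifier set earlier
                extra.append(("Set-Cookie", COOKIE + "=; Max-Age=0; Path=/"))
        else:
            environ["tracking.id"] = old_id or uuid.uuid4().hex
            extra.append(("Tk", "T"))       # TPE tracking status: tracking
            if old_id is None:
                extra.append(("Set-Cookie", "%s=%s; Max-Age=31536000; Path=/; "
                              "Secure; HttpOnly; SameSite=Lax"
                              % (COOKIE, environ["tracking.id"])))

        def _start(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)

        return self.app(environ, _start)


def demo_app(environ, start_response):
    """Constructed inner app: reports whether the request is being tracked."""
    body = ("tracked=%s\n" % (environ["tracking.id"] is not None)).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def simulate(app, request_headers):
    """Run one constructed request through a WSGI app; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    for name, value in request_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

`Vary: DNT` is sent on every response so that a shared cache cannot hand the tracked variant to a client that opted out.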

  14. Re:It's not about whether the site honors it or no by Opportunist · · Score: 2

    Hmm... if someone comes illegally onto my property after I clearly marked it, I may shoot him in defense. Say... does that work on that DNT too?

    Please, oh please say yes...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. Well, now I'm beginning to question the efficacy by Rogerborg · · Score: 2

    Of my "Please Do Not Mug" t-shirt.

    --
    If you were blocking sigs, you wouldn't have to read this.
  16. Actually by dutchwhizzman · · Score: 2

    Actually legislation helps a lot. By outlawing spam you have over 99% of companies in countries that have outlawed it not sending spam any more. By outlawing spam, ISPs get a legal reason to filter spam. There have been lawsuits against ISPs in the past from companies claiming large losses due to ISPs filtering their spam and the spam thus not reaching the ISPs' subscribers. Yes, even though it's illegal in quite a few countries, it still happens. However, it's substantially less and legislation has helped the technical solutions to stay in place. Both have to work together in this case. The same should apply to privacy laws. If a certain company refuses to obey a country's privacy laws, it should be taken to court and fined so hard that any profit they might have gained will be taken from them plus an extra amount to make sure they or others will never try to do this again. Technical ways to stop tracking people are very hard to implement and the only real solution is to not visit web sites that track you any more. Either that, or have proper legislation in place and active prosecution of companies not following the rules.

    --
    I was promised a flying car. Where is my flying car?