Yahoo Stops Honoring 'Do-Not-Track' Settings

An anonymous reader writes "When web browsers started implementing 'do-not-track' settings, Yahoo got some respect for being the first of the huge tech companies to honor those settings. Unfortunately, that respect has now gone out the door. As of this week, Yahoo will no longer alter their data collection if a user doesn't want to be tracked. They say there are two reasons for this. First, they want to provide a personalized web-browsing experience, which isn't possible using do-not-track. Second, they don't think do-not-track is viable. They say, '[W]e've been at the heart of conversations surrounding how to develop the most user-friendly standard. However, we have yet to see a single standard emerge that is effective, easy to use and has been adopted by the broader tech industry.' It looks like this is another blow to privacy on the web."

Yahoo, kill yourself!

Horrible decision, a standard isn't being honored "EVERYWHERE" so you decide to undermine it entirely without replacement? What's the REAL reason, money?

Sell your assets and gtfo!

Re:Yahoo, kill yourself!

[joe_frisch]

Google and Yahoo make money by selling information that they collect from users. Microsoft makes money by selling software. The typical person is a Microsoft customer, but a Google / Yahoo product.

Re: Yahoo, kill yourself!

[Scowler]

Maybe they see the irony in maintaining a list of people who don't want to be tracked.

Re:Yahoo, kill yourself!

[nmb3000]

Horrible decision, a standard isn't being honored ANYWHERE so you decide to undermine it entirely without replacement?

FTFY.

The simple fact is that Do-Not-Track was a damned bogus idea from the outset. Saying to the massive web of advertising conglamorates and third parties -- all of which make more money the more they can identify you down to an individual -- "Won't you kindly not track me? That would just be great, thanks" is akin to asking the mob nicely not to burn your place down when you refuse to pay protection money, or calling up the NSA and asking them nicely to stop spying on your personal affairs.

If you don't want to be tracked, you need to take steps to make it happen yourself. The tools are there -- use them. If enough people start blocking all forms of advertising, perhaps the intrusiveness and privacy violation will recede. Or maybe the entire advertising industry will collapse (one can always dream).

Re:Yahoo, kill yourself!

[rudy_wayne]

Horrible decision, a standard isn't being honored "EVERYWHERE" so you decide to undermine it entirely without replacement? What's the REAL reason, money?

Sell your assets and gtfo!

As far as I know Google doesn't honor it either on their services, but Microsoft do, which is an interesting situation

That's because Microsoft, despite whatever flaws they may have, makes all their money selling actual products -- Windows, Office, Games for Xbox, etc.......

Companies like Google and Yahoo, on the other hand, have no actual products. Their revenue depends entirely on advertising. YOU are the product and you are being sold to advertisers.

Nothing surprising at all about Google and Yahoo not honoring Do Not Track.

Re:Yahoo, kill yourself!

[ShanghaiBill]

Google and Yahoo make money by selling information that they collect from users. Microsoft makes money by selling software.

Microsoft is losing the battle for online advertising, so they are instead trying to poison the market. In MSIE 10 and 11, the "do not track" is on by default, which means the user never actually made a decision to set it. Microsoft's original plan was to diminish the ability of ad agencies like Google to collect information. But instead, they gave those agencies an excuse to ignore the setting, since no human made a decision to set it. Some more ethical ad agencies check the browser ID and only ignore the setting if it is MSIE. Unfortunately, ethics and advertising seldom go together.

Re: Yahoo, kill yourself!

[rudy_wayne]

That's not how it works, it's not a list unless they make a list. Not to mention they championed the idea and were early adopters.

Yahoo pretended to support Do Not Track only because they figured anyone stupid enough to actually use Yahoo for anything was too stupid to figure out how to turn it on.

Then Microsoft made it on by default in Internet Explorer, still the most widely used browser and probably used by 98% of the people stupid enough to use Yahoo for anything. All of a sudden, Yahoo didn't think Do Not Track was such a good idea any more.

Re: Yahoo, kill yourself!

[TangoMargarine]

Internet Explorer, still the most widely used browser

No.

http://en.wikipedia.org/wiki/I...

Re:Yahoo, kill yourself!

[CreatureComfort]

So you are arguing that privacy/security on by default is a bad thing?

Re:Yahoo, kill yourself!

[Bengie]

I agree, asking a remote server to not record the data you send it means you trust the server. If you do not trust it, then either to not use it or do not send it they data you're sending it.

Re:Yahoo, kill yourself!

Not really. What you're thinking of as a 'product' is more accurately described as 'bait'. Calling it a 'product' is akin to calling a fisher's lure or net the product, rather than calling the *fish* the product.

Re:Yahoo, kill yourself!

[B33rNinj4]

Mayer needs new drapes for her conference room.

Re: Yahoo, kill yourself!

When the privacy/security decision is left up to the advertiser, it isn't a viable solution, and is deeply flawed. The DNT header gives additional information for which your identity can be singled out with..

Re:Yahoo, kill yourself!

[joe_frisch]

Part of the problem is what I believe to be a flawed business model for marketers. They feel that they need to somehow "steal" people's information and use it to "force" adds on them. The phrase "targeted" adds suggests a hostile approach. My impression is that most people want to see informative adds for products that they might buy. If it were easy for customers to craft their on online profiles so that they would see adds of interest to them, advertisers would be able to directly provide relevant information.

Right now I'm not in the market for a car - all the adds in the world won't do any good. In a few years when I am ready to buy, I will want to see information on the types of cars that I might consider buying. The way things are set up now, immediately after I buy a car I will be flooded with car adds - despite the fact that a recent purchases is the least likely to buy again.

Re: Yahoo, kill yourself!

When the privacy/security decision is left up to the advertiser, it is deeply flawed and an unfeasible solution. Additionally the DNT header grants the tracker additional entropy for which your identity can be singled out with.

It was a really silly idea, nobody really expected these guys would honer this, even if it did have legislative backing.

Re:Yahoo, kill yourself!

[Monoman]

Privacy/Security != Anonymity

There are subtle differences depending on the interpretations.

Re:Yahoo, kill yourself!

[ShanghaiBill]

So you are arguing that privacy/security on by default is a bad thing?

Yes. Because, in practice, having "do not track" on by default, is the same as not having it at all.

Re:Yahoo, kill yourself!

[tokencode]

They're trying too, they're just not really good at anything though so it may take a long time...

Re:Yahoo, kill yourself!

[sjames]

Defaults should represent a best guess as to what most people will want. For once, for whatever reason, I'd say MS got it right.

If the ad agencies don't believe that to be the will of the users, they are deluding themselves. Nobody likes to be stalked.

Re:Yahoo, kill yourself!

[Ash-Fox]

Horrible decision, a standard isn't being honored "EVERYWHERE" so you decide to undermine it entirely without replacement? What's the REAL reason, money?

The standard approach is not to honour it.

Re: Yahoo, kill yourself!

[ShanghaiBill]

It was a really silly idea, nobody really expected these guys would honer this

Except that they were honoring it, before Microsoft poisoned the well.

... even if it did have legislative backing.

The laws/regulations required them to honor "user requests" not "browser settings". Once the browser setting is on by default, it no longer indicates a "user request" and there is no legal requirement to honor it.

Re:Yahoo, kill yourself!

[sjames]

Only given unethical scumbag advertisers (which makes any sort of honor system non-viable). Very few people want to be tracked by strangers. I would guess there are more people who want to be whipped until they bleed.

Re:Yahoo, kill yourself!

[ShanghaiBill]

Very few people want to be tracked by strangers.

If you ask "Do you want to be tracked by strangers?", then of course nearly everyone will say "no".

If you ask "Do you want web services personalized to your needs and preferences?", most people will say "yes".

Re:Yahoo, kill yourself!

[sjames]

Then it's up to the advertisers to come up with a way to personalize ads without being able to track the users. It can be done.

Re: Yahoo, kill yourself!

[DarwinSurvivor]

Next time, try reading the next 10 words.

Re: Yahoo, kill yourself!

[TangoMargarine]

(still the most widely used browser) and (probably used by 98% of the people stupid enough to use Yahoo for anything)

are two different clauses. If they weren't, he would have said:

still the browser most widely used by 98% of the people stupid enough to use Yahoo for anything

Re: Yahoo, kill yourself!

[Somebody+Is+Using+My]

"On by default" is not an entirely accurate description. When you first run a version of Internet Explorer that supports DNT (IE8), or Windows 7 or 8, you are presented with several configurable options, one of which asks if you want to allow tracking by advertisers. While the "yes" radio-button is pre-selected, users do have to actively accept this choice. It is not as if Microsoft invisibly enabled this feature without alerting the users.

Admittedly, many users will just accept the defaults and press "OK", but they are still making that choice. Given the choice people generally do not like being tracked, and - although most people have been trained to just press OK - were they properly educated about the issue most would likely enable DNT anyway. Moreso, few people complain that Microsoft also includes software to avoid phishing sites (e.g., SmartScreen) which are enabled by "default" similar to DNT; these capabilities are added because the end-users find them useful. Microsoft is just protecting users from skeevy internet marketing, and just because some firms depend on this sort of underhanded tracking in no way excuses them from their deceitful practices. Features like "Do Not Track" were created because advertisers pushed too hard in one direction; now they ignore user's attempts to bring balance to the equation. I have no sympathy for the Googles and Yahoos and Facebooks; they broke the social contract first.

Re:Yahoo, kill yourself!

[interkin3tic]

I think that's wildly missing the point.

Advertisers bend over backwards to find out your interests voulontarily and send you targeted information. Google lets you know what it thinks it knows about you and, at least the last time I saw it, lets you edit it. Or at least gives you the impression that you can edit it. Fill out online surveys, etc. They try to make it VERY easy.

And yet, they're resorting to tracking why? Because the vast majority of people won't voulontarily tell advertisers what they're interested in. The heydey of spam e-mails that cost you money really left their impression on people, we hate online advertisers.

Tracking is bad because it's an invasion of my privacy, not because it leads to annoying things like ads for cars. Even if advertisers were only telling me things that were relevant and valuable, and even if the information they collected had no chance of falling into the wrong hands, it's still not something I allowed, and I never will allow it if I can help it.

Re:Yahoo, kill yourself!

[joe_frisch]

I don't think the tools are well known. For instance I didn't know I could get at my google info.

A more serious problem is the lack of trust. There is a concern that you will only be able to add information, not remove it, and your spam levels will just increase. (this may not be true, but its a valid concern).

Re:Yahoo, kill yourself!

[Krojack]

For all we know Microsoft could be tracking us via the OS. if it was true someone would have found packet traces by now but who knows, but in theory it could be done. I'm also going to bet MS tracks everything done via Xbox Live. That's some good info right there to sell to gaming companies and now upcoming video streaming.

Re:Yahoo, kill yourself!

[AC-x]

Microsoft is losing the battle for online advertising, so they are instead trying to poison the market. In MSIE 10 and 11, the "do not track" is on by default, which means the user never actually made a decision to set it

It's on by default, but it is also part of the setup questionnaire when you first start up Windows 8 so it's not like the user isn't presented with the choice...

Re:Yahoo, kill yourself!

[LordLimecat]

Its not being honored because some geniuses decided that it would be a great idea to make DNT a default setting-- which made it UTTERLY PREDICTABLE that websites would eventually stop honoring it.

Good call, though guys. We won the ideological fight by making it the default, even if practically speaking we shot ourselves in the foot. Now we can continue to criticize Firefox and Chrome for defaulting DNT off, and praise IE for singlehandedly tanking the idea!

Re:Yahoo, kill yourself!

[kumanopuusan]

"Do not track" was supposed to represent the user's preference. MS turned it on by default and broke the standard, which is SOP for them.

Re:Yahoo, kill yourself!

[Cragen]

I disagree. I would say "no" to being tracked for any reason, if I have a choice. I do NOT want web services to "personalize" my needs and preferences. I am a big boy and do not need your help, nor your attempts to route my attention, however small that period of attention span is.

Re:Yahoo, kill yourself!

[Grishnakh]

You just don't understand the bit about "most people", do you?

Re:Yahoo, kill yourself!

[Sloppy]

So you are arguing that privacy/security on by default is a bad thing?

Nobody's arguing that. The mistake is in thinking of DNT with a privacy/security mechanism. If that's what it were, Microsoft's decision would be defensible or even good. But DNT is something totally different. I'd argue two things:

1) DNT is for expressing a user's preference. Not even just a preference, but the user's preference. It is impossible for any application's default setting to express a user's preference for anything. (Your editor can default to a white background, but it can't, out of the box, honestly tell other people that YOU prefer swiss cheese over provolone. The person who wrote your editor might have some strong opinions and could even show some polling information, but in the end, he doesn't really know what kind of cheese you want. He can only take a guess.) MSIE's default DNT:swiss header is a communication between a web server and Microsoft Corporation, rather than a communication between a web server and a user.

Yes, a DNT:swiss default is a bad thing (just as bad as a DNT:provolone default). By doing that, Microsoft undermined DNT and helped the ad industry justify ignoring it. If you're a user, you should be angry at MS about this (at least so far as DNT is important at all).

2) DNT is nearly useless for protecting a user's security. If you want security, then you must deny capability to your adversary, or put costs on things, not merely politely ask him to behave in a certain manner. That means having your browser not initiate certain connections, or not send certain things (or send noise) over those connections, or .. whatever.

I have to say "nearly" useless because at least DNT could signal that some users care, but just don't care enough to stop sending intell. But it looks like this subtlety was lost on .. damn .. nearly everyone, I think.

Up to now I've thought of DNT as a basically good idea (a weak one, but still positive), but maybe it's time to accept that if nobody understands DNT then it can't possibly communicate anything meaningful.

Re: Yahoo, kill yourself!

It was a really silly idea, nobody really expected these guys would honer this

Except that they were honoring it, before Microsoft poisoned the well.

... even if it did have legislative backing.

The laws/regulations required them to honor "user requests" not "browser settings". Once the browser setting is on by default, it no longer indicates a "user request" and there is no legal requirement to honor it.

Microsoft conducted and published research that showed that more than 80% of users wanted this on. So having it as a default is honoring the wish of an overwhelming majority of users. And not being tracked should be the default state, and users could opt in to personalization if they want to. Microsoft set this default the way defaults should be set.

And btw, there where multiple articles at the time quoting major ad and publishing executives on that they had no intention of honoring DNT anyway. So trying to blame their actions on Microsoft is misguided.

Re:Yahoo, kill yourself!

[Ol+Olsoc]

weak one, but still positive), but maybe it's time to accept that if nobody understands DNT then it can't possibly communicate anything meaningful.

Tracking has proven to be an excellent way to serve me up advertisements for things I have already bought.

Re: Yahoo, kill yourself!

[Blue+Stone]

>While the "yes" radio-button is pre-selected, users do have to actively accept this choice.

So ... on by default, by your own admission.

And there's the rub. DNT might have been a little lame, but it was something of a truce between scumbag advertisers and browser makers based on that one condition: not on my default - and yes, that means not pre-selected as being on, whether that option is shown to the user or not.

Microsoft broke the treaty and now, what little benefit DNT gave, is going, going, gone...

Re:Yahoo, kill yourself!

[khellendros1984]

Change "web services" to "targeted advertising" (i.e., get rid of the marketing obfuscation), and most people will say "no" again. If you don't clearly tell someone who you're giving their information to and for what purposes, then the "yes" that they give isn't exactly informed consent.

Re:Yahoo, kill yourself!

[Darinbob]

I have Yahoo mail via my ISP. Thus, Yahoo ALREADY is making money by serving me email on the web, they do not need to go further and sell information or serve me inane advertisements (which I never see anyway). This is like cable TV, pay them lots of money and then still have to put up with ads and shitty service.

Re:Yahoo, kill yourself!

[Darinbob]

Bogus or not, do-not-track was an indication of customer desires, and Yahoo is explicitly saying that they don't care about what the customers want and that they will invade our privacy instead.

Re:Yahoo, kill yourself!

weak one, but still positive), but maybe it's time to accept that if nobody understands DNT then it can't possibly communicate anything meaningful.

Tracking has proven to be an excellent way to serve me up advertisements for things I have already bought.

This is, at least partly, intended and something advertisers are happy with. Research show that people who are most receptive to an ad for a product are people who just bought it and are (often subconsciously) looking for affirmation of their choice. Targeting these customers build repeat customers. A lot of Apple advertising fx is intentionally targeted at existing Apple customers. Even if you just bought the new iPhone 5, Apple continuing to convince you that you made the right choice make you more likely to be happy with it and buy the iPhone 6 too.

Re:Yahoo, kill yourself!

[Ol+Olsoc]

This is, at least partly, intended and something advertisers are happy with. Research show that people who are most receptive to an ad for a product are people who just bought it and are (often subconsciously) looking for affirmation of their choice..

It also prodded me to install adblock and noscript.

Re: Yahoo, kill yourself!

[mysidia]

Microsoft conducted and published research that showed that more than 80% of users wanted this on. So having it as a default is honoring the wish of an overwhelming majority of users.

It DOESNT matter what 80% of users wanted.

This was not a negotiation.

Advertisers were not and are NOT willing to accept no tracking as a default.

They will use ANY and all means at their disposal to circumvent any implementation of "no tracking as a default"

Re:Yahoo, kill yourself!

[mysidia]

If the ad agencies don't believe that to be the will of the users, they are deluding themselves. Nobody likes to be stalked.

The ad agencies are unwilling to accept the will of the users until explicitly stated.

It's not merely about not tracking users who merely PREFER not to be tracked.

It's about not tracking users who SO STRONGLY reject tracking, that the user is willing to explicitly go through extra work to OPT OUT or state their preference.

Anything that has been relaxed to a default state: advertisers will not be willing to honor.

They are paying for all this, by the way --- without advertisers, much of the internet would implode.

Re:Yahoo, kill yourself!

[sjames]

The ad agencies are unwilling to accept the will of the users until explicitly stated.

In actuality, not even then. How many people sign up for the do not call list and still get called? Before that, how many were hung up on the instant it sounded like they were going to request not to be called again. How many were removed from the call list for a grand total of 2 seconds?

Advertisers were ignoring the do not track flag before IE made it a default. All IE did was give them one more excuse.

And note, this isn't a do not advertise flag, it's a do not track flag. Advertising got along just fine for a long time without stalking people.

Code words for...

[FlyHelicopters]

That is corporate speak for, "we decided we could make more money this way, so here is a bs reason for us to change, when we really just want more money."

Re:Code words for...

[NewWorldDan]

It was a dumb idea anyway. Asking a web server to honor the "do not track" setting is like asking my dog to guard a plate of cookies. If you want this to work, you've got to control privacy from the client, somehow. Alternately, you need a legal remedy of some sort.

People still use Yahoo?

[genner]

Anyone savvy enough to care about this issue stop using Yahoo long ago anyway.

Re:People still use Yahoo?

[knotprawn]

I know some people who still use Slashdot

Re:People still use Yahoo?

[Taelron]

I wish I had mod points today... I was going to ask the same thing. Yahoo search stopped being relevant 6 or 7 years ago...

Re:People still use Yahoo?

[ShanghaiBill]

Anyone savvy enough to care about this issue stop using Yahoo long ago anyway.

You are equating "care about this issue" with "don't want to be tracked". That is not always true. I care very much about my privacy. But, in most cases, I want to be tracked. I get a more personalized experience, and I see fewer ads that are irrelevant to me. When I want privacy, I open a new private browser window. There is a tradeoff between privacy and personalization, and not every informed user wants, or should want, 100% privacy 100% of the time.

Re:People still use Yahoo?

[AvitarX]

Yes, thank you.

I agree 100%, I see ads of things I actually want, from brands I don't know.

The google cards on my phone are great, finding information about products I searched for, and news updates about subjects.

The personalized experience is fantastic.

Re:People still use Yahoo?

[marcello_dl]

Track beta!

Re:People still use Yahoo?

[AmiMoJo]

The ads are not "relevant" to you, they are what advertisers want you to see. If you are a young male expect lots of scantily clad women waving stuff in your face. If you are a mother you will probably be hit with more "one weird trick to shed pregnancy pounds" or Jezebel ads. Six months after you buy a car you will still be getting ads for them.

The advertisers don't have enough information to to give you really relevant ads. Many of the most relevant products might not even be advertised on Yahoo anyway. All they have are some vague and out of date indicators and some stereotypes to work with.

Best thing to do is block ads and just google when you want something. The best possible ad is a large number of positive reviews from reasonably independent sources, like Amazon users or people posting on forums. If your product is good and your company is reasonably social advertising is free. If your product is shit advertising costs money and I don't want it anyway.

Re:People still use Yahoo?

[ScuzzMonkey]

The ads are not "relevant" to you, they are what advertisers want you to see.

Those things aren't mutually exclusive.

The advertisers don't have enough information to to give you really relevant ads.

Then isn't the solution, if you want what the GP professes to want, less privacy?

Best thing to do is block ads and just google when you want something.

Ironic that you're citing one of the biggest data-aggregating advertisers out there today as a relevant source, when you appear to be arguing against exactly what they are doing to present you with those results.

Re:People still use Yahoo?

[DarwinSurvivor]

And yet are still one of the largest email service providers in the world.

Re:People still use Yahoo?

[sinij]

Please, nobody want to see ads. There are people who blocking them, and there are people who don't know how.

Re:People still use Yahoo?

[sinij]

Exactly! Ads are mostly about manipulation, not providing you with information.

For example, you don't drink coke because you like sugary carbonated drinks, you drink it because you now unconsciously associate sugary carbonated drinks with Coke. This way when it is time to pick your beverage, instead of cognitively-intense process of evaluating available choices you default to "the usual". Every time you are blasted with Coke ad this connection gets reinforced... you do you think there anyone left on Earth that still has to be informed about existence of Coke?

Re:People still use Yahoo?

[sinij]

Ads are not about informing you, they are about manipulating you. Otherwise, why would Coke keep advertising? Do you think there anyone left that is not aware it exists?

Re:People still use Yahoo?

[chihowa]

So why not make the tracking opt-in, so that you can choose to be tracked and everybody else can also get what they want?

You could even go and set up accounts with all of the tracking agents so that you can tweak your profile and ensure that you're getting the most targeted ads. Doesn't that sound better to you? A requirement to opt-out of intrusive marketing is bullshit.

Re:People still use Yahoo?

[Darinbob]

Not much choice here, as my ISP uses Yahoo as their webmail service. So reading the same email at work and home means webmail is a useful service for that, also useful if I want to read email from a remote location. I'd like to dump it but I can't easily do it (and no, I don't want lots of advice on using imap and a local mail client or how to get an android mail reader that doesn't suck).

Re:People still use Yahoo?

[toddestan]

Dude, you should change your password because one of them is posting with your account!

Surprise, anyone?

[Gaygirlie]

Has it ever been a surprise to anyone that a measure that service-providers must voluntarily follow would not be followed? I mean, if by not following the measure you can generate more cash than by following it then why would you choose to do it, especially if no one else does it either? No, do-not-track was doomed all the way from the beginning.

Re:Surprise, anyone?

[Sockatume]

There's no technological barrier to ignoring robots.txt, yet Google, Yahoo and the rest obey the standard meticulously. Does this mean that my own right to privacy is given less regard than a web server's?

Re:Surprise, anyone?

[TheRealMindChild]

Not obeying robots.txt can land you into a never ending spiral of following links to the same content with different URLs

Re:Surprise, anyone?

[An+Ominous+Coward]

Commercial search engies must skate a fine line between fair use and copyright violation. There is at least some potential that ignoring robots.txt could land them in legal trouble.

At the moment, lacking contrary legislation, user-identifiying information that is transmitted to a server is considered property of that server owner. If there was legislation defining that information as property of the user, much like Canada (among others) defines metered electricity usage information as belonging not to the utilites but to the resident, then Do-Not-Track might have some teeth.

Even then, though, it's probably a lot harder to legally demonstrate a violation of that setting than showing a search engine has cached a page it wasn't given permission to cache.

Re:Surprise, anyone?

[Bengie]

Not honoring robots.txt could land them in a DMCA issue, while tracking you is just recording facts.

Simple enough to fix

[JudgeFurious]

Yahoo stops using "Do-Not-Track" and in response people who care about it implement "Do-Not-Yahoo". These things tend to work themselves out over time.

Re:Simple enough to fix

Yahoo stops using "Do-Not-Track" and in response people who care about it implement "Do-Not-Yahoo". These things tend to work themselves out over time.

The same people also need to implement "Do-Not-Google" for the same reason.

Re:Simple enough to fix

[ThatsNotPudding]

Yahoo stops using "Do-Not-Track" and in response people who care about it implement "Do-Not-Yahoo". These things tend to work themselves out over time.

You may remember exactly every service you use(d) that had a Yahoo email account as the main or fallback address, but the majority of folk out there don't. Admittedly, some of the fault is their own, but they are locked-in to a service that has now decided to abuse them for cash.

I am willing to sacrifice.

[Payden+K.+Pringle]

I am fine with sacrificing user friendliness for my privacy. Do not track me or I won't use your services. I have two yahoo emails which incidentally are used as account/spam dumps. I won't even use them for that if this is how Yahoo has chosen to do things.

Re:I am willing to sacrifice.

[jmd]

Funny..my Yahoo account is a spam dump too.

I find it comical that when I empty my spam folder an advertisement pops up in the window. Sad

My Standard

[Banichi]

>'we have yet to see a single standard emerge that is effective, easy to use and has been adopted by the broader tech industry.'

Here is my 'standard'; NoScript and AdBlock Plus.

Re:My Standard

[Luckyo]

Ghostery does it much better with less overkill that noscript tends to be guilty of.

Re:My Standard

[Maxo-Texas]

You also probably want Better privacy too. It gets rid of supercookies.

Hopefully some more ideas will come out of this thread.

Re:My Standard

[geminidomino]

Just a suggestion: Consider replacing Ghostery with Disconnect. Ghostery embraces the Dark Side

Re:My Standard

[SeaFox]

You could also use Ghostery but not enable the data sharing feature mentioned in that article.

Re:My Standard

[Luckyo]

I'm talking about the fact that noscript blocks too many page elements.

Not that it's taking too many system resources.

Re:My Standard

[Luckyo]

Or you can just uncheck the box?

Re:My Standard

[Luckyo]

Tools > ghostery > manage ghostery options > unckeck "enable ghost rank".

It's the first god damn check box on the options page. You have to really not want to see it to miss it.

The WWW is dead.

First, they want to provide a personalized web-browsing experience, which isn't possible using do-not-track.

But the user clearly does not want a personalised web-browsing experience.

Ghostery, Secret Agent, CS Lite and NoScript are essential today, and nobody should EVER go online without those, or some equivalent. Let them personalise that.

The Web has been hijacked and is now fundamentally broken. It is being transformed into a locked-in content delivery platform, something like cable TV with a camera that records your every movement. It needs to be handled with gloves and goggles, like you would when accessing a chemical weapons research facility.

We'll need to develop another Internet, this one has been taken over by marketroids and is beyond saving.

Re:The WWW is dead.

First, they want to provide a personalized web-browsing experience, which isn't possible using do-not-track.

But the user clearly does not want a personalised web-browsing experience.

Ghostery, Secret Agent, CS Lite and NoScript are essential today, and nobody should EVER go online without those, or some equivalent. Let them personalise that.

The Web has been hijacked and is now fundamentally broken. It is being transformed into a locked-in content delivery platform, something like cable TV with a camera that records your every movement. It needs to be handled with gloves and goggles, like you would when accessing a chemical weapons research facility.

We'll need to develop another Internet, this one has been taken over by marketroids and is beyond saving.

Wasn't Ghostery bought by a marketing firm?

Re:The WWW is dead.

The Web has been hijacked and is now fundamentally broken.

We'll need to develop another Internet, this one has been taken over by marketroids and is beyond saving.

And you've just made the same rookie mistake as many, many before you.

Repeat after me: The web is not the internet. The web is not the internet. The web is not the internet.

The web is a marketing-infested public urban shithole scarring the landscape of the internet, but it's not the internet itself. There are 65535 more ports (ok, only 65534 if you count 8080 as a valid alternate for a public-facing site) for services to talk on. There are a near-infinite number of possible protocols, services, and things to do. Just because the vast majority of clueless plebes have decided to colonize one service does not mean the end of the internet.

It would be trivial to set up a "dark web" that would work exactly the same way as the current one but uses an agreed-upon alternate port. All the "cool kids" would be doing it within a few nanoseconds, and you'd probably have a year or two of peace before the marketing twats took over. Then you just move back to good-ol' port 80 and repeat.

When you want to shake the marketer-assholes for a longer period of time, you just change the protocol. It'll take them years to figure out how to fuck up Not-HTTP-But-It-Does-The-Same-Thing-And-Uses-Lua-Scripting-Instead-Of-Javascript. And when that gets taken over, or before then if you're smart, you'll create Not-HTTP-But-It-Does-The-Same-Thing-And-Uses-Brainfuck-Instead-Of-Lua. The "sheep" will follow, and the marketers will have to change their shit up again. This will cost them money and time. And eventually, they'll give up because, hell, what's after BrainfuckScript? Do they really want to find out?

CAPTCHA: quagmire. Because catching marketer-asshats in a quagmire is an art form us techies should be proud of. Also: "giggity".

Re:The WWW is dead.

[rudy_wayne]

First, they want to provide a personalized web-browsing experience, which isn't possible using do-not-track.

But the user clearly does not want a personalised web-browsing experience.

Nobody can give me a "personalized" experience unless they can somehow read my mind.

Do I want to constantly see ads for XYZ just because I once searched for XYZ or once visited the XYZ website? Fuck You Yahoo, Google and anyone else talking about a "personalized web-browsing experience"

Re:The WWW is dead.

[westlake]

But the user clearly does not want a personalised web-browsing experience.

The geek may not want the personalized browsing experience. But the geek doesn't speak for everyone.

The Web has been hijacked and is now fundamentally broken. It is being transformed into a locked-in content delivery platform, something like cable TV

What did you expect to happen when hundred of millions of people with no preconceptions of what the web and the Internet "should be" began purchasing broadband services? You can't even assume anymore that a user is accessing the web through a general purpose computer and browser ---

and not an HDTV, WiFi Internet radio, e-book Reader, video game console, smartphone, tablet or some other device.

We'll need to develop another Internet, this one has been taken over by marketroids and is beyond saving.

Go for it.

But you are building nothing but an echo chamber, a walled garden for the geek.

Nothing but a bubble --- and bubbles burst,

Re:The WWW is dead.

[AvitarX]

I want a personal experiance.

I like my Google cards on my phone, I like ads for things I am shopping for from smaller companies I've not heard of.

Re:The WWW is dead.

[squiggleslash]

But the user clearly does not want a personalised web-browsing experience.

Speak for yourself.

I do want to see ads that aren't offensive to me, and might even be for things I'm interested in. The tracking cookies by the major advertising sellers are designed to do that. And I don't see a privacy issue in having some of my web history stored in a computer that only gives indirect answers to what's in it along the lines of "Would the user with cookie abcdefghij most like to see an ad for chocolate, tampons, or diarrhoea medicine"?

Now, in theory there's a solution that would keep everyone happy. You have webbrowsers provide some sort of flag to servers saying "This person has positively confirmed they do not want their information stored, even harmlessly, even in a way that would benefit them, when it comes to ads." It would be set if the user was asked a fair question, along the lines of "Would you like remote servers to store some information about your browsing history so that any ads you can see are more likely to be relevant to your interests?"

Unfortunately, when someone tried to implement exactly this, some idiots at Microsoft, cheered on by the braying "We don't understand this but it's vaguely related to privacy" mob, decided to send this flag claiming that the user of the webbrowser didn't want the personalized ads, regardless of whether they'd even been asked. The result was that the flag became meaningless, and companies like Yahoo have decided to ignore it.

Why is it a lot of political campaigns seem to be designed to shoot the campaigners in the foot?

Privacy only works when it's in your own hands

[gsslay]

The problem with "do not track" is that it was entirely up to the website to honour the browsing session. Most don't. And the ones that you'd reallywant to not have track you are the ones that really ignore it. It's therefore useless.

It's like a system of street privacy that relies on people being trusted to close their eyes when you walk by. Just because you ask them nicely. People will look, and you can't stop them.

If you want privacy you have to be the one in control of what is being revealed. You can't rely on others to keep your privacy for you.

Re:Privacy only works when it's in your own hands

[jones_supa]

Indeed, I always thought "do not track" was a silly feature. I can ask the website to not track me, but how can I ever know what actually happens behind the scenes. If we really want such feature, the browser must somehow make me impossible to track.

Re: Privacy only works when it's in your own hands

[BeNude]

Ghostery FTW.

Re:Privacy only works when it's in your own hands

[wile_e8]

This is why I've never bothered with do-not-track settings. Not only is it wholly unenforceable, but it seems like a giant "Look at me!" sign. Given that the vast majority of people don't even know do-not-track exists and never change the default settings on any program, surfing with the do-not-track flag on seemed like a great way to tell the people I really don't want tracking me that I'm technically literate enough that they should pay closer attention to me.

Re:Privacy only works when it's in your own hands

[Ghostworks]

Exactly. It was always a pretty bad idea. In fact, it reminds me a great deal of the RFC 3514 "evil bit"

Do-Not-Track is basically a "Don't be evil" bit. It makes a plea on behalf of the end user and the end user hopes some distant system honors it. Any time you implement some version of the evil bit, you should expect that it's not going to work.

(Then again, there are a lot of tech features in use now -- such as a PDF owner_pass edit lock, or phone service Caller ID blocking -- which are also based on "please keep private" bit, and those are effective for 98% of the people out there who are just to lazy to get around them. So maybe there's something to be said for an evil bit after all.)

Re:Privacy only works when it's in your own hands

[Sobrique]

Which in turn, is something that's extremely difficult - especially for a non technical user. You can probably approximate it with TOR, but that has it's own price.

Re:Privacy only works when it's in your own hands

[jones_supa]

True...

Re:Privacy only works when it's in your own hands

[Darinbob]

It is useful if you visit sites that respect it. Just because it doesn't magically make you untrackable everywhere you go does not mean it is useless. It's just one member of a very large set of small tweaks that can increase privacy. If you learn a site does not honor do-not-track then you can boycott it, block it entirely in noscript, etc.

They still exist?

[Sir+Holo]

I "opted out" about 10 seconds after seeing that message on a Yahoo site.

The thing is, I strenuously avoid Yahoo. After the latest Firefox update, though, typing a search in the address field doesn't go to my preferred (in settings) search engine, but instead to Yahoo.

Yahoo search results are terrible, but most of the screen is filled with jumping icons a million other things I was not searching for.

Re:They still exist?

[Maxo-Texas]

You probably want to use "duckduckgo" instead of google as your default search provider.

Google tracks a lot of information about you- even when you are anonymous. Last I heard it was 57 different things. I also keep googleleadservices and googleanalytics disabled in noscript.

Re:They still exist?

[Jbcarpen]

After the latest Firefox update, though, typing a search in the address field doesn't go to my preferred (in settings) search engine, but instead to Yahoo.

Firefox stores data about which search engine to use in a set of XML files. If something else gains access to those files, it can edit them to keep the name and icon of, e.g. google, but send the actual search to goatse (or wherever). If you delete the files, then the "restore defaults" button on the "manage search engines" panel will enable, and restore the originals.

Re:They still exist?

[the+eric+conspiracy]

Startpage is cool too.

Re:They still exist?

[CanHasDIY]

You probably want to use "duckduckgo" instead of google as your default search provider.

I would love to promote duckduckgo, but in reality the results that site brings up are seldom relevant, and normally suck.

I've recently switched to using Startpage for searches, as it protects my "anonymity" and pulls relevant search results, since it uses Google search on the back end.

Re:They still exist?

[Sir+Holo]

Firefox stores data about which search engine to use in a set of XML files. If something else gains access to those files, it can edit them to keep the name and icon of, e.g. google, but send the actual search to goatse (or wherever). If you delete the files, then the "restore defaults" button on the "manage search engines" panel will enable, and restore the originals.

Wow, thanks!!!

I found only one XML file doing just that redirect, deleted and restored, but no luck. I'll have to search harder for the multiple instances you mentioned.

Re:They still exist?

[Maxo-Texas]

I have started to use Startpage.

Thank you!

Do not honor Yahoo

[briancox2]

Fortunately, there is little or no loss to the modern day internet user experience by ignoring Yahoo completely, either.

Sigh: personalized web-browsing experience

[fahrbot-bot]

First, they want to provide a personalized web-browsing experience, which isn't possible using do-not-track.

This is one of the phrases and behaviors that annoy me the most about various sites, especially search sites. I search for both personal and work related things, don't want searches tailored to anything other than the specific thing for which I'm searching at that time. I generally don't care what I searched for 24h ago (looking at you Google side-bar).

In a related rant, I can't stand the Google side-bar, Instant and Suggestions and make every attempt to disable and or strip them out (using Proxomitron) though now that Google has switched to HTTPS, that makes things more difficult for me - sigh.

Dear Providers, Don't "help" me unless I ask for it.

If this is real...

[HybridST]

IIRC yahoo is worth less than nothing at the moment. Re: www.bloombergview.com/articles/2014-03-17/is-yahoo-s-business-worth-less-than-nothing

Why would I listen to a company with such outstanding performance?

Yahoo?

[Threni]

I can't imagine why I would ever go near a Yahoo site. Yahoo Answers? Seriously? Didn't Stack Exchange demolish that nonsense? Yahoo email? With the `win tickets to the World Cup` spammy sigfiles a good 8 months after the World Cup finished? What do they offer than other companies don't offer, better, and without the lack of respect?

Re:Yahoo?

[Dcnjoe60]

What do they offer than other companies don't offer, better, and without the lack of respect?

Yahoo Groups?

Re:Yahoo?

[CanHasDIY]

I can't imagine why I would ever go near a Yahoo site. Yahoo Answers? Seriously? Didn't Stack Exchange demolish that nonsense?

Hey, now - Yahoo Answers is still a great place to get terrible advice from trolls. Like when I was looking for a humane way to put down my gecko, and the top rated response was to put him in the freezer.

Re:Yahoo?

[Threni]

Thanks, but no. (The quality of Yahoo Answers, with the clunky, shitty website-ness of Google Groups. 2003 wants its online forum back!)

Re:Yahoo?

[Dcnjoe60]

YMMV, but the quality of various groups is dependent on the members of the group, not Yahoo and they had groups long before Google did.

Re:beta

[Andrewkov]

Slashdot Stops Honoring 'No Beta' Settings.

There's a headline for ya..

The single standard is:

[drolli]

Noscript, only per session cookies, and surfing trough a proxy.

Do not track was flawed from the start

[Sobrique]

I can't say I'm surprised. Do not track settings that are optional on the part of the sites you're visiting are simply never going to work - the ones that'd honour it are also the sites you wouldn't be particularly worried about in the first place. Targeted advertising and profiling is big business, and the big revenue stream for the 'free' content providers. It really comes as no surprise - pretty fundamentally you get what you pay for. If you're paying nothing in monetary terms, then you'll be paying in privacy instead.

No effective standard?

[zarmanto]

"However, we have yet to see a single standard emerge that is effective, easy to use and has been adopted by the broader tech industry.' It looks like this is another blow to privacy on the web."

I don't know about you, but I can think of one fairly effective and extremely easy to use "standard"... AdBlock.

I'll ask again

[koan]

Why does anyone use Yahoo? You can't get an email without giving up your cell number, their "answers" section is absurd, they really have nothing to offer IMO.
There are far better choices, it seems like a recently beheaded chicken, still running around on autonomic pilot.

Time for the legal system?

[Dcnjoe60]

Maybe it's time for the legal system to get involved. If entities won't honor privacy, maybe we need the equivalent of the "Do Not Call" list for telephones implemented for the internet. Of course companies like Google and Yahoo will then just alter their service agreements to state that you do in fact agree to be tracked.

Re:Yahoo going downhill fast.

[ledow]

I've always said that the time to stop using a company is when they do things that aren't in your interests - or indeed the interests of any logic.

Companies that "rebrand".
Companies that give poor customer service.
Companies that gobble-up and retire old, famous brands.
Companies that force you to move to their "new" interface / app / whatever (take note, Slashdot!)

These things achieve nothing that a customer would want them to achieve and actually hint at lots of poor, cyclical management decisions in order to justify someone's job (Let's outsource! Let's bring in-house! Let's outsource!)

I stopped using Hotmail when they forced a new interface on me that was worse and never got fixed (and I was a paying customer back-in-the-day).

I stopped using Geocities when I had to convert it to a Yahoo Account.

I stopped using a Yahoo account (entirely separate to the above) when they started to hinder me getting to my email.

I've stayed on GMail because I learned my lesson and no longer rely on any web interface to stay static. You piss about, I'll use IMAP into my favourite webmail / browser. Done.

With free services, brand loyalty is lost incredibly quickly. When MySpace *went out of fashion* everyone jumped on alternatives.

Let's get this straight - you want me to view adverts? Make it as painless as possible and put something I WANT TO USE behind the adverts. And, you know what? I will.

until IE 10 broke it

[raymorris]

> But the user clearly does not want a personalised web-browsing experience.

Until MSIE started lying about the user's preferences. The standard specifies what should be sent if the user has not expressed a preference. IE 10 lies and says the user requested a uncustomized version when they didn't. That makes the whole thing useless when browsers lie about what preferences the user expressed.

Re:until IE 10 broke it

[Ksevio]

There are a few issues that make this different though. The web is mostly funded by ads, tracked or non-tracked, they're still needed. With tracked ads, sites can get away with fewer of them (fewer ads = better user experience = users stay around more). It's not something that most people want (given the option to add ads, they wouldn't choose it), but on the other hand they prefer ads to having to pay directly.

For the tech-savvy and even past that these days, there are options like ad-block available. Some types of ads were deemed too-obnoxious (like pop-ups) so all the browsers block those. People choosing to not support the websites they visit by blocking ads is their choice. There are usually too few of them to significantly cut down revenues. If everyone did it, either a new revenue source would be needed (such a s subscription services), ads would have to be added in sneakier ways, or websites would shut down. No one really wants to go with those options.

The do-no-track option is similar. If few people pick it, then it's going to work fine and people will support it, but making it the default for all people for all websites means you're basically just saying tracking isn't allowed at all. People might not "opt-in" to being tracked for advertising purposes, but it's not illegal, and people certainly seem to opt for free websites with fewer ads.

Re:until IE 10 broke it

[squiggleslash]

That's deeply wrong and anti-consumer

No, it isn't.

the consensus is that opt-in is the correct choice in pretty much all cases

The "consensus" is anything but. It's true a large group of Slashdotters are demanding it, but ignoring context or what the flag is supposed to do.

Remember: this isn't about computers posting details of you by name on search engines reporting that you posted on the NRA forums site, viewed pictures on HotChicksBrushingTheirTeeth.com, and the last four music CDs you bought on Amazon.

This is about some servers acting as black boxes, receiving information like "Session associated with abcdefghij included visits to websites with key words 'guns', 'rifles', 'toothbrushes', 'lingerie', 'REM', 'Seig Seig Sputnick', 'Tigra and Bunni', and 'Kellis', and then being asked questions of the form "Of the following ads: [Cheezits, Acura, Radio Shack, Colgate], which would session abcdefghij be most interested in?"

Yahoo and Google profit from the vast number of users who don't know about the intricacies of the do not track standards and options

How ironic. It seems that the vast majority of people who donâ(TM)t really understand the do not track systems are those who demand insane defaults like "Servers should make no attempt to deliver relevant ads to a user unless they've specifically said they want them".

Re:until IE 10 broke it

[chihowa]

That whole standard was stupid anyway. It was essentially making tracking the default state and requiring the user to opt-out. Intrusive marketing like this should be opt-in.

Honour?

[XB-70]

Yahoo! has stopped honouring so much of its user experience that they are doomed to failure.

Yahoo! Groups is bloated with spam that can't be blocked by its admins.

Yahoo! Messenger is so fraught with bugs and bloatware that users are fleeing in droves.

The main Yahoo! website is dated and mindless.

Yahoo! Mail is an abomination of unusable kludges and missteps.

Lastly, who uses Yahoo! to search for anything anymore, anyway?

Put a wooden stake in it, this thing is dead.

IE 10 broke by DNT lying

[raymorris]

The DNT standard specifies what should be sent under three conditions:
a) The user expresses that they DO want customization
b) The user expresses that they do NOT want customization
c) The user doesn't express any preference

IE 10 lies and says b when the truth is c. That makes it impossible to know who actually chose DNT. The whole thing is useless now that it doesn't to indicate the user's stated preference.

Re:IE 10 broke by DNT lying

[radarskiy]

From http://tools.ietf.org/id/draft...
"5. Header Syntax

      The Do Not Track HTTP header, "DNT", must take one of two values: "1"
      ("opt out") or "0" ("opt in"). All other values are reserved. ...
6.3. Default

      A user agent MAY adopt NO-EXPRESSED-PREFERENCE or OPT-OUT by default.
      It MUST NOT transmit OPT-IN without explicit user consent."

The standard explicitly allows opt-out as a default

FARK.com

[hduff]

Does Slashdot get all its news stories from FARK.com?

I read most of the current crop there first.

At the Risk of Summoning APK

[sexconker]

Welcome to my HOSTS file, Yahoo.

Question

[kqc7011]

Anyone working or have a easy to use program that writes a false browsing track? Let the trackers try to make sense out of compromised data. The "easy to use" is what I want.

EFF release an alpha of Privacy Badger

[Kinwolf]

Good day for the EFF to release the alpha of privacy badger that blocks tracking cookies http://www.pcworld.com/article... https://www.eff.org/privacybad...

Yahoo learned from the Best

[WillAffleckUW]

"First Be Evil" is the motto of Google.

And now Yahoo is doing it.

Wonder where their CEO worked before?

"Lean In" my foot. More like "Steal Muchly".

The problem is the ad industry

[Todd+Knarr]

Any standard that's effective and easy to use will not be accepted by the advertising industry, so making the "success" of a standard contingent on that last is nonsense. The DNT standard does serve one useful purpose whether or not it's accepted: it provides a single, easy-to-interpret, unambiguous indication to advertisers as to whether or not the user has consented to tracking. It removes their ability to say "Well, they didn't say otherwise so we assumed they're OK with it.". It does that whether or not they honor it, and it gives us a good talking point when it comes to policy and regulatory discussions: "The DNT standard exists. It's in use. It's easy to interpret on their side. They're the only ones sticking their fingers in their ears going "Na Na Na Can't hear you!".". That makes regulation an easier sell.

that proposal voted down years ago. standard says

[raymorris]

The proposal you linked to was voted down several years ago. The last call standard is:

Key to that notion of expression is that the signal sent must reflect the user's preference, not the choice of some vendor, institution, site, or network-imposed mechanism ..
A user agent must have a default tracking preference of unset (not enabled)

See

Neither are allowed under the standard

[raymorris]

> That's not lieing anymore than telling the server that you've opted in when you haven't.

Both of those would be a lie, which is why neither are allowed under the standard.
The standard says that the browser "must not send a tracking preference expression if a tracking preference is not enabled. This means that no expression is sent for each of the following cases: ... the user has not yet made a choice for a specific preference".

See:
http://www.w3.org/TR/2014/WD-t...

Re:Good

[gnupun]

Exactly, we shouldn't be tracked regardless of the do-no-track setting. Who wants to willingly be e-stalked and data mined? They are stealing our info without permission and without compensation.

That's a separate issue. IE breaks that too

[raymorris]

> the consensus is that opt-in is the correct choice in pretty much all cases. By default, users should always be opted out of things that infringe their privacy.

You might be right about that*. That's a different topic than the DNT RFC, though. The DNT header tells which preference the user specifically asked for. DNT does NOT specify anything about what a site should do - what cookies they should set or not set, etc. Let me quote from the DNT RFC for you "this document does not define site behavior for complying with a user's expressed tracking preference".

The DNT header is a way for the user to communicate their preferences to the server. What the server does by default, in the absence of any instructions from the user, is a separate issue entirely. It's not what DNT is about. Perhaps the following discussion will make it more clear.

* About defaults, what a site should do when a user doesn't express a preference (and when they do). It's my opinion that the default behavior, when the user hasn't made any selection, should normally be somewhere in the giant middle area between the two extremes. Here's an example or two.

Case1 - No preference chosen:
      There are a lot of things that a site should NOT do by default. Let's just call one example "long-term advertising tracking". For our purposes today, there's no need to define exactly what that means.

      There are some things the site SHOULD set a cookie for, or otherwise remember. Suppose I load Slashdot and I'm shown Beta. I click on the "Fuck Beta, give me the classic interface" button. Ten minutes later, I load Slashdot again. I'd prefer that Slashdot not give me beta again, by setting a "beta=no" cookie. Maybe that cookie will expire in a day, a week, or a month, but it would be good for Slashdot to recognize that "whoever this is, he doesn't like beta". So they track that preference, and I'm happy.

So by default, Slashdot could reasonably track some things and not others.

Case 2 - User specifically requested DNT:

    If I've specifically requested privacy, the site should act similarly to the way the browser does in "incognito mode" - pretty much don't set any cookies, for example. Slashdot should NOT set a cookie to remember that you hate beta, if you ask them not to remember anything. On sites like Youtube and Craigslist with a "safe search" or "possible adult content" confirmation page SHOULD keep popping up that warning. That user has explicitly requested that the site not remember that they want safe search off.

Case 3 - User specifically requests "a customized experience" (DNT off)

      If the user specifically says they want maximum customization, the site SHOULD remember that I hate beta and not show it to me again.
Safesearch should default to whatever I set it too - I've asked the site to remember my preferences. Ebay.com should, since I requested it, show me good deals on items I've been searching for recently.

The key here is that the best thing for a site to do is different between case 1 and case 2. If explicitly you ask that Slashdot NOT set any cookies, it should not set a "NoBeta" cookie. If you haven't expressed any preference, setting a "NoBeta" cookie is probably a good thing. Lying, saying that the user has explicitly requested no tracking when they haven't done so, means you can't respect the user's wishes. If you honor IE's bogus DNT header, everybody keeps getting sent to beta. If you disregard it, people who have actually set DNT get tracked after they've asked not to be. Nothing that the site can do with IE DNT would be right, because the site don't know whether the user actually wants their expressed preferences forgotten or not.

My HTTP requests contain EULA

[BlazingATrail]

I always attach a hidden EULA to all my HTTP requests, so if the web site tracks me, they have violated my license and I can sue them for breech of contract and millions of dollars.

Ads - okay. "Don't /. Beta me" preference?

[raymorris]

> Do I want to constantly see ads for XYZ just because I once searched for XYZ or once visited the XYZ website?

I understand that point. For me, if I search for X a lot, I'd actually rather see ads for X than for fungal cream, but that's personal preference.
Let me ask you about something else, though. You said:

> anyone else talking about a "personalized web-browsing experience"

Suppose an interactive site like Slashdot or Yahoo Mail is rolling out a new design. By default, they send people to the new version of the site *cough beta cough*, but they have a button labeled "screw this, show me the classic version". You click on the button. Ten minutes later, you load the site again. Which should the site do:

A) Take you back to beta, even though a few minutes ago you clicked the "fuck beta" button.
B) Set a "NoBeta" cookie that lasts 60 days, so you won't see beta again for at least 60 days.

That's a bit tougher. That may be a case where a "personalized web-browsing experience" makes the site a lot better.
What do you think?

Privacy? What privacy?

[Tony+Isaac]

Anyone who thinks their Internet activity is private...is deluding themselves. If the NSA couldn't keep their activities private, what makes you think YOU can?

However

[fireylord]

As far as I understand the law here in the UK, the Office of the Data Protection Commissioner will probably be having a word with Yahoo shortly...

Re:Ghostery = INFERIOR + 'Souled-Out'

[Ash-Fox]

Calm down APK, I've already lost count of the amount of spam posts you made on this article (which use points I have already refuted long ago).

perhaps. In, out, or neither

[raymorris]

Many sites probably would have defaulted to lower privacy than some would like, but the DNT standard is NOT about what sites do. DNT allows the user to say "I opt in to customization", "I opt out", or neither. What sites do when the user doesn't choose, or when they do choose, is not part of the standard. The standard only specifies HOW the user can communicate their preference - not what affect that preference has.

Re:Better DNT Implementation

[TCM]

There is no job you can do if the other party is not trustworthy - other than limiting your communication. All this convoluted header bullshit is useless.

Stop crying for a legal solution when there's a perfect technical one: STOP TALKING TO TRACKING SERVERS! Advertisers had their chance. They failed it. So ignore them and let them sulk in their own bullshit.

Re:I've knocked you flat out on hosts before

[Ash-Fox]

Yes, and my statement still applies with regards to using my DNS solution:

You have very selective reading. I've clearly stated numerous times now that in practice, it essentially doesn't matter. There is no notable difference taking any effect here. You choose to ignore it, repeatedly.

You also forgot the other post where I tried your hosts file solution, which in turn generated multi-GB text file to do the equiv of a wildcard block on a domain for your preferred platform (Windows) and it broke windows services preventing DNS resolution from working. Not simply 'just working' as you would have us believe. Additionally, memory consumption was up.

P.S.=> Which I know (and you know, as would anyone reading here) you CAN'T DO, since it's impossible to do (& you know it, & you'll "Run, Forrest: RUN!!! from that challenge as per your usual, you zero accomplishment in coding little troll... lmao!

I don't need to respond when you prove my case.

Painting a target on your back

[CmdrTamale]

So, if I search for commercial ad blockers, I should expect targeted ads for better commercial ad blockers?

Yes, please. How do I adjust Ghostery and Ad-Block to allow this?
--
I'd like to set up a wireless ethernet, but I can't find any wireless cable.

Re:Nothing "dubious" about it

[Noah+Haders]

I thought anybody could adjust the HOSTS file, why do they need to download something specific?

Re: replacing Ghostery with Disconnect

[peacefool]

What's wrong with using both of them and / or Privacy Badger from EFF?

Re: replacing Ghostery with Disconnect

[geminidomino]

Using both of them has a couple of downsides:

1. The suggestion to replace Ghostery was based on the knowledge that its devs are willing to work *with* scumbag advertisers, which puts them on the wrong side of privacy concerns. Using both doesn't remove the untrusted extension.

2. Both (all 3) apps do the same thing. Ignoring the possibility of Ghostery "whitewashing" their own lists for pay (a legitimate concern given #1), they're likely using the same (or near enough) lists, so you're just adding overhead and slowdowns to every page load.

That said, I wasn't aware of badger, having changed to Disconnect when I learned about Ghostery going bad. I'll have to check it out, to see if it's better than Disconnect.

Re:You're MORE than welcome to... apk

[Ash-Fox]

You use MORE POWER, cpu cycles, RAM, + other forms of I/O by STUPIDLY "piling on more" when a native part of the OS itself (hosts & the IP stack) can do the job MORE than adequately for all of the benefits noted above (that you can't disprove AND YOU KNOW IT, lol).

Because apparently a zone file that is less than a kilobyte to block an entire domain verses generating a multi-GB hosts file to come up with every single hostname combination to block a domain fully and then using that multi-GB hosts file requires less "cpu cycles, RAM, + other forms of I/O" etc.

HEY STUPID: It's widely KNOWN & DOCUMENTED that with LARGE hosts files you MUST turn off the local USERMODE SLOW dns clientside cache service in Windows...

Exactly, because it breaks it. Thanks for proving my point yet again.

Re:You're MORE than welcome to... apk

[Ash-Fox]

You don't always need to block entire domains.

But, for the majority of cases, I would. One of the few exceptions is a dyndns service website and those tend to get the issues sorted quickly on their own before I become aware of an issue.

Redirect from recursion is a problem in DNS.

I resolved that problem years ago by setting the preference for resolution over TCP while people were arguing about making dnssec a standard.

He's right on that much as well as a hosts being less parts complexity and less room for breakdown (or in DNS' case, exploit).

I've come across plenty of malware on other people's machines that modified the hosts file on Windows XP, Vista and 7 (I haven't given 'free help' to people since Windows 8 came out). I'm pretty certain the hosts file can be exploited exactly the same as before to direct people to malicious sites. That 'less parts complexity' didn't help there. Hell, making a large hosts file causes a default Windows service to 'breakdown' reliably.

Re:Won't happen w/ my app running... apk

[Ash-Fox]

See subject & WRONG: My app LOCKS hosts against that

Cool story. However, I have seen enough apps mark the hosts file as read only and modify by SYSTEM only through malware protection software like spybot. Doesn't help against the more vicious malware.

(& when it makes the hosts file, it does so from a PRISTINE backup).

I don't see what moving/copying files has to do with this discussion.

P.S.=> That "default service" was one I confronted Microsoft on YEARS ago - it's not MY fault they don't fix it!

I never said it was, I just don't think a good solution is one that involves breaking services on Windows and the only way to get around it is to give up things like DNS caching.

E.G.-> Linux has no such issues, for example, with LARGE hosts files!

Actually if your hosts file exceeds 3.4GiB on a 32bit Linux system, you can end up prevented from logging in at the console because PAM can't handle the hostname look up for the local system. I don't even know if it's possible to load a hosts file if you don't have a RAM to hold it on Linux either. The file size I generated trying to block a single domain was far larger than that.

USERMODE SLOW dnscache service

Resolution of cached stuff seems faster than querying 8.8.8.8 here?

Re:That FACT shut you down easily... apk

[Ash-Fox]

I don't just mark it once - it's kept up by a hi-res timer (thus not locking the OS out of reads of hosts)

What... If you're going to have an application running in the background, why not just use a write lock? Your method sounds like it's wasting a lot of CPU cycles.

IF my original hosts were SOMEHOW to get 'poisoned' is what (not that it can, see above)!

Considering some of the ones I encountered involved rootkits that intercepted native reads (NtReadFile) and for most usermode applications would return the original file, that doesn't help.

It's a GREAT SOLUTION (better than toying with the faulty local USERMODE SLOW dnscache service TTL) since that service IS BROKEN WITH LARGER HOSTS FILES!

Or a bad solution because it breaks a service that works normally just fine until your hosts thing is involved.

I also saved RAM, CPU cycles, & other forms of I/O wasted

And waste it on a hi-res timer that messes with the hosts file instead...

(& I make up indexing by placing my fav. sites @ the TOP of hosts which equates to 2-3 million indexed entries, cached into RAM now by a FASTER SUBSYSTEM IN KERNELMODE - diskcache!)

Except the hosts file I generated was larger than the amount of RAM I had, for one domain. So, I don't see how that would work.

These facts in turn will do the rest & seal your coffin

I wanna run away and never come back!

Re:Additionally: You introduced overheads

[Ash-Fox]

THAT usage of TCP (vs. UDP) introduced callback overheads udp doesn't have!

But pretty much resolves the security issue, instead of risking that your hosts file might not have the address in question.

The REST of "sealing your coffin" is here -> http://tech.slashdot.org/comme... [slashdot.org] (I save CPU cycles, RAM, & other forms of I/O wasted on a broken service that MY TECHNIQUE FIXES)

I already countered this non-sense.

and here too before it -> http://tech.slashdot.org/comme... [slashdot.org] (my app locks hosts vs. write corruption hijack).

And that too.

P.S.=> Every SINGLE ONE of your "objections" = overcome & DESTROYED easily, by "yours truly"... but YOURS are still @ issue in using DNS (full of security holes in Kaminsky flaw redirection, & being ABUSED DAILY BY "fastflux" &/or "dynDNS" using botnets & also recursion dangers AND OVERHEADS as well + more...) - you FAIL, yet again, vs. myself...

Woha, you're scaring me!

Re:WTF? How did you "counter' it??

[Ash-Fox]

Per my subject: HOW did you "counter" for the FACT my app locks hosts against hijack?

I mentioned exactly which API call was being intercepted by a rootkit.

You still introduced overheads - Thus, your "fix" != efficient. Mine for dnscache is saving CPU cycles, RAM, & other forms of i/O wasted on a FAULTY service (with large hosts files).

My 'overheads' resolve the security issue complete. Yours does not and breaks things.

Re:You FAIL again.... apk

[Ash-Fox]

DNS = FULL OF SECURITY ISSUES in:

1.) Kaminsky flaw redirects

Not an issue with my setup.

2.) Abuse by "FastFlux" botnets

Not an issue with my setup.

3.) Abuse by Dynamic DNS using botnets

Not an issue with my setup.

4.) Abuse in DNS amplificaiton attacks.

Not an issue with my setup.

* YOU have to be STUPID to use something so full of holes in security!

As opposed to stuff like hosts file hijacking?

(AS WELL AS "bolting on more moving parts" to waste electricity, cpu cycles, RAM, & other forms of I/O locally, when hosts can do the job in combination with a remote SECURE dns (actually secure, OpenDNS = DNSSEC + updated vs. Kaminsky too, unlike you)).

Because my tiny zone file that blocks an entire domain is going to use less CPU cycles, RAM and other forms of I/O over the multi-GB hosts file? I don't think so. Also, it's less likely to randomly break other stuff too (see: Dnscache, PAM) etc.

perfectly protected vs. those threats (the worst ARE fastflux &/or dynDNS botnets)...

As is my setup.

P.S.=> For ANYONE to have a hosts as large as mine would take 15++ yrs. (that's how long it took me)

I think it took 15 minutes to get to 35GB here, when trying to block an entire domain through generating every single combination because I can't do something like wildcards.

Re:I save faulty slow usermode dnscache

[Ash-Fox]

You introduce overheads (DOUBLE in fact, as TCP is double the calls of UDP, & 2 way, UDP = 1 way outbound broadcast only).

Indeed and it's not vulnerable. Unlike the hosts file workaround that will only work for certain for any site part of the hosts file.

I break NOTHING & fix a problem... you "fix it" alright (lol, by introducing FAR MORE overheads, double in fact!).

Your methods break DNS caching and apparently generate overhead by running a hi-res timer and it still doesn't assure the situation is completely resolved.

I fix it more EFFICIENTLY, you do not (AND I WROTE MY OWN, unlike a puny ,b>mere "user" of the work of others like you...)

Not very efficient if you have to manually maintain that stuff honestly.

P.S.=> Lastly - You miss a lookup? YOU GO INTO RECURSION too, & THAT introduces problems as well as slowness overheads (are your upstream updaters DNSSEC secured? If not, there you go...)

No, my DNS server uses TCP for performing queries. It is not vulnerable to DNS spoofing.

Re:DNS = "rootkit proof", Ash-Fox? Riiight (not)

[Ash-Fox]

Are you trying to tell us rootkits can't affect DNS too?

It's going to be fairly more complex to target a DNS server with a rootkit than it is to intercept an API call for reading the hosts file. I'm also unaware of anything in the wild that does that with DNS servers.

By way of comparison - what did YOU do? YOU DOUBLE OVERHEADS ON DNS faulty & security issue riddled as it is in recursion + vs. botnets that abuse it as well as DNS Amplifiaiton attacks... by going from UDP to TCP, you literally doubled your overhead, literallly!

You can't do DNS amplification attacks over TCP... For one, spoofing the IP address means you won't be able to even establish a connection to do the request in the first place. The size of a SYN-ACK packet is tiny, so there wouldn't even be any advantage to even try to exploit TCP based service in this way.

I don't "break" anything: I literally FIX A PROBLEM AS EFFICIENTLY AS POSSIBLE by saving CPU cycles, RAM, & other forms of I/O wasted on a FAULTY SLOW USERMODE service (dnscache).

But by having a large hosts file to block for example, an entire domain, you then require massive amounts of disk space, RAM and even CPU to process such a thing plus hammering the hosts file with a hi-res timer...

P.S.=> Answer that - it's going to be YOUR undoing (since I can direct it RIGHT BACK AT YA easily) & you KNOW it... lol!

You really shouldn't be saying this stuff in every post, when I keep showing you up.

Re:You have TCP vs. UDP overheads (lol)... apk

[Ash-Fox]

YOU ON THE OTHER HAND LITERALLY DOUBLED YOUR OVERHEADS using TCP vs. UDP... period!

Maybe, but I don't even notice the difference and it's definitely secured against issues. Your method is not.

Lastly: ANYTHING ANY ROOTKIT CAN DO TO HOSTS CAN BE DONE TO A DNS SERVER PROGRAM PAL - so your SINGLE "point"?

Except DNS servers don't have a fixed configuration like hosts files, so the complexity is greater and I have not seen anything like that in the wild compared to hosts files.

You also "bolt on more" complexity AND ROOM FOR BREAKDOWN!

You mean like the windows DNS cache or PAM on Linux? No, I don't really see it being that bad.

(In fact, I got RID of a known issue as efficiently as possible - you didn't & MADE IT WORSE, lol (so any overheads I *may* introduce? Moot & made up for by my disabling usermode SLOW faulty dnscache)... apk

You don't even block malicious domains as a whole, just a few select subdomains from what is a known malicious domain which is why you have sub-GB hosts files. You are really making a bad case for security with host files and your 'lower' overhead doesn't excuse it.

Re:Your own medicine used against you

[Ash-Fox]

You're *trying* to tell us DNS = "rootkit proof"?

I'm saying the likelyhood of that being an avenue to be exploited seems really unlikely and the fact that I have never seen this done against a DNS server, but I have with hosts files.

That's YOUR puny SINGLE line of attack on me... answer it. It's now being used against you & there IS NO DEFENSE (according to of ALL people, you... lol!).

I countered other points just fine.

P.S.=> You fail - you doubled overheads on DNS using TCP vs. UDP where by comparison using hosts I save CPU cycles, RAM, & other forms of I/O on a SLOW usermode faulty + limited Windows' dnscache service ( & you're "bolting on more moving parts + complexity" to do it - I don't & lessen THAT too) - LESS IS MORE = GOOD ENGINEERING...

Sure, there is more overhead with TCP due to the need to exchange a few more packets, however the majority of packets... SYN, SYN-ACK, ACK etc. are certainly more. However, they are not doubling the bandwidth requirements, I'm not convinced the CPU load is notably changing etc. Calling this 'doubling the overhead' seems a bit of a stretch.

LESS IS MORE = GOOD ENGINEERING...

Less also just means 'less'. In this case, less security.