'Do Not Track,' the Privacy Tool Used By Millions of People, Doesn't Do Anything

An anonymous reader quotes a report from Gizmodo: When you go into the privacy settings on your browser, there's a little option there to turn on the "Do Not Track" function, which will send an invisible request on your behalf to all the websites you visit telling them not to track you. A reasonable person might think that enabling it will stop a porn site from keeping track of what she watches, or keep Facebook from collecting the addresses of all the places she visits on the internet, or prevent third-party trackers she's never heard of from following her from site to site. According to a recent survey by Forrester Research, a quarter of American adults use "Do Not Track" to protect their privacy. (Our own stats at Gizmodo Media Group show that 9% of visitors have it turned on.) We've got bad news for those millions of privacy-minded people, though: "Do Not Track" is like spray-on sunscreen, a product that makes you feel safe while doing little to actually protect you.

Yahoo and Twitter initially said they would respect it, only to later abandon it. The most popular sites on the internet, from Google and Facebook to Pornhub and xHamster, never honored it in the first place. Facebook says that while it doesn't respect DNT, it does "provide multiple ways for people to control how we use their data for advertising." (That is of course only true so far as it goes, as there's some data about themselves users can't access.) From the department of irony, Google's Chrome browser offers users the ability to turn off tracking, but Google itself doesn't honor the request, a fact Google added to its support page some time in the last year. [...] "It is, in many respects, a failed experiment," said Jonathan Mayer, an assistant computer science professor at Princeton University. "There's a question of whether it's time to declare failure, move on, and withdraw the feature from web browsers." That's a big deal coming from Mayer: He spent four years of his life helping to bring Do Not Track into existence in the first place. Only a handful of sites actually respect the request -- the most prominent of which are Pinterest and Medium (Pinterest won't use offsite data to target ads to a visitor who's elected not to be tracked, while Medium won't send their data to third parties.)

sunscreen

I use spray-on sunscreen all the time. Why are you saying it doesn't do anything?

Re: sunscreen

[0111+1110]

I was hoping to see a link to sunscreen testing that showed for some strange reason...but there is probably some fragment of truth to the author's strange assertion. The best sunscreens use minerals like zinc or iron to physically block the UV and I havent seen mineral based formulations that are thin enough to spray. I wonder if she was paid to make that comment by shady, cream based sunscreen manufacturers

Out of Band Solutions are the Only Way

[Kunedog]

Same is true of on-site privacy settings. Simply asking a site to behave does nothing. Enforce it by blocking their servers, and deleting their cookies. Don't use the site at all, if practical.

Re:Out of Band Solutions are the Only Way

[WaywardGeek]

Clearly the world just needs to get off its butt and adopt real privacy and security.

Microsoft killed any hope by violating the standar

[raymorris]

The major advertisers had agreed to follow the standard. Then Microsoft quickly killed any chance of that happening by violating the standard in their browser. The agreement was that users could actively choose send DNT, selecting privacy over customization.

Microsoft made it the *default* setting, so a DNT header was sent for everyone, though most people have never heard of it. There is no chance that sites would a) degrade their site and b) lose money, by default, for every Windows user. Once Microsoft did that, the only reasonable thing for sites to do was ignore it.

Had Microsoft NOT violated the standard by setting it as the default, there would at least be a chance the the advertisers would have respected it for the small percentage of users who actively made that decision.

Donut Track

[mentil]

Ironically, the 'do not track' bit can be used as a piece of data to help track people.
All along, the hope was that governments would mandate respecting the 'do not track' flag. AFAIK no such thing has happened anywhere. If there are no big business interests behind it (a la Net Neutrality) it's very unlikely politicians will pay attention to it. OTOH, Congress is currently looking into privacy issues regarding Google and Facebook, so now would be the time to push the US govt. to mandate respecting the DNT flag.

Re:Microsoft killed any hope by violating the stan

[Todd+Knarr]

I don't recall Microsoft's implementation violating any of the published specifications. It didn't conform to what the advertisers wanted (opt-out implementation with the default being "allow to be tracked"), but it doesn't violate the spec. To quote from the spec (Tracking Preference Expression W3C Editor's Draft 07 March 2016):

A user agent MUST have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the user's decision to use that agent. For example, use of a general-purpose browser would not imply a tracking preference when invoked normally as SuperFred, but might imply a preference if invoked as SuperDoNotTrack or UltraPrivacyFred.

Microsoft's browser is advertised as having this preference set by default, so the decision to use it by a user, knowing what the default was, would imply they wished to have DNT set by default. That this would result in less tracking than advertisers wish... doesn't seem to me to be within the scope of the standard. Every time users (as opposed to advertisers) have been surveyed, the results seem to heavily support an opt-in model where tracking is not permitted unless a user opts in to tracking (similar to the results for email where users heavily favor a model that does not permit email contact unless the user opts in to email contact).

It *does* serve a purpose!

[BenBoy]

[only] 9% of visitors have it turned on

So then, it does something ... it sharpens up browser fingerprinting by making one more unusual ... It would be strange if that information weren't being used to track visitors.

Re:Microsoft killed any hope by violating the stan

[ChatHuant]

You say Microsoft broke DNT because they actually used the header, so poor tracking networks had no choice but ignore it. You don't seem to realize that your complaint is a real life example of a catch 22: ad slingers promise they'll respect the DNT header only as long as users promise not to use it.

The reality behind this absurd design is more interesting: the alleged "standard" had never been anything more than a publicity stunt orchestrated by Google and their (at that time) lapdog Mozilla. The reason why they did that was to block a competing DNT mechanism, proposed by Microsoft as a W3C standard. Microsoft's design stopped your browser from connecting to a tracker site completely. It didn't rely on the tracker's good will and honesty; it was a pro-consumer, not pro-ad industry solution.

Google realized the danger, and proposed a different mechanism (the current "standard"). Via their membership in the Digital Advertising Alliance and other ad industry groups (participants in the W3C's standardization commitee), they forced it through, with great fanfare, thus blocking the consumer-friendly alternative.

The ridiculousness of the design was obvious at the time. Just a few things: it's impossible to enforce your settings against a non-cooperating site. It's impossible to even confirm whether your request is being honored. There's no mechanism for a site to notify you in advance that it won't respect the DNT header. Add the fact that it's opt-out (leaving the less-technical majority of users unprotected by default), and it's pretty clear who the "standard" was for - hint: it was not for consumers.

If you want to blame somebody, you should pick Google and Mozilla. All Microsoft did is call the ad industry's bluff and expose Google's DNT for the lie it always was.

Re:Sexist BS.

[Waffle+Iron]

I'm sure that it was placed there purposefully to trigger uptight twits such as yourself.

Accept all cookies instead

[Meeuw]

I often use an incognito window or a privacy browser (like firefox focus), which gives me a cookie wall everytime I visit a website. I wish it would be possible to tell their cookies aren't saved any longer than needed and I can't be tracked that way (and they don't have to show me their cookie wall).

Re:Accept all cookies instead

[Niggle]

If you're using Firefox, take a look at extensions such as "Cookie Auto Delete" and "Self-destructing cookies". They can be configured to delete the cookies the instant you close the tab.

Re:Microsoft killed any hope by violating the stan

Yep, I agree. This is one example of a time where Microsoft did exactly the right thing - privacy by default, and was one of the most shameful aspects of Mozilla's downfall, refusing to support privacy by default. For me, this was a major factor in dropping Firefox, as soon as it became abundantly clear that they favoured large ad networks over the user using logically invalid and morally bankrupt arguments to justify their stance it was ultimately the icing on the cake that pushed me over the edge having already lost patience with the technical ineptitutde of Firefox's staff through their repeated failure to secure their browser, fix memory leaks, and maintain decent performance on top of the general UI design failings as it went down hill.

The one thing that hasn't happened with DNT yet that really needs to happen is a big court case - I'd wager if you've set your browser to tell a site to not track you, but it does so anyway through wilful refusal to acknowledge your request then there's a fairly easily winnable case here, at least in the EU, certainly under GDPR this would now be seen as wilful infringement.

This for what it's worth is how I always saw DNT ultimately working; not as some solution that would ever work technically for the reasons you cite, but as something that could in theory provide perfect legal ammunition, regardless of Google's arrogance in believing they'd pulled a fast one.

I would wager any push to now remove this functionality is an attempt to try and avoid the inevitable legal consequences of willfully ignoring a user request not be tracked which is a legal right under GDPR, and likely many other data protection legislation across the globe. It's for this reason that this feature MUST stay because ad networks can not pretend they somehow have user agreement to track people, by keeping this in, and continuing to ignore it ad networks are admitting that they're tracking users against their will, which again, in some jurisdictions is almost certainly now illegal. If the feature is removed then ad networks can once again play ignorant and pretend they didn't know a user did not want to be tracked.

What a strange idea.

[jd]

It's odd that it doesn't happen in other languages. It's even odder that nobody actually proposes it for English. It's fascinating that gender-neutral defined the poetry and fluidity of English for its first thousand years, with the whining by the right being limited to the last ten.

It's almost as if people want to create an insult to a subject they don't understand. They try their best, but fail miserably.

It's complaints like this that make me despair of humanity. Honestly, Slashdot used to have intelligent geeks. Maybe it still does, relative to the population. Jumping off a bridge has more appeal than this crap.

Re:Microsoft killed any hope by violating the stan

[ShanghaiBill]

I don't recall Microsoft's implementation violating any of the published specifications.

It didn't violate the standard, but it certainly violated the spirit. Microsoft's action was designed to sabotage DNT. It was a successful attempt at "Embrace, Extend, Extinguish", the same strategy they employed to kill so many other standards.

DNT was intended to indicate an affirmative desire to not be tracked. It was never intended to merely indicate laziness and apathy.

Microsoft knew they were destroying DNT. This was clear, intentional evilness.

Re:Microsoft killed any hope by violating the stan

[AmiMoJo]

they forced it through

According to this link Google was one of the ones who objected to it, not one of the ones who forced it through. The people who voted for it included other browser developers like Mozilla and Microsoft.

The EFF backs Do Not Track. It's imperfect but it's a wedge we can use to push for legally required compliance. The user has made a clear statement that they do not wish to be tracked.

It's tempting to think that having privacy enhancing add-ons is the answer, simply blocking ad servers and tracking cookies. But those things are far from the only methods used to track you, and if you want to interact with all but the most trivial web sites you can't block it all. So the only real solution is to legally mandate that companies don't collect that data, i.e. DNT with legal enforcement. Or do like the EU did and require an explicit opt-in to tracking.

Re:Sexist BS.

[mentil]

I agree. E.g. 'It puts the lotion on its skin, or it gets the hose again.'

Inherently pointless

[larwe]

A signal sent from the client that relies on the server side to honor some sort of contract is pointless. Even if there had been industry consensus on "what to do" with DNT, the situation would be more complex than that even in a world full of good actors. For example, GDPR would set limits on how to respond to DNT that differ from the limits set by US legislation. So from the user perspective, the exact effect of DNT would be opaque, it would be basically "turn off as much tracking as is required by the country that hosts the site, or maybe the country the site thinks you're calling from, or maybe the country the site thinks governs your particular account, if you're signed in.

The inherent lack of clarity is bad enough, but it pales in comparison to the real problem, which is that are very few good actors on the other end of the wire, and an end user has no way to scrutinize them. By the time it is divulged that SiteX is illegally ignoring DNT and storing information outside whatever the local law permits, it's too late - the information is already sold to a thousand different data brokers and it is as undeletable as a nude selfie posted publicly to Facebook.

The only meaningful solution is to build the protections into the client side, so that the client is prevented from sending data that can be gathered by the server end. The server cannot, and can never be, trusted by the end-user. It's disappointing that the options we have in browsers (even with extensions) are still relatively coarse. For example, we need the ability to block all active scripting (including that embedded in a page, not just by blocking specific URLs to malware Javascript sources) except for a small whitelist of items critical to the function of the site. We need a way of blocking particular APIs from being accessed by active web content (there is NO reason why a website needs to know my battery level on a mobile device. If there was a reason, it would be a very limited use case that I would only enable for that one particular site. Same principle applies to a lot of the data that's used to fingerprint browsers).

Re:porn...she...

[fisted]

Isn't all this what the singular 'they' is for?

What a waste of time to program a feature!!!

[sentiblue]

For a long time I thought DNT was a browser-level control. Meaning when you turn it on, the browser won't send tracked info to the site. When I realized DNT simply declares that you don't wanna be tracked and it's still up to the site owners to honor your wishes... I thought I was a damn big waste of effort to create a feature that in fact misled millions of people.

Expecting Facebook and Google to honor your wish not to be tracked? Are you out of your phucking mind? They make money by tracking. If they are forced by the government not to track, they may as well fire all their employees and shutdown their businesses.

We asked and they ignored our request

[Sloppy]

no one was ever going to honour it without being forced to which is why we need legislation.

So.. I suppose this is a good day to come clean and admit that I'm one of the people who thought (and said) DNT is basically a good idea. I still do think it's a good idea .. or rather, it was. And while I can see you probably disagree with me, you've also put your finger on how we might come together (but see below, because we still might not).

We had to ask, before we could justify making demands. DNT was a way of asking.

And yes, Microsoft undermined it so that if you ran MSIE, then your browser said you were asking, even though you hadn't actually asked. But really, how many people run MSIE? (Even 5 years ago.) How responsible is Microsoft for the strategy of asking, ultimately failing? Even as a DNT proponent, I can't really throw a lot of blame on them, and I think their conscious effort to kill DNT isn't really why it failed. It might have played a role, but the bigger reason that asking failed, is that we were asking one of the most wretched hives of scum and villainy in the entire history of human civilization: the modern ad industry.

Anyway, though, asking did fail. But I'm glad we tried. Check off that box. We can now say we asked nicely and our request was ignored. Escalating the conflict is no longer unreasonable, and we have something to point to the next time the adversary says "trust us."

On the other side of the coin, though, there are some basic principles that I hope we protect, and I know these things are at risk, and it's one of the reasons I had hoped that maybe, just maybe, DNT would have worked:

I don't think a government should be able to tell people what they're allowed to do internally on their own computers and their own storage. If you don't like that people remember all the information that you constantly go out of your way to give them, then stop sending it! It's the sender's responsibility, not the receiver's.

I hope that any legislative approach is somehow based on the initial acquisition or later exchange of the information, but does not restrict in any way that people are allowed to remember what you tell them, think about it, and act upon their thoughts. And my computer is my agent, so I want this freedom from thoughtcrime extended to my computer. Now, you can regulate me passing the information to other people! I think we all knew that, eventually, every person (yes, you, reader) is going to lose some speech rights in the conflict of the people vs the ad industry (though they're commercial speech rights, so this is hardly unprecedented). But I'd rather we stick to limiting our freedom of speech, before we even consider limiting freedom of thought. And yes, that's how high I really think the stakes are and I don't think I'm overdramatizing it. This has all the potential to lead to DMCA-level of evil. (Another law where I'm not interacting with anyone else, but somehow the government wants to limit what I can internally do on my own computer.)

If you willingly send the info to me, I get to have it. And whatever laws you pass to prevent this, will be selectively enforced because you can't tell what someone is internally doing until you already violate their privacy by crawling into their brain/computer. As if we need more selectively-enforced laws. *sigh*

Regulate the exchange of information between different entities. And possibly regulate (if you must) the policies that result in the info being sent in the first place. Cross-domain requests should be disabled by default; sorry CDN users. Sorry, guy who loads jquery from somewhere else. I'm shocked that this might have to become law, but for whatever fucking reasons, our browsers still do a thing that we all know is bad. That should have been addressed before we even tried DNT.