Ask HN: Do you respect DNT in your personal websites? How?
Yesterday, I have published some article (that is irrelevant to this discussion) up on my blog. In it, I've embedded a YouTube video. Now, it got me thinking. Even though I have configured my analytics service (Piwik) in such a way that it respects Do Not Track policy, embedding a YouTube video made me break my own, so far not heavily enforced, Do Not Track policy.
It got me thinking, and honestly, I have no clue how much time have I done it in the past by embedding third party content.
So, my question is: Do you respect DNT in your own personal blogs / websites / web app projects, and if so, how? Do you carefully inspect every source before embedding it, re-host everything and things like that, or are you using some sort of an automation tool that I am not familiar of that will force you to only embed content that respects DNT?
I should point out that I'm not aiming for a regular DNT is a good/bad idea discussion, but for the practical examples on how someone, as a website owner, could respect the DNT idea if he wants to.
59 comments
[ 0.21 ms ] story [ 119 ms ] threadIt excludes people from the discussion. HN is a broad church and we shouldn't assume too much domain knowledge beyond the obvious commonalities.
You can also assume DNT is pretty much ignored. For instance, if I set DNT and I visit a website adhering with those EU cookie regulations, while I'm still being shown that cookies are being used to track me and that by using the website I agree (never mind that 3rd party cookies are already being sent)? I already stated that I do not want to be tracked.
Oh, but maybe you would assume setting the DNT preference in the browser does something meaningful, such as disabling 3rd party cookies, disabling beacons, ServiceWorkers and cache lifetime?
Nope. There is no point in honoring DNT: you are either tracking or not tracking your users depending on which resources you're including on your website. If you don't want to track your users, do not include 3rd party resources. If you do include 3rd party resources, then it's it's up to the 3rd-party to honor DNT.
But my assumption, even though I take every reasonable countermeasure I can think of, is that G & co. still know a lot more about me than I would have liked. But that's something no amount of technology will solve.
I can't really see any other obvious way to deal with it, unfortunately.
https://developer.mozilla.org/en-US/docs/Web/API/Navigator/d...
I am not saying this is a bad way (it is much better than many others), just that users should be made aware of the cause.
http://coffeespace.org.uk/dnt.js
http://coffeespace.org.uk/projects/do-not-track.html
1. You don't respect DNT by default for a majority of users (since a user explicitly needs to disable JS).
2. You provide a relatively easy option for your viewers to disable tracking and make sure that everything works without third party tracking.
If I got it right, what you're doing is definitely not respecting DNT by default, but still doing more than most of the Web in order to reduce tracking (especially if you're donating screen estate in order to point that out).
Thus your users wouldn't have to fiddle with disabling javascript just for you(if they even know how to)
I checked the DNT box on piwik because I care about privacy and why not, right, but I don't think it's unethical to collect information about people who are requesting free content over the web.
As a society we need to decide whether it's good to centralize our reading and use it to target ads, but that's a different question than collecting a lot of information on my piwik (which, as far as I know, doesn't report anything back to G or FB).
https://www.adafruit.com/product/3410
If you click the play icon under the product shot, and you have DNT enabled, you'll get a modal:
"This embedded content is from a site (www.youtube.com) that does not comply with the Do Not Track (DNT) setting now enabled on your browser.
Clicking through to the embedded content will allow you to be tracked by www.youtube.com."
As much as I'm not a fan of modals, I can't think of anywhere else that's even pretended to care about this.
They allow you to specifically override your DNT policy and watch the video embedded, or open the YouTube video in a separate tab (which would make them respect the DNT policy on their own website).
EDIT: I've also just remembered that I've seen some website (EFF, IIRC) embedding youtube-nocookie.com URL (operated by Google itself, judging by the certificate), which is used to embed a YouTube video without storing actual third party cookies from Google (you're still making an external connection, of course, but you're limiting third parties from storing and accessing cookies). Wish I remembered that yesterday.
Somehow I feel that the burden of starting a website today is kind of crazy - analytics, comments (and the implied spam filtering), social media sharing integration, onsite feedback, social logins, T&C, privacy policies, cookie legalities, DNT, ... all apart from the content we actually want to put there, even if only as individuals.
Long story short, there's no way to enforce DNT from an end user perspective.
From a web developer perspective, even if you roll everything yourself, its difficult to actually track down everything that you could be accidentally sharing. For example are you using a CDN? Does your host track this data, and share it? Do you use a third part API somewhere in a library you decided to use? So on, and so forth.
June 2018 the new EU General Data Privacy Regulation comes into force.
And it requires that you allow users to do exactly that.
It should also be my responsibility to add an option to break DNT upon user's desire (for example, click-to-enable YouTube embed and click-to-enable sharing buttons), and, if we take things to extreme, I should even be able to have a small icon next to every single link that will tell the users if the website I linked to respects DNT or not.
The DNT thing is broken completely for the end users, there's no point in arguing about that. But, if I, as the website owner, want to respect it for my viewers, I need some strategy on how to do so, which is exactly what this question is about.
I firmly believe that:
1. Enabling DNT by default is a bad idea, but the option should be there.
2. If my visitor enables DNT on his own browser, and that decision was solely made by the visitor (as in, not enabled by default which IE tried to do some time ago), I should at least try respecting it as much as possible.
This Ask HN is specifically posted to see how can I accomplish #2.
A way you could (in theory) get around this is by having the user view some virtual web browser, so that Google still gets all that lovely advertiser time but your server is the one making all the requests to their service. One issue is if your site gets more than a few hits a minute, your server will probably either kill over or start providing a terrible user experience if it wasn't like that in the first place.
If you really want to respect DNT and don't want to affect user experience (too much), I would have some JavaScript reveal code for the embedded content - with a warning that the once they have clicked the button you can no longer respect their DNT request. A DNT request could translate from `/index.html` to `/index.html.dnt.html` for example, if you pre-process your pages to be statically served.
Since I am not setting any cookies, I have also removed the EU Cookie Policy script (which, ironically, uses a cookie...)
I can do this, because I am writing my own content management system.
I probably should add a "You are not being tracked by this website" 'thingie' ?
I wrote a blog post about it, though..
You should enable your privacy extensions [url to extension/page how to set up content blockers]
these privacy obsessed liberal types can cry all they want about something never had but I'm still making money and they are still wrong
also what have they ever done for me other than get in the way?
it's survival of the fittest
if i wasn't making money selling their information I'd probably be in the gutter like the homeless they ignore and neglect everyday (see san francisco)
- You have to persist comments right? 12 lines of JS?
- You generally want some sort of (cross-site) user management
- Spam
- Moderation
Seems a bit more complex than 12 lines of js.
[Edited to add 'cross-site']
If dnt is set, Google Analytics isn't served: https://github.com/HearthSim/HSReplay.net/blob/8c1f2eb8cfda6...
I completely agree that DNT is flawed but it doesn't cost me much to respect it and the people who set DNT most likely block Google Analytics in one of their extensions anyway. I would rather they see nothing has been blocked.
I also include a link to the EFF's Privacy Badger in our privacy policy, alongside mentioning our DNT policy: https://www.eff.org/privacybadger
We should have moved away from privacy-theater by now.