Ask HN: Do you respect DNT in your personal websites? How?

75 points by r3bl ↗ HN
Yesterday, I have published some article (that is irrelevant to this discussion) up on my blog. In it, I've embedded a YouTube video. Now, it got me thinking. Even though I have configured my analytics service (Piwik) in such a way that it respects Do Not Track policy, embedding a YouTube video made me break my own, so far not heavily enforced, Do Not Track policy.

It got me thinking, and honestly, I have no clue how much time have I done it in the past by embedding third party content.

So, my question is: Do you respect DNT in your own personal blogs / websites / web app projects, and if so, how? Do you carefully inspect every source before embedding it, re-host everything and things like that, or are you using some sort of an automation tool that I am not familiar of that will force you to only embed content that respects DNT?

I should point out that I'm not aiming for a regular DNT is a good/bad idea discussion, but for the practical examples on how someone, as a website owner, could respect the DNT idea if he wants to.

59 comments

[ 0.21 ms ] story [ 119 ms ] thread
I had to look this up - DNT stands for "Do Not Track". More here: https://en.wikipedia.org/wiki/Do_Not_Track_legislation
I have edited my post so that it includes "Do Not Track" instead of DNT in the first paragraph. Hope that will stop others from having to look it up.
That's very decent of you.
I knew what it meant but I still find it irritating when people are lazy about less than universally understood acronyms.

It excludes people from the discussion. HN is a broad church and we shouldn't assume too much domain knowledge beyond the obvious commonalities.

DNT is flawed. As an user, I have no way to verify that DNT is honored. As such, I assume nobody respects DNT and proceed accordingly by taking my own tracking countermeasures.

You can also assume DNT is pretty much ignored. For instance, if I set DNT and I visit a website adhering with those EU cookie regulations, while I'm still being shown that cookies are being used to track me and that by using the website I agree (never mind that 3rd party cookies are already being sent)? I already stated that I do not want to be tracked.

Oh, but maybe you would assume setting the DNT preference in the browser does something meaningful, such as disabling 3rd party cookies, disabling beacons, ServiceWorkers and cache lifetime?

Nope. There is no point in honoring DNT: you are either tracking or not tracking your users depending on which resources you're including on your website. If you don't want to track your users, do not include 3rd party resources. If you do include 3rd party resources, then it's it's up to the 3rd-party to honor DNT.

Don't the countermeasures actually increase the specificity of your fingerprint though?
Not really, if you block the domains of the trackers or prevent their scripts or remote content from running altogether there's no fingerprint for them to get. That does only apply to 3rd parties though, but they are often the main concern.
Also, if you are allowing / disallowing 3rd party scripts (and removing state in between) you do not have a permanent fingerprint anyway.

But my assumption, even though I take every reasonable countermeasure I can think of, is that G & co. still know a lot more about me than I would have liked. But that's something no amount of technology will solve.

This is a bit of a lame answer, but generally I put any potentially tracking content in javascript. I make sure my blog renders correctly without javascript. Finally, I put a warning saying that if the user does not wish to be tracked, then they should disable javascript for the site.

I can't really see any other obvious way to deal with it, unfortunately.

This is actually not a lame answer at all. It's a plausible approach for your users who are worried about privacy to still use your site.
(comment deleted)
(comment deleted)
You could also put `if (navigator.doNotTrack === "1") { return }` at the top of your script.

https://developer.mozilla.org/en-US/docs/Web/API/Navigator/d...

If you do that, you might want to add a message saying that you disabled all JS functionality on the site because of DNT, because it is not something users would expect to happen. If I set DNT and go to youtube.com, I would expect to see video anyway. The same for embedded videos on some blog.

I am not saying this is a bad way (it is much better than many others), just that users should be made aware of the cause.

So, please, correct me if I'm wrong, but from what I understood:

1. You don't respect DNT by default for a majority of users (since a user explicitly needs to disable JS).

2. You provide a relatively easy option for your viewers to disable tracking and make sure that everything works without third party tracking.

If I got it right, what you're doing is definitely not respecting DNT by default, but still doing more than most of the Web in order to reduce tracking (especially if you're donating screen estate in order to point that out).

Make a checkbox and persist it with a cookie, the only use of the cookie would be a binary on/off choice. At the beginning of your script you look at the checkbox's state. If it's off you return out of the sript early, otherwise you run your usual tracking code.

Thus your users wouldn't have to fiddle with disabling javascript just for you(if they even know how to)

But how do you even know which origins are trackers, as a site owner? I know that social networks like Facebook and Twitter are, but what about GitHub? I guess, one way to find out is by viewing your site in Firefox w/ Tracking Protection enabled, and checking if any requests were blocked.
I don't use GA, instead I have Piwik that's configured with to respect DNT.
me too but it's costly -- it suddenly means that the file size of my logs is a more reliable metric for visitor count than the piwik dash.

I checked the DNT box on piwik because I care about privacy and why not, right, but I don't think it's unethical to collect information about people who are requesting free content over the web.

As a society we need to decide whether it's good to centralize our reading and use it to target ads, but that's a different question than collecting a lot of information on my piwik (which, as far as I know, doesn't report anything back to G or FB).

My personal website is without js and cookies - no tracking. Stats from server log.
One option (which I'm using) is pretty simple: do not embed external content. When I need to refer to a youtube-hosted video, I simply put a link. It's not even because of DNT, but in an attempt to make lightweight and accessible websites.
Is a good middle ground some like Reddit Enhancement suite does where you have a link and clicking it will expand in line?
Medium.com does this. I think it is a good middle ground.
Medium is hardly a paragon of lightweight page design, though.
Obviously not my own site, but an example I found which I thought handled this well;

https://www.adafruit.com/product/3410

If you click the play icon under the product shot, and you have DNT enabled, you'll get a modal:

"This embedded content is from a site (www.youtube.com) that does not comply with the Do Not Track (DNT) setting now enabled on your browser.

Clicking through to the embedded content will allow you to be tracked by www.youtube.com."

As much as I'm not a fan of modals, I can't think of anywhere else that's even pretended to care about this.

I have noticed at least two more sites doing the same, as far as YouTube videos are concerned: Medium and DuckDuckGo.

They allow you to specifically override your DNT policy and watch the video embedded, or open the YouTube video in a separate tab (which would make them respect the DNT policy on their own website).

EDIT: I've also just remembered that I've seen some website (EFF, IIRC) embedding youtube-nocookie.com URL (operated by Google itself, judging by the certificate), which is used to embed a YouTube video without storing actual third party cookies from Google (you're still making an external connection, of course, but you're limiting third parties from storing and accessing cookies). Wish I remembered that yesterday.

This is a great question. I have to admit that the only effort I've taken thus far is to minimize reliance of external parties. For example, on my utility site, I don't use google/fb auth but have used Persona and recently rolled my own auth ... and I keep very minimal summary analytics only.

Somehow I feel that the burden of starting a website today is kind of crazy - analytics, comments (and the implied spam filtering), social media sharing integration, onsite feedback, social logins, T&C, privacy policies, cookie legalities, DNT, ... all apart from the content we actually want to put there, even if only as individuals.

I honor it on my websites as best I can, and am in the process of even rolling my own analytics to avoid using any third-party.

Long story short, there's no way to enforce DNT from an end user perspective.

From a web developer perspective, even if you roll everything yourself, its difficult to actually track down everything that you could be accidentally sharing. For example are you using a CDN? Does your host track this data, and share it? Do you use a third part API somewhere in a library you decided to use? So on, and so forth.

Well, better prepare then.

June 2018 the new EU General Data Privacy Regulation comes into force.

And it requires that you allow users to do exactly that.

Well, 80% of my users are US based, and I kind of doubt the EU can't do anything to me in the US.
The existing sandbox iframe attribute is inadequate. I would like a mechanism to ensures private mode for the content in an iframe, even if private mode is not otherwise enabled.
Just descriptive links + no js/other dependency for me.
No one, on either end, should waste any time encouraging such a useless thing. I hate that my browser even has the option. No one wants to be tracked weather they say it or not, and that should always be considered when building websites.
Uh, I explicitly want to be tracked and actively try to make sure my data is clean and plentiful. I've only ever seen positive outcomes to more tracking.
Then you should get a checkbox to indicate as such, not the other way around.
I don't think your question really makes sense. The request to load the embedded YouTube video will contain the same Do Not Track headers as the requests loading your own site. It is up to the site owner to respect them (in this case YouTube). It's not your responsibility to try to re-host content from other sources in order to comply with the DNT request.
If I really want to enforce a DNT policy on my website, it is absolutely my responsibility to find a way to not embed a YouTube video by default, since I do know that YouTube doesn't give a crap about a DNT policy. It is also in my responsibility to not include original social sharing buttons, since they break DNT.

It should also be my responsibility to add an option to break DNT upon user's desire (for example, click-to-enable YouTube embed and click-to-enable sharing buttons), and, if we take things to extreme, I should even be able to have a small icon next to every single link that will tell the users if the website I linked to respects DNT or not.

The DNT thing is broken completely for the end users, there's no point in arguing about that. But, if I, as the website owner, want to respect it for my viewers, I need some strategy on how to do so, which is exactly what this question is about.

I firmly believe that:

1. Enabling DNT by default is a bad idea, but the option should be there.

2. If my visitor enables DNT on his own browser, and that decision was solely made by the visitor (as in, not enabled by default which IE tried to do some time ago), I should at least try respecting it as much as possible.

This Ask HN is specifically posted to see how can I accomplish #2.

I agree that the IE decision was practically braindead and killed the utility of DNT. Because of it, we have no idea if the user actually specifically wants DNT (and this may degrade the user experience, so it should be opt-in), or their browser vendor simply decided for them.
I think you would have to go as far as re-hosting a lot of "high-end" content (such as YouTube), otherwise the JavaScript will surely be run as part of the media providing system. If you try running YouTube with no script, you won't get very far. I don't think re-hosting is technically legal though, which may be your first problem. You could try contacting the content creator to ask to duplicate their material, but more than likely this will be denied if they have ads on their video. To be completely honest, from looking at Facebook videos that have been re-uploaded from various sources, I think "fair use" is just a case of adding some text and emoji at the top and bottom of the video - so there's that.

A way you could (in theory) get around this is by having the user view some virtual web browser, so that Google still gets all that lovely advertiser time but your server is the one making all the requests to their service. One issue is if your site gets more than a few hits a minute, your server will probably either kill over or start providing a terrible user experience if it wasn't like that in the first place.

If you really want to respect DNT and don't want to affect user experience (too much), I would have some JavaScript reveal code for the embedded content - with a warning that the once they have clicked the button you can no longer respect their DNT request. A DNT request could translate from `/index.html` to `/index.html.dnt.html` for example, if you pre-process your pages to be statically served.

I have removed my Google Analytics tracking code from my sites, and have abandoned Disqus in favour of a self-hosted commenting solution.

Since I am not setting any cookies, I have also removed the EU Cookie Policy script (which, ironically, uses a cookie...)

I can do this, because I am writing my own content management system.

I probably should add a "You are not being tracked by this website" 'thingie' ?

I wrote a blog post about it, though..

Go a step further and add a disclaimer like

You should enable your privacy extensions [url to extension/page how to set up content blockers]

(comment deleted)
lol no we sell everything

these privacy obsessed liberal types can cry all they want about something never had but I'm still making money and they are still wrong

also what have they ever done for me other than get in the way?

it's survival of the fittest

if i wasn't making money selling their information I'd probably be in the gutter like the homeless they ignore and neglect everyday (see san francisco)

(comment deleted)
I don't track people in the first place on my websites, but third party content is a good point. I generally will self host all of my assets, but occasionally embed a YouTube video or something. I should probably put it behind a click-to-enable thing. I removed Disqus comments from my blog a while ago, too, because a platform for flamewars isn't worth tracking visitors over.
A non-tracking, embeddable comments widget would be a Good Thing. I wonder if anyone would pay $12 a year for that service, and whether that would be enough to support it.
Why? A 12 line open source JavaScript library would do the same thing and wouldn't have to hit up external services in the first place.
Oh off the top of my head:

- You have to persist comments right? 12 lines of JS?

- You generally want some sort of (cross-site) user management

- Spam

- Moderation

Seems a bit more complex than 12 lines of js.

[Edited to add 'cross-site']

12 lines of JS to display a button that dumps arbitrary HTML into the page when clicked (i.e. the third party widget). But I see now that you were talking about a non-tracking comment engine - my bad. I personally wouldn't pay for such a thing. The current model I have post-Disqus is to have private comments emailed to me and public comments written in the form of blog posts that I'll link to at the bottom of the article.
Well, you can use something like Isso, perhaps: https://github.com/posativ/isso
That's pretty good. I guess the idea that you would want cross-site identity is, really, tracking. The only benefit to the user would be some universal name and photo that remains the same across all sites. But that's a really marginal benefit. This isso project gets 98% of usefulness.
I wrote a tiny middleware for Django which sets the DNT variable on the request/response: https://github.com/HearthSim/HSReplay.net/blob/master/hsrepl...

If dnt is set, Google Analytics isn't served: https://github.com/HearthSim/HSReplay.net/blob/8c1f2eb8cfda6...

I completely agree that DNT is flawed but it doesn't cost me much to respect it and the people who set DNT most likely block Google Analytics in one of their extensions anyway. I would rather they see nothing has been blocked.

I also include a link to the EFF's Privacy Badger in our privacy policy, alongside mentioning our DNT policy: https://www.eff.org/privacybadger

I don't track people (any longer) and I don't check their DNT preference. Shame is not an incentive for me - or any website code - to do so.

We should have moved away from privacy-theater by now.

I do not embed. I do not use external resources. And I fight an often rearguard battle with my customers to let me act likewise on their behalf. No third party fonts, js, css, or images. No Youtube, and most definitely no Google Analytics.
I don't think you would have to re-host everything. One could place a placeholder (image maybe) instead of the embedded content that says "Click to activate third party resource. Caution, it may not respect DNT". Than if they click, swap it out with the youtube video or whatever. Gives them the choice to choose what they want to do.