Truly respecting DNT would undermine Google's core business and the cash cow that is AdWords, by reducing the amount and / or quality of user activity data fed into the platform.
Such a change goes too much against the Alphabet Corporation's own self-interest and well-being for it to be voluntarily offered.
As with many things in Western Civilization, it traces back to capitalism and the unfortunate incentives it can encourage.
100% right. They don't respect do not track because they don't believe they have to, it's in their interests not to, and they don't behave according to an ethical framework that would lead them to do things that contradict their direct short-term interests.
If the user desires to be tracked, they dont set the flag. You can't reframe a 'no' into 'but they clearly were asking for it'. Thats pretty messed up.
I think it was well-understood from the start that "please don't track me" requests had no teeth, and would be generally ridiculed and ignored by the vast majority of sites with an incentive to do so.
I’m not so sure about that. When Microsoft decided to turn DNT on by default for IE11 (edit: IE10), which was basically just pointing out that the emperor had no clothes, there was a lot of real anger at that decision: both Hacker News and places like the Apache project railed against it.
This is because on by default is against the standard. The only real standard around DNT is the Tracking Preference Expression[1] which says how to declare you comply with DNT without saying what compliance means. It isn't exactly a preference to not be tracked if the decision was made by your browser for you. Roy Fielding committed a change to Apache to ignore DNT on IE[2] as a result.
1) Why should "off by default" be the standard and "on by default" a standard violation? Any sane person, especially after consulting with users, would conclude that it should be the other way around. There's no a priori reason to say that "no explicitly-expressed desire not to be tracked" is less valid than "no explicitly-expressed dire to be tracked", since we all know most people just stick with default settings.
The reason is that no one ever intended to actually honor DNT unless it was only used by a tiny fraction of people (and probably not even then), so that's the way the standard was written. Complaining that IE "violated the standard" was a useful way to try and distract from this fact.
2) IE10 violated standards left and right, and most of the time web servers and developers just grumbled and dealt with it. In no other case did anyone commit code to Apache to ignore headers sent by IE. Why different for DNT? Because unlike most settings, DNT actually cost them money. So once again "it violates the spec!" was a figleaf for the real problem.
I agree with your sentiment that on by default should be the standard. However, it isn't. The standard is specific and it says it should be off by default.
The standard was designed to be completely toothless and the advertising industry still tried to water it down. There's no enforcement mechanism and nothing that says what it means to comply.
The off-by-default behavior was the result of a compromise made between the advertising industry and privacy groups. Since DNT was voluntary, adtech firms were not going to voluntarily destroy a huge chunk of their businesses. The only way to get buy-in was to ensure that it reflected an individual user desire for those who cared enough about privacy to enable it. The subtext was that this had to remain a fairly small set of users.
> The subtext was that this had to remain a fairly small set of users.
You're completely right, and I think this gets to the root of what DNT proves -- that it was self-regulation under the assumption that it would not hurt advertisers or force them to change their processes for most people.
One can imagine an (admittedly unrealistic) alternate universe where DNT was off by default, but some kind of significant event caused a huge percentage of users to voluntarily turn it on. In that world, advertisers would probably still stop honoring the header. Because what they were implicitly agreeing to was, "we will stop tracking a tiny minority of users who might otherwise just block us anyway."
And to be fair, you can't really blame the advertising industry for not being on board with self-regulation that would force it to radically change its approach to business. I think that's why DNT still matters for illustrative purposes. It shows why consumer adblocking and anti-tracking tools need to exist outside of the control of the advertising industry. It can't be a partnership, because it's unrealistic and, frankly, unreasonable for users to ask advertisers to voluntarily kill their own businesses.
No tool that has an actual real impact on privacy to anyone other than a tiny percentage of already irrelevant users is ever going to come out of the advertising industry being "responsible". Any kind of voluntary standard that advertisers are respecting (using easily blocked cookies, creating well-labeled ads, etc...) only exists because most consumers aren't using it to protect their privacy or because advertisers don't have the legal power to get rid of it.
"And to be fair, you can't really blame the advertising industry for not being on board with self-regulation that would force it to radically change its approach to business"
This is why my country was one of the last in Europe to abolish slavery. The government had to find money to compensate the industry. A sound argument on paper but considered an embarrassment now.
To be clear, I don't think it's important to find an arrangement that benefits advertisers. I'm not trying to evolve online advertising like Brave is; I don't care about finding a solution where everybody wins. I use an adblocker everywhere, even on sites that don't track me, because I actively want to see the ad industry crash, burn, and then mostly die. I want them to be unprofitable.
I just don't think it's fair to ask advertisers to voluntarily help me with that.
Microsoft killed DNT by enabling it by default in IE. I was working for one of the largest web analytics companies at the time, and we were fully prepared to support it (the code had been written!). But after Microsoft's move it was immediately dead across the industry.
Basically, Microsoft sacrificed consumer privacy as part of its petty feud with Google (and after their own attempts in ad tech went up in flames—taking a $6B write-down on their acquisition of AQuantive).
At the risk of being a little combative, I'm going to call this an excuse.
Why didn't your company disable it for just IE? It wasn't hard at the time to detect which browser people were using based on headers.
You could have checked to see which browsers turned it on by default and ignored them specifically. If IE went the route of trying to make IE's headers imitate Firefox's or something, fine, then disable it for IE and Firefox, but keep it on for Chrome.
But the idea that one browser misbehaving meant that suddenly no browsers could be trusted sounds to me like an excuse. Across the industry we build browser-specific behaviors for all kinds of things. What's so special about user tracking that nobody in the industry could do that?
It's a nice excuse. Every adtech firm can now say: "But we've been prepared to honor that! Look at us, we tried to play nice, we even wrote the code for it! But then that naughty Microsoft came and ruined it all!".
Like if adtech companies weren't literally the best players at figuring out which browser a visitor uses.
No offense but your company makes money from tracking people. It is safe to assume that you oppose anything that is threatening to your revenue. You will fight privacy on the internet at every step.
I think it's well-understood from the start that website terms of service hidden away in a tiny, low contrast font link in the footer have no teeth, and would be generally ridiculed and ignored by the vast majority of users.
DNT was added to stop a congressional investigation (and so potentially actual regulation). It did enough at the time to prevent anything happening until it blew over.
No browser ever expected it to do anything other than provide additional tracking metadata.
Or, as PR people phrase it, to adjust the optics of tracking.
That said, I think the DNT flag being formalized is important to web development.
Previously, one of the core arguments of advertisers was "people do not care about being tracked". Individuals choosing to turn on DNT demolishes that.
Unfortunately, browsers turning it on by default muddles that indicator or intent, even if it's good for individuals.
It only muddles things if you think people want to be tracked by default. Otherwise it just implements the default everyone already know and advertisers bullshit about.
The argument of advertisers is not that people want to be tracked by default. It is that they don't care. DNT had a chance to proof otherwise. But "enabled by default" means that the browsers care, not (necessarily) the users.
And Duck Duck Go's just-released study (https://spreadprivacy.com/google-filter-bubble-study/) shows that Google tracks you, not just DNT or not, but whether you are logged in or not, incognito or not, probably no matter what you do.
When Google recently silently made Chrome log you in whether you logged yourself in or not, I switched to a different (previously unused, non-Chrome) browser on a new computer, and without logging in to anything Google (but from the same house), I went to YouTube. It asked me to log in, but I didn't. It proceeded to suggest mainly links to very niche-interest, low-view-count videos I had previously in the past few days, making it clear that it had at least a very good guess who I was anyway.
Apparently, asking me to log in was mostly just asking for my permission for what they were going to do whether I agreed or not.
Regardless of whether or not the DDG study is accurate, it should be taken with a grain of salt since DDG has a clear incentive to get more people onto their search instead of Google.
Of course, I agree, which is why I included my own experience as a third example, or the 333rd example, or whatever it is by now. At some point all the tests with different flaws, all the personal experiences that may have other explanations, all the Google statements, the discoveries by companies and governments with vested interests...are all finding the same thing. It adds up to Google tracking us in all sorts of ways, many of which we aren't aware of, in order to give themselves the power to do things on an enormous scale, many of which we aren't aware of.
If their study is accurate, why it needs to be suspect just because they want people to use their service? If I provided a good service and my competitor provided a bad one, and I said "this guy does bad stuff, use my stuff instead" and you knew it's true - would you still use bad service just because I'd profit from you using the good one? That makes no sense.
Who would you trust to run a report like this? The EFF? They have a dog in the hunt too. Congress? Since they believe the internet is made of tubes, I don't trust them either. I can't think of anyone with the skillz to do this type of report will not have a bias one way or the other.
I believe (I haven't read the study in detail) that their results show that different people get different results when not logged in. They didn't actually correlate this with anything like purchase history or individual user info. Others ha e hypothesized that the differences are due to location.
In other words, the study proves that different people get different results. It doesn't prove, as they claim in some press, that this is because Google tracks you while you aren't logged in. It's misleading on DDGs part to claim such of that's the case.
(I work at Google, but have nothing to do with ads).
As a broader point, just because you have a null hypithesis does not mean the study is biased. That's completely not how academia works.
Bias as the gp used it doesn't mean statistical bias which also isn't what you mean, but more like "even if these results are technically accurate, they may be misleading", a common example would be p-hacked results. This, contrary to what you say, often involves inventing a hypothesis after the fact, such that it is easily disproven with your data.
You make a good point that the fact that there are different results doesn't mean that they are personalized. It could simply be that Google is providing different search results so they can get better data on what people want to click. This would be a benign — indeed legitimate — explanation for the DDG study results.
However, there isn't evidence that this was what was happening, and Google hasn't exactly covered itself in glory on the privacy front so I tend not to give them the benefit of the doubt on this front. I'd love to see a response from them addressing some of the points from the DDG study.
I work for Google, but not on browsing or anything related and have no special knowledge of the space or how Google handles these things.
I don't believe that Google tracks you in incognito mode. My understanding that the DDG study showed that they continue to track you when not logged in, which is consistent with Google's public statements on the matter.
It could have had legal bearing, if Microsoft had not turned it on by default.
Before DNT, the way consent basically worked was that companies just assumed you consented, and only if you specifically denied consent, they would have no chance to defend that in court.
With DNT, if the user turned that on themselves, they would have clearly signalled that they want this the other way around. Do Not Track me, unless I specifically give you my consent. This would have made it hard for companies to defend their behaviour in court.
With Microsoft turning it on by default, there was no way for companies to know, if the user actually wanted privacy, or if they supposedly wanted to be tracked, for whatever reason.
With the GDPR in place, you theoretically now need to get consent every time (including implicit consent, e.g. when the user asks for something to be shipped to their address, that means you can process their address). Most companies don't yet keep to it, though.
Surely google can assume that browser settings represent the user'choice when it fits Google's interest, and they can assume that browser settings don't represent the user's choice when it fits their interest. But everyone knows that google won't tolerate a privacy measure that is used by a majority of users. Microsoft is not to blame for making privacy a default in their browser. It's google who is ignoring that setting.
You cannot just assume the user did not actually want the default setting in their browser.
>With the GDPR in place, you theoretically now need to get consent every time
This is false. There are multiple ways to justify processing of personal data, and your example would fall under data processing necessary to perform a contract at the customer's request. Depending on your location, there might also be legal requirements to record and keep user data, which is also a valid reason that doesn't require consent of the user.
> It could have had legal bearing, if Microsoft had not turned it on by default.
How would that happen?
> Before DNT, the way consent basically worked was that companies just assumed you consented, and only if you specifically denied consent, they would have no chance to defend that in court. (...) With Microsoft turning it on by default, there was no way for companies to know, if the user actually wanted privacy, or if they supposedly wanted to be tracked, for whatever reason.
Herein lies the problem. Companies assumed consent. Which is a nice assumption if you want to abuse users and sell their data - though how can users consent if they typically don't even know what's being done to them? In reality, what companies should assume is lack of consent, and I'm very, very happy that at least for some of us, GDPR is fixing that.
> With the GDPR in place, you theoretically now need to get consent every time (including implicit consent, e.g. when the user asks for something to be shipped to their address, that means you can process their address). Most companies don't yet keep to it, though.
No you don't; you only need it for using user's data for things other than fulfilling user's request. It's kind of like with Cookie law - you don't really need a cookie banner, unless you're tracking people.
(Or in other words, amount of UX problems GDPR/cookie law cause are directly proportional to how abusive a website is towards its visitors. It's a useful signal.)
If it had teeth, every spammer, scammer and bot would be using the system to make their actions harder to stop. Every site with an interest in tracking will happily use this argument as an excuse to broaden their right to keep the "not tracking" to whatever the legal minimum is.
Google exploited Safari to track users who had opted-out of being tracked so relying on them to respect a cookie may have been futile even if they supported it.
The current charges involve Google's use of special
computer code to trick Apple's Safari Web-browsing
software into letting it monitor users that had blocked
such tracking.
So did literally everybody else building a website that was embedded in an iframe. I was there in 2011, at a startup, copying the same StackOverflow answer as everyone else so we could store cookies in Safari.
This is such a non-issue. It was widely regarded as a bug in Safari.
So, is Google guilty in this case? Because i think in UK, a group of iPhone users are suing them. More of a coding practices mistake than a specific company one?
I much rather remember DNT as an opportunity for the industry to regulate itself before browsers vendors were forced into taking the matter into their hands.
They of course blew that opportunity and will have to pay the price. We're already seeing apple and mozilla becoming very aggressive to prevent tracking and ads.
Of course, you are totally right. The future is for those companies and app vendors that respect privacy AND take good care of the personal information they have been giving, keeping them accurate and secure, not selling them around for the highest bidder.
TBH I wish Mozilla were taking a more agressive stance against ads and tracking.
It's nice that they've recently taken a stand, but they're still not taking it very seriously (only blocking "abusive" trackers, IIRC) and it's 5-10 years later than they should have done it.
Why aren't they sponsoring uBlock Origin or Privacy Badger?
It was certainly obvious to me, if I recall correctly.
The idea of asking sites not to track is just so pathetic. If you don't want to be tracked, you do whatever it takes to not be tracked. For example, I'm fine with everything about Mirimir being tracked, correlated, etc. But Mirimir is thoroughly compartmentalized from my meatspace stuff, and from other personas. And it's not really that hard. For most people, it would just mean running multiple VMs that connect via different VPNs.
I'll be sure to tell my 69 year old father to "keep his meatspace stuff compartmentalized" and just go ahead and subscribe to several "different VPNs" so that he'll be able to fire up "multiple VM's" when he doesn't want to be tracked. Easy right? Piece of cake.
I wonder if I can append to every web request a header that has my personal terms of service and if companies don't want to comply to MY terms, they can simply refuse service.
Broadcasting your terms isn't the same as the listener agreeing to it. You aren't guaranteed copyright just because you say so - i.e. you don't have a copyright on films made of you in public.
Maybe this was intended as a joke, but if someone with legal experience can reply, I'd be interested to know how far this can actually fly.
After all, companies frequently have "drive-by" EULAs that you "agree" to by simply not leaving the site, so if that's legally binding, why is the reverse not true?
If I understand correctly, the last provided contract is what holds for service transactions. So, unless tracking pixels also serve a tos back, my terms of service provided in the header determine the legal status of the transaction.
Websites, on the other hand, because the html includes the TOS, and the final contract.
I certainly hope it was a joke. I don't personally want to see a Web where every HTTP request has to be manually reviewed by a human, let alone a whole legal department, before a response can be issued.
I also don't personally want to read a terms of service, let alone hire a lawyer to tell me it's consequences for every HTTP request, before it gets shoved down my throat one-sidedly in the form "if you're using this site you agree everything our legal department wrote which gives us the right to trample your rights however we like using all the legal loopholes out there, and sometimes even beyond, and hey we'll also be forcing US laws on you even if you're in a totally independent country while ignoring your hard-earned rights protected by your country's laws", but it's somehow the standard practice.
That kind attitude is a serious double standard going on for years, favoring corporations and companies over the rights of individuals. So forgive me when I find it very hard to sympathize with anything you said.
It's both stupid to attach an implicit TOS to an HTTP request and stupid to attach one to an HTTP response. I want to see us move away from implicit TOS. I don't want to see us go farther down that hole.
It's like claiming, "well, if my local factory can dump toxic waste in the river, why can't I?" You're right, it's a double standard that you're held to more accountability than your local factory. But the correct way to fix that double standard is to go after the factory, not to say, "well heck with it, everybody can dump now."
My ultimate goal is to keep the river clean, not to make things fair.
> well, if my local factory can dump toxic waste in the river, why can't I?
Yes, that can be one interpretation, but only with intended irony, not literally.
But suppose you're saying it literally; you wouldn't because you're living there. And also because regulations will never allow you to, because your local company has your politicians in their pockets and they effectively get a free pass in the form of bills thanks to ~~legitimized bribing~~ lobbying while you'll just be sent to prison. Which is a part of the irony I was trying to point out.
> My ultimate goal is to keep the river clean, not to make things fair.
It's very easy to say such things. Words are cheap. How exactly were you going to keep the river clean toward your ultimate goal, again? By offering your stashed billions on the moon as counter-lobby during next elections? Are you also going give us World Peace and unicorns while you're at it? Or assuming you also know how unrealistic you actually sound, would you just be content by opposing the dissent in favor of the status quo by pretending to take the moral high ground?
I assume that most people here are trying to make a point with the suggestion, not actually to trying to suggest an action that normal people should take. The fact that it's ridiculous to imagine tying a TOS to an HTTP request is illustrative of the fact that it's ridiculous to tie a TOS to the response.
> It's very easy to say such things. How exactly were you going to keep the river toward your ultimate goal, again?
Again, I get that you're probably just trying to talk about how broken our current legal system is and how difficult it is to change that. I agree, and I'm probably preaching to the choir when I say this.
But if you mean it meant literally, I would say that a good starting point is trying not to one-up the factories with our own pollution. It is very hard to stop factories from dumping toxic waste into the river. It is harder to stop both factories and every one of my neighbors from dumping toxic waste into the river.
That's all that I'm getting at. TOS reform is already a very hard problem, and we should avoid making it harder than it already is.
I can imagine that it might feel good for someone to say, "if corporations don't want to play fair, then we'll make it so literally every action on the web will require a lawyer," in the same way that it might feel good to say, "if corporations don't care about the environment, we'll see how they feel once we've just burned all the trees."
But that would really be cutting off our own noses to spite our collective face.
In the US, at least, so-called “browsewrap” agreements, those that are linked in a website footer and purpose to bind you simply for visiting a site, are legally unenforceable. However, “clickwrap” agreements, where you get a text box with the terms and have to click “agree”, are enforceable – despite the unlikelihood that even a single user read the terms before agreeing. I don’t like either type, but it’s important to distinguish them. You won’t be bound just for receiving an HTTP response, any more than you can bind someone else by sending an HTTP request; there has to be a human in the loop knowingly choosing to agree to something, even if they don’t know what it is they’re agreeing to.
That said, I don’t know much about how other countries’ legal systems treat such agreements, but from what I’ve heard, they tend to be equally or more restrictive of them, not less.
> those that are linked in a website footer and purpose to bind you simply for visiting a site, are legally unenforceable.
Before going to other countries: are you referring to a very recent local Florida state law (after Vitacost.com, Inc. v. James McCants, found with a quick search), or is there an even newer federal US law?
> That said, I don’t know much about how other countries’ legal systems treat such agreements, but from what I’ve heard, they tend to be equally or more restrictive of them, not less.
Given no such law existed even in Florida until last year, I'd be more cautious before extrapolating this internationally.
I'm a bit confused what you mean. There is no law, but quite a bit of precedent in various U.S. jurisdictions, including from the federal appeals courts of two different circuits, as listed on Wikipedia:
The Vitacost case you mentioned is not listed there but, looking at the decision, seems to be a straightforward application of two of the precedents (Nguyen v. Barnes & Noble and Hubbert v. Dell); it doesn't disagree with them.
I did forget one complication when writing my previous post, which is, at least according to the aforementioned Hubbert v. Dell, there are some circumstances where a browse-wrap agreement may be enforceable:
> In 2005, the Illinois Appellate Court ruled in favor of a browse-wrap agreement in Hubbert v. Dell Corp. In this case consumers of Dell products were repeatedly shown the words "All sales are subject to Dell's Term[s] and Conditions of Sale", including a conspicuous hyperlink, over a series of pages. The court found that this repeated exposure and visual effect would put a reasonable person on notice of the "terms and conditions".
But that's fairly different from a typical browse-wrap agreement.
There's an interesting side effect to adblocking, which is that sometimes even the clickwrap agreements get blocked and the user never gets a chance to see them in the first place.
I wonder how many sites I've visited where blocking 3rd-party scripts broke their Javascript and prevented them from ever giving me a TOS popup. I have no way of knowing for certain, but given that I regularly find websites where the box does pop up but doesn't work properly, it's probably not zero.
IANAL, but if I was a site operator and I really needed absolutely every visitor to my website to be legally bound by a TOS, a Javascript-powered clickwrap agreement would not personally help me sleep any better at night.
Yes, that's perfectly possible, of course. Companies hate such ideas because they can have legal standing under certain circumstances and in certain legislations, or at least have a potential to create some problems.
You could also print out EULAs and ToS, modify them as you think is reasonable, and send the modified version back by snail mail as a contract suggestion with a short note stating that you find the original version unacceptable for various reasons and have made these suggestions for alterations. If enough people would do that - a few thousand might suffice - many currently ridiculous and frivolous EULAs would probably be changed very soon.
Depends on how badly the company needs your individual business, and/or how much you want their services, since they're under no obligation to accept or even review your proposed amendments. I suspect very few companies would have an incentive to take them seriously.
We get fairly routine requests from state universities and similar institutions who want us to fill out various forms, agree to supplemental terms, or alter our EULA for their special cases. Labor and legal costs would mean we'd lose money on lots of those sales, so we just respond with a blanket "sorry, we can't do that, good luck to ya" type message. The customer is then free to go about their lives without our software, or (more often) find some way to agree to the EULA as-is after all.
This Week in Law, on the TWiT network, covered this some years ago. The lawyers on the panel agreed that it wouldn't hold at all. I believe (this memory is hazier) that their reasoning was that it's clear that the website is presenting a take-it-or-leave-it contract, and it's easy for you to leave it.
I too am offering a take-it-or-leave-it contract, prior to any other contract with the website, delivered to an endpoint that is specifically empowered to enter into contractual relationships with clients.
This looks very similar to P3P protocol. It required that that each website announces its privacy-related TOS in machine-readable format, and it is your browser which compares announced settings to your personal preferences, and refuses the service if they do not match.
> P3P will compare what personal information the user is willing to release, and what information the server wants to get – if the two do not match, P3P will inform the user and ask if he/she is willing to proceed to the site
As far as I remember, one of the main problems with DNT is that most its users actually didn't enable it intentionally (because there are browsers that enable it by default).
Yeah, because we all know that your average user default position is "sure, track me however you want". Just like their default is "sure, scam me however you want", because they didn't explicitly check a "Do Not Scam Me" checkbox.
> because there are browsers that enable it by default
Can't speak for others but I do not enable it because doing so could lead to me being tracked as the majority has it disabled. This is also the reason that the tor browser also has it disabled.
I am not aware of any popular browsers that enable it by default in this day and age.
> On April 3, 2015, Microsoft announced that as of Windows 10, it would comply with the specification and no longer enable Do Not Track as part of the operating system's "Express" default settings, but that the company will "provide customers with clear information on how to turn this feature on in the browser settings should they wish to do so".
So for the specific browsers that do follow the standard, like Edge, Chrome, and Firefox, why doesn't Google respect the flag for those browsers now? I know that Google has the ability to detect which browser I'm using, because they tell me to install Chrome every time I visit their homepage.
I'm seeing IE mentioned all over the place here, but it what it looks like is that one bad actor was just the excuse the advertising industry needed to mass-ignore the setting on every browser, everywhere, regardless of whether or not they violated the standard.
>why doesn't Google respect the flag for those browsers now?
They need your data to personalize ads and make money out of it. It's Google's business model. It doesn't matter which browser you are using.
You remember incorrectly. Right from the beginning, DNT was a useless “evil bit” that everyone was going to either ignore or obey only as long as it was used exclusively by a tiny fraction of sufficiently-technically savvy users. As soon as Microsoft announced it was turning DNT on for everyone, the game was up, and the people pushing it tried to distract attention from the fact that this kind of self-regulation never works by shooting the messenger, even though users’ clear preference is to have blocking protection on by default.
one of the main problems with {setting} is that most its users actually didn't {enable/disable} it intentionally (because there are {software implementations} that {enable/disable} it by default).
Except this message is largely ignored by everyone, Joker. I like the idea of not being tracked. Realistically without any legal weight behind it it was bound to be a no-op. It's comparable to fragile markings on packages to shippers.
So... I feel like this point doesn't get made enough. And I've always been confused about that.
Maybe I'm just reading the wrong articles, but the only place I can ever find someone pointing out that this only serves to increase user fingerprints is in communal discussions like HN, and rarely, and somewhere down the list. I can't ever seem to find it in articles.
Just try to enable Do Not Track in Chrome. See the scary long warning you need to accept. It makes you think you are going to get hacked or something if you accept it. You also need to click the "Confirm" button, which typically is reserved for serious stuff that has real effects.
> Enabling "Do Not Track" means that a request will be included with your browsing traffic. Any effect depends on whether a website responds to the request, and how the request is interpreted. For example, some websites may respond to this request by showing you ads that aren't based on other websites you've visited. Many websites will still collect and use your browsing data - for example to improve security, to provide content, services, ads and recommendations on their websites, and to generate reporting statistics.
No other privacy setting has such a scary warning.
So that if legislation is ever considered to curb their spying, they can say to congress "98% of users are OK with being tracked, according to their Do Not Track settings, so there's no reason to pass any laws!"
Just to add to this, in Matomo (Formerly Piwik. I always have to lookup their new name. It's one of the worst name changes I've ever witnessed. I'm sorry but I had to say it.) you have the ability to comply with DNT requests and even anonymize them in a specific way.
I wonder if the there could be a section in the GDPR that would forbid websites to track their users if they have such option turned on, and if it's legally feasible.
Are there any major websites that _do_ support DNT? I note for instance Hacker News does not:
> Our Site currently does not respond to “Do Not Track” (DNT) signals and operates as described in this Privacy Policy whether or not a DNT signal is received.
Sites that implement DNT should respond to either /.well-known/dnt-policy.txt or /.well-known/dnt/ or both.
Responding to /.well-known/dnt/ means a site has implemented the W3's Tracking Preference Expression (https://www.w3.org/TR/tracking-dnt/). This doesn't necessarily mean much as there's no agreed standard of what complying with DNT means. However, it typically implies that the site does something different for users with DNT enabled vs. disabled.
Responding to /.well-known/dnt-policy.txt is typically stricter and means a site adhere's to the EFF's guidelines (https://github.com/EFForg/dnt-guide) for DNT. This has rules for how long data is retained, which data can be retained, specifications around anonymizing data, and security precautions.
Disclaimer: I worked on Read the Docs' DNT implementation.
Props to Medium, because not only does it respect DNT, it pretty rigorously follows the advice about blocking third-party embeds if they don't respect it.[0]
Medium is not always on my good side, and I think the site has some problems, but at least somebody working there does really care about privacy, and I regularly notice and appreciate their work.
DuckDuckGo as well, but I would have a problem if they didn't respect DNT. Medium is the site where they really didn't have to care, but they did anyway.
Side Note: Isn’t it just dandy that Google security researchers are the ones finding all the PhD level zero days now a days? Like I’m sure they never use them before reporting them...
> Like I’m sure they never use them before reporting them...
That would be highly illegal. And while Google has been accused of various things over the years, like the Wi-Fi sniffing thing, actively exploiting someone else’s system would be on another level entirely. Of course, the same smarts that make complex exploits achievable can also make them harder to detect – but only to a point. It’s almost impossible to bring the risk to zero.
Its only because they pay researchers so damn much. Like more than you would believe... Other tech vendors cannot compete, and the best follows the money. Of course, some of us have ethics.
I think the main reason Google decided not to support DNT is that Microsoft turned it on by default in IE. Microsoft did this knowing full well that Google would be put between a rock and a hard place: either implement DNT and instantly start losing a ton of money or ignore DNT and look like the bad guy. Meanwhile Microsoft could sit on their high horse since it wouldn't cost them any money.
I suspect Google would have respected DNT if Microsoft had made it opt-in as it was intended.
Maybe depends on how they though it would play out in the media. Unfortunately the whole opt-in vs. opt-out is too complicated to be explained in most reporting. Google might have worried that not respecting Do Not Track for IE could be interpreted as an Anti-Mircrosft move that would run afoul of monopoly law.
Google didn’t respect user wishes before the flag.
DNT by default is the correct behavior because it is desired by most users. When you’re designing software and you have options for a white background or black background and 75% of your users prefer black then that should be the default, everything else remaining equal.
Tracking is definitely an “opt in” behavior, not “opt out.”
This is just Google being dishonest. Although pretty minimal since they track and always say this dumb stuff how people want “personalized ads.” They know it’s not true, but it’s sort of a white lie and we get awesome, usually, functionality.
Main reason why Google decided not to support DNT is because user data is valuable to them. They don't want to respect your privacy because invading user privacy is their business model. Microsoft tracks people too via analytics and you can read about it on their site so you can't say it wouldn't cost Microsoft any money. Only advertising companies would say that DNT opt-in is intended.
There’s a two part solution-
1) deprecate DNT, add Consent To Track (CTT). Allow users to set to Y. Default is blank or unset.
2) two year testing period to see how sites respect user intent. If sites continue to track when CTT != Y, then enact regulation
147 comments
[ 3.3 ms ] story [ 165 ms ] threadSuch a change goes too much against the Alphabet Corporation's own self-interest and well-being for it to be voluntarily offered.
As with many things in Western Civilization, it traces back to capitalism and the unfortunate incentives it can encourage.
[1] https://www.w3.org/TR/tracking-dnt/ [2] https://arstechnica.com/information-technology/2012/09/apach...
1) Why should "off by default" be the standard and "on by default" a standard violation? Any sane person, especially after consulting with users, would conclude that it should be the other way around. There's no a priori reason to say that "no explicitly-expressed desire not to be tracked" is less valid than "no explicitly-expressed dire to be tracked", since we all know most people just stick with default settings.
The reason is that no one ever intended to actually honor DNT unless it was only used by a tiny fraction of people (and probably not even then), so that's the way the standard was written. Complaining that IE "violated the standard" was a useful way to try and distract from this fact.
2) IE10 violated standards left and right, and most of the time web servers and developers just grumbled and dealt with it. In no other case did anyone commit code to Apache to ignore headers sent by IE. Why different for DNT? Because unlike most settings, DNT actually cost them money. So once again "it violates the spec!" was a figleaf for the real problem.
I agree with your sentiment that on by default should be the standard. However, it isn't. The standard is specific and it says it should be off by default.
The standard was designed to be completely toothless and the advertising industry still tried to water it down. There's no enforcement mechanism and nothing that says what it means to comply.
If you want something with teeth, try the EFF's pseudo-standard for DNT: https://github.com/EFForg/dnt-guide
You're completely right, and I think this gets to the root of what DNT proves -- that it was self-regulation under the assumption that it would not hurt advertisers or force them to change their processes for most people.
One can imagine an (admittedly unrealistic) alternate universe where DNT was off by default, but some kind of significant event caused a huge percentage of users to voluntarily turn it on. In that world, advertisers would probably still stop honoring the header. Because what they were implicitly agreeing to was, "we will stop tracking a tiny minority of users who might otherwise just block us anyway."
And to be fair, you can't really blame the advertising industry for not being on board with self-regulation that would force it to radically change its approach to business. I think that's why DNT still matters for illustrative purposes. It shows why consumer adblocking and anti-tracking tools need to exist outside of the control of the advertising industry. It can't be a partnership, because it's unrealistic and, frankly, unreasonable for users to ask advertisers to voluntarily kill their own businesses.
No tool that has an actual real impact on privacy to anyone other than a tiny percentage of already irrelevant users is ever going to come out of the advertising industry being "responsible". Any kind of voluntary standard that advertisers are respecting (using easily blocked cookies, creating well-labeled ads, etc...) only exists because most consumers aren't using it to protect their privacy or because advertisers don't have the legal power to get rid of it.
This is why my country was one of the last in Europe to abolish slavery. The government had to find money to compensate the industry. A sound argument on paper but considered an embarrassment now.
I just don't think it's fair to ask advertisers to voluntarily help me with that.
Basically, Microsoft sacrificed consumer privacy as part of its petty feud with Google (and after their own attempts in ad tech went up in flames—taking a $6B write-down on their acquisition of AQuantive).
Why didn't your company disable it for just IE? It wasn't hard at the time to detect which browser people were using based on headers.
You could have checked to see which browsers turned it on by default and ignored them specifically. If IE went the route of trying to make IE's headers imitate Firefox's or something, fine, then disable it for IE and Firefox, but keep it on for Chrome.
But the idea that one browser misbehaving meant that suddenly no browsers could be trusted sounds to me like an excuse. Across the industry we build browser-specific behaviors for all kinds of things. What's so special about user tracking that nobody in the industry could do that?
Like if adtech companies weren't literally the best players at figuring out which browser a visitor uses.
We have pretty strict laws about what can be in ToS and what cannot. For example, pretty much anything that's "surprising" is out.
This used to be the AGB-Gesetz (ToS-Law), but it was transformed into a more general framework but largely identical rules:
https://www.buzer.de/s1.htm?g=BGB&a=305-310
After all, the industry always claims it doesn't need regulation, because it can self-regulate.
So let's see if this is true. Shock, horror, surprise! It's not true! Mon dieu!
Next up: some regulation.
No browser ever expected it to do anything other than provide additional tracking metadata.
That said, I think the DNT flag being formalized is important to web development.
Previously, one of the core arguments of advertisers was "people do not care about being tracked". Individuals choosing to turn on DNT demolishes that.
Unfortunately, browsers turning it on by default muddles that indicator or intent, even if it's good for individuals.
When Google recently silently made Chrome log you in whether you logged yourself in or not, I switched to a different (previously unused, non-Chrome) browser on a new computer, and without logging in to anything Google (but from the same house), I went to YouTube. It asked me to log in, but I didn't. It proceeded to suggest mainly links to very niche-interest, low-view-count videos I had previously in the past few days, making it clear that it had at least a very good guess who I was anyway.
Apparently, asking me to log in was mostly just asking for my permission for what they were going to do whether I agreed or not.
Their methodology was pretty flawed and to top it all they also results "positive" to this kind of analysis.
This does not implies that google does not track incognito users either.
You're making the assertion. Do you have evidence to dispute the DDG study? The onus is on you.
In other words, the study proves that different people get different results. It doesn't prove, as they claim in some press, that this is because Google tracks you while you aren't logged in. It's misleading on DDGs part to claim such of that's the case.
(I work at Google, but have nothing to do with ads).
As a broader point, just because you have a null hypithesis does not mean the study is biased. That's completely not how academia works.
Bias as the gp used it doesn't mean statistical bias which also isn't what you mean, but more like "even if these results are technically accurate, they may be misleading", a common example would be p-hacked results. This, contrary to what you say, often involves inventing a hypothesis after the fact, such that it is easily disproven with your data.
However, there isn't evidence that this was what was happening, and Google hasn't exactly covered itself in glory on the privacy front so I tend not to give them the benefit of the doubt on this front. I'd love to see a response from them addressing some of the points from the DDG study.
I don't believe that Google tracks you in incognito mode. My understanding that the DDG study showed that they continue to track you when not logged in, which is consistent with Google's public statements on the matter.
Before DNT, the way consent basically worked was that companies just assumed you consented, and only if you specifically denied consent, they would have no chance to defend that in court.
With DNT, if the user turned that on themselves, they would have clearly signalled that they want this the other way around. Do Not Track me, unless I specifically give you my consent. This would have made it hard for companies to defend their behaviour in court.
With Microsoft turning it on by default, there was no way for companies to know, if the user actually wanted privacy, or if they supposedly wanted to be tracked, for whatever reason.
With the GDPR in place, you theoretically now need to get consent every time (including implicit consent, e.g. when the user asks for something to be shipped to their address, that means you can process their address). Most companies don't yet keep to it, though.
You cannot just assume the user did not actually want the default setting in their browser.
With most webpages shipping code from Google/Facebook, that was also already pretty bad for DNT.
This is false. There are multiple ways to justify processing of personal data, and your example would fall under data processing necessary to perform a contract at the customer's request. Depending on your location, there might also be legal requirements to record and keep user data, which is also a valid reason that doesn't require consent of the user.
https://gdpr-info.eu/art-6-gdpr/
I've checked the setting in MS Edge on 2 PCs and it was off on both.
How would that happen?
> Before DNT, the way consent basically worked was that companies just assumed you consented, and only if you specifically denied consent, they would have no chance to defend that in court. (...) With Microsoft turning it on by default, there was no way for companies to know, if the user actually wanted privacy, or if they supposedly wanted to be tracked, for whatever reason.
Herein lies the problem. Companies assumed consent. Which is a nice assumption if you want to abuse users and sell their data - though how can users consent if they typically don't even know what's being done to them? In reality, what companies should assume is lack of consent, and I'm very, very happy that at least for some of us, GDPR is fixing that.
> With the GDPR in place, you theoretically now need to get consent every time (including implicit consent, e.g. when the user asks for something to be shipped to their address, that means you can process their address). Most companies don't yet keep to it, though.
No you don't; you only need it for using user's data for things other than fulfilling user's request. It's kind of like with Cookie law - you don't really need a cookie banner, unless you're tracking people.
(Or in other words, amount of UX problems GDPR/cookie law cause are directly proportional to how abusive a website is towards its visitors. It's a useful signal.)
This is such a non-issue. It was widely regarded as a bug in Safari.
They of course blew that opportunity and will have to pay the price. We're already seeing apple and mozilla becoming very aggressive to prevent tracking and ads.
It's nice that they've recently taken a stand, but they're still not taking it very seriously (only blocking "abusive" trackers, IIRC) and it's 5-10 years later than they should have done it.
Why aren't they sponsoring uBlock Origin or Privacy Badger?
The idea of asking sites not to track is just so pathetic. If you don't want to be tracked, you do whatever it takes to not be tracked. For example, I'm fine with everything about Mirimir being tracked, correlated, etc. But Mirimir is thoroughly compartmentalized from my meatspace stuff, and from other personas. And it's not really that hard. For most people, it would just mean running multiple VMs that connect via different VPNs.
That includes asking and voting for regulations that help end this shitshow wholesale.
Give me a break.
Seriously, running VirtualBox VMs is easier than editing Word documents.
Seems reasonable, right?
This is the point OP seems to be making about online publishers.
After all, companies frequently have "drive-by" EULAs that you "agree" to by simply not leaving the site, so if that's legally binding, why is the reverse not true?
If I understand correctly, the last provided contract is what holds for service transactions. So, unless tracking pixels also serve a tos back, my terms of service provided in the header determine the legal status of the transaction.
Websites, on the other hand, because the html includes the TOS, and the final contract.
I also don't personally want to read a terms of service, let alone hire a lawyer to tell me it's consequences for every HTTP request, before it gets shoved down my throat one-sidedly in the form "if you're using this site you agree everything our legal department wrote which gives us the right to trample your rights however we like using all the legal loopholes out there, and sometimes even beyond, and hey we'll also be forcing US laws on you even if you're in a totally independent country while ignoring your hard-earned rights protected by your country's laws", but it's somehow the standard practice.
That kind attitude is a serious double standard going on for years, favoring corporations and companies over the rights of individuals. So forgive me when I find it very hard to sympathize with anything you said.
It's like claiming, "well, if my local factory can dump toxic waste in the river, why can't I?" You're right, it's a double standard that you're held to more accountability than your local factory. But the correct way to fix that double standard is to go after the factory, not to say, "well heck with it, everybody can dump now."
My ultimate goal is to keep the river clean, not to make things fair.
Yes, that can be one interpretation, but only with intended irony, not literally.
But suppose you're saying it literally; you wouldn't because you're living there. And also because regulations will never allow you to, because your local company has your politicians in their pockets and they effectively get a free pass in the form of bills thanks to ~~legitimized bribing~~ lobbying while you'll just be sent to prison. Which is a part of the irony I was trying to point out.
> My ultimate goal is to keep the river clean, not to make things fair.
It's very easy to say such things. Words are cheap. How exactly were you going to keep the river clean toward your ultimate goal, again? By offering your stashed billions on the moon as counter-lobby during next elections? Are you also going give us World Peace and unicorns while you're at it? Or assuming you also know how unrealistic you actually sound, would you just be content by opposing the dissent in favor of the status quo by pretending to take the moral high ground?
> It's very easy to say such things. How exactly were you going to keep the river toward your ultimate goal, again?
Again, I get that you're probably just trying to talk about how broken our current legal system is and how difficult it is to change that. I agree, and I'm probably preaching to the choir when I say this.
But if you mean it meant literally, I would say that a good starting point is trying not to one-up the factories with our own pollution. It is very hard to stop factories from dumping toxic waste into the river. It is harder to stop both factories and every one of my neighbors from dumping toxic waste into the river.
That's all that I'm getting at. TOS reform is already a very hard problem, and we should avoid making it harder than it already is.
I can imagine that it might feel good for someone to say, "if corporations don't want to play fair, then we'll make it so literally every action on the web will require a lawyer," in the same way that it might feel good to say, "if corporations don't care about the environment, we'll see how they feel once we've just burned all the trees."
But that would really be cutting off our own noses to spite our collective face.
That said, I don’t know much about how other countries’ legal systems treat such agreements, but from what I’ve heard, they tend to be equally or more restrictive of them, not less.
Before going to other countries: are you referring to a very recent local Florida state law (after Vitacost.com, Inc. v. James McCants, found with a quick search), or is there an even newer federal US law?
> That said, I don’t know much about how other countries’ legal systems treat such agreements, but from what I’ve heard, they tend to be equally or more restrictive of them, not less.
Given no such law existed even in Florida until last year, I'd be more cautious before extrapolating this internationally.
https://en.wikipedia.org/wiki/Browse_wrap
The Vitacost case you mentioned is not listed there but, looking at the decision, seems to be a straightforward application of two of the precedents (Nguyen v. Barnes & Noble and Hubbert v. Dell); it doesn't disagree with them.
I did forget one complication when writing my previous post, which is, at least according to the aforementioned Hubbert v. Dell, there are some circumstances where a browse-wrap agreement may be enforceable:
> In 2005, the Illinois Appellate Court ruled in favor of a browse-wrap agreement in Hubbert v. Dell Corp. In this case consumers of Dell products were repeatedly shown the words "All sales are subject to Dell's Term[s] and Conditions of Sale", including a conspicuous hyperlink, over a series of pages. The court found that this repeated exposure and visual effect would put a reasonable person on notice of the "terms and conditions".
But that's fairly different from a typical browse-wrap agreement.
I wonder how many sites I've visited where blocking 3rd-party scripts broke their Javascript and prevented them from ever giving me a TOS popup. I have no way of knowing for certain, but given that I regularly find websites where the box does pop up but doesn't work properly, it's probably not zero.
IANAL, but if I was a site operator and I really needed absolutely every visitor to my website to be legally bound by a TOS, a Javascript-powered clickwrap agreement would not personally help me sleep any better at night.
You could also print out EULAs and ToS, modify them as you think is reasonable, and send the modified version back by snail mail as a contract suggestion with a short note stating that you find the original version unacceptable for various reasons and have made these suggestions for alterations. If enough people would do that - a few thousand might suffice - many currently ridiculous and frivolous EULAs would probably be changed very soon.
We get fairly routine requests from state universities and similar institutions who want us to fill out various forms, agree to supplemental terms, or alter our EULA for their special cases. Labor and legal costs would mean we'd lose money on lots of those sales, so we just respond with a blanket "sorry, we can't do that, good luck to ya" type message. The customer is then free to go about their lives without our software, or (more often) find some way to agree to the EULA as-is after all.
It goes both ways.
Not to the legal system.
This Week in Law, on the TWiT network, covered this some years ago. The lawyers on the panel agreed that it wouldn't hold at all. I believe (this memory is hazier) that their reasoning was that it's clear that the website is presenting a take-it-or-leave-it contract, and it's easy for you to leave it.
By downvoting this comment you agree to send me 10% of your income for the next 10 years. ;-)
> P3P will compare what personal information the user is willing to release, and what information the server wants to get – if the two do not match, P3P will inform the user and ask if he/she is willing to proceed to the site
https://en.wikipedia.org/wiki/P3P
DNT is optional, you're "asking" to not be tracked.
Google makes money off of tracking you, so it's not going to just up and not do that because you asked nicely.
Edit: internet explorer used to do that (https://en.wikipedia.org/wiki/Do_Not_Track#Internet_Explorer...)
Can't speak for others but I do not enable it because doing so could lead to me being tracked as the majority has it disabled. This is also the reason that the tor browser also has it disabled.
I am not aware of any popular browsers that enable it by default in this day and age.
> On April 3, 2015, Microsoft announced that as of Windows 10, it would comply with the specification and no longer enable Do Not Track as part of the operating system's "Express" default settings, but that the company will "provide customers with clear information on how to turn this feature on in the browser settings should they wish to do so".
So for the specific browsers that do follow the standard, like Edge, Chrome, and Firefox, why doesn't Google respect the flag for those browsers now? I know that Google has the ability to detect which browser I'm using, because they tell me to install Chrome every time I visit their homepage.
I'm seeing IE mentioned all over the place here, but it what it looks like is that one bad actor was just the excuse the advertising industry needed to mass-ignore the setting on every browser, everywhere, regardless of whether or not they violated the standard.
Maybe I'm just reading the wrong articles, but the only place I can ever find someone pointing out that this only serves to increase user fingerprints is in communal discussions like HN, and rarely, and somewhere down the list. I can't ever seem to find it in articles.
Here's an article actively criticizing the DNT flag: https://gizmodo.com/do-not-track-the-privacy-tool-used-by-mi... and it doesn't mention the fact that DNT enhances your fingerprint.
But look: https://panopticlick.eff.org/ even the EFF's own fingerprinting analysis tool recognizes that the DNT enhances your fingerprint. And yet they themselves proposed another DNT standard! https://www.eff.org/dnt-policy
> Enabling "Do Not Track" means that a request will be included with your browsing traffic. Any effect depends on whether a website responds to the request, and how the request is interpreted. For example, some websites may respond to this request by showing you ads that aren't based on other websites you've visited. Many websites will still collect and use your browsing data - for example to improve security, to provide content, services, ads and recommendations on their websites, and to generate reporting statistics.
No other privacy setting has such a scary warning.
― Upton Sinclair
That is: fuck off. In plain English.
But is is for your benefit. Really.
> Our Site currently does not respond to “Do Not Track” (DNT) signals and operates as described in this Privacy Policy whether or not a DNT signal is received.
- EFF (https://www.eff.org/.well-known/dnt-policy.txt)
- Read the Docs (https://readthedocs.org/.well-known/dnt-policy.txt)
Sites that implement DNT should respond to either /.well-known/dnt-policy.txt or /.well-known/dnt/ or both.
Responding to /.well-known/dnt/ means a site has implemented the W3's Tracking Preference Expression (https://www.w3.org/TR/tracking-dnt/). This doesn't necessarily mean much as there's no agreed standard of what complying with DNT means. However, it typically implies that the site does something different for users with DNT enabled vs. disabled.
Responding to /.well-known/dnt-policy.txt is typically stricter and means a site adhere's to the EFF's guidelines (https://github.com/EFForg/dnt-guide) for DNT. This has rules for how long data is retained, which data can be retained, specifications around anonymizing data, and security precautions.
Disclaimer: I worked on Read the Docs' DNT implementation.
Medium is not always on my good side, and I think the site has some problems, but at least somebody working there does really care about privacy, and I regularly notice and appreciate their work.
DuckDuckGo as well, but I would have a problem if they didn't respect DNT. Medium is the site where they really didn't have to care, but they did anyway.
[0]: https://github.com/EFForg/dnt-guide#a-embedly
That would be highly illegal. And while Google has been accused of various things over the years, like the Wi-Fi sniffing thing, actively exploiting someone else’s system would be on another level entirely. Of course, the same smarts that make complex exploits achievable can also make them harder to detect – but only to a point. It’s almost impossible to bring the risk to zero.
That’s why we have regulation.
I suspect Google would have respected DNT if Microsoft had made it opt-in as it was intended.
Is it really? Let me try:
You're going down the street while eating some cookies, and suddenly you meet a friend.
Opt-in: A friend sees your cookies, and asks, "Can I have one?"
Opt-out: A friend starts taking and eating your cookies, and says, "Tell me if you want me to stop."
DNT by default is the correct behavior because it is desired by most users. When you’re designing software and you have options for a white background or black background and 75% of your users prefer black then that should be the default, everything else remaining equal.
Tracking is definitely an “opt in” behavior, not “opt out.”
This is just Google being dishonest. Although pretty minimal since they track and always say this dumb stuff how people want “personalized ads.” They know it’s not true, but it’s sort of a white lie and we get awesome, usually, functionality.