since DNT is opt-in for ad networks it is about as useful as robots.txt. the good guys will honor it, but the bad guys - who users are really concerned about, will ignore it.
a better solution is to integrate tools to allow users to block third-party scripts, to fix bugs and improve cache handling headers that can be used to track users, and to not let any third-party scripts store any information on the client.
If you don't allow third-party scripts to store any information on the client, you break everyone's Google Analytics scripts. Then everyone will have to give out subdomains to analytics companies, ad networks, etc and we'll be right back where we started.
The thing is that as usual, there's no good or bad guys. The ones doing the tracking - which is in this case embedded in the websites - are not criminals who run botnets and crack servers, they're big, amoral companies like Google, Facebook, Twitter and some specialized firms.
These can be pressured (by public opinion, for example) into complying with DNT even if it's not their 'first instinct' to do so.
It is only gaining traction from people who want the bit explicitly turned off. People are lining up to pay $100 and change to prevent coca-cola.xxx and nike.xxx from being registered. Not a single person I've talked to in adult is seriously considering a move to .xxx
When the IP standard was defined, was this bit purposely left undefined? Is this newer RFC really a joke, and nothing but a joke? How come the IETF allows just-kidding RFCs? I'm puzzled...
Also, RFCs are not terribly heavyweight technical documents. They're essentially memos, not ISO standards. Any (demonstrably competent) person can submit a RFC, and if it becomes popular, then the idea enters the standards track, and new, better RFCs are issued based on it.
I had the same reaction. It seems like DNT is more notable for reducing interest and effort in actual solutions. However, the EFF (whose opinion on this I'd trust) appears to indicate DNT is complimentary with things like AdBlock and IE's TPL's:
It would be more interesting to know the adoption of this among website developers. And some use cases where it is beneficial for them (as I don't see any). As it is, it is quite useless. If the feature doesn't do anything, the numbers are just a consequence of the buzz done around it, nothing more.
There either needs to be user demands or laws to push it I think. Given that the average user doesn't really care in most cases though I think they are a long way from succeeding with it. Good to see them at least offering up something though.
Most of us on Hacker News, from what I can tell, are generally against legislating the Internet. But, that's exactly what DNT requires to be effective, since it provides no technical barrier against tracking: either websites are legislated into being required to honor it, or it has essentially no value to users. As much as privacy is important, I'm actually glad that Chrome doesn't support DNT. Hopefully that will give reason for a better technical solution to be developed.
I don't see that this would require legislating the internet. Instead, amendments to things such as data-protection, privacy or human rights legislation should be able to cover it.
This doesn't strike me as a legitimate difference (even just semantically). It doesn't matter if it's amended to existing legislation or passed as new law; both are the same from the perspective of "legislating the Internet."
If a realm of human activity exists in which unregulated behavior trends toward maximum social benefit, reasonable minds will contemplate whether or not appropriate regulation (and enforcement of same) might be beneficial.
Say: putting teeth into DNT, allowing for civil penalties (a border condition in which law and private enforcement both come into play), and civil penalties for egregious flouting of the law.
Working as a developer in an ad network I'm very interested in implementing this. However, said ad network doesn't currently provide an opt-out mechanism and Mozilla isn't doing a good job of providing me with arguments to take to management and convince them that a DNT opt-out is something they want. What do you think?
Why should people turn it on - when most people just don't care?
That's the same problem we have in the EU right now. The correct way to deal with cookies would be for people to enable or disable them in their browser, according to their personal preferences. Instead, the EU forces their cookie legislation on everybody, because most people are too lazy to fix their preferences.
Most people have no idea what a "cookie" is, nor how or why they should manage them. Calling people lazy for not managing them is the epitome of engineering arrogance. Browsers need better, more clear, interfaces for managing cookies and websites need to provide easily parses info on what each cookie is for before people will even be able to manage them.
If you're using a car it's taken for granted that you learn how this thing works. If you're using it without learning how it works, it's your own fault, if you have an accident.
Why should this be any different with computers? The risk that you pose to others is pretty low, so there shouldn't be any requirement to have a "license". But I wouldn't call it arrogance, if I'll assume that someone using the network has a minimum knowledge about how things work.
> If you're using a car it's taken for granted that you learn how this thing works.
Only to a point. I own a car and am perfectly competent to use it, but I have only the vaguest of understanding as to what things like spark plugs and catalytic converters do. I know what a manifold is in mathematics, and I suppose it's a bit similar in a car engine. I deem myself knowledgeable to open the bonnet and add windshield wiper fluid when that's low, but anything more complicated I'll take to a mechanic.
> If you're using it without learning how it works, it's your own fault, if you have an accident.
It's my fault if I drive without, say, learning how to operate the brake pedal, or learning how to turn on the turn signal. But if the accident is due to something wrong with the internals that I know very little about? I don't think any reasonable person believes that getting licensed to drive should require one to have the knowledge of an automobile mechanic.
This isn't the equivalent of spark plugs. It's the equivalent knowing how the windows work. If you drive around with the windows down while yelling at the person in the passenger, seat, don't be surprised if other people can hear you. And you can't use as a defense that you didn't know that you needed to have the windows up.
This is partially what the P3P standard was defined to help with, and the only browser that every seemed to do anything mildly meaningful with it was Internet Explorer. All IE did was refuse to set/keep cookies if either a P3P header wasn't provided or it didn't match the "user's preferences" (which the user never looked at or understood), so it just ended up causing headaches for web developers who at first tried to figure out which parts of the site's privacy policy matched the codes in the header value. When they found out that didn't work, they just copied the value of Google's P3P header. So many sites' privacy and data collection policies didn't match what they were asserting in the P3P headers, because otherwise, the site didn't work.
I disagree. I have no problem with a cookie that sets a completely anonymous option, or which tells the server that I'm on a certain state, or that I've been here already so don't show me X, show my Y instead.
I only dislike tracking cookies.
Browsers have no way of deciding which cookies are tracking and which aren't, and disabling them all causes all kinds of problems, including with sessions. Legislation, on the other hand, is less 'blind' and lets websites using cookies for functionality the user required and/or is informed of (like sessions, preferences and such) without letting websites perform unauthorized tracking.
DNT is like putting a note atop your plain text file asking unintended recipients to ignore the contents. What browsers need is something akin to encryption, where you're not asking for compliance, you're denying access.
How can you tell it works? How do you know the bot owners aren't returning to crawl those parts with User-Agent strings that impersonate ordinary users?
It is completely voluntary and unenforceable, but works very well.
Ha! It works very well: for Google, and Yahoo. They use informative user-agents, and respect robots.txt directives. They have to, they're large corporations, with shareholders.
This is all the traffic from this IP, with no lines skipped. You might notice that it doesn't request CSS, or any of the linked images, or favicon.ico. Nor does it populate the referral header fields, which of course it would be doing if it was actually Firefox, and there was actually a human clicking on these links. It doesn't even bother requesting a robots.txt, which I don't have anyway.[1] Do a whois check on the IP, and we get:
Codero's a dedicated server host. This is a spambot, looking for email addresses. Visit the IP in a browser, and you see a site selling fake Tiffany jewelry.
And yet, it seems to be some sort of meme in the enterprise world to have these sorts of things in every single email:
"Please note - This e-mail and any files transmitted with it may contain confidential or privileged information which is protected by legislation, copyright & the code of practice covering personal information. It is intended solely for the use of the individual or entity to whom it is addressed. If you have received this e-mail in error, please notify the originator. Any disclosure, copying, alteration, distribution, publication or the taking of action in reliance on the contents may be an offence."
as a random example. Bonus points for using it it in a footer, where almost by definition, you've read the email before seeing it.
I'm sure there's some legal justification for doing so, but it still strikes me as pretty stupid.
33 comments
[ 2.7 ms ] story [ 74.7 ms ] threada better solution is to integrate tools to allow users to block third-party scripts, to fix bugs and improve cache handling headers that can be used to track users, and to not let any third-party scripts store any information on the client.
These can be pressured (by public opinion, for example) into complying with DNT even if it's not their 'first instinct' to do so.
http://en.wikipedia.org/wiki/April_Fools%27_Day_RFC
Also, RFCs are not terribly heavyweight technical documents. They're essentially memos, not ISO standards. Any (demonstrably competent) person can submit a RFC, and if it becomes popular, then the idea enters the standards track, and new, better RFCs are issued based on it.
https://www.eff.org/deeplinks/2011/03/tracking-protection-li...
I'm against bad laws.
I'm for good laws.
If a realm of human activity exists in which unregulated behavior trends toward maximum social benefit, reasonable minds will contemplate whether or not appropriate regulation (and enforcement of same) might be beneficial.
Say: putting teeth into DNT, allowing for civil penalties (a border condition in which law and private enforcement both come into play), and civil penalties for egregious flouting of the law.
Tracking people using DNT? This is quite ironic.
That's the same problem we have in the EU right now. The correct way to deal with cookies would be for people to enable or disable them in their browser, according to their personal preferences. Instead, the EU forces their cookie legislation on everybody, because most people are too lazy to fix their preferences.
Why should this be any different with computers? The risk that you pose to others is pretty low, so there shouldn't be any requirement to have a "license". But I wouldn't call it arrogance, if I'll assume that someone using the network has a minimum knowledge about how things work.
Only to a point. I own a car and am perfectly competent to use it, but I have only the vaguest of understanding as to what things like spark plugs and catalytic converters do. I know what a manifold is in mathematics, and I suppose it's a bit similar in a car engine. I deem myself knowledgeable to open the bonnet and add windshield wiper fluid when that's low, but anything more complicated I'll take to a mechanic.
> If you're using it without learning how it works, it's your own fault, if you have an accident.
It's my fault if I drive without, say, learning how to operate the brake pedal, or learning how to turn on the turn signal. But if the accident is due to something wrong with the internals that I know very little about? I don't think any reasonable person believes that getting licensed to drive should require one to have the knowledge of an automobile mechanic.
Browsers have no way of deciding which cookies are tracking and which aren't, and disabling them all causes all kinds of problems, including with sessions. Legislation, on the other hand, is less 'blind' and lets websites using cookies for functionality the user required and/or is informed of (like sessions, preferences and such) without letting websites perform unauthorized tracking.
Well, robots.txt is a simple text file that politely asks robots to not spider parts of your website.
It is completely voluntary and unenforceable, but works very well.
Everybody else ignores it. Why would they listen?
Live example:
This is all the traffic from this IP, with no lines skipped. You might notice that it doesn't request CSS, or any of the linked images, or favicon.ico. Nor does it populate the referral header fields, which of course it would be doing if it was actually Firefox, and there was actually a human clicking on these links. It doesn't even bother requesting a robots.txt, which I don't have anyway.[1] Do a whois check on the IP, and we get: Codero's a dedicated server host. This is a spambot, looking for email addresses. Visit the IP in a browser, and you see a site selling fake Tiffany jewelry.1: http://www.archiveteam.org/index.php?title=Robots.txt
"Please note - This e-mail and any files transmitted with it may contain confidential or privileged information which is protected by legislation, copyright & the code of practice covering personal information. It is intended solely for the use of the individual or entity to whom it is addressed. If you have received this e-mail in error, please notify the originator. Any disclosure, copying, alteration, distribution, publication or the taking of action in reliance on the contents may be an offence."
as a random example. Bonus points for using it it in a footer, where almost by definition, you've read the email before seeing it.
I'm sure there's some legal justification for doing so, but it still strikes me as pretty stupid.