When (major advertiser/website detected): Prompt user, "Warning: (Advertiser/website) insists on tracking you, and have made public statements affirming this position. Your privacy is not enforceable on this website."
more like class action or regulatory step in. in theory market transactions are based on mutual consent. if consent isn't respected, then that's a problem.
I actually ended up expanding on this a bit in a different comment thread, if you're interested. :) [1]
It's a tough position to be in because the thing that really gets heads turning is regulation, licensing, and fines, but...when it comes to website design (assuming we're not talking about illicit material) I get queasy at the idea of (the/any) government saying, "You're not running your website the right way! Pay us money!" Perhaps the few exceptions being something like: PII storage, or payment processing.
I dread the idea of anyone saying you have to, say, use a specific font type or whatever, you know? I don't want to put that burden on website owners, or complicate my own life.
I'd rather inform the end user, point out the biggest offenders, and leave them be. "Detect, inform, and move on." Big scary message[2] then leave it to the user to decide what they want to do. "Oh, they're going to track me? Let me look up that VPN-thingy I keep hearing my nephew talk about."
I don't think there's much support for specifying a specific font. I do think there is support for making companies do things that don't exploit users.
- "...But, for right now on the internet of today, a big part of the answer is online advertising. We started engaging in this space because the way the industry works today is fundamentally broken. It doesn’t put people first, it’s not privacy-respecting, and it’s increasingly anti-competitive. There have to be better options. Mozilla can play a key role in creating these better options not just by advocating for them, but also by actually building them..."
- "...We’ve been collaborating with Meta on this, because any successful mechanism will need to be actually useful to advertisers, and designing something that Mozilla and Meta are simultaneously happy with is a good indicator we’ve hit the mark..."
Etc. (You have to read these things *carefully*, because, the way Mozilla corpos write press, they obfuscate words to the point you can barely make out the sense from the noise).
Mozilla changed their goals over the last 5 years pretty drastically in an effort to chase revenue. It's a failing strategy assuming you want go remain a privacy focused organization.
Well it never worked, nothing of value was lost. Although, a little concerning in the light of many Mozilla's recent recruitment decisions and especially AI shilling focus
As a web developer i don't think i have ever supported this feature, but only because i never remembered to. It's a pretty easy feature to add, but unless browsers can force it, you're better off with uBLock.
No one (corporate) supports it unless it comes enabled by default with whatever compliance service/ plugin used on their sites.
The best combo I've found so far is Waterfox + uBO. I'm sure there are others, but this works well if you don't want to use a chromium based browser.
In my unpopular opinion it was a silly cart before the horse idea to begin with. I do not believe I need to be a lawyer to suggest there would first need to be a set of laws with some serious consequences if a company does not respect the header and can not prove it has respected the header when a court, legal team or the individual request proof. And that is only useful if the company is in a country that must respect such laws. Each country would need their own corresponding laws. And of course the devious companies would move their headquarters to some island nation.
By consequences I mean a percentage of their revenue vs profit which can be waved away by accountants is seized, donated to people affected by shady companies and all the leaders of the company must be marched through cities by shame nuns whilst citizens are permitted to throw rotten food and excrement at them. Anything short of this would just be the cost of doing business.
I understand that many people here have a bad taste of Mozilla's recent actions in many aspects. But the reality here is that this is at worst removing something that almost nobody respected. It was based on honor system and even in Switzerland they do have random inspections for honor system. Browsers never had any enforcement of this feature. And ironically it was used as additional data point of tracking privacy aware people who went out of the way to enable it.
Medium supported it for ages. Tools like Matomo came with support for it by default.
Firefox has implemented the replacement, Global Privacy Control. It has the exact same problems and isn't respected either, except even fewer websites have implementations that respect GPC.
It's not a real solution to the normalised cyberstalking websites practice today, but it's also not entirely useless.
GPC does not meet GDPR's requirements and cannot be used for gaining consent under GDPR. There already has been a browser signal in design that meets GDPR requirements for consent, but it was ignored. The industry instead rallied behind GPC.
There is only one choice being expressed by either protocol. One against data collection, the other against the sale of collected data.
DNT has legal standing in the EU, GPC has theoretical legal standing in the USA, where laws are more geared towards protecting data brokers. Removing a protocol because it doesn't work in the USA despite it being a legal opt-out in the EU is foolish; just send both headers, let local jurisdiction pick the which one is legally binding and which one can be ignored.
GPC has been standardised to never make it extendable beyond "Sec-GPC: 1" so there is no way for it to imply a set of choices in the future, without breaking backwards compatibility. The choices are limited by design.
Does it? All I've found is that it theoretically complies with California's decisions. I have yet to see that assumption make it through court. Meanwhile, DNT has the force of the GDPR behind it (https://gdprhub.eu/index.php?title=LG_Berlin_-_16_O_420/19).
the conversation / system is rigged. how it should have been done in a fair way:
1. assume the user by default does not want to be tracked and make do-not-track opt-out.
2. have it running for a few years and gradually increase the heat on the discussion that nobody respects it.
If it would've been done this way it would've been newsworthy and maybe would've been considered as something to enforce via regulation (at least in EU).
But as it stands do-not-track never had a chance to succeed - I believe that was by intention.
I’ll laugh with you, but once Google is gone, the first replacement will be ChatGPT and it already is $20pm (and apparently, ChatGPT is so good at organizing the world’s information that I’m paying for it)(Yes it was Google’s mission)(Yes they failed). 2030 will be fun.
proof is that musk first and only feature added to shitter post purchase fiasco was to detect firefox anti tracking feature and block the user! the fact the most shrewd person in the world acted on it is perfect proof it worked againt his goals (which now we know was to influence elections)
I have to second this. It's a voluntary rule used by a browser with the market share that looks more like a rounding error. If this is all somebody was using to depend on their online privacy then they need a class.
In that light removing it might push a few people to apply more protections to their browser and be an overall (if extremely minor) win for privacy.
Browsers need a "keep my cookies" button next to the url bar, separate cookie jar per domain, and then by default, delete all the cookies when you close the window. No EU cookie prompts would be needed, no "this feature does not work without third party cookies, no DNT, no nothing... silently accept all the cookies, and then delete them. (and other persistent storage too).
Want to stay logged in? Press the "keep the cookies for this domain" button by the url bar, and a separate cookie jar will be made just for example.org and persist there.
I already have my cookies sorted out... i'm talking about defaults and the EU cookie law, the DNT, etc. Instead of accepting cookies (eu cookie law prompts) on every goddamn site, this should be handled by the browser directly.
This is a common misconception with the "EU cookie prompts".
The EU does not require the use of "cookie prompts".
User consent is required to process a user's data for certain purposes+.
That may involve the use of a cookie, or it may not.
Whatever technological methods you use to process the user's data, and regardless of whether it happens on the client or server, you must ask for consent.
Having a system where cookies are not remembered between sessions would be no use, as the user's consent would still be needed while those cookies were set.
+Not everything needs consent, but things like tracking for advertising or analytics typically does. Even if you do it via IP address or local storage, you need to ask for consent - nothing to do with cookies.
Deprecated in 2018. Removed in 2024. That doesn't seem like a timeline to take anybody by surprise, for a thing that was used to do the exact opposite of its purpose.
So GPC is basically the same as DNT, but according to [1], "GPC improves on DNT in several ways:"
- Legal backing: Unlike DNT, GPC is supported by more laws, like the CCPA, which requires businesses to honor these signals.
- Targeted approach: While DNT broadly addressed tracking, GPC focuses specifically on stopping data from being sold or shared, making it more relevant to today’s privacy needs.
- Better adoption potential: GPC was created with input from regulators, privacy advocates, and industry leaders, to align it with existing laws and address previous gaps in functionality.
But essentially, it's more or less the same.
So it seems it's less "Firefox removes DNT" and more "Firefox deprecates earlier ineffective version of GPC".
> GPC is supported by more laws, like the CCPA, which requires businesses to honor these signals
Because it's off by default? It's the exact same thing, a header with a preset value.
> While DNT broadly addressed tracking, GPC focuses specifically on stopping data from being sold or shared, making it more relevant to today’s privacy needs.
My needs are not being tracked. The tracking is what comes before the selling. I don't want to opt out of selling, I want to opt out of tracking.
> Better adoption potential: GPC was created with input from regulators, privacy advocates, and industry leaders, to align it with existing laws and address previous gaps in functionality.
"Gaps in functionality"? The difference between GPC and DNT is that DNT sends "DNT: 1" and GPC sends "Sec-GPC: 1".
Companies that never respected DNT aren't going to respect GPC. The only difference here is that IE doesn't have GPC enabled by default, but it does have DNT enabled by default.
> Companies that never respected DNT aren't going to respect GPC.
It depends. While I agree that GPC is technically just a more complicated form of DNT, the major difference is that DNT is 100% optional for websites to honor, which is why they don't, but GPC becomes mandatory for nations that have reasonable laws around tracking. Companies operating in those nations will honor it because there are legal penalties if they don't.
Does this mean that if I set GPC, companies are not allowed to show me cookie banners under GDPR but just assume I hit whatever their "decline all tracking" button says?
The California Attorney General ruled that if a user presents a GPC signal, the company should update all of their backend systems to opt out of tracking in the same way as if the user clicked a "Do Not Sell My Personal Information" button.
About time. It has never achieved anything meaningful for protecting your privacy, if not helping the opposite by providing yet another signal to help uniquely identify a user and improve tracking.
Although, anti-tracking in general is basically fighting a losing battle. Go to https://amiunique.org/ and you'll see why. I use Firefox with all possible protection mechanics -- "strict" tracking protection mode, uBlock origin, yet I cannot escape first-party tracking.
One striking example: These days browsers may expose how many cores your device's CPU has to websites. That alone could eliminate 80%-90% of users. Combined with user agent, IP, language etc you are pretty much uniquely identified.
What I'd love to see is a default JavaScript environment (ideally across all browsers, but at least in FF) that is sufficiently basic as to be identical for all users with an icon appearing in the address bar when a site wishes to use advanced features that might enable tracking, so that these can be enabled on a case-by-case basis.
> Although, anti-tracking in general is basically fighting a losing battle. Go to https://amiunique.org/ and you'll see why.
The goal shouldn't be to appear non-unique. There are too many little things that will out you. Even if you somehow account for every single one of them today your next browser update could enable more and you can't trust that amiunique.org is looking at every identifying data point either. It's an arms race you're going to lose.
What you want is to be differently unique for each website you visit. Even better if you have JS disabled by default and sites can't collect 90% of the data points your browser exposes at all. The best protection you could get would be to change up IP addresses via VPN and randomize your user-agent and other tells.
You'd be surprised at how many websites work just fine with JS disabled, at least in terms of providing the content you want. Menus/navigation might not work, and I wouldn't even attempt online shopping without JS, but enough websites still manage to display basic text and images without JS that it's a surprising annoyance when they fail to.
Sticking out like a sore thumb isn't a problem as long as you look like a different person's sore thumb to the next website.
> Sticking out like a sore thumb isn't a problem as long as you look like a different person's thumb to the next website.
Being consistently unique is okay as long as the tracking party is simply generating programmatic hashes. But if you're always unique, but in a specific way, it doesn't matter. The total amount of entropy matters.
> I wouldn't even attempt online shopping without JS,
So, a nonstarter for basically all normal internet users.
I get by using no-script universally and it's rare that I need to allow JS for more than 2-3 domains to get a site fully functional. Usually it's limited to site, and site-cdn.
It's also nice that with no-script and uBlock origin that it only takes a couple clicks to whitelist something and even then you only need to do it once and it can remember it for the next time. You can also use add-ons like LocalCDN so that a lot of commonly used JS can be used without a remote connection.
I've yet to be banned by cloudflare but they will sometimes harass me with challenges that require JS to run.
Usually that's just an annoyance, but I often have to investigate questionable and outright malicious websites for work and some of them have started to use cloudflare so that you're forced to allow JS for the evil domain just to get past cloudflare's checks before you can even see the harmful website which then wants to use JS against you. Cloudflare is an affront to the philosophy of the internet and a menace.
There are two orthogonal issues. You're mainly talking about the need of making the tracking (for people who don't want to be tracked) impractical; what also needs to be done is to make it illegal.
I feel like DNT was a "rushed" (i.e. with no legal backing) attempt to achieve the latter.
> These days browsers may expose how many cores your device's CPU has to websites.
This information could be determined prior to the introduction of navigator.hardwareConcurrency.
I published a timing attack polyfill that derives this information and initially proposed the navigator.hardwareConcurrency API as a replacement for this timing attack polyfill.
In addition to the fundamental utility of this API, browser vendors also saw implementing this as a way to save battery life by making it no longer necessary for websites to benchmark user devices to determine this value.
> However, as we approach 2025, with growing concerns about online privacy and data protection, Mozilla believes that DNT is no longer an effective privacy measure. Many websites ignore the DNT signal. Therefore, Mozilla has removed the DNT signal from Firefox version 135.
This is spurious reasoning. "Many" is neither a percentage, or a basis for justification. Many people ignore speed limits - so what?
>The company recommends using the Global Privacy Control setting as an alternative to prevent websites from tracking user data.
>If you wish to ask websites to respect your privacy, [...] [t]his option is built on top of the Global Privacy Control (GPC). GPC is respected by increasing numbers of sites and enforced with legislation in some regions.
Increasing numbers? But then that means that "'Many' websites ignore it", right?
This reeks of early movements towards monetization of their shrinking userbase. It's genuinely disappointing. I used to like Firefox, and continue to use Thunderbird today. Good luck to the stragglers who decide to stick it out.
Websites don't just "ignore" DNT, they actively use DNT to improve tracking.
From a product perspective, this is an additional option in their settings page that is confusing and marginally useless. I work on creating user facing products as my job, and I 100% support this decision.
I'll be honest: nobody is going to stop Firefox because of this, because it does not affect their life in any way or manner.
Per oytis: "An obvious solution would be to turn it on by default"
I do agree with your point on people continuing to use Firefox in spite of this. Most people are not invested in the details, or don't care about security/privacy, or can't be bothered to figure out which other browser option is best for their use case.
My annoyance is more so on their behalf - that average people will probably be unaware of what security feature is being taken away from them. Do they care? Probably not. Will it change much for them? No. It irks me, however, that they no longer even have the option.
> It irks me, however, that they no longer even have the option.
I think the major point is that they don't have the option right now. The percentage of websites that honor DNT is a rounding error, so the existence of it -- at best -- gives the illusion of privacy protection. In my opinion, the illusion of security is worse than not having security but knowing it.
>The percentage of websites that honor DNT is a rounding error
Referring to my previous comment: "This is spurious reasoning. 'Many' is neither a percentage, or a basis for justification. Many people ignore speed limits - so what?" Privacy configurations are not a popularity vote. Instead, they are an implementation of software design. E.g. "No one" bothers with PGP, therefore it should be supported.
A more charitable description of DNT, instead of saying it is "not an option" would be that it is a privacy option that is poorly enforced - exceedingly so!
I will of course agree wholeheartedly that the effectiveness of that privacy option, which is independent of its implementation and design, is ineffective. I also agree that it has a theoretical potential to give a user "false optimism", because of its failure of enforcement, but I don't see that second point as being inherently harmful.
I suppose it comes down to whether you want to take a pill that has "reduced effectiveness" at fighting pancreatic cancer, or if you prefer the several seconds saved in not needing to swallow. In my mind, even if the pill sucks and has a failure rate of 99.7/100, it seems bizarre to snatch it away from someone who would like to take it anyway.
Unless you have a plan to make it useful it needs to go. Right now it is false advertising. If you can find someone and successfuly sue them for not honoring it great - but you still need to do a lot more (sue many others in many countries).
What need is that? Bad people with malicious intentions exist: therefore, remove something that functions properly.
DNT is not shilled by some privately-owned company that claims it will somehow, "Make users invisible online for the low, low price of (money)!" Instead, it is simply an HTTP header that some (many) websites ignore, or outright maliciously exploit for personal gain.
Computer Operating systems are not "false advertising" simply because certain programmers ignore standard practices outlined by the maintainers. It is not the fault of an Operating System if programmers refuse to adhere to the documentation on how something should be implemented. It's certainly not a sensible justification for Operating Systems "needing to go", just because people write bad or malicious software to abuse an OS's weaknesses.
To be clear, I am hardly saying DNT is a good option, precisely because so many websites have ignored or abused it in the past. I am simply saying DNT should be an option, and that it should be one that is enabled by default.
>If you can find someone and successfuly sue them for not honoring it great - but you still need to do a lot more (sue many others in many countries).
If DNT is removed as being an option, what need would there be for such a law to be created in the first place? You said you support the idea of a law being made - shouldn't you be for DNT remaining, then? I hope that doesn't mischaracterize your point but it's a little confusing, it sounds like you're saying you: support the premise of DNT, want a law to enforce DNT...and you don't want DNT as a configuration option in Firefox.
I didn't say a law needs to be created. however if there is no enforcement of this header it is useless. Law is the only way I can come up with to enforce this (courts just implies there is some existing law - would this header field be considered a contract for example?), but if you can come up with something else I'm open to that. However so far is has not been enforced to do what it claims to do and nobody is making progress on changing that.
The problem is that there is no, and can be no enforcement mechanism. Unless you live behind a great firewall of [country] or are only accessing the web through your employer's corporate network.
Operating a motor vehicle on public roads requires a license and vehicle registration in most jurisdictions. These rules are not always observed, but there are enforcement mechanisms in place.
There is no website licensing body, and kind of can't be without making everything worse.
You raise some good points! I was going back and fourth about the speed limit analogy since cops do pull people over for speeding. I was trying to think of some thing that is supposed to be followed, but is commonly ignored without consequence. Perhaps the 6' social distancing recommendations during lockdown would work better? There was an expectation that people follow it, but actually adhering to it differed wildly depending on where you were.
Returning to the point, I suppose the question might be what enforcement would even look like, as you mentioned. Some governmental organization ala DMV? Seems excessive. A professional organization of some sort, similar to IEEE? Probably not. Perhaps just a "watch dog" organization like a sister organization to the EFF, specifically focused on reporting which sites honor, and dishonor DNT.
Personally, I would prefer the last, with some kind of check that could help indicate in the browser visually to the user whether the site honors DNT. Similar to (or tied into) the lock symbol for HTTPS would be nice. Outside of that, it seems like such a niche and fringe thing that, unless enabled by default, would fall on deaf ears. I don't see myself endorsing some kind of financial penalty, simply because I think it would hurt small websites. And also because website stuff is confusing and stressful enough already. I personally think a kind of visual "name and shame" to the end user, along side improved support to support DNT would be optimal.
I.e. Hot dog on a stick in one hand, dog poop on a stick in the other hand.
...And subsequently, GPC began to act in a way that I'm not thrilled about. https://en.wikipedia.org/wiki/Do_Not_Track#Global_Privacy_Co... It comes off reeking of a pretext to confine the nature of how websites, and the internet at large, are allowed to operate.
Personally, and this is not backed up by any legal framework or anything, I think it is and should be the user agent's responsibility not to leak any info to any parties that the user doesn't want. And that's why I think having the dominant browser being maintained by the operator of the largest advertising network is kind of a problem.
> It irks me, however, that they no longer even have the option.
You can use an extension to set the header if you really want it. I think that's an okay level of difficulty for something so misleading and ineffective.
Mozilla makes it increasingly difficult to support Firefox. I'm beginning to realize the only solution there is an entirely different governing body than Mozilla like most of the Firefox derivatives are now. Sigh.
Maybe so, but this particular move seems unambiguously good. DNT is a net negative and is misleading. Its only practical effect is to add another bit of entropy to shady fingerprinting mechanisms.
Browsers have such a low switching cost. I like Firefox because it has seemed aligned with me against web advertisements. Not even privacy, per se, but web advertisements specifically. If it stopped being that, I might as well go back to Chrome, which works a lot better on a lot of websites. Not saying Firefox is evil now, just saying there is nothing keeping me around if I get the sense that it's changing in ways I don't prefer.
Sunsetting this feature doesn't indicate Firefox has changed their opinions. DNT was never effective, and provided a false sense of security. No tracking company respected it, so it just became a meaningless setting.
I think the browser should behave differently when Do Not Track is enabled. Instead of whatever it does now, it should be updated so that when the user selects it the browser automatically installs uBO, privacy badger, etc. After all, that's what the user really needs to have the browser respect their wishes of not being tracked.
So rather than eliminate it with another thing that is nothing more than a name changes, it should just become useful
I always though something like ublock origin should be built in with a standard format for the block list rules so people could just use different rules lists if they wanted to.
It would be nice to have a feature for enable/disable javascript per site also.
That already exists in forms of privacy protection settings on browsers. DNT was a very specific feature. Privacy protections were not removed, DNT was removed.
I think you are intentionally missing the gist of the post, but here goes anyways. DNT was a very clear signal by the user that nobody respected. So instead of accepting it being useless and throwing it away, just change how the browser behaves when the user enables the option by updating the browser in a way that will actually prevent tracking.
What I’m trying to say is, that’s already the default running mode of a modern browser with the maybe exception of ad blockers on some. They already come with all privacy protections that don’t compromise compatibility. DNT, being a specific feature enabled by a very few people, doesn’t make sense to be reshaped into entirely something else like ad blocking (which is way beyond tracking protection and not necessarily mutually exclusive with it) or disabling of third party cookies (which has auth related consequences).
The conflation of semantics isn’t worth it, and may even be harmful. I totally disagree with the proposal.
"Do Not Track" was a good standard, but on the today's global Internet, unenforceable without serious push back against non-compliant sites from either government regulators and/or consumers. In other words, privacy theater that misled users into thinking it made them safer. It has also been suggested that DNT signals are used by some advertisers in profiling users. But removing DNT suspiciously seems like a capitulation, and will short-circuit any existing efforts to use it to protect consumer privacy. Maskawanian is right, this was inevitable once Mozilla decided to become an ad company (as was their adding the deceptively named Privacy-Preserving Ad Attribution feature earlier this year). I think it's time for people concerned about privacy to consider alternatives to Mozilla.
Removing this feature harms user agency. This will result in Firefox users having to deal with more annoying consent prompts.
Transcend Consent Management's default configuration opts users out of every unessential tracking purpose (and suppresses automatic consent prompts) whenever DNT is enabled, but only opts users out of "Sale/sharing of info" when only GPC is enabled.
Removing this centralized privacy signal means some users cannot express full opt outs to Transcend Consent Management by default without having to interact with annoying banners.
I believe this change was steamrolled without taking in proper consideration and feedback from the web community. Mozilla made this change so fast that barely anyone noticed the issue before it got closed[1]. To add insult to injury, they've
configured their Bugzilla to disallow further comments from non-Mozilla employees after issues are closed.
I shared similar feedback with the Chrome team in 2023 when they were proposing to remove DNT[2]. They considered my feedback and currently DNT is still in Chrome, with its removal indefinitely postponed.
That nobody respects is is a false statement. Some do. Also that header permits users to signal sites if they want or not to be tracked, avoiding cookie popups.
Edit: I just saw that Firefox supports GPC, which seems a better alternative to DNT.
But others use it as a signal. You are easier to track by the dishonerable with it. Meanwhile the honerable were probably not tracking as much [no way to tell but a reasonable guess]
You might be easier to track with it, but it is not hard to end up with a unique signature anyway. I can already be uniquely identified, so sending "Do Not Track" only has potential upsides. I have seen websites that claim to honor it so it seems to be doing something and I wish they wouldn't remove it.
I looked into GPC, and I'm not sure if it's much better. From the implementation notes[0]:
GPC is also not intended to limit a first party’s use of personal information within the first-party context (such as a publisher targeting ads to a user on its website based on that user’s previous activity on that same site).
GPC also appears to use the same tracking signals as DNT, so it has the exact same potential for abuse, as far as I can tell. Maybe I'm missing something, but unless there's legal power behind this, I'm not sure if it's better.
Counter: It does, because some organizations and webmasters did respect it.
The other option, Mozilla should have done, is shame companies that did not respect it. A continually updated list, a notification when browsing a site that did not, etc, but the problem comes from this being a vendor issue and that it would not be 100% accurate.
Shaming is the only way this would have worked out, but they didn't, but for the ones who did this out of being a decent organization, they now no longer have a standard to base it on.
Where is this information about respecting come from? What tools or metrics do we have out there to observe it was being respected or not? Is it your feeling or do you have anything to back up what you're saying?
No idea, which is why I mentioned it's a vendor related issue.
They could have stood up a regulatory-ish body, or group, that organizations could sign onto, and/or an accreditation organization that does audits to ensure they are following DNT.
Could have also done the simplest thing, the most error-prone, but still something tangible, and said "If you support DNT, add it a DNT-HEADER tag, and if it comes out that an org as using it and didn't follow it, then we will name and shame you". Just like we did with forcing HTTPS, the red icon did the heavy lifting there.
The decision to /not/ do so, seems to be a choice they willingly made, because all three of those options are potentially obvious security and methods of 'protecting the \'net' or 're-wilding the \'net' while also adding another revenue stream to ensure they have the financial bandwidth and personel to make This A Thing, as it should be.
That it should exist because one (and there's probably not many) consent managers actually understands and uses this flag is not a strong point in support of that feature.
There's better ways to protect your privacy that don't rely on a best effort voluntary flag that you send to advertisers and hope they accept it.
Separately, privacy signals are being required by law in some regions. If we're going to have browser level privacy signals in the first place, we might as well support and use them as intended.
269 comments
[ 2.9 ms ] story [ 244 ms ] threadWhen (major advertiser/website detected): Prompt user, "Warning: (Advertiser/website) insists on tracking you, and have made public statements affirming this position. Your privacy is not enforceable on this website."
It's a tough position to be in because the thing that really gets heads turning is regulation, licensing, and fines, but...when it comes to website design (assuming we're not talking about illicit material) I get queasy at the idea of (the/any) government saying, "You're not running your website the right way! Pay us money!" Perhaps the few exceptions being something like: PII storage, or payment processing.
I dread the idea of anyone saying you have to, say, use a specific font type or whatever, you know? I don't want to put that burden on website owners, or complicate my own life.
I'd rather inform the end user, point out the biggest offenders, and leave them be. "Detect, inform, and move on." Big scary message[2] then leave it to the user to decide what they want to do. "Oh, they're going to track me? Let me look up that VPN-thingy I keep hearing my nephew talk about."
[1] https://news.ycombinator.com/threads?id=registeredcorn#42380...
[2] https://i.imgur.com/W885J9X.png
That wouldn't fly in the EU though because tracking is supposed to be opt in so enabling by default is fine.
The only way that anything like this can possibly succeed is through legislation.
???
https://www.mozilla.org/en-US/advertising/
https://blog.mozilla.org/en/mozilla/digital-advertising-priv...
- "...We’ve been collaborating with Meta on this, because any successful mechanism will need to be actually useful to advertisers, and designing something that Mozilla and Meta are simultaneously happy with is a good indicator we’ve hit the mark..."
https://old.reddit.com/r/firefox/comments/1e43w7v/a_word_abo...
Etc. (You have to read these things *carefully*, because, the way Mozilla corpos write press, they obfuscate words to the point you can barely make out the sense from the noise).
By consequences I mean a percentage of their revenue vs profit which can be waved away by accountants is seized, donated to people affected by shady companies and all the leaders of the company must be marched through cities by shame nuns whilst citizens are permitted to throw rotten food and excrement at them. Anything short of this would just be the cost of doing business.
Firefox has implemented the replacement, Global Privacy Control. It has the exact same problems and isn't respected either, except even fewer websites have implementations that respect GPC.
It's not a real solution to the normalised cyberstalking websites practice today, but it's also not entirely useless.
See: https://www.dataprotectioncontrol.org/
DNT has legal standing in the EU, GPC has theoretical legal standing in the USA, where laws are more geared towards protecting data brokers. Removing a protocol because it doesn't work in the USA despite it being a legal opt-out in the EU is foolish; just send both headers, let local jurisdiction pick the which one is legally binding and which one can be ignored.
GPC has been standardised to never make it extendable beyond "Sec-GPC: 1" so there is no way for it to imply a set of choices in the future, without breaking backwards compatibility. The choices are limited by design.
But as it stands do-not-track never had a chance to succeed - I believe that was by intention.
proof is that musk first and only feature added to shitter post purchase fiasco was to detect firefox anti tracking feature and block the user! the fact the most shrewd person in the world acted on it is perfect proof it worked againt his goals (which now we know was to influence elections)
I would say this needs to start with a law, more or less.
In that light removing it might push a few people to apply more protections to their browser and be an overall (if extremely minor) win for privacy.
Want to stay logged in? Press the "keep the cookies for this domain" button by the url bar, and a separate cookie jar will be made just for example.org and persist there.
The EU does not require the use of "cookie prompts".
User consent is required to process a user's data for certain purposes+.
That may involve the use of a cookie, or it may not.
Whatever technological methods you use to process the user's data, and regardless of whether it happens on the client or server, you must ask for consent.
Having a system where cookies are not remembered between sessions would be no use, as the user's consent would still be needed while those cookies were set.
+Not everything needs consent, but things like tracking for advertising or analytics typically does. Even if you do it via IP address or local storage, you need to ask for consent - nothing to do with cookies.
Mozilla buying out an adtech company: https://blog.mozilla.org/en/mozilla/mozilla-anonym-raising-t...
Mozilla has also been lending its credibility and whitewashing Meta's "PET" measuring standards at W3C. More on this, from Mozilla: https://blog.mozilla.org/en/mozilla/privacy-preserving-attri...
- Legal backing: Unlike DNT, GPC is supported by more laws, like the CCPA, which requires businesses to honor these signals.
- Targeted approach: While DNT broadly addressed tracking, GPC focuses specifically on stopping data from being sold or shared, making it more relevant to today’s privacy needs.
- Better adoption potential: GPC was created with input from regulators, privacy advocates, and industry leaders, to align it with existing laws and address previous gaps in functionality.
But essentially, it's more or less the same.
So it seems it's less "Firefox removes DNT" and more "Firefox deprecates earlier ineffective version of GPC".
[1]: https://www.cookiebot.com/en/global-privacy-control/
Because it's off by default? It's the exact same thing, a header with a preset value.
> While DNT broadly addressed tracking, GPC focuses specifically on stopping data from being sold or shared, making it more relevant to today’s privacy needs.
My needs are not being tracked. The tracking is what comes before the selling. I don't want to opt out of selling, I want to opt out of tracking.
> Better adoption potential: GPC was created with input from regulators, privacy advocates, and industry leaders, to align it with existing laws and address previous gaps in functionality.
"Gaps in functionality"? The difference between GPC and DNT is that DNT sends "DNT: 1" and GPC sends "Sec-GPC: 1".
Companies that never respected DNT aren't going to respect GPC. The only difference here is that IE doesn't have GPC enabled by default, but it does have DNT enabled by default.
It depends. While I agree that GPC is technically just a more complicated form of DNT, the major difference is that DNT is 100% optional for websites to honor, which is why they don't, but GPC becomes mandatory for nations that have reasonable laws around tracking. Companies operating in those nations will honor it because there are legal penalties if they don't.
The California Attorney General ruled that if a user presents a GPC signal, the company should update all of their backend systems to opt out of tracking in the same way as if the user clicked a "Do Not Sell My Personal Information" button.
Legal backing obviously isn't reason enough for Mozilla to support a feature.
And GPC isn't even compatible with GDPR.
Although, anti-tracking in general is basically fighting a losing battle. Go to https://amiunique.org/ and you'll see why. I use Firefox with all possible protection mechanics -- "strict" tracking protection mode, uBlock origin, yet I cannot escape first-party tracking.
One striking example: These days browsers may expose how many cores your device's CPU has to websites. That alone could eliminate 80%-90% of users. Combined with user agent, IP, language etc you are pretty much uniquely identified.
https://developer.mozilla.org/en-US/docs/Web/API/Navigator/h...
Low script rather than no script, if you will.
The goal shouldn't be to appear non-unique. There are too many little things that will out you. Even if you somehow account for every single one of them today your next browser update could enable more and you can't trust that amiunique.org is looking at every identifying data point either. It's an arms race you're going to lose.
What you want is to be differently unique for each website you visit. Even better if you have JS disabled by default and sites can't collect 90% of the data points your browser exposes at all. The best protection you could get would be to change up IP addresses via VPN and randomize your user-agent and other tells.
There's two gigantic issues with that:
1. Most websites won't work
2. Most people like websites to work, and so they have JS turned on. If you don't, you'll stick out like a sore thumb.
Sticking out like a sore thumb isn't a problem as long as you look like a different person's sore thumb to the next website.
Being consistently unique is okay as long as the tracking party is simply generating programmatic hashes. But if you're always unique, but in a specific way, it doesn't matter. The total amount of entropy matters.
> I wouldn't even attempt online shopping without JS,
So, a nonstarter for basically all normal internet users.
Usually that's just an annoyance, but I often have to investigate questionable and outright malicious websites for work and some of them have started to use cloudflare so that you're forced to allow JS for the evil domain just to get past cloudflare's checks before you can even see the harmful website which then wants to use JS against you. Cloudflare is an affront to the philosophy of the internet and a menace.
I feel like DNT was a "rushed" (i.e. with no legal backing) attempt to achieve the latter.
This information could be determined prior to the introduction of navigator.hardwareConcurrency.
I published a timing attack polyfill that derives this information and initially proposed the navigator.hardwareConcurrency API as a replacement for this timing attack polyfill.
In addition to the fundamental utility of this API, browser vendors also saw implementing this as a way to save battery life by making it no longer necessary for websites to benchmark user devices to determine this value.
This is spurious reasoning. "Many" is neither a percentage, or a basis for justification. Many people ignore speed limits - so what?
>The company recommends using the Global Privacy Control setting as an alternative to prevent websites from tracking user data.
>If you wish to ask websites to respect your privacy, [...] [t]his option is built on top of the Global Privacy Control (GPC). GPC is respected by increasing numbers of sites and enforced with legislation in some regions.
Increasing numbers? But then that means that "'Many' websites ignore it", right?
This reeks of early movements towards monetization of their shrinking userbase. It's genuinely disappointing. I used to like Firefox, and continue to use Thunderbird today. Good luck to the stragglers who decide to stick it out.
From a product perspective, this is an additional option in their settings page that is confusing and marginally useless. I work on creating user facing products as my job, and I 100% support this decision.
I'll be honest: nobody is going to stop Firefox because of this, because it does not affect their life in any way or manner.
I do agree with your point on people continuing to use Firefox in spite of this. Most people are not invested in the details, or don't care about security/privacy, or can't be bothered to figure out which other browser option is best for their use case.
My annoyance is more so on their behalf - that average people will probably be unaware of what security feature is being taken away from them. Do they care? Probably not. Will it change much for them? No. It irks me, however, that they no longer even have the option.
I think the major point is that they don't have the option right now. The percentage of websites that honor DNT is a rounding error, so the existence of it -- at best -- gives the illusion of privacy protection. In my opinion, the illusion of security is worse than not having security but knowing it.
Referring to my previous comment: "This is spurious reasoning. 'Many' is neither a percentage, or a basis for justification. Many people ignore speed limits - so what?" Privacy configurations are not a popularity vote. Instead, they are an implementation of software design. E.g. "No one" bothers with PGP, therefore it should be supported.
A more charitable description of DNT, instead of saying it is "not an option" would be that it is a privacy option that is poorly enforced - exceedingly so!
I will of course agree wholeheartedly that the effectiveness of that privacy option, which is independent of its implementation and design, is ineffective. I also agree that it has a theoretical potential to give a user "false optimism", because of its failure of enforcement, but I don't see that second point as being inherently harmful.
I suppose it comes down to whether you want to take a pill that has "reduced effectiveness" at fighting pancreatic cancer, or if you prefer the several seconds saved in not needing to swallow. In my mind, even if the pill sucks and has a failure rate of 99.7/100, it seems bizarre to snatch it away from someone who would like to take it anyway.
DNT is not shilled by some privately-owned company that claims it will somehow, "Make users invisible online for the low, low price of (money)!" Instead, it is simply an HTTP header that some (many) websites ignore, or outright maliciously exploit for personal gain.
Computer Operating systems are not "false advertising" simply because certain programmers ignore standard practices outlined by the maintainers. It is not the fault of an Operating System if programmers refuse to adhere to the documentation on how something should be implemented. It's certainly not a sensible justification for Operating Systems "needing to go", just because people write bad or malicious software to abuse an OS's weaknesses.
To be clear, I am hardly saying DNT is a good option, precisely because so many websites have ignored or abused it in the past. I am simply saying DNT should be an option, and that it should be one that is enabled by default.
>If you can find someone and successfuly sue them for not honoring it great - but you still need to do a lot more (sue many others in many countries).
If DNT is removed as being an option, what need would there be for such a law to be created in the first place? You said you support the idea of a law being made - shouldn't you be for DNT remaining, then? I hope that doesn't mischaracterize your point but it's a little confusing, it sounds like you're saying you: support the premise of DNT, want a law to enforce DNT...and you don't want DNT as a configuration option in Firefox.
The problem is that there is no, and can be no enforcement mechanism. Unless you live behind a great firewall of [country] or are only accessing the web through your employer's corporate network.
Operating a motor vehicle on public roads requires a license and vehicle registration in most jurisdictions. These rules are not always observed, but there are enforcement mechanisms in place.
There is no website licensing body, and kind of can't be without making everything worse.
Returning to the point, I suppose the question might be what enforcement would even look like, as you mentioned. Some governmental organization ala DMV? Seems excessive. A professional organization of some sort, similar to IEEE? Probably not. Perhaps just a "watch dog" organization like a sister organization to the EFF, specifically focused on reporting which sites honor, and dishonor DNT.
Personally, I would prefer the last, with some kind of check that could help indicate in the browser visually to the user whether the site honors DNT. Similar to (or tied into) the lock symbol for HTTPS would be nice. Outside of that, it seems like such a niche and fringe thing that, unless enabled by default, would fall on deaf ears. I don't see myself endorsing some kind of financial penalty, simply because I think it would hurt small websites. And also because website stuff is confusing and stressful enough already. I personally think a kind of visual "name and shame" to the end user, along side improved support to support DNT would be optimal.
I.e. Hot dog on a stick in one hand, dog poop on a stick in the other hand.
Reading through the Wikipedia article, it sounds this is largely what was already done with DNT, and failed. https://en.wikipedia.org/wiki/Do_Not_Track#History
...And subsequently, GPC began to act in a way that I'm not thrilled about. https://en.wikipedia.org/wiki/Do_Not_Track#Global_Privacy_Co... It comes off reeking of a pretext to confine the nature of how websites, and the internet at large, are allowed to operate.
You can use an extension to set the header if you really want it. I think that's an okay level of difficulty for something so misleading and ineffective.
I will stop using Firefox because of this.
Many German sites actually follow DNT, because German courts only recently ruled DNT to be legally binding.
Mozilla removing a feature that has even gotten legal support has to be an absolute clown take.
Since you are said a lot of websites do you have any examples? I have actually encounter more problems with Safari than Firefox.
So rather than eliminate it with another thing that is nothing more than a name changes, it should just become useful
It would be nice to have a feature for enable/disable javascript per site also.
The conflation of semantics isn’t worth it, and may even be harmful. I totally disagree with the proposal.
Transcend Consent Management's default configuration opts users out of every unessential tracking purpose (and suppresses automatic consent prompts) whenever DNT is enabled, but only opts users out of "Sale/sharing of info" when only GPC is enabled.
Removing this centralized privacy signal means some users cannot express full opt outs to Transcend Consent Management by default without having to interact with annoying banners.
I believe this change was steamrolled without taking in proper consideration and feedback from the web community. Mozilla made this change so fast that barely anyone noticed the issue before it got closed[1]. To add insult to injury, they've configured their Bugzilla to disallow further comments from non-Mozilla employees after issues are closed.
I shared similar feedback with the Chrome team in 2023 when they were proposing to remove DNT[2]. They considered my feedback and currently DNT is still in Chrome, with its removal indefinitely postponed.
1. https://bugzilla.mozilla.org/show_bug.cgi?id=1928087
2. https://issues.chromium.org/issues/41440843#comment12
It doesn't, because nobody respects it.
It is actually harmful to have a feature that misrepresents its efficiency to users, especially when it comes to privacy and security.
Nobody should ever feel that they will not be tracked because they enabled do-not-track, because it's wrong.
Removing it is the right thing to do because of this.
Edit: I just saw that Firefox supports GPC, which seems a better alternative to DNT.
GPC is also not intended to limit a first party’s use of personal information within the first-party context (such as a publisher targeting ads to a user on its website based on that user’s previous activity on that same site).
GPC also appears to use the same tracking signals as DNT, so it has the exact same potential for abuse, as far as I can tell. Maybe I'm missing something, but unless there's legal power behind this, I'm not sure if it's better.
[0]: https://w3c.github.io/gpc/
The other option, Mozilla should have done, is shame companies that did not respect it. A continually updated list, a notification when browsing a site that did not, etc, but the problem comes from this being a vendor issue and that it would not be 100% accurate.
Shaming is the only way this would have worked out, but they didn't, but for the ones who did this out of being a decent organization, they now no longer have a standard to base it on.
~ genuinely curious about statics on the subject.
They could have stood up a regulatory-ish body, or group, that organizations could sign onto, and/or an accreditation organization that does audits to ensure they are following DNT.
Could have also done the simplest thing, the most error-prone, but still something tangible, and said "If you support DNT, add it a DNT-HEADER tag, and if it comes out that an org as using it and didn't follow it, then we will name and shame you". Just like we did with forcing HTTPS, the red icon did the heavy lifting there.
The decision to /not/ do so, seems to be a choice they willingly made, because all three of those options are potentially obvious security and methods of 'protecting the \'net' or 're-wilding the \'net' while also adding another revenue stream to ensure they have the financial bandwidth and personel to make This A Thing, as it should be.
There's better ways to protect your privacy that don't rely on a best effort voluntary flag that you send to advertisers and hope they accept it.
Separately, privacy signals are being required by law in some regions. If we're going to have browser level privacy signals in the first place, we might as well support and use them as intended.
Major sites like Geizhals.de actively use it.
It's been ruled to legally be considered rejection of tracking by German courts (Az.: 16 O 420/19)
Does every feature need 100% market share to be viable?