46 comments

[ 2.8 ms ] story [ 128 ms ] thread
I always wonder why people don't have the courage to mention the elephant in the room - that a very significant part of Mozilla's revenue comes from Google's ability to track Firefox browser users. That, at least, deserves a mention.
Actually that's all anyone seems to talk about, as you can see from the other comments on this story now that it's been a few more minutes.
I on the other hand always wonder why discussions so often degenerate to pointing out who's funding who without considering that, actually, the official explanation may be true. They are funded by Google, but they are not slaves to it. Also, even if their decision was influenced by a will not to offend their money source, their official explanation is reasonable and stands on its own.
We won’t turn on Do Not Track by default because then it would be Mozilla making the choice, not the individual.

That's just as true of leaving it turned off by default. What sort of idiots do you take us for?

Or the risk of offending the biggest source of funding? Why does being tracked be the norm and you have to explicitly say don't track me? In real life you don't have to go to a government agency and register "I wish to not be stalked". What is wrong with saying it is the user's choice that they be tracked. Default is don't because that's how real life is.

(If you really really really care about a user's choice like you say you do then make the user make a choice. On first launch get the user's choice and refuse to work without being told what they'd prefer.)

Edit 1: I read the W3 draft on Do Not Track and seems like there is a section for "Explicit Consent Requirement".[0] Although whether the committee is influenced by corporation in way that the industry is tasked with policing itself is a different topic altogether.

Edit 2: Brain Smith from Mozilla responded with websites ignoring the flag if set by default. That's what Yahoo! did.[1] But that's the problem with any honor-based system.

[0] http://lists.w3.org/Archives/Public/public-tracking/2012Jun/... [1] http://allthingsd.com/20121026/yahoo-dings-do-not-track-defa...

this.

it needs to ask you upon installation. no one will go digging through settings - that makes it practically worthless. "Cause knowledge is power!"

Forcing the user to choose something and refusing to run if they don't, even when it's a non-essential setting like this? That's a terrible idea. I'm annoyed enough when browsers ask me if I'd like to set them as default; the last thing I want is a 10-page questionnaire of the browser's settings.
> Or the risk of offending the biggest source of funding?

I (a Mozilla employee) can understand why people worry about this, because there does seem to be a conflict of interest here. But, I've never seen anything to indicate that we consider Google's payments to us in any security/privacy decision.

DNT is not the ultimate solution to tracking on its own. It is part of a solution.

Consider this:

Let's say you go buy a box of doughnuts and take it to work, open it, and leave it open on a table next to your desk. Some people will think "Hmm, I want one of those doughnuts but I'm not sure if it is OK to take one, so I won't" and other people will just assume that it is OK to take one. (Why else would there be an open box of doughnuts? And/or isn't it better to ask forgiveness than permission?)

Let's say you write "Do NOT take these doughnuts! They are mine!" on the box with a big fat marker. If somebody were to take a doughnut, they would be clearly in the wrong in that situation, according to any kind of mainstream social convention.

Lots of people will say that it is wrong to take a doughnut without explicit permission. But, many, many people see the situation as being open to interpretation.

Now, let's say the doughnut shop pre-printed "Do NOT take these doughnuts! They are mine!" on every box. You might argue that that is the same thing as the hand-written sign. But, I would bet that the pre-printed message would get drowned out as people would normally share doughnuts out of these pre-printed boxes: "Just ignore the box, they all say that; it doesn't mean anything." The pre-printed message becomes less and less meaningful, even though the words are clear, unambiguous, and explicit. And, worse, you may be discouraged from writing your handwritten ""Do NOT take these doughnuts! They are mine!" message on the box because, well, the box already says that. Effectively, that message pre-printed on the box is harmful, as its meaning is in the eye of the beholder--just like the open box sitting on the table with no message written on it at all.

Do you see how that could possibly be problematic? This is the problem that Sid and others at Mozilla are trying to solve. "DNT: 1" means it is clearly wrong to track this user because they've gone through special effort to tell you they don't want to be tracked.

It has nothing to do with Google's money.

Why not have the user decide the first time they launch the browser? They either choose to enable DNT or not.
the user don't care at that time - they probably have something more urgent to look at the first time they run their browser, and if you bombard them with questions, it gets annoying.

I agree with the default being ON (that is, DNT is turned on). The analogy with the doughnuts and pre-printed message isn't quite accurate in this case, because it is _clearly_ a better choice to not have tracking done on the user, whilst with a box of donuts, its not always clear cut whether sharing it or not is the right thing to do.

Every OS comes with a browser other than firefox by default (except certain flavours of Linux, but they could make the choice part of the install process). If the user needs to look at something on the internet right now, they won't go searching for firefox, downloading and installing it. Having one simple checkbox that takes half a minute to decide on won't make installs take all that longer. Or just display a configuration page the first time the browser starts up with a "you can set all these later too from <here>, btw" message.
That is a very good question/suggestion. It is a good idea to make the option easier to find. I definitely think it is important to educate more people about the issue.

There may some validity to the idea that "the journey is part of the gift"--that is, the harder the option is to find, the stronger the signal of user intent. But, I don't think the current balance in Firefox is correct. I'm not sure that a checkbox at startup is the right answer either. if you ask on Mozilla's dev-privacy mailing list [1], you might get a response from some somebody that has thought about it more than me. Then I'll get to learn about it too.

[1] https://lists.mozilla.org/listinfo/dev-privacy

Let's make this a bit more accurate.

Consider a world where your box of donuts WILL have donuts taken out of it, even if the box is closed, as soon as you walk away from the donut shop. As soon as you hit just about any website on the internet today, YOU WILL BE TRACKED. There's no maybe here, it's a virtual certainty. So this makes it accurate in your analogy.

In this world (call it Doughnet?), it makes sense to have the donut shop print a sign on the box in the event that the sign is sufficient to prevent people from ambushing you and taking your donuts. You could simply ask the donut shop to give you a blank box if you wish to have your donuts taken (opt-in donut sharing) rather than asking them to give you a box with the sign (opt-out donut sharing).

Nobody expects to have their privacy maliciously and constantly invaded. This is emphatically WRONG behavior. And so broadcasting to all parties that the user of your browser is willing to be tracked by default is precisely the wrong thing to do. I don't care what your motivations are, it's just wrong, period.

> Nobody expects to have their privacy maliciously and constantly invaded. This is emphatically WRONG behavior.

Nobody is disagreeing with either of those two statements. Like I said, DNT isn't Mozilla's final or only answer to the tracking problem.

> And so broadcasting to all parties that the user of your browser is willing to be tracked by default is precisely the wrong thing to do.

No browser does such a thing. Anybody that infers that the lack of a "DNT: 1" header implies that it is OK to track the user is using faulty logic. See http://en.wikipedia.org/wiki/Argument_from_ignorance#Absence....

Back to my analogy: I never said it was OK to take a doughnut without explicit permission. I just said it was obviously bad to take one when there is an explicit message saying it is bad to take one.

> We won’t turn on Do Not Track by default because then it would be Mozilla making the choice, not the individual.

I don't buy that. They are making a choice either way, whether they enable or disable it by default. Just like they are making a choice about the hundreds of other options Firefox has. A few examples of how Mozilla thinks:

> JavaScript enabled by default. Why? Developers and designers can do some really awesome websites with it and we want users to have that experience.

> SSL enabled by default. Why? It improves your security.

> Do Not Track disabled by default. Why? Because we don't want to fuck with the people who are paying us (i.e. Google).

Or, by turning it on by default, advertisers will completely ignore the setting, exactly as they are with Internet Explorer.
Why should they be honoring the header now? For them, implementing support for that standard are only expenses. There are no incentives to do so, and no punishment or repercussions if they don't.
> Why should they be honoring the header now?

The idea was that, given a significant enough amount of people turning it on, advertisers would take notice of it and react accordingly. If it's on by default it is meaningless.

It's a tool that enable users to send a message to advertisers that they are not okay with their practices. It was designed this way. It says you are okay with ads but not with the tracking.

> There are no incentives to do so, and no punishment or repercussions if they don't.

Except for adblock. If the only option to avoid tracking is to block ads, then that is what will be used.

> Except for adblock. If the only option to avoid tracking is to block ads, then that is what will be used.

Therefore, browsers should come, by default, with an adblock feature (or simply, just bundle the adblock plugin). This DNT business is purely just lip service.

I think this could potentially be a worthwhile outcome. Advertisers ignore it, eventually someone manages to explain successfully to enough people with clout that this is a bad thing, and hopefully something is done to require advertisers to respect the setting.
the problem is that Mozilla introduced do not track.

if they had both introduced the feature AND made it default, since following the hint is voluntary from the advertisement providers (ie server side decides to honor it or not), well, NONE would have followed it.

The situation with 3rd party cookies is different, because it's up to the client, not to the server side.

So, this has little to do with the Google search engine deal, in fact.

Putting aside my opinion on do-not-track, I think it's perfectly reasonable that it's off by default, simply because that is the current behavior of the browser. If they enabled it by default, they'd be changing it out from under current users.
(comment deleted)
I don't get it. There is no point at all to let DNT be on by default anyway. What is all the noise about? What did I miss?
I think there's an easy solution to this: when one first launches Firefox (or another browser), it can prompt the user. Firefox already has a "know your rights" thing that comes up. Internet Explorer asks what search engine and other stuff you want to use. Having a "Do Not Track" option as part of that would be reasonable.

As for Mozilla and this letter, Do Not Track isn't legislated. Basically, it's a way for you to tell websites that you don't want to be tracked, but they have no obligation to follow your wishes. Some advertisers [citation needed] have indicated that they will follow Do Not Track if it's an opt-in system. A cursory search shows that Yahoo ignores the setting from IE10 because Microsoft made it a default (http://www.theregister.co.uk/2012/10/26/yahoo_to_ignore_ie10...). As the article notes, the W3C says that Do Not Track should be opt-in.

So, on the one hand, advertisers seem to be saying "if Do Not Track is a default setting, it isn't a user choice and we'll ignore it." If Mozilla makes it a default, it doesn't help anyone. However, I think browser makers could call their bluff by making it a very apparent option when starting the web browser.

I think Do Not Track should be the norm. However, it isn't. The norm is tracking. Once a norm has been established, it's hard to replace it with a new norm. Cigarettes would never get approved for sale if they were invented/discovered today. If subways were a new invention, it seems like they would be built with walls preventing people from being pushed onto the tracks. But norms were established and it's hard to move away from them.

In this case, I think there's an easy solution: explicitly asking on first launch. Browsers already ask to be the default, some try to tell you about rights, some ask you about search engines, etc. Just add Do Not Track to that process. Then we explicitly have a user opinion on the matter.

(comment deleted)
You can't just keep adding prompts every time there's a change, you'll end up creating a scenario where there must be a prompt for every change made. Default settings are needed just like any application.
Because it breaks websites. It blocked cookies for me on an FRAME (yes, I know) for a MasterCard SecureCode transaction for personal stuff on a local business site, and the website uses cookies to pass from one server to another and the transactions failed the following day when I enabled Do Not Track. Even companies like MasterCard cannot function with it enabled, how do we push smaller companies to get it done?
Are you trolling us? DnT is a HTTP header sent by the browser, it does not block or delete cookies.

On another note, cookies are domain specific, which means that a cookie can't be accessed by another domain.

This is bs. I consider myself far more computer literate than the masses. Yet, I wasn't aware that the iOS safari had the capability of DNT. I accidentally found out about it while playing with the settings on my development device. DNT is a relatively new capability, which used to be handled with plugins such as Ghostery. Browser vendors should teach their users about this shiny new feature, otherwise it is practically useless, as it will not protect those who need it the most.
The problem with "Do Not Track" is that it is misnamed, and the entire debate has been misframed around that. The feature was dead in the water from the moment it was called that.

To the end user, the idea of being tracked sounds like being followed around by some stalker, and is about as enticing as having your home robbed. People, in general, don't understand either the bad (the extent to which web sites can build a deep profile on you) or the good (how much of the web that everyone loves is financed through targeted advertising). As such, how things are presented is tremendously important.

Imagine if it was called "Disable Ad Personalisation", or even, "Do Not Tip" where the notion of denying monetization to the web sites you use (which is what Do Not Track will do) is invoked. It would have a very different response, I think.

I'm thinking they named it that way on purpose. It has a lot of media coverage. It makes people more aware that they're losing the privacy they took for granted in the past, when using the web. The feature seems to have been adopted by many browsers now so i'd say its mostly successful - but even if it wasn't, the media impact probably makes it successful for them, IMO
The fact that he repeats himself so often is more than enough to get the point across.
Internet explorer has made any effect that DNT might have had completely useless. It's much more effective just to nuke the stuff locally with Ghostery.
Do-Not-Track has been designed to represent the explicit choice of the user to not be tracked. As per the DNT[1] draft :

  6.2.  User Interface RECOMMENDED
  A user agent that implements Do Not Track SHOULD provide a user interface 
  for modifying preferences.  The user interface design is left to the 
  user agent.

  6.3.  Default
  A user agent MAY adopt NO-EXPRESSED-PREFERENCE or OPT-OUT by default.
  It MUST NOT transmit OPT-IN without explicit user consent.
Another important aspect, that I don't see mentioned much, is that DNT is only supposed to prevent third-party tracking. First-party remains unaffected.

[1] http://tools.ietf.org/html/draft-mayer-do-not-track-00

Uh.. doesn't it say OPT-OUT is an acceptable browser default?
Yes. Also defaults matter.

Countries that have opt-in default on organ donations have at most around 30% of consent.

Those that have opt-out have above 90% consent.

http://blogs.lse.ac.uk/politicsandpolicy/archives/11953

Basically Mozilla is saying: "It your decision to not be tracked." and thinking "But we think you should allow everyone to track you if you don't mind that much."

I find this whole argument moot. DNT is binding neither in a legal nor in a technical sense. If you don't trust someone to handle your internet tracking history, why would you trust them to keep an informal promise, ESPECIALLY considering they have a get out of jail free card saying they accidently ignored your DNT header because they thought you were using IE 10?

Microsoft did right(for once) with making DNT default on IE. It exposes the DNT idea for what it is: Snake oil.

This is from 2011. Is that on purpose?
Reading the headline, I kind of expected the entire blog post to consist of "Because we're funded by Google".
How about determine the default setting in a random fashion?

DNT = Math.random()> p ? on : off

This does not make any sense.

Mozilla is claiming they do not want to enforce a preference for the user, and instead would like the user to make the choice. But Mozilla has previously enforced their preference for a number of different features:

* Mozilla has disabled java plugins and silverlight in the past to protect their users (from security vulnerabilities).

* Mozilla has enforced their preference for blocked popup windows in the past to protect their users (from annoying content).

* Mozilla has enforced their preference for the handeling of cookies to protect their users (from privacy violations). https://blog.mozilla.org/privacy/2013/02/25/firefox-getting-...

Why not disable tracking features to protect your users (from privacy violations)?

Their explanation does not make sense.

The difference is that those preferences actually do something. DNT is just asking nicely to advertisers, it doesn't actually prevent tracking, so if everyone asks by default, it becomes meaningless.

The only way for a "Do Not Track" feature to be on by default is if it legally or technically prevents ad networks from tracking, otherwise it'll be ignored (see IE).

And this is why industry self-regulation will continue to fail.

Opt-out from privacy invasion is not sufficient. In Europe at least, it is politically and socially unacceptable that people have to opt-out. So as long as the industry comes up with half-assed protocols and self-regulation that is based on the assumption "we have the right to violate your privacy unless you stop us" instead of the other way around, this will continue to trigger ever stronger anti-tracking legislation.

And please don't think that the faltering so-called "cookie-law" will be the end of it. That was just the softest option, and just like with early anti-spam laws the industry chose to sabotage it instead of trying to make it work. I wouldn't be surprised if this ended with a full blown ban on any form of cross-site tracking.

Of course "do not stalk" should be the default. The whole notion that having your privacy violated by the marketing industry is somehow about individual choice is bullshit. It's as idiotic as "do not film me in the privacy of my own home" being opt-out and we're all Big Brother contestants by default.