
Do Not Track is not respected on mozilla.org - therealunreal
https://bugzilla.mozilla.org/show_bug.cgi?id=858839
======
clarkevans
Mozilla uses Google Analytics _Premium Service_ ($150k/year) which includes a
contractual option to prevent secondary use of the visitor data. Therefore,
they see it as legally in the spirit of Do-Not-Track -- Google is a contractor
collecting the visitation data solely for the pleasure of Mozilla.

[https://bugzilla.mozilla.org/show_bug.cgi?id=858839#c21](https://bugzilla.mozilla.org/show_bug.cgi?id=858839#c21)
[https://groups.google.com/forum/?hl=en&fromgroups=#!search/m...](https://groups.google.com/forum/?hl=en&fromgroups=#!search/mozilla$20governance$20google$20analytics/mozilla.governance/9IQvIubDOXU/0tWVVlrUJ)

From the latter thread, Stacy Martin at Mozilla represents "Google Analytics
will not correlate or report on any customer data with any other data, they
will use Mozilla data only to provide and maintain the service for Mozilla,
and they will not share or use it for any other purpose."

EDIT: The contractual arrangement is relevant. Section 9.3 item 2 of the IETF
do-not-track draft has an exception for this very situation, "data
obtained by a third party exclusively on behalf of and for the use of a first
party".

[http://tools.ietf.org/html/draft-mayer-do-not-track-00#secti...](http://tools.ietf.org/html/draft-mayer-do-not-track-00#section-9.3)

~~~
belorn
See comment 16.

The bug report is not about the legal contractual agreement between Google and
Mozilla, but rather about user expectation from a _"do not track me"_ option.
Some users, maybe faulty or silly, consider a "do not track me" option to
simply mean, do not track me.

It doesn't matter if Google signs a service contract that Mozilla pays
$150k/year. "Do not track me" means, do not track me. It doesn't matter if
Google promises to not be evil. Do not track me still means, do not send
tracking data to Google. It doesn't even matter how extremely useful or good
intention Mozilla or Google has with the tracking data. "Do not track me"
really does mean, do not track me.

~~~
jasonlotito
Something to consider. In Firefox, the DNT options have a Learn More link that
answers the question:

"Do Not Track is a feature in Firefox that allows you to let a website know
you would like to opt-out of third-party tracking for purposes including
behavioral advertising. It does this by transmitting a Do Not Track HTTP
header every time your data is requested from the Web."

While you can debate whether that's the appropriate place for that
information, it's not as if Mozilla is hiding this information. It's easily
reached, and not at all intentionally hidden away. Nothing devious. Just a
question of how to appropriately display the information.

~~~
a3n
Then rather than call it "Do not track," it should be called something like
"Do not allow third party tracking."

When in doubt about naming something, name it what it is.

~~~
jasonlotito
The problem is, DNT isn't just a Firefox thing, but something that the
industry is attempting to adopt. So, DNT as a whole means something specific.
It's a shame that there is that disconnect, but it's not a Mozilla specific
problem.

Safari says even less about DNT (Ask websites not to track me) and the help
isn't much better, though they have a separate section for blocking 3rd party
cookies. But that's different from DNT.

This is a case where DNT as an industry standard means one thing to the
industry, and one thing to the uneducated public. Damned if they do, damned if
they don't.

------
Metatron
Do Not Track is silly.

For example: You come on to my site, I want to know how you're using it, I
don't want your personal details, I just want to see how you're interacting
with the site I've made for you. Why do I want to know? Well it depends on the
purpose of the site, but for the most part it is so that I can optimise and
improve what my site offers to you and others.

But you've politely requested that I don't track you. For starters this should
only ever be a polite request, not a forced rejection of any tracking scripts.
I have a right to track how people use my site. You have a right to privacy,
but that's got bugger all to do with you coming on to my site, once you've
made that choice you are within my domain, under my roof, living by my rules.
Until you leave of course.

Some sites may respect that request, but they're the kind of site who have no
need to track behaviour anyhow, and are likely not tracking to begin with.
Kind of makes the request moot.

People get way too offended by analytics tracking when it's there for their
benefit. The internet would be one ugly place if webmasters and designers had
no clue how people were interacting with it. If you want to go back to the
dark ages then feel free to try. But you won't benefit from the advances we've
made or are yet to make because of large scale, anonymous tracking across the
web.

I've no respect for Do Not Track. It is a silly, backwards, progress-
endangering concept that should be burnt on a pyre.

Think of a scenario where a site is maliciously tracking you, where a forced
browser level request to not track could be sent, and maybe we'll talk. But
then again I'll probably just retort that any malicious tracking will have a
way around such a forced request, and so it's pointless.

Do Not Track is snake oil for the conscientious objector.

~~~
Nursie
>> _I have a right to track how people use my site._

But you don't have a right to say what runs on my computer, or make it tell
you what I'm doing. This is where our perceived rights collide.

>> _once you've made that choice you are within my domain, under my roof,
living by my rules._

No, my computer, my browser, my roof, my rules.

>> _People get way too offended by analytics tracking when it's there for
their benefit._

No, people get offended when you try to turn their computer into a device that
spies on them. And we get more offended that this sort of stuff happens
without most people even being aware it's going on. They may or may not object
to it, but right now they don't even know.

And it's so lovely of you to have made the decision for me that it's to my
benefit, so I don't have to worry about pesky things like privacy concerns, or
having control over my own computing.

>> _Do Not Track is snake oil for the conscientious objector._

This is about the only thing we agree on. It's pointless and it was never
going to achieve anything.

~~~
bad_user
> _No, my computer, my browser, my roof, my rules_

His website.

Seriously, people should be warned that they are tracked, the purpose for
which they are tracked and what exactly is tracked. Google Search for example
is giving warnings lately, that you have to manually dismiss (probably because
of EU laws) and I view that as being progress.

On the other hand demanding of publishers to not track you while you're on
their property is unreasonable. Of course, you can complain about it, you can
stop using such services or websites and so on. Voting with your wallet (or
eyeballs) still works, even on the web.

I also view the "Do Not Track" header as a good thing, because it's an
automated way for publishers to respect your wishes, should they choose to do
that. But customers must also understand that this header represents a kind
request, nothing else and we shouldn't make it something else, as that's a
slippery slope.

~~~
bloopletech
Actually, I can use your site and benefit from it, while simultaneously
blocking your ability to track me. It's called Ghostery (and similar browser
extensions).

I use Ad-Block Plus and Ghostery for all my web browsing, and have both Ad-
Block Plus set to block _all_ ads and Ghostery set to block _all_ tracking
scripts.

These extensions do not make 'polite requests'; they directly control the
browsing experience to my benefit.

I (and my extensions) control my browsing experience, not you.

(You can argue that this is unfair, but in the long run I believe the outcome
will be a better business model for sites to make money.)

~~~
thezilch
You do know that sites will track you without javascript or ads? As well, do
you browse without cookies and images, as those extensions will not help you
there? And without session IDs in URIs, since you seem to want the web to
return to byzantine times?

> I believe the outcome will be a better business model for sites to make
> money

Sites will make less money without use of cookies, images, and support of
encoding sessions into URIs. You ARE welcome to use the web without these
things, but it is going to mean you are not a customer of many entities,
because your kind are vanishingly small in number.

You might be interested in the Firefox section of
[http://crunchbang.org/forums/viewtopic.php?id=24722](http://crunchbang.org/forums/viewtopic.php?id=24722),
if you're serious about your privacy and security.

~~~
bloopletech
I think a number of different issues are being conflated here.

Secondly, in my ordinary web browsing, I'm not trying to avoid all tracking
whatsoever - I'm much more interested in blocking the 99.9% low-hanging fruit
of commercial 3rd-party tracking. If I really was paranoid / needed to prevent
tracking completely, I'd use a much more sophisticated setup.

Given that context, the fact that some people may be trying to embed image web
bugs on a bunch of pages isn't nearly as important or interesting; AFAIK most
commercial 3rd-party trackers are javascript-based these days. Same applies
for straight cookies - blocking the 3rd-party javascript usually prevents
these being set in the first place.

> since you seem to want the web to return to byzantine times?

> without use of cookies, images, and support of encoding sessions into URIs

I'm not advocating for that at all - there is a continuum between only viewing
raw HTML and running every bit of 3rd-party javascript someone decided to
throw into the page.

My comment was basically arguing that there _is_ a continuum, and that it is
possible to block the vast majority of 3rd-party trackers, _without_ having to
turn off JS completely, or do anything really paranoid.

My whole comment, essentially, was about _avoiding_ turning off JS etc., and
still maintaining a level of control over my browsing experience. I actually
develop web applications for a living, so it would be a bit silly of me to say
that we shouldn't have sessions support!

> I believe the outcome will be a better business model for sites to make
> money

What I was referring to here, is that if ads and 3rd-party tracking are
blocked, then sites will have to create new revenue streams to operate with -
and if that means paying directly for good content, then I look forward to
supporting that business model.

I think your annoyance is misplaced. I develop rails apps for a living, so I
am aware of the importance of js, sessions etc. - I'm merely stating that I
can have my cake (blocking 3rd-party trackers) and eat it (still use the net)
too.

~~~
thezilch
But the post I responded to is wrong. Blocking third party trackers does not
block my hosting of the JS file; this is only discouraged for most trackers.
Most trackers also have a gif-pixel option and by default (eg. quantcast) or a
server-to-server option (eg. kissmetrics). I was merely pointing out your
conclusions are wrong about Firefox, extensions, or HTTP headers preventing
the capabilities of trackers. And again, you are very welcome to not be
tracked online; that is very much within your right; you are just spreading
falsehoods. Have a look at evercookie, for example.

------
jeremysmyth
There's a large effective difference between "do not track" as it is outlined
in the bug, and how many people see it (see, for example, comment 16 in the
report, and then comment 25)

Specifically, it's to do with _third party_ cookies, not any particular site.

If I visit someone's website, I'm usually perfectly happy for them to record
my visit and my actions. If, on the other hand, I visit their website and some
invisible actor (say, an advertiser) also tracks me, then it becomes
insidious, especially if that other invisible actor is active on multiple
sites.

This gets a bit blurred when you've got large vendors with multiple presences.
For example, years ago when you logged into Hotmail, you'd be briefly
redirected via passport.com (then live.com), and then directed back to
Hotmail. Similarly, going to Microsoft's web page, or MSN's, or Technet, or
any other site in the Microsoft stable, would redirect via the same site. This
gave them single-sign-on, but also allowed them to "track" your activity
across the entire network. That behaviour is used by many other large
organisations such as Google.

However, it's also made its way into other large sites like Facebook and
Twitter, because sites like that have "social media buttons" appearing on
sites that aren't served by those sites but are served by Facebook and
Twitter, so becoming third-party objects, and doing the same sort of pervasive
insidious tracking across multiple domains and web properties.

The thing is, Google Analytics (as mentioned in the article) is such a
pervasive ubiquitous invisible actor, but it's damn useful, so lots of people
want to use it. The problem is that it's a third party object, and it's of
massive benefit to Google too, not just the site owner.

So, where "do not track" fails is in distinguishing between "tracking" that's
acceptable to many people, and "tracking" that's somewhat more invisible and
pervasive. Switching it all off is harmful to the internet, but until it's
sold correctly, it won't be acceptable otherwise.

~~~
Silhouette
_The thing is, Google Analytics (as mentioned in the article) is such a
pervasive ubiquitous invisible actor, but it's damn useful, so lots of people
want to use it. The problem is that it's a third party object, and it's of
massive benefit to Google too, not just the site owner._

Several web font services now fall into that category as well. The problem
from a user's point of view is that you can block Google Analytics or Facebook
Like buttons without any loss of functionality you probably wanted, but
blocking Typekit or Google Web Fonts will often mess up the rendering of a
page.

This changes the rules fundamentally. Before, with free services where you
weren't the customer but the product, you could opt out by simply not using
the service. Now, even with services where you really are the customer and
maybe you really are paying for it, you can't opt out of the potentially
intrusive third party service without opting out of or significantly degrading
the main service you wanted to use as well.

This is a tricky area. Those third party services are pervasive precisely
because they are useful to people who build the web sites that users enjoy,
and if they're being given away for free, they have to fund themselves
somehow. I also don't have much sympathy for people who don't load up
someone's web site as it was presented to them but then complain that it
doesn't look right or work properly (see also: not running JS, complaining
that you can't watch Flash content on your iPad, etc). In some respects, these
third party services are almost certainly beneficial to users, too, because
they act as CDNs that probably improve performance and lower bandwidth
requirements compared to having every site self-host the same common material.

On the other hand, privacy matters. We have drifted into a situation where
this kind of ubiquitous monitoring is widely used by site owners, but many of
them probably don't even realise the implications for their users' privacy, or
just don't care. We have rules about data protection and spamming and the like
to deal with similar situations in slightly different contexts, and maybe it's
time we had some rules about tracking by services that are incorporated
indirectly on other people's web sites and possibly without a visitor's
knowledge.

~~~
3825
Would it satisfy the bug reporter if we show a HTTP 401 _unauthorized_ for
anyone who has DNT turned on?

~~~
username223
I'm not the reporter, but I'd be fine with that.

------
supermatt
"Do not track" in its present (non-)state is a farce. It should be implemented
at the browser level.

My ideas on DNT:

If a user specifies "do not track" in their browser-global or site-specific
settings then ALL requests to third party domains should simply be blocked.

This could be backed up by a site-provided manifest (potentially containing a
comment for each one's justification, or a flag to say if it's required or
optional) to 'whitelist' 3rd party domains that they require it. There should
be a browser feature to view this whitelist and 'uncheck' any sites you
disagree with.

In fact, IMHO, that's the way modern browsers should work anyway - it would
certainly solve a huge number of other issues (XSS, etc).

~~~
pornel
> ALL requests to third party domains should simply be blocked.

It's too late to do that. There's lots of websites relying on 3rd party CDNs
for non-tracking purposes (CloudFront, Google-hosted jQuery, etc.)

Filtering on domain name alone won't prevent traffic from going through 3rd
parties — tracking companies can ask websites to set up DNS CNAME for them or
they'll use top-level HTTP redirects (like google.com uses to track SERP
clicks).

And "my mom" isn't going to be able to vet list of domains. She'll call me and
ask me to "fix" the computer so that "Log in with Facebook" works and there
are no scary technical questions.
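
The CNAME point above, as an added example that is not part of the thread: a blocklist keyed on the requested hostname misses a tracker that sits behind a first-party subdomain, while a check that follows the DNS chain catches it. All hostnames and records are constructed, and the two-label `registrableDomain` shortcut is an assumption standing in for a Public Suffix List lookup.

```javascript
// Added example; every hostname and DNS record here is constructed.
// "tracker.example" is a hypothetical analytics vendor, "shop.example" the visited site.
const CNAME_RECORDS = new Map([
  ["metrics.shop.example", "shop.collect.tracker.example"],
  ["shop.collect.tracker.example", "edge-7.tracker.example"],
  ["static.shop.example", "shop.cdn-host.example"],
  ["loop-a.shop.example", "loop-b.shop.example"],
  ["loop-b.shop.example", "loop-a.shop.example"],
]);

// Constructed blocklist of registrable domains.
const TRACKER_DOMAINS = new Set(["tracker.example"]);

function normalize(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Assumption: registrable domain = last two labels. Production code needs the
// Public Suffix List, because suffixes such as co.uk break this shortcut.
function registrableDomain(host) {
  return normalize(host).split(".").slice(-2).join(".");
}

// Follow CNAME records to the end of the chain, with loop detection and a hop limit.
function resolveChain(host, records, maxHops = 8) {
  const chain = [normalize(host)];
  const seen = new Set(chain);
  while (records.has(chain[chain.length - 1])) {
    const next = normalize(records.get(chain[chain.length - 1]));
    if (seen.has(next) || chain.length > maxHops) {
      return { chain, complete: false };
    }
    seen.add(next);
    chain.push(next);
  }
  return { chain, complete: true };
}

// What a hostname-only blocklist decides: it looks at the requested name and nothing else.
function blockedByName(requestHost, trackers) {
  return trackers.has(registrableDomain(requestHost));
}

// Chain-aware decision: any hop that lands on a listed domain counts as a tracker.
function classifyRequest(pageHost, requestHost, records, trackers) {
  const site = registrableDomain(pageHost);
  const { chain, complete } = resolveChain(requestHost, records);
  const hit = chain.find((h) => trackers.has(registrableDomain(h)));
  const firstPartyByName = registrableDomain(requestHost) === site;

  let verdict;
  if (hit) {
    verdict = firstPartyByName ? "cloaked-tracker" : "tracker";
  } else if (!complete) {
    verdict = "unresolved"; // loop or overlong chain: treat as untrusted
  } else if (chain.some((h) => registrableDomain(h) !== site)) {
    verdict = "third-party"; // e.g. a CDN reached through a first-party name
  } else {
    verdict = "first-party";
  }
  return { verdict, chain };
}

// Walk the constructed requests a page on www.shop.example might make.
for (const host of [
  "www.shop.example",
  "static.shop.example",
  "metrics.shop.example",
  "edge-7.tracker.example",
  "loop-a.shop.example",
]) {
  const { verdict, chain } = classifyRequest(
    "www.shop.example", host, CNAME_RECORDS, TRACKER_DOMAINS);
  console.log(host, "| name-only blocked:", blockedByName(host, TRACKER_DOMAINS),
    "| chain-aware:", verdict, "|", chain.join(" -> "));
}
```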

~~~
supermatt
> It's too late to do that. There's lots of websites relying on 3rd party CDNs
> for non-tracking purposes (CloudFront, Google-hosted jQuery, etc.)

Undoubtedly - hence the site-defined manifests for third parties.

------
strictfp
It's another case of bad naming. The feature should be called something less
absolute like "do not track me across websites" or "track me less".

------
znowi
I'm with the bug author on this: "do not track" should mean _do not track_.
And it explicitly mentions _analytics_ on the DNT site.

 _Do Not Track is a technology and policy proposal that enables users to opt
out of tracking by websites they do not visit, including analytics services,
advertising networks, and social platforms_

[http://donottrack.us/](http://donottrack.us/)

However, Wikipedia says that the exact definition of what constitutes tracking
is not yet clear.

 _The Do Not Track (DNT) header is the proposed HTTP header field DNT that
requests that a web application disable either its tracking or cross-site user
tracking (the ambiguity remains unresolved) of an individual user._

[https://en.wikipedia.org/wiki/Do_Not_Track](https://en.wikipedia.org/wiki/Do_Not_Track)

------
3825
This is an interesting topic. Should I deliver different experiences depending
on DNT header?

~~~
ronaldx
Yes.

If you choose to send an e-mail newsletter to your users, you should (at
least) be obliged to provide an unsubscribe option - providing two different
experiences.

If you choose to track your users, you should (at least) be obliged to assume
that DNT users have opted-out of this tracking and be responsible for not
tracking them.

~~~
eli
That does not seem apples to apples. Should I provide an "opt-out" of all
advertising for people who just don't like looking at ads?

~~~
ronaldx
In the EU, the two situations I described are both legal obligations
(regarding collection of personal data, the legal obligation is probably
stronger than I described).

[I have understood that this is not the same in the US and the situation is
therefore murky and EU law is not respected on the internet as a whole.]

What you described is not a legal obligation, although I personally think you
should provide the option to opt-out of ads - I know of several sites that do
and this makes a positive difference to me as a user.

~~~
Silhouette
_In the EU, the two situations I described are both legal obligations_

What EU law requires a web site to check for and act on DNT?

~~~
ronaldx
None: the website requires explicit opt-in permission to collect personal data
in the first place, making opt-out DNT largely irrelevant.

e.g. from
[http://www.theregister.co.uk/2012/01/27/time_running_out_for...](http://www.theregister.co.uk/2012/01/27/time_running_out_for_do_not_track_system/)
[Peter Hustinx, the European Data Protection Supervisor] said that the DNT
system "although valuable" seemed to "fall short of the" requirements
for obtaining lawful consent set out in the EU's Privacy and Electronic
Communications Directive.

~~~
Silhouette
_None: the website requires explicit opt-in permission to collect personal
data in the first place, making opt-out DNT largely irrelevant._

It's nowhere near as simple as that, either in theory or in practice.

~~~
ronaldx
Can you be more specific?

In practice, I agree there are several problems: it is common industry
practice to ignore data protection concerns (led by example of large US
corporations) and EU member states have neither the intent nor the means to
enforce the law. What's more, the recent cookie directive debacle makes the EU
seem confused and toothless.

In theory, however, data protection seems pretty clear to me:
[http://europa.eu/legislation_summaries/information_society/d...](http://europa.eu/legislation_summaries/information_society/data_protection/l14012_en.htm)

Intended reform makes the situation even more clear:
[http://ec.europa.eu/justice/newsroom/data-protection/news/12...](http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm)
I particularly recommend "How will the data
protection reform affect social networks?", which discusses the requirements
of 'privacy by default' and 'privacy by design'.

~~~
Silhouette
Businesses collect personal data without explicit consent all the time. Think
of records when you buy something by card, for example. Not only is the
subject of the data not required to give explicit consent for keeping a record
of this transaction, but they also have no right in law to have such data
deleted, and indeed businesses may not be able to delete it within the law
given their obligations to maintain adequate tax records. If you pay for
something by card, it's implicit that you agree to this.

For something closer to the tracking we're talking about, it is normal to
maintain server logs that show visits to your site, and to record various
information that is voluntarily sent by browsers as part of HTTP requests.
There's obviously some debate about how much IP addresses represent personal
identification, but clearly in practice they can identify individuals under
some circumstances. That doesn't mean someone has to ask you for permission to
see your IP address when you visit their site, because obviously that would
make no sense technically.

Obviously there are implications to keeping some of this data or using it for
other purposes, but as I said, this is where things aren't always clear even
in theory. Some issues really are black and white, but you quickly get into
what is fair or reasonable or implicitly permitted by data subjects and what
is crossing that line and should require explicit consent.

In practice, it's even worse, because we have silly things like the infamous
EU cookie rules that are almost universally disliked by users (they make the
experience of using web sites worse), almost universally ignored by business
(who don't want the overheads of implementation and don't want their users'
experience to be worse), and as far as I know universally unenforced by
regulators (who would in many cases have to start by going after their own
governments for flagrant violation). While possibly well-intentioned, such
poorly conceived rules just bring data protection law into disrepute while
alienating almost everyone. They also demonstrate that realistically there are
few risks to flagrantly ignoring the rules as a business, which is hardly
going to help with promoting good practice.

------
nly
Instead of the useless EU cookie legislation, we should have had legislation
that enshrined explicit privacy preferences into data protection law.

When I sign up to a website I'm expected to agree to their Privacy Policy. Both
site owner and visitor expect that policy, provided that it's legal, to be
somewhat enforceable in court. When I'm just visiting, why is there no such
equivalent?

The problem with DNT isn't that it can be ignored, it's that it can be ignored
without penalty. People who think purely technical solutions (including
Ghostery, NoScript, Adblock etc.) are the answer are ignoring the reality of
how easy it is to fingerprint and track users on the web.

------
Boldewyn
The discussion is good and also a great example for Mozilla caring (especially
that it is discussed in the open for all to see).

------
teeja
That discussion is full of the usual run-arounds.

The man scored a major point, and Mozilla has chosen to run away from it. The
DNT flag, so far, looks just like the worthless piece of promotional fluff and
3-card Monte it is. ESPECIALLY if Mozilla chooses to run away from it.

We're going to need _laws_ to protect us from the continual government AND
corporate riot of people-tracking. The People don't like it, and once they get
done with NSA in Congress, they might as well get busy on making tracking OPT-
IN. Including cookies, browser finger-printing, stashing stuff in browser
cache (disk AND memory), and the hundreds of other ways these geniuses have
evolved to invade the social communication space to promote their bottom line.
We badly need to have this discussion as a nation. Because it's starting to run
over our boot-tops.

Tracking could be limited to dot-coms. Then let the People decide whether to
keep dot-coms in their bookmarks, or leave the rats to go down with their ship
of fools.

------
lnanek2
So maybe the text in the UI just needs to be changed to be more accurate.
Instead of "Do Not Track", something along the lines of "Request No Tracking
Across Sites" or "Request No Cross-Site Tracking". This clarifies that it
isn't the browser stopping tracking, it is the browser asking the sites not
to, which they may or may not implement. It also clarifies that what is being
requested not to happen is using the same identifier across sites and between
different parties.

On an unrelated note, I'm really impressed with the Persona login on that
site. When I first saw it I thought, oh no, not another username and password.
Why can't they just use social login where I already have accounts? But all I
had to enter was my gmail address, approve the usage, and I was done. No extra
username and password even though I've never used Persona before. No need to
confirm an email. It worked out really well.

------
teamjimmyy
I don't get it. Why is this different from inspecting your web logs? Sure you
lose the first-party cookie aspect, but I bet you can get awful close just
looking at the request IPs. There's "tracking" inherent in how everything
works, so why does it matter if collection is contracted to a 3rd Party?

Does the poster expect the web server to not write a log line because he sent
a DNT header too?

~~~
generj
IP logs aren't sufficiently unique: my IP changes as I move my laptop around,
it is shared with several other persons at work and home, and my IP at each of
these locations changes.

Most DNT is concerned with Javascript, which has the ability to be very
more intrusive than mere web logs. Analytics services started with web logs, but
quickly transitioned to Javascript, because I can track a cookie much better
than an IP address, and get more information besides.

It's inherently different when contracted to a 3rd Party.

Third-party vendors are opposed because it would be the equivalent of giving
_all_ of the IP logs from a majority of the Internet to a single user (in this
case, Google Analytics). The ability to discover trends on particular users
then becomes massively possible in a way that simply doesn't exist with 1st
Party tracking. The siren's call to monetize this data is ever present, so we
seek to not allow the collection in the first place.

~~~
teamjimmyy
I'll say here what I said in the other reply, but briefly.

There's a difference between a 3rd party doing the analytics and a 3rd party
cookie. GA can (and should) use a 1st party cookie for this, which would make
it impossible for them to correlate between sites. As a bonus, turning off 3rd
party cookies also breaks ad retargeting, which makes everything better.

At that point, it's the same as Mozilla doing it themselves, but your concerns
about JS being more potentially intrusive are valid.

note: i may be wrong about GA using 1st party cookies. if so, that's really
not cool.

~~~
generj
GA does use 1st party cookies. There is still concern that with sufficient
statistical analysis, Google can still track users across multiple sites.
"Anonymous" data frequently turns out to be very personally identifying.

In particular, comparing behaviors and IP addresses used in Google products
and captured in Google Analytics would be very easy.

Likewise, Google knows a super-majority of site entrances from their search
engine, and a correlation is trivial given that most users are logged in for
search. To wit: if I perform a search with a unique referrer, and that unique
referrer is then captured with my Google Analytics user cookie, then I can be
readily identified as a person. Doubleclick and other Google services share
this issue.

Others do use Third Party Cookies. Mozilla is threatening to turn off 3rd
Party cookies entirely, which has caused no small amount of concern from ad
companies. See this post, one in a series of hilariously over the top
diatribes from the Interactive Advertising Bureau:
[http://www.iab.net/iablog/2013/06/mozilla-kangaroo-cookie-co...](http://www.iab.net/iablog/2013/06/mozilla-kangaroo-cookie-court.html)

~~~
teamjimmyy
Yeah, I saw the bit about turning off all 3rd party cookies, which made me
happy as I already do that myself.

As for the ubiquity and potential for data sharing among Google services, I
suppose I hadn't thought that entirely through. I know there was one analytics
company claiming it could track individuals between devices using some fancy
statistics, but I assumed it was snake oil (it was not GA claiming that).

Anyway, I hear ya, and thanks. I can see a case against GA specifically,
though I have a hard time swallowing it against _all_ analytics. I suppose
it's a question of trade-offs that people are willing to make.

------
Radle
Thanks for the link, I just installed a "do not track plugin". Fuck Google

Plugin: ([https://addons.mozilla.org/en-us/firefox/addon/donottrackplu...](https://addons.mozilla.org/en-us/firefox/addon/donottrackplus/))

------
diminoten
I genuinely don't understand all the hatred out there for advert companies
tracking user purchase trends. Can someone explain to me why I should care
about this?

~~~
natch
I think it's more a hatred of (perceived or real) trickery, deception, and
weasel words, in this case. From an organization that should be a model for
others to follow.

------
lucb1e
The very fact that the website must support DNT is its only and fatal flaw.
Why should we trust websites to honor DNT when we keep sharing information
with them?

~~~
jimktrains2
I agree entirely. If I send a request, I expect that request to be stored. If
I don't want to make the request, I won't make the request (noscript,
ghostery, and AdBlock+ go a long way to that).

DNT is a pointless 8 bytes that has no real, enforceable meaning.

~~~
generj
We can have our cake and eat it too.

Send the DNT header flag, but purposefully edit analytics requests. Thus,
providers must honor DNT requests or risk a poisoned well of data.

This is not theoretical, I have a Chrome plugin which does this to Google
Analytics requests, and am increasingly tempted to release it to the world.

------
meapix
I don't think they can do this though. They can however disable javascript.

