
"Do Not Track" HTTP header supported by IE, Opera, FF, Safari but not Chrome - TomAnthony
http://en.wikipedia.org/wiki/Do_not_track_header
======
willscott
I still haven't heard a cogent explanation of what this is supposed to do.

"Do Not Track" sounds nice, but seems no easier to scope than the initial
problem of excessive information collection. I think it's safe to say that I
want companies to 'track' me in order to keep me logged in for a session.
Likewise, I hope that my bank keeps logs of visitors, so that it can respond
to abuse / hacking attempts. Is this aimed only at behavioral advertising, or
is it meant to have a broader scope?

It seems like the technical execution is almost misguided without having the
policy discussion first and figuring out what it is we disagree with. Without
that, I don't feel like this is going to draw a strong enough line to separate
people abusing tracking from the legitimate uses.

~~~
zobzu
Do not track me for advertisement, statistics, etc. is the intent.

~~~
nl
_statistics_

WTF? So analytics packages will somehow have to exclude these browsers from
all reports? Some reports? Can you count impressions from these users?

~~~
zobzu
How is that "wtf"? If I don't want companies to make statistics using what _I
do_ that sounds perfectly legitimate to me.

Now then again DNT is an intent, the vendor does whatever he likes, and can
support DNT for other features and still have statistics. There's no list of
things you can do or not do. There's no agreement either. It's just the user
indicating that they don't want to be tracked in any way.

~~~
einhverfr
It's a wtf because you can't draw any good lines on statistics. Web server
admins have legitimate reasons to track (i.e. log) all requests to some extent
against their web sites. We have good tools to help analyse a lot of this.

Consider a real world equivalent. Suppose you walk into a bookstore and buy a
book with cash. The store might not be able to track you individually but they
can track how many people visited, how many books they sold, etc. You can't
say that's not legitimate.

So I could see an argument that the line that should be drawn is one that
involved tracking cookies, but that is quite a narrow exclusion regarding
statistics of individual users. You can still get pretty good stuff from the
access log and there's no case to be made that DNT means Do Not Log.

~~~
zobzu
Statistics != "logging"

Then again anyone is free to track/not track, stat/not stat (so far at least)
and only "not track" a subset of their data (as long as they don't lie).

Then again there are a few privacy-aware websites that do logging and some stats
but on pseudonymized IPs, which is also a pretty decent compromise.

~~~
einhverfr
But what about mining statistics from logs?

------
4ad
The "Do Not Track" HTTP header is useless, equivalent to a "Do not Steal from
Me" T-shirt. It is also harmful because it gives users a false feeling of
protection and security. The question should not be why Chrome didn't
implement it, but why Opera and Firefox did.

~~~
rjd
It will make all the difference in a court case when you have specifically
denied consent and someone has continued to do something.

If you want to get pedantic about it just being text, all law is just text,
books upon books, but it's the enforcement that counts. This opens the door for
enforcement of other laws.

~~~
paulgb
You're not denying consent, you're sending some non-standard bytes to their
server which will be lost as soon as the request is processed. Without
legislation, do not track is just an honor system.

~~~
wpietri
You're mixing levels of analysis here. You might as well say, "He didn't vote;
he just used some sort of chemical-containing stick to make marks on a thin
slice of a tree." Your point about legislation being needed would be stronger
without that.

~~~
paulgb
My point isn't about levels of abstraction, it's about standardized
communication protocols. Making marks on a thin slice of a tree conveys a vote
exactly because that's what the government decided the way to make a vote
would be. If I write my vote in hieroglyphic etchings on an old shoe and post
it to the first lady, I can't expect my vote to be counted.

~~~
wpietri
Effective communication is about what people agree on. Government recognition
is one avenue for that, but it often follows the populace rather than leading
it.

------
Jimmie
I can hear it now "Of course not, why would an ad company sabotage itself?".

Wikipedia says Chrome is set to support the header by the end of this year
(2012).

Wikipedia's source:
[http://online.wsj.com/article/SB1000142405297020396080457723...](http://online.wsj.com/article/SB10001424052970203960804577239774264364692.html)

~~~
cooldeal
Even if what you said is true, it's definitely interesting that the browser
that is on the forefront of implementation of almost every new web feature is
about a year behind on only this one while all the other major browsers have
already implemented it.

~~~
chc
It might have to do with the fact that most Web technologies do something
useful while this just sends an extra header that pretty much every site they
visit will ignore. I wouldn't prioritize it either at this point in time. This
is a movement that needs support from site maintainers, not browser
implementors.

------
nzmsv
As far as I can tell, this official extension for Chrome has been available
since January of last year and supports the header:
<http://googlepublicpolicy.blogspot.ca/2011/01/keep-your-opt-outs.html>

------
shaggyfrog
Since no one's mentioned Ghostery yet, I highly recommend it as a way to
opt-out of all sorts of stupid tracking mechanisms on the Web.

<http://www.ghostery.com/>

------
rmc
This is misleading. The important actors in "who supports Do Not Track" are
not browsers but websites. "Browser support" just means "we'll tell the
website that you'd rather not be tracked". If every browser sent this header,
and every website ignored it, it would be a complete failure.

So what, if any, websites support the "Do Not Track" header?

~~~
leocassarani
Twitter, for one:
[http://www.theregister.co.uk/2012/05/18/twitter_signs_do_not...](http://www.theregister.co.uk/2012/05/18/twitter_signs_do_not_track/)

------
nigma
On the other hand, Google provides browser extensions that let you opt out
from advertising cookies and Google Analytics tracking. These are not vastly
popular though, each at around 100k installs for the Chrome version.

<https://www.google.com/ads/preferences/html/opt-out.html>

<https://tools.google.com/dlpage/gaoptout>

------
rickmb
Opting out of a privacy violation that should not take place to begin with is
insane.

Also, way too little way too late.

Ten years ago this might have been seen as a constructive contribution towards
industry self-regulation. Now it's just a sick joke that won't do anything to
change the fact that tracking without explicit permission will be illegal in
many parts of the world.

------
plaes
Will be also supported by Epiphany (default GNOME browser):
[http://git.gnome.org/browse/epiphany/commit/?id=f7a3fca8a8e0...](http://git.gnome.org/browse/epiphany/commit/?id=f7a3fca8a8e03a5362d14e55613ac6d4103978fb)

------
kevinsd
Given that Google is perhaps the only company whose main business is online
ads and ads relevance is crucial, it is natural that they cannot give up the
opportunity of tracking profile of ads viewers as easily as other companies.

------
nikcub
DNT does not work based on trust and if somebody is going to track you they
are going to track you regardless of if you send them a HTTP header asking not
to, or not

(the tl;dr of the spec is that it adds this HTTP header to all requests:

    DNT: 1

it can be set to 1 or 0).

There is also a large risk here of creating a false sense of security amongst
less knowledgeable users. We should be teaching users cookie control, plugin
and request blocking as part of using the web, not an 'install once, forget
forever' solution that doesn't work.

DNT is also adding _more_ entropy to HTTP requests, making you easier to
identify or profile. You get less privacy. Think about how much an advertiser
would love to know that you are privacy conscious, that puts you in a certain
socio-economic group.

I am a huge privacy nut and advocate but DNT will not work. The only way to
fix this is better third party blocking and controls in browsers.

I have been meaning to flesh out a blog post against DNT for a while, since I
keep getting emails asking to comment on media stories about it being adopted.
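
As an added illustration (not code from the thread or from any site mentioned in it), this sketch shows a server that chooses to honor the `DNT: 1` header described above: it skips the long-lived identifier cookie and logs a keyed hash of the truncated IP, the pseudonymized-logging compromise mentioned earlier in the thread. The cookie name, key, prefix lengths and function names are assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed key for the example; a real deployment keeps it secret and rotates it.
LOG_KEY = b"constructed-example-key"


def parse_dnt(headers):
    """Return True for DNT: 1, False for DNT: 0, None if absent or malformed."""
    for name, value in headers.items():
        if name.lower() == "dnt":  # header names are case-insensitive
            return {"1": True, "0": False}.get(value.strip())
    return None


def pseudonymize_ip(ip, key=LOG_KEY):
    """Drop the host bits (/24 for IPv4, /48 for IPv6), then HMAC the prefix."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    mac = hmac.new(key, str(net.network_address).encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def handle_request(headers, remote_ip):
    """Return (log_record, response_headers) for one request."""
    opted_out = parse_dnt(headers) is True
    response_headers = []
    if not opted_out:
        # Hypothetical long-lived identifier cookie, set only without DNT: 1.
        cookie = f"visitor_id={secrets.token_hex(8)}; Max-Age=31536000; Secure; HttpOnly"
        response_headers.append(("Set-Cookie", cookie))
    log_record = {
        "client": pseudonymize_ip(remote_ip) if opted_out else remote_ip,
        "dnt": opted_out,
    }
    return log_record, response_headers


if __name__ == "__main__":
    # Constructed sample requests (documentation address range).
    for hdrs in ({"DNT": "1"}, {"dnt": "0"}, {}):
        print(hdrs, handle_request(hdrs, "203.0.113.7"))
```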

~~~
mike-cardwell
"We should be teaching users cookie control, plugin and request blocking as
part of using the web, not an 'install once, forget forever' solution that
doesn't work."

Doomed to failure. Users shouldn't need to know this stuff, and the vast
majority never will. Even if it is taught and tested at school. There are
plenty of things we _could_ do to improve privacy, but much of it will cause
the major browser vendors to make less money, so is unlikely to happen.

1.) Tie all cookies to the domain in the address bar. No more third party
cookie tracking.

2.) Tie all cache entries to the domain in the address bar. Gets rid of
numerous tracking tricks at the cost of increasing bandwidth usage a little.

3.) Get rid of HTTP referrers. Completely. It's none of your business which
site I was on before yours.

These three things alone would make a _huge_ difference. It's the low hanging
fruit that we need to get before we tackle the more difficult problems.

I think there's too much money involved though. The above improvements would
definitely hit Microsoft's and Google's bottom lines. But hey, there's no
problem with insanely rich advertisers controlling the major browsers, right?
No conflict of interests there.

EDIT: I agree with all of your other points regarding DNT. Just not the user
education one.

EDIT2: Another one:

4.) Make all cookies session cookies. I configured my browser to delete all
cookies on exit ages ago, and the web still works fine. I might have to type
in my username each time I go to log in to sites instead of having it
auto-filled, but that's a good trade off. Besides, browser plugins like LastPass
solve that problem better.

~~~
nikcub
I wrote a Chrome extension to do what you describe, it breaks almost the
entire web. I am experimenting with a generic rule set with a view of forking
Chrome with a better default privacy and security policy.

I totally agree that users shouldn't need to know the details, but there are
some things, like third-party cookies, that need to be explained and
simplified. A bit like not clicking on an exe email attachment.

I think the equivalent could be that users white-list websites, or 'install'
them, if they trust them, which allows those sites to execute third-party
cookies. Everything else would be 'incognito' by default.

But I am not entirely sure what would work, hence my experimentation at the
moment. I know that the answer definitely isn't DNT.

~~~
Revisor
How does it break the web and what has the most breaking impact in your
experience?

~~~
mike-cardwell
I can't imagine a way that #1, #2 or #4 would be able to "break the web".
Worst case scenario is they add a tiny amount of overhead. #3 might cause a
tiny minority of websites to stop working, but they'd get fixed quickly if #3
was implemented.

------
idleworx
The Do Not Track movement and its whole premise is useless. I've blogged about
why this is so a while ago:
<http://blog.idleworx.com/2012/02/do-not-track-movement-is-useless.html>

------
jnorthrop
This will only be useful if governments enforce it. The US has included it for
consideration in the US Privacy Bill of Rights[1] and the EU may enforce it as
well[2]. But until there is some form of punishment for not complying with DNT
it is essentially window dressing.

[1] <http://www.whitehouse.gov/sites/default/files/privacy-final.pdf>

[2] <http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20120301_reply_to_iab_easa_en.pdf>

------
revelation
Why would Chrome not support a meaningless header sent by the client?

You are asking Schneier to implement security by obscurity with emphasis on
the obscurity part. Hell, you are asking the same people that sent a "This is
not a P3P policy" P3P policy.

Now I don't know if they think, as do I, that all of this is just meaningless
extra traffic on the wire, or that they are evil and don't want to commit to
privacy guarantees. No way to tell.

~~~
hmottestad
Anyone sent in an RFC for using code 666 for "Server is evil and does not
support Do Not Track headers".

~~~
__ted__
The IETF does have a network-layer solution to that.

<http://www.ietf.org/rfc/rfc3514.txt>

------
lsiebert
Hmm... Somebody could presumably bake it into chromium

------
btian
but will be incorporated by the end of 2012

------
SoftwareMaven
The real question isn't whether Google's browser supports this, it's whether
Google's servers support this. It may be that Google isn't adding it to the
browser until it can commit to it on the server.

~~~
joejohnson
Allowing people to opt out of tracking would _decrease_ the load on Google's
servers.

~~~
jrochkind1
Well, sure, and if everybody installed effective ad blocking software so they
never saw a google ad, that would decrease the load on google's servers too.

------
lampe
The thing is, why should it be supported if the website is tracking you
anyway?

It's just a request to not track me, but I can't see if it's really not
tracking me.

------
TazeTSchnitzel
Jesus' words (or Lincoln's, if you wish) apply here:

"If a house be divided against itself, that house cannot stand."

------
commonersense
If you disable Cookies and Javascript you will stop probably 90% or more of
tracking. How much tracking is done without using Cookies and without
Javascript? KISSMetrics? What else?

~~~
Teapot
Without JS and Cookies the web is too crippled. It's not an option for most
people. DNT tries to fix this on a more legal level than technical.

------
armini
If that's not evil then I don't know what is.

