

Firefox: Why we won’t enable Do-Not-Track by default - jm3
https://blog.mozilla.org/privacy/2011/11/09/dnt-cannot-be-default/

======
ashishgandhi
Or the risk of offending the biggest source of funding? Why does being tracked
be the norm and you have to explicitly say don't track me? In real life you
don't have to go to a government agency and register "I wish to not be
stalked". What is wrong with saying it is the user's choice that they be
tracked. Default is don't because that's how real life is.

(If you really really really care about a user's choice like you say you do
then make the user make a choice. On first launch get the user's choice and
refuse to work without being told what they'd prefer.)

Edit 1: I read the W3 draft on Do Not Track and seems like there is a section
for "Explicit Consent Requirement".[0] Although whether the committee is
influenced by corporation in way that the industry is tasked with policing
itself is a different topic altogether.

Edit 2: Brain Smith from Mozilla responded with websites ignoring the flag if
set by default. That's what Yahoo! did.[1] But that's the problem with any
honor-based system.

[0] [http://lists.w3.org/Archives/Public/public-
tracking/2012Jun/...](http://lists.w3.org/Archives/Public/public-
tracking/2012Jun/att-0095/compromise-proposal-pde-tl-jm.html) [1]
[http://allthingsd.com/20121026/yahoo-dings-do-not-track-
defa...](http://allthingsd.com/20121026/yahoo-dings-do-not-track-default-and-
search-partner-microsoft/)

~~~
briansmith
> Or the risk of offending the biggest source of funding?

I (a Mozilla employee) can understand why people worry about this, because
there does seem to be a conflict of interest here. But, I've never seen
_anything_ to indicate that we consider Google's payments to us in any
security/privacy decision.

DNT is not the ultimate solution to tracking on its own. It is part of a
solution.

Consider this:

Let's say you go buy a box of doughnuts and take it to work, open it, and
leave it open on a table next to your desk. Some people will think "Hmm, I
want one of those doughnuts but I'm not sure if it is OK to take one, so I
won't" and other people will just assume that it is OK to take one. (Why else
would there be an open box of doughnuts? And/or isn't it better to ask
forgiveness than permission?)

Let's say you write "Do NOT take these doughnuts! They are mine!" on the box
with a big fat marker. If somebody were to take a doughnut, they would be
__clearly __in the wrong in that situation, according to any kind of
mainstream social convention.

Lots of people will say that it is wrong to take a doughnut without explicit
permission. But, many, many people see the situation as being open to
interpretation.

Now, let's say the doughnut shop pre-printed "Do NOT take these doughnuts!
They are mine!" on every box. You might argue that that is the same thing as
the hand-written sign. But, I would bet that the pre-printed message would get
drowned out as people would normally share doughnuts out of these pre-printed
boxes: "Just ignore the box, they all say that; it doesn't mean anything." The
pre-printed message becomes less and less meaningful, even though the words
are clear, unambiguous, and explicit. And, worse, you may be discouraged from
writing your handwritten ""Do NOT take these doughnuts! They are mine!"
message on the box because, well, the box already says that. Effectively, that
message pre-printed on the box is harmful, as its meaning is in the eye of the
beholder--just like the open box sitting on the table with no message written
on it at all.

Do you see how that could possibly be problematic? This is the problem that
Sid and others at Mozilla are trying to solve. "DNT: 1" means it is __clearly
__wrong to track this user because they've gone through special effort to tell
you they don't want to be tracked.

It has nothing to do with Google's money.

~~~
cremnob
Why not have the user decide the first time they launch the browser? They
either choose to enable DNT or not.

~~~
chii
the user don't care at that time - they probably have something more urgent to
look at the first time they run their browser, and if you bombard them with
questions, it gets annoying.

I agree with the default being ON (that is, DNT is turned on). The analogy
with the doughnuts and pre-printed message isn't quite accurate in this case,
because it is _clearly_ a better choice to not have tracking done on the user,
whilst with a box of donuts, its not always clear cut whether sharing it or
not is the right thing to do.

~~~
anonymous
Every OS comes with a browser other than firefox by default (except certain
flavours of Linux, but they could make the choice part of the install
process). If the user needs to look at something on the internet right now,
they won't go searching for firefox, downloading and installing it. Having one
simple checkbox that takes half a minute to decide on won't make installs take
all that longer. Or just display a configuration page the first time the
browser starts up with a "you can set all these later too from <here>, btw"
message.

------
zmmmmm
The problem with "Do Not Track" is that it is misnamed, and the entire debate
has been misframed around that. The feature was dead in the water from the
moment it was called that.

To the end user, the idea of being tracked sounds like being followed around
by some stalker, and is about as enticing as having your home robbed. People,
in general, don't understand either the bad (the extent to which web sites can
build a deep profile on you) or the good (how much of the web that everyone
loves is financed through targeted advertising). As such, how things are
presented is tremendously important.

Imagine if it was called "Disable Ad Personalisation", or even, "Do Not Tip"
where the notion of denying monetization to the web sites you use (which is
what Do Not Track will do) is invoked. It would have a very different
response, I think.

~~~
zobzu
I'm thinking they named it that way on purpose. It has a lot of media
coverage. It makes people more aware that they're losing the privacy they took
for granted in the past, when using the web. The feature seems to have been
adopted by many browsers now so i'd say its mostly successful - but even if it
wasn't, the media impact probably makes it successful for them, IMO

------
mdasen
I think there's an easy solution to this: when one first launches Firefox (or
another browser), it can prompt the user. Firefox already has a "know your
rights" thing that comes up. Internet Explorer asks what search engine and
other stuff you want to use. Having a "Do Not Track" option as part of that
would be reasonable.

As for Mozilla and this letter, Do Not Track isn't legislated. Basically, it's
a way for you to tell websites that you don't want to be tracked, but they
have no obligation to follow your wishes. Some advertisers [citation needed]
have indicated that they will follow Do Not Track if it's an opt-in system. A
cursory search shows that Yahoo ignores the setting from IE10 because
Microsoft made it a default
([http://www.theregister.co.uk/2012/10/26/yahoo_to_ignore_ie10...](http://www.theregister.co.uk/2012/10/26/yahoo_to_ignore_ie10_do_not_track/)).
As the article notes, the W3C says that Do Not Track should be opt-in.

So, on the one hand, advertisers seem to be saying "if Do Not Track is a
default setting, it isn't a user choice and we'll ignore it." If Mozilla makes
it a default, it doesn't help anyone. However, I think browser makers could
call their bluff by making it a very apparent option when starting the web
browser.

I think Do Not Track should be the norm. However, it isn't. The norm _is_
tracking. Once a norm has been established, it's hard to replace it with a new
norm. Cigarettes would never get approved for sale if they were
invented/discovered today. If subways were a new invention, it seems like they
would be built with walls preventing people from being pushed onto the tracks.
But norms were established and it's hard to move away from them.

In this case, I think there's an easy solution: explicitly asking on first
launch. Browsers already ask to be the default, some try to tell you about
rights, some ask you about search engines, etc. Just add Do Not Track to that
process. Then we explicitly have a user opinion on the matter.

~~~
nej
You can't just keep adding prompts every time there's a change, you'll end up
creating a scenario where there must be a prompt for every change made.
Default settings are needed just like any application.

------
LinXitoW
I find this whole argument moot. DNT is binding neither in a legal nor in a
technical sense. If you don't trust someone to handle your internet tracking
history, why would you trust them to keep an informal promise, ESPECIALLY
considering they have a get out of jail free card saying they accidently
ignored your DNT header because they thought you were using IE 10?

Microsoft did right(for once) with making DNT default on IE. It exposes the
DNT idea for what it is: Snake oil.

------
Monkeyget
Do-Not-Track has been designed to represent the _explicit_ choice of the user
to not be tracked. As per the DNT[1] draft :

    
    
      6.2.  User Interface RECOMMENDED
      A user agent that implements Do Not Track SHOULD provide a user interface 
      for modifying preferences.  The user interface design is left to the 
      user agent.
    
      6.3.  Default
      A user agent MAY adopt NO-EXPRESSED-PREFERENCE or OPT-OUT by default.
      It MUST NOT transmit OPT-IN without explicit user consent.
    

Another important aspect, that I don't see mentioned much, is that DNT is only
supposed to prevent third-party tracking. First-party remains unaffected.

[1] <http://tools.ietf.org/html/draft-mayer-do-not-track-00>

~~~
abalone
Uh.. doesn't it say OPT-OUT is an acceptable browser default?

~~~
scotty79
Yes. Also defaults matter.

Countries that have opt-in default on organ donations have at most around 30%
of consent.

Those that have opt-out have above 90% consent.

<http://blogs.lse.ac.uk/politicsandpolicy/archives/11953>

Basically Mozilla is saying: "It your decision to not be tracked." and
thinking "But we think you should allow everyone to track you if you don't
mind that much."

------
616c
Because it breaks websites. It blocked cookies for me on an FRAME (yes, I
know) for a MasterCard SecureCode transaction for personal stuff on a local
business site, and the website uses cookies to pass from one server to another
and the transactions failed the following day when I enabled Do Not Track.
Even companies like MasterCard cannot function with it enabled, how do we push
smaller companies to get it done?

~~~
KNoureen
Are you trolling us? DnT is a HTTP header sent by the browser, it does not
block or delete cookies.

On another note, cookies are domain specific, which means that a cookie can't
be accessed by another domain.

------
onemorepassword
And this is why industry self-regulation will continue to fail.

Opt-out from privacy invasion is not sufficient. In Europe at least, it is
politically and socially unacceptable that people have to opt-out. So as long
as the industry comes up with half-assed protocols and self-regulation that is
based on the assumption "we have the right to violate your privacy unless you
stop us" instead of the other way around, this will continue to trigger ever
stronger anti-tracking legislation.

And please don't think that the faltering so-called "cookie-law" will be the
end of it. That was just the softest option, and just like with early anti-
spam laws the industry chose to sabotage it instead of trying to make it work.
I wouldn't be surprised if this ended with a full blown ban on any form of
cross-site tracking.

Of course "do not _stalk_ " should be the default. The whole notion that
having your privacy violated by the marketing industry is somehow about
individual choice is bullshit. It's as idiotic as "do not film me in the
privacy of my own home" being opt-out and we're all Big Brother contestants by
default.

------
mozmoz
This does not make any sense.

Mozilla is claiming they do not want to enforce a preference for the user, and
instead would like the user to make the choice. But Mozilla has previously
enforced their preference for a number of different features:

* Mozilla has disabled java plugins and silverlight in the past to protect their users (from security vulnerabilities).

* Mozilla has enforced their preference for blocked popup windows in the past to protect their users (from annoying content).

* Mozilla has enforced their preference for the handeling of cookies to protect their users (from privacy violations). [https://blog.mozilla.org/privacy/2013/02/25/firefox-getting-...](https://blog.mozilla.org/privacy/2013/02/25/firefox-getting-smarter-about-third-party-cookies/)

Why not disable tracking features to protect your users (from privacy
violations)?

Their explanation does not make sense.

~~~
icebraining
The difference is that those preferences actually do something. DNT is just
asking nicely to advertisers, it doesn't actually prevent tracking, so if
everyone asks by default, it becomes meaningless.

The only way for a "Do Not Track" feature to be on by default is if it legally
or technically _prevents_ ad networks from tracking, otherwise it'll be
ignored (see IE).

------
zobzu
the problem is that Mozilla _introduced_ do not track.

if they had both introduced the feature AND made it default, since following
the hint is voluntary from the advertisement providers (ie server side decides
to honor it or not), well, NONE would have followed it.

The situation with 3rd party cookies is different, because it's up to the
client, not to the server side.

So, this has little to do with the Google search engine deal, in fact.

~~~
kbuck
Putting aside my opinion on do-not-track, I think it's perfectly reasonable
that it's off by default, simply because that is the current behavior of the
browser. If they enabled it by default, they'd be changing it out from under
current users.

------
wereHamster
> We won’t turn on Do Not Track by default because then it would be Mozilla
> making the choice, not the individual.

I don't buy that. They are making a choice either way, whether they enable or
disable it by default. Just like they are making a choice about the hundreds
of other options Firefox has. A few examples of how Mozilla thinks:

> JavaScript enabled by default. Why? Developers and designers can do some
> really awesome websites with it and we want users to have that experience.

> SSL enabled by default. Why? It improves your security.

> Do Not Track disabled by default. Why? Because we don't want to fuck with
> the people who are paying us (i.e. Google).

~~~
JohnTHaller
Or, by turning it on by default, advertisers will completely ignore the
setting, exactly as they are with Internet Explorer.

~~~
wereHamster
Why should they be honoring the header now? For them, implementing support for
that standard are only expenses. There are no incentives to do so, and no
punishment or repercussions if they don't.

~~~
boq
> Why should they be honoring the header now?

The idea was that, given a significant enough amount of people turning it on,
advertisers would take notice of it and react accordingly. If it's on by
default it is meaningless.

It's a tool that enable users to send a message to advertisers that they are
not okay with their practices. It was designed this way. It says you are okay
with ads but not with the tracking.

> There are no incentives to do so, and no punishment or repercussions if they
> don't.

Except for adblock. If the only option to avoid tracking is to block ads, then
that is what will be used.

~~~
chii
> Except for adblock. If the only option to avoid tracking is to block ads,
> then that is what will be used.

Therefore, browsers should come, by default, with an adblock feature (or
simply, just bundle the adblock plugin). This DNT business is purely just lip
service.

------
ghshephard
I always wonder why people don't have the courage to mention the elephant in
the room - that a very significant part of Mozilla's revenue comes from
Google's ability to track Firefox browser users. That, at least, deserves a
mention.

~~~
djcapelis
Actually that's all anyone seems to talk about, as you can see from the other
comments on this story now that it's been a few more minutes.

------
utopkara
This is bs. I consider myself far more computer literate than the masses. Yet,
I wasn't aware that the iOS safari had the capability of DNT. I accidentally
found out about it while playing with the settings on my development device.
DNT is a relatively new capability, which used to be handled with plugins such
as Ghostery. Browser vendors should teach their users about this shiny new
feature, otherwise it is practically useless, as it will not protect those who
need it the most.

------
yiransheng
How about determine the default setting in a random fashion?

DNT = Math.random()> p ? on : off

------
anigbrowl
_We won’t turn on Do Not Track by default because then it would be Mozilla
making the choice, not the individual._

That's just as true of leaving it turned off by default. What sort of idiots
do you take us for?

------
nwh
Internet explorer has made any effect that DNT might have had completely
useless. It's much more effective just to nuke the stuff locally with
Ghostery.

------
gpvos
That was 2011. While Mozilla still will not turn on DNT by default, they are
now going to block most third-party cookies by default, which to a large
extent has the same effect:
[https://blog.mozilla.org/privacy/2013/02/25/firefox-
getting-...](https://blog.mozilla.org/privacy/2013/02/25/firefox-getting-
smarter-about-third-party-cookies/) . (Edit: typo.)

------
boq
I don't get it. There is no point at all to let DNT be on by default anyway.
What is all the noise about? What did I miss?

------
wfunction
The fact that he repeats himself so often is more than enough to get the point
across.

------
skrebbel
Reading the headline, I kind of expected the entire blog post to consist of
"Because we're funded by Google".

------
bitgossip
This is from 2011. Is that on purpose?

------
kibwen
This is from 2011.

