

Yahoo ends support of “Do Not Track” - bpierre
http://yahoopolicy.tumblr.com/post/84363620568/yahoos-default-a-personalized-experience/

======
necubi
Do Not Track has been effectively dead for 1.5 years. Very few advertising
companies ever supported it due to Microsoft's decision to buck the spec and
enable it by default for all IE10 users (a transparent attack on Google by a
company whose own advertising business had just imploded in a $4B write-off).

The original agreement was carefully hashed out between advertisers and
browser vendors with the understanding that only a small percentage of users
would be opting out. When Microsoft reneged on that, the advertising industry
backed out.

Whatever you think about online tracking, the voluntary nature of DNT and the
complete lack of enforceability (there's no way, as a user, to determine
whether a company is following DNT) made it pretty useless. True privacy
protection needs to be on the client side (like script blocking or 3rd party
cookie blocking), not on the server side.

~~~
dmethvin
> due to Microsoft's decision to buck the spec and enable it by default for
> all IE10 users

Did you ever install IE10? The screen gave users the option to configure
everything but selected the most likely settings for many things, not just
DNT:
[http://img.wonderhowto.com/img/21/42/63487287284459/0/yahoo-...](http://img.wonderhowto.com/img/21/42/63487287284459/0/yahoo-ignores-ie10s-do-not-track-option-windows-8-stop-them-with-these-add-ons.w654.jpg)

What level of "not by default" would have been acceptable to advertisers? I
suspect they would be happy only if the option was disabled by default and
hidden from view. An uninformed consumer is a trackable consumer.

~~~
necubi
I have. You have to click through to a separate screen to get the option to
disable it. If you try that, it will warn you on the next screen that you are
not using the recommended settings. Then variously using IE10 you will get
prompted to use the recommended settings. Microsoft makes it pretty hard for
an average person to disable it.

DNT was a voluntary standard, and the advertisers refused to buy in unless it
was off by default (the vast majority of people will not change defaults, even
if you make it easy for them). Microsoft violated that agreement to hurt
Google, and as a result DNT is dead.

~~~
gcb0
so, DNT can be recommended to you and your close ones, but not the general
public? that is some entitlement you have going on there.

i applaud microsoft for protecting their customers, instead of selling them
out like google does with android.

also, most big advertisers chose to ignore DNT only for IE. so no, it has not
been dead for that long.

~~~
mpyne
The whole point of DNT is that it is a voluntary measure by advertisers to
avoid tracking people who don't want to be tracked.

Given that turning DNT on by default would essentially turn DNT on for
everybody, supporting DNT in that scenario would have imploded the whole
business model of the same advertisers.

Obviously they're not going to voluntarily decide to go out of business, so
the advertisers then dropped support for DNT entirely.

Now _no one_ gets the benefit of DNT, not even the privacy-conscious minority
who actually cared about it.

Welcome to second and third-order effects...

~~~
gcb0
we already beat that horse to death. it is not enabled by default. it is SHOWN
to the user to choose. and the checkbox is enabled by default, because, let's
agree on this, microsoft did their homework and that is the best choice to
recommend to their users.

it is never enabled against the user's knowledge. it is just the correct default
when it is presented to them.

and again, by no-one, you mean YOU. you are pissed off that everyone is not
disabled on DNT and not even shown the option, and only you and other tech
savvy people can benefit.

------
ori_b
Do not track, as defined, was pretty meaningless. See the section of the RFC
listing the exceptions:

    
    
        9.3.  Exceptions
    
        As a general guideline, exceptions to Do Not Track are warranted when
        commercial interests substantially outweigh privacy and verification
        interests.  The following activities are excepted:
    
        1.  Tracking of users who have explicitly consented to tracking, such
            as by enabling a checkbox in a preferences menu on the first-
            party website of the tracking service.
        2.  Data obtained by a third party exclusively on behalf of and for
            the use of a first party.
        3.  Data that is, with high confidence, not linkable to a specific
            user or user agent.  This exception includes statistical
            aggregates of protocol logs, such as pageview statistics, so long
            as the aggregator takes reasonable steps to ensure the data does
            not reveal information about individual users, user agents,
            devices, or log records.  It also includes highly non-unique data
            stored in the user agent, such as cookies used for advertising
            frequency capping or sequencing.  This exception does not include
            anonymized data, which recent work has shown to be often re-
            identifiable (see [Narayanan09] and [Narayanan08]).
        4.  Protocol logs, not aggregated across first parties, and subject
            to a two week retention period.
        5.  Protocol logs used solely for advertising fraud detection, and
            subject to a one month retention period.
        6.  Protocol logs used solely for security purposes such as intrusion
            detection and forensics, and subject to a six month retention
            period.
        7.  Protocol logs used solely for financial fraud detection, and
            subject to a six month retention period.
    
        To ensure data allowed for only specific uses is adequately
        protected, functional entities SHOULD implement strong internal
        controls.
    

Basically every advertising network would fall under 2 or 3.

~~~
qwerty_asdf
Awesome, this is exactly what I was too lazy to Google and dig up on my own.
The plan pretty much shoots itself in the foot before it even leaves the
gates.

~~~
gcb0
ironically, yahoo is the ONLY big publisher adopting safeFrames. which
effectively blocks any ability of the ad to identify the user, or set cookies
as a fake-first-party.

~~~
tdurden
It is not really ironic. Yahoo! is the only/first one being honest about DNT
to date (that I am aware of). Yahoo! is just bowing out of a deeply flawed
spec.

~~~
gcb0
exactly why it is ironic!

they are the only one solving the privacy-while-showing-ads issue by using
safeframes. then they drop DNT because it is a fallacy for the most part.

but they write that announcement in the worst possible way and everyone goes
crazy.

~~~
tdurden
I misinterpreted your comment then! Thanks for the clarification.

------
_pius
"The privacy of our users is a top priority for us," Yahoo says as they end
support for users' privacy settings.

~~~
dshanahan
This. The comments on the post are priceless too.

------
skue
I used to feel that blocking online ads was freeloading, but I am increasingly
convinced that the online ads are a failed experiment and it's our duty to
kill them -- especially when the industry can't even follow through on
watered-down self-regulation like DNT.

The crazy thing is that major websites like Yahoo don't even know what ads
they are serving. And increasingly online ads are an attack vector for viruses
and malware. In January Yahoo was serving malware via their online ads.[1] And
in February Google did the same.[2]

And of course there are the major privacy issues with companies tracking us
online. I understand that online publishing is important and we clearly need a
strong press, but publishing really needs to find a new business model. Online
ads are not the solution.

[1]: [http://www.cnn.com/2014/01/05/tech/yahoo-malware-attack/inde...](http://www.cnn.com/2014/01/05/tech/yahoo-malware-attack/inde...)

[2]: [http://labs.bromium.com/2014/02/21/the-wild-wild-web-youtube...](http://labs.bromium.com/2014/02/21/the-wild-wild-web-youtube...)

~~~
fortyseven
Sure, kill them. I mean, as long as you realize that killing off online ads
essentially means opting in to a future where quality content is forced behind
a paywall as a matter of course.

And I say this as someone who loathes advertising and the creepy mentality
behind them. They're kind of a necessary evil. Keeping a tighter rein on what
kinds of ads can be served would help tremendously. They need to eradicate
that stigma of them being a dangerous vector. Erf.

~~~
jaachan
Then we can invent in a proper paywall, something that works unintrusively.
And then users are the customers again, and we can get our internet back.

------
lucb1e
The important thing to note here is not that Yahoo! is so evil. It is that
they are probably one of the few companies in the world that are honest about
it. And surely after this outcry, or at least 3/5 comments here are talking
about needing warnings on "websites like these" or "now I have a reason to
block Yahoo's cookies", surely no other companies will publicly announce the
end of DNT support.

And besides, Do Not Track is a black box: they can do whatever the hell they
like while our browser merely requests "Would you please not track me even if
your site is entirely free and ad-supported?" Because it's not like they're
keeping databases on us purely for fun.

~~~
gcb0
meanwhile, other big publishers: what the hell is DNT?

------
meepmorp
The privacy of our users is and will continue to be a top priority for us.
Just not as long as it in any way might affect our current revenue streams.

~~~
mscarborough
Marissa Mayer is getting a little weird in the quest to show she has brought
some value to Yahoo.

She runs a company that cares about you and wants the "best user experience",
so long as it doesn't hurt the bottom line at all. And the next rounds of
layoffs are probably not too far away, from everything I've heard.

~~~
gcb0
she learned at google that this matters little. just see android announcing to
your carrier that you use tethering, or the fact that google employers actively
REMOVE features from chromium that impact adsense revenue such as disabling
referrer, etc.

~~~
MichaelGG
Chrome's options for DNT are hilarious. For every other option, like spelling,
they give you an order of (Yes, No) when you check the box to enable the
option. For spelling correction, they encourage you to enable it with the
phrasing.

For DNT, they have a lengthy explanation of how tracking is still done and
totally helps your experience. Then they _reverse the order_ of the buttons so
the default is to cancel out of the operation.

Seems unlikely this was implemented as an accident.

------
ghshephard
Microsoft effectively destroyed "Do Not Track" by making it the default in
their browser, and therefore destroying any notion of "intent" by the user.
The day Microsoft made it the default was the day I immediately knew that the
Yahoo/Google's of the world would stop supporting it in the future. Clever
move by Microsoft in the embrace/extend/extinguish cycle.

~~~
baddox
Why does one choice of default "destroy intent," while the other doesn't? Why
do you assume the default setting of allowing tracking is the correct one?

~~~
benologist
More importantly, why is "on by default" supposed to be "bad" when the entire
system is designed to protect people's privacy?

Microsoft don't sound like the problem.

~~~
jaachan
DNT is not designed to protect everyone's privacy, it was meant as a way to grow
a clear sign that people don't want to be tracked. If browsers really wanted
to protect people's privacy, they'd block 3rd party cookies by default and
show 1st party cookies as a warning.

~~~
benologist
All good points.

------
eli
FYI, if you don't want Yahoo ads to track you, they offer an opt-out.
[https://info.yahoo.com/privacy/asia/yahoo/opt_out/targeting/...](https://info.yahoo.com/privacy/asia/yahoo/opt_out/targeting/details.html)

You can opt-out of pretty much all the major ad networks at once, in fact:
[http://www.networkadvertising.org/choices/?partnerId=1](http://www.networkadvertising.org/choices/?partnerId=1)

It's been like that for years. I'd submit that as evidence that the ad
industry is willing and able to accommodate people who don't want to be
tracked on an opt-out basis.

~~~
Istof
You have to keep that cookie on all your devices for all ad companies? no
thanks, I would rather block all ads.

~~~
eli
Well, DNT was supposed to be the alternative.

You can inspect the cookie. Yahoo's is literally "optout=1"

------
reuwsaat
Yahoo ends support of "Do Not Track". Fast Lanes for sale. Facebook is using
my data for advertising outside its walled garden... sigh. Give me back my
old 56k modem. I miss my old internet.

------
rmrfrmrf
The title doesn't even make sense. The default was _always_ to track users.
Yahoo could have made this sound a lot less disingenuous if they had spun
ending Do Not Track support as "this 'standard' is weak, hard for users to
understand, and not guaranteed to be implemented by anyone, giving the average
browser user a false sense of security."

This post just makes it seem like one of the higher-ups realized that Yahoo's
missing out on a chunk of data that everyone else gets and decided to go for a
"quick win".

------
MikusR
Browsers should have some sort of warning message when visiting sites like
these.

~~~
lucb1e
You mean like the European cookie law? Yeah that worked out great.

~~~
forgottenpass
Implementing that must have been fun. "You mean you got it watered down so
much that all we have to do to continue as usual is make our users hate
government even more? lol"

------
taariqlewis
I never had a reason to ban all Yahoo! cookies on my browsers, until today.

~~~
lucb1e
The fact that they supported it at all was relatively exceptional. You'd
better block cookies on all other domains before they, _gasp_ , place more
tracking cookies!

------
jimktrains2
Did DNT ever have any support beyond verbal promises? I personally feel that
it was always useless and never really trusted anyone saying they "honoured"
it.

------
qwerty_asdf
But has there ever been a precise specification of what it means to "track" a
user? Does "track" have any finite meaning, or is it just an open-ended plea
from the user for everyone to pretend that certain events never happened?

To speak of "tracking" one might mean:

    
    
      A. Thou shalt not cookie a user.
      
      B. Thou shalt not record plain text log files on a 
         server-side file system, regarding the nature of these 
         requests. Thou shalt not persist discrete information 
         to a relational database, with respect to these 
         particular HTTP requests.
    
      C. Thou shalt not inspect which IP address HTTP POST 
         requests originate from, and treat them differently, if 
         a user proclaims "no tracksies". GET requests will be 
         treated as read-only requests for static resources. If 
         the static resources change, I wish to play no part in 
         such events.
    
      D. Thou shalt neither inspect ANY HTTP requests (PUT, 
         DELETE, POST or GET), nor serve individualized 
         resources, regardless of any particular attributes 
         present in the request. Thou shalt only keep the 
         specific data I tell you to keep, and destroy 
         everything else related to my requests. At a later 
         point in time, I reserve the right to become 
         irrationally angry about your having kept *some* of
         the data I told you to keep, because, technically 
         speaking, the DO-NOT-TRACK header is all encompassing, 
         and supersedes all other instructions. I also reserve 
         the right to get angry if *your* system does not 
         perform according to *my* expectations, whatever those 
         expectations may be, at any particular time.
    
      E. Thou shalt not provide me with any uniquely 
         identifiable information. I do not wish to receive 
         information which has not already been provided to 
         anyone else. Please do not transmit unique information 
         to me over the wire or over the air. Doing so will 
         change the state of my system in a unique way, which 
         I'll eventually have to answer to. If I receive non-
         standard resources and information from you, my service 
         provider and local authorities, may use this against 
         me, and derive other information from these details. I 
         may be penalized for knowing or having things other 
         people do not. 
    
      F. This never happened. I don't exist. You don't exist. We
         don't know each other. There was never any /index.html 
         or /default.htm available here. I never asked for it, 
         and if anyone did ask for it, you just said "404". You 
         don't know how many people were looking for that file, 
         or whether it was 5KB or 17MB at any particular time.
    

One can easily understand how a user might urgently want for one or all of
those, or even more stringent restrictions to be adhered to, under certain
circumstances, but in some cases, the very nature of the beast is for a given
server or cluster to maintain a certain degree of situational awareness,
regarding the current state of user activity requested.

Beyond even that, in most cases, for a user to simply request the common
courtesy of being forgotten might be unrealistic and completely ineffective
from the outset.

    
    
       "Please don't track me, but here's my ID and password, now log me into my account."
    

I can think of several ways to interpret that. Worse yet, the fact that a user
may have cookies turned on, and has sent the request in plain text, across ten
other systems beyond my own control (all of which should also respect the
user's wishes) completely defeats any realistic expectations of non-
disclosure.

An honor system is certainly an admirable aspiration, but sending "do not
track" requests by default also creates a general atmosphere of noise from
users who may or may not be cognizant of the true nature of their actions.

The knee-jerk idea that cookies are bad isn't good enough. The idea that you
can simply ask people to "be nice" also isn't good enough.

Dumb people are always going to be their own worst enemies, by playing the
role of low hanging fruit to be preyed upon.

I've always felt that "do-not-track" requests were bullshit, just like the
European cookie law was a silly white wash. (servers remember data, it's what
they do. businesses exploit their customers for a profit, it's what they do.)

Just like having to opt into a "do-not-call" registry is bullshit. (no one
wants to be cold-called by telemarketers, so why is this an opt-in thing?)

Just like anti-virus software is bullshit. (hey, how about you just don't
execute code indiscriminately? doesn't that work too?)

The list goes on...

------
secfirstmd
Wait...people still use Yahoo? :)

~~~
eli
Second only to Google in terms of desktop web traffic, if you believe
Comscore:
[https://www.comscore.com/Insights/Press_Releases/2014/3/comS...](https://www.comscore.com/Insights/Press_Releases/2014/3/comScore_Media_Metrix_Ranks_Top_50_US_Desktop_Web_Properties_for_February_2014)

Roughly the size of Facebook and LinkedIn combined.

~~~
secfirstmd
Yeh but that's misleading as worldwide it's about 5% of total.

[http://searchengineland.com/google-worlds-most-popular-searc...](http://searchengineland.com/google-worlds-most-popular-search-engine-148089)

