
EFF, AdBlock and Others Launch New “Do Not Track” Standard - mirimir
https://threatpost.com/eff-adblock-and-others-launch-new-do-not-track-standard/114121
======
makecheck
Maybe there should be a standard to go the other way: a scheme to let web
sites communicate monetary requests to browsers in an "official" protocol.

A lot of this tracking only seems to exist for advertising schemes, which only
exist to monetize the page. We are years past the point where we should have
figured out how to make it easy to pay who you're looking at.

For instance, when you visit the page for Article X on news site Y, maybe Y's
response includes a header that says it requests a donation, with some
suggested value like "10 cents". And then, in some standard interface, the
browser would show this request (e.g. a small icon in the corner with a price,
including some given link on how to pay it). The request would require certain
things for security; e.g. use of HTTPS and being on the same domain as the
majority of the content.

And since blatant copy/paste stealing and re-posting to blogs, etc. is a
money-making scheme in itself, the browser might "protect" monetized pages in
some way; e.g. disable the copy/paste and printing functions unless the
donation interface is used to pay, to at least make it more difficult to
outright rip off web sites.

~~~
saidajigumi
And then you're right back into the great micropayments hole. No one has
"figured this out", in part because of the real-world payment logistics, and
I'll pose another part: because it's a bad idea from a UX standpoint.

Having to _make a decision_ about whether to tip/donate to what would rapidly
become nearly every site on the Internet would be a terrible user experience.
"Decision energy" (aka willpower) is a scarce human resource; this would be an
unparalleled waste of it.

I wish there were a great alternative to ads as well, but I believe action-
required micropayments will always be a non-starter. The best we've got so far
are tools like Patreon and Bountysource's similar system. These can be viewed
as a kind of "preaggregated micropayments", which eliminate per-click decision
making via a user-configurable subscription.

> the browser might "protect" monetized pages in some way

It's already possible to disable copy on web pages. Some blog themes do this,
and I wish browsers would just unimplement it entirely. This is right up there
with lame DRM schemes, in that view source (or else curl) are still going to
work. Likewise, bots will be completely unaffected. Such an approach merely
annoys users with legitimate needs (e.g. who must look up a word or
phrase), but will have zero impact on content piracy.

~~~
marcosdumay
A standard "tip" button on the browser may be an excellent feature. No
willpower or cognitive load added, you just know the button is there, and use
it when you decide to.

Not sure if it would generate any reasonable revenue, nor if it's actually
viable in the presence of our current financial institutions. But I can't see
any real downside.

~~~
robinson7d
That might be tricky because you'd have to determine how much "one tip"
(/click,submit) is. Even if a small amount was decided upon, I wonder if there
would be too much added stress along the lines of "is reading this worth the X
of a tip?" Which, also, is hard to know until you've actually consumed the
whole item, at which point a lot of people have probably linked somewhere
else, flowing their way across the web.

I think that this might be helped if it acted like playlists, or bookmarks,
where clicking the button would add the site to a list. Later you can opt to
donate to items on the list (or provide a single donation split evenly among
everything on the list).

Of course, I doubt many would actually use such a feature either.

~~~
kijin
Reddit Gold seems to be working fairly well.

It doesn't even have to be used by many people. Most people rarely click on
ads, and yet a lot of websites are doing just fine with ad revenue. You just
have to ensure that the small percentage of people who do click generate
enough money to compensate for hundreds of others who don't.

~~~
robinson7d
Reddit Gold is definitely a wonderful solution.

However, I was replying to a comment about a "donate" button on the browser,
and trying to keep within the problem that it is trying to solve, which is (at
least as far as I can tell) paying for the vast number of far smaller sites
that make up the internet.

------
jedberg
As someone who used to run a site that made money from tracking people by
showing them ads (and we tried really hard to make those ads unintrusive and
relevant), I have mixed feelings on this.

On one hand I totally get why people don't want to be tracked (I don't). On
the other hand, for many of these sites, this is their only source of revenue.

Whenever I ask, "is it ok for those sites to block you if you are running
adblock" usually people say "no, they need to find a different business
model!". But my question back is always: until they do find a new business
model, if they can survive by blocking people who use adblock, why shouldn't
they?

~~~
chimeracoder
> But my question back is always: until they do find a new business model, if
> they can survive by blocking people who use adblock, why shouldn't they?

In this day and age, Adblock is a necessity for nontechnical users. I
installed it on my parents' machines to protect them against drive-by-
downloads, malware, etc.

Someone may say, "I know my ad networks would never do anything of the sort".
But the fact is, ad networks get compromised, and even ad networks that have
strict policies for acceptable ads sometimes have bad actors slip through.
Even if it's not often, it's enough of a risk that it's simply not worth it.

FWIW, Reddit may be in a different situation, since I believe Reddit's ads are
self-hosted. In that sense, I'd view it more as analogous to sponsored user-
generated content, which I have other philosophical issues with, but don't
suffer from this problem.

~~~
iigs
This was it for me. I don't really care about the stupid "hit the monkey and
win" blinking animated .gifs, and lived with them for years without really
worrying, but in 2015 ad blockers aren't sunglasses, they're condoms.

Furthermore, I installed uBlock in Firefox for Android because ads were
getting so bad that it was essentially impossible to view some sites. It was a
last-ditch effort to offer the content one last chance to survive. If
publishers would prefer I not see their content at all, that's fine... I was
almost already there, anyway.

In response to jedberg's question: I personally don't mind but I don't believe
I'm as petulant and entitled as the typical loud mouthed redditor, but reddit
made that bed, and now they get to lay in it.

~~~
chimeracoder
> Furthermore, I installed uBlock in Firefox for Android because ads were
> getting so bad that it was essentially impossible to view some sites.

This in itself is enough of a reason for me to use Firefox on Android and
recommend it to everyone who uses Android.

There are a lot of other great things about it, but the fact that it allows
installation of extensions (and therefore allows adblocking for non-rooted
devices) is huge.

~~~
ionised
Agreed. Not sure why Firefox on Android has such a low user base but I
wouldn't consider anything else at this point.

I certainly would not use Chrome, despite its extensions.

~~~
davidgerard
Because Google actively work to make it a bad experience.

Look at GMail in Firefox Android. Now look at GMail in Chrome Android.

------
Nursie
This is still asking a dishonourable industry to honour a polite request, and
as such I don't see that it has any value.

I'm not sure why this voluntary code of practice stuff is still under
discussion. Defensive measures are the only thing that's ever going to work
because advertisers are actively hostile and forever trying to push boundaries
in their continuous attempts to grab your attention.

I propose a move in the other direction, I propose that tools like adblock and
noscript start to broadcast their presence in request headers. I would be
perfectly happy to let a site owner know up-front that I will not be rendering
any of their advertising content, I will not be keeping and propagating any
tracking cookies (or cache entries or whatever) and they can choose whether or
not they still wish to serve my request. They could even present me with the
choice of disabling my blockers to see their site.

That way everyone knows what's going on, nobody feels either ripped off by
blockers or under attack from advertisers, job done.

------
manigandham
Ads are the only micropayment solution that has worked so far.

There are a few ideas out there to make things better (I'm currently working
on one) but it's a very long road that requires massive reach and coordination
between lots of major companies to work effectively at scale (as in the
internet and not just 5 sites). Biggest issue is that people just don't like
paying for content, or dealing with transactions (at the pace of website
access).

Also, I think people tend to forget but payments aren't really that much more
private than ads. In fact most ad networks don't know that much or it's very
confused (just go look up any of the info registries to see). Payments however
usually mean a central service + credit cards = name, age, address, purchase
history, etc.

~~~
lucaspiller
> Biggest issue is that people just don't like paying for content

I don't think people are ever going to be willing to pay for content in terms
of giving their money to the writer/publisher/etc, even if it's 1c. Look at
the app store as an example, if people aren't even willing to pay 99c for a
game that they dump 20+ hours of their life into (which can be done friction-
free in 2 taps), why would they pay to read an article with poor journalism
about something that doesn't really matter to them?

Giving up your privacy or agreeing to be shown big adverts for things
corporations want you to buy seems to be perfectly accepted outside of our
paranoid tech world. Next time you go to the supermarket look at how many
products you see placed strategically at the end of aisles, or how many people
have loyalty cards which give them discounts.

~~~
Nursie
> Giving up your privacy or agreeing to be shown big adverts for things
> corporations want you to buy seems to be perfectly accepted outside of our
> paranoid tech world.

No, I really don't think it is.

More and more non-tech people I know are running ad blockers these days. And
for tracking I think there are probably three groups of people, those that
know and object, those that know and don't care and those that don't know. The
last group being by far the largest, so it's difficult to predict what they
might think if they knew they were constantly being recorded and profiled.

~~~
lucaspiller
> More and more non-tech people I know are running ad blockers these days

As others have pointed out in this thread, an ad-blocker is like a condom in
2015 to protect you from malware, it's not just to claim back your privacy.
Whenever I set up / fix a non-technical person's computer I always install it -
even fairly legitimate sites have the "Download this to make your PC faster!"
ads.

The point about people not knowing is a good one. Rather than focussing on
building better ad-blocking technology, maybe we should focus on educating
people and getting DNT and such written into law?

------
joosters
Why are third party scripts allowed at all if a site is honoring 'do not
track'?

For instance, the EFF page about DNT -
[https://www.eff.org/pages/understanding-effs-do-not-track-po...](https://www.eff.org/pages/understanding-effs-do-not-track-policy-universal-opt-out-tracking)
has an analytics link embedded in it. This fetches a pixel gif from
[https://anon-stats.eff.org/piwik.php?idsite=1&rec=1&url=http...](https://anon-stats.eff.org/piwik.php?idsite=1&rec=1&url=https%3A//www.eff.org/pages/understanding-effs-do-not-track-policy-universal-opt-out-tracking&action_name=Understanding%20EFF%E2%80%99s%20Do%20Not%20Track%20Policy%3A%20A%20Universal%20Opt-Out%20From%20Tracking%20%7C%20Electronic%20Frontier%20Foundation&urlref=https%3A%2F%2Fthreatpost.com%2Feff-adblock-and-others-launch-new-do-not-track-standard%2F114121)

Why is this still allowed? What analytics are even useful when DNT is being
honored? Could there be a google analytics style service that could honor DNT
then?

~~~
seba_dos1
This is Piwik, open source self-hosted analytics, and it does honor DNT by
default.

~~~
joosters
I trust that it is honoring DNT, but I can't see what use it can be if that is
so. What more can it be doing over & above the weblogs that my original
request would have created?

~~~
seba_dos1
Nothing, it ignores your request. It doesn't ignore it when DNT is disabled.
As Piwik ignores DNT requests by itself, I guess nobody bothered to disable
the snippet on server side when DNT is detected.

~~~
dogma1138
The problem is that DNT isn't verifiable. DNT should be done in browser and in
the original website by not loading the tracking scripts at all.

ATM how it goes is that the DNT header is attached to outgoing requests and
you "hope" that the 3rd party is discarding them.
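
One way a site could do what this subthread describes, leaving the analytics snippet out of the page when the request carries `DNT: 1`, as an added example that is not part of the thread and not EFF's or Piwik's code. `dnt_preference`, `render_page`, the placeholder pixel URL and the choice to treat a malformed header value as an opt-out are assumptions of this sketch.

```python
# Added example (not from the thread): omit the analytics snippet server-side
# when the visitor sends DNT: 1, instead of emitting it and relying on the
# analytics endpoint to discard the hit.
from typing import Dict, Mapping, Tuple

# Placeholder snippet; the host name is a constructed example value.
ANALYTICS_SNIPPET = (
    '<img src="https://stats.example.org/pixel?idsite=1&rec=1" alt="" '
    'style="border:0">'
)


def dnt_preference(request_headers: Mapping[str, str]) -> str:
    """Classify the request as 'opt-out', 'consent' or 'unset'.

    Header names are matched case-insensitively. "1" is an opt-out and "0"
    is explicit consent. Any other value on a present header is treated as
    an opt-out here (fail closed); that is this example's assumption.
    """
    for name, value in request_headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "0":
                return "consent"
            return "opt-out"
    return "unset"


def render_page(
    request_headers: Mapping[str, str],
    body_html: str,
    track_when_unset: bool = True,
) -> Tuple[Dict[str, str], str]:
    """Return (response_headers, html) for one request.

    The snippet is only written into the page when tracking is allowed, so
    a DNT: 1 visitor's browser never contacts the analytics host at all.
    """
    pref = dnt_preference(request_headers)
    track = pref == "consent" or (pref == "unset" and track_when_unset)

    html = "<html><body>" + body_html
    if track:
        html += ANALYTICS_SNIPPET
    html += "</body></html>"

    response_headers = {
        "Content-Type": "text/html; charset=utf-8",
        # The body now depends on the DNT request header, so shared caches
        # must key on it; otherwise a cached tracked page could be served
        # to a DNT: 1 visitor.
        "Vary": "DNT",
    }
    return response_headers, html


if __name__ == "__main__":
    # Constructed sample requests.
    for sample in ({"DNT": "1"}, {"dnt": "0"}, {}, {"DNT": "yes"}):
        headers, page = render_page(sample, "<p>Article</p>")
        print(sample, dnt_preference(sample), ANALYTICS_SNIPPET in page)
```
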

~~~
allendoerfer
You do know that you do not need a dedicated tracking script to track you
serverside?

~~~
dogma1138
Eh? They know that someone accessed resource X from IP address Y; that's not
tracking.

~~~
seba_dos1
They know that someone accessed resource X from IP address Y from browser Z
with language preferences A, encoding preferences B, SSL cipher suites C (when
https is used), DNT preferences D, sometimes also protocol support E (when
upgrading to SPDY or HTTP/2.0), having a TCP/IP fingerprint of OS F. I guess I
still haven't covered it all.

------
ikeboy
Why not link to
[https://www.eff.org/pages/understanding-effs-do-not-track-po...](https://www.eff.org/pages/understanding-effs-do-not-track-policy-universal-opt-out-tracking)
directly? This has pretty much zero relevant info about what the new standard
does.

------
astrobe_
I appreciate the effort but DNT will remain an opt-in for me, not a weak
opt-out based purely on trust. That means Adblock, Ghostery, Noscript, and
whatever is required to ensure that websites don't collect data about me when
I don't want to. I want to choose to whom I give my data; because I also may
want to do that when I trust or want to support a website.

This is all about _principles_. When I say "no" it means _no_. Especially in
these times of guerilla wars against privacy. We have to win this fight,
because privacy is one of the fundamental human rights.

~~~
jedberg
Honest question: Would you be ok if a website blocked your access because you
were running those, since they interpret it as stealing, by denying them the
data that makes them money?

~~~
astrobe_
Honest answer: it's already happening in a way since I do run an Adblocker and
Noscript and a custom hosts file etc. like many others do. This leads to minor
inconveniences already. But it's an acceptable trade off.

I don't consider it "stealing" because there is no explicit agreement that I
benefit from contents in exchange of my data. Yeah, it's somewhat
hypocritical, but both sides are.

If YouTube for instance blocks me tomorrow because I block its ads? I think I
would consider a subscription if offered and if it lets me keep using my
blocking devices.

~~~
eropple
How are content providers being hypocritical?

------
stephengillie
It's nice to see they're taking another try at this. But I don't expect
anything server-side to realistically work. If you outlaw online tracking,
then only outlaws will track people online. And we know many outlaws download
videos, music, and games, so what's to stop many outlaws from continuing to
track?

I don't see an end to the browser-side escalation of Adblock/uBlock, Ghostery,
HTTPS Everywhere, uMatrix, etc.

~~~
joosters
I'm not worried about outlaws tracking me, it's the thousands of legitimate,
legal tracking companies that worry me!

~~~
stephengillie
Edit: there's not even a law! It's just a voluntary agreement. How many of
them will just ignore the agreement and keep doing business as usual? Why
wouldn't they?

~~~
joosters
Far fewer. And it will make it more difficult for them to sell their analytics
data on to legitimate companies when it is easily shown that they are breaking
the law.

I don't get your objection. Are you really complaining that if a law/agreement
isn't 100% effective then it is worthless?

~~~
stephengillie
My objection is that I don't understand how it will work this time. I don't
expect tracking companies to voluntarily obey a setting that loses them money;
I don't expect people to act economically illogically.

And why would other industry members voluntarily lose money by ignoring DNT
results? Do you really think advertisers care what their products think?

The only way we've got this attention is with widespread use of adblocking
software.

~~~
joosters
Oh, I agree with you, I doubt that analytics companies will voluntarily sign
up to this new code of practice.

Your talk of 'outlaws' meant, to my eyes, a more hypothetical situation where
some form of DNT was passed into law. At the moment, companies that ignore
DNT are not outlaws.

------
mangecoeur
To encourage adoption and enforce DNT ad-blockers like AdBlock could agree to
relax ad blocking by default on sites which genuinely honor DNT. This way
sites have an incentive to do the right thing.

Of course for tracker-blocker add ons nothing should change since a DNT
respecting site shouldn't fall foul of a tracker block.

------
0x0
Is this just like P3P? Because that was a failure of a standard if I ever saw
one. Web devs blindly copypasting random P3P headers just to get third party
widgets to load properly. Or even setting headers like "not a P3P policy" with
less than honest side effects. Like Google does:
[https://support.google.com/accounts/answer/151657?hl=en](https://support.google.com/accounts/answer/151657?hl=en)

~~~
makomk
P3P was a train wreck because no-one actually set their own policies and the
UI to do so was hidden and ridiculously complex, so the only reason anyone
ever used it was by accident due to using IE, and it broke stuff like single-
sign-on with the default policies unless sites actively worked around it.

------
dmitrygr
Still voluntary compliance = still toothless. How about the agreement between
users and site to the tune of "you honor DNT or I block every little bit of
your ads"?

------
tracker1
What I want is adblock/ublock/ghostery for my phone... I swear it's worse than
the popover/under ads in the 90's if you happen to click on the wrong
clickbait article from your phone.

For that matter, just make browsers not allow an iframe within another
iframe... that should reduce a lot of the problems with ad/tracking networks.
What's really annoying are the ads that block content, but have the weird /A
logo that you can click to report that the ad is used to block content...WTH.

The problem is the funding for the biggest browser is from an ad company, and
a lot of the funding from one of the other largest is as well.

~~~
slrz
> What I want is adblock/ublock/ghostery for my phone.

Doesn't Firefox on Android give you exactly that? I never used the Android
version but at least with its Maemo predecessor the ability to use Adblock
Plus et al. was a given and really good to have.

------
Kenji
"Do not track" is completely useless. Somewhat ironically, it actually has the
opposite effect: The "Do not track" boolean contributes to your digital
fingerprint.

~~~
sidarape
"The 'Do not track' boolean contributes to your digital fingerprint."

I always thought that and that's why I didn't turn it on.

~~~
joosters
Unfortunately, there's probably enough data to identify you anyway, regardless
of DNT setting: [https://panopticlick.eff.org/](https://panopticlick.eff.org/)

~~~
gruez
I feel that the methodology of that site reports your browser as more unique
than it really is. For one, it doesn't take into account that plugins/browsers
are constantly getting updated. This causes the user-agent string and the
plugin names to constantly change, causing the site to report more entropy
than there really is. For instance, I'm using firefox on windows 8.1. Based on
the market share of windows 8.1 (13%) and firefox (11%), the chance that
another browser has the same user-agent should be 1 in 70. However
panopticlick reports 1 in 943.29. Similarly, panopticlick reports that 1 in
7596.81 uses the latest version of the NPAPI flash plugin.

~~~
hansjorg
It's a proof of concept. The numbers are dependent upon people visiting that
page. As they say in their FAQ:

> The quality of data that we get from this project is definitely decreased as
> a result of the fact that the design of the website encourages people to
> play with their browser configurations. A lot of people are doing things
> like turning off javascript, entering private browsing mode, or deleting
> cookies just to see what effects those actions have on uniqueness.

> We'd have gotten better data by putting these tests in an invisible corner
> of a high-traffic website, but that simply isn't the EFF way when it comes
> to running an experiment like this

------
kofejnik
I solved the tracking problem very easily with just three Chrome profiles:

1\. Gmail work, gmail personal, chrome profile linked to gmail. Some work
sites (clicking links from work emails). No other use.

2\. Facebook + Vk only, not logged in, ublock origin, only session cookies
enabled (exception - facebook).

3\. All other browsing, ublock origin, only session cookies, not logged in

With right-click profile switching, it's really not much more hassle than
switching between windows.

~~~
redwards510
How do you know that works?

~~~
joosters
You could take a look at the cookies / local storage used by each profile. If
I understand the situation right, profile 1 would keep cookies forever, so if
you saw countless cookies by multiple tracking companies, you'd know that you
forgot to switch profiles at some point.

~~~
chii
A large advertising company would have enough resources to code up a browser
profiling tool that can almost uniquely identify you from various performance
characteristics such as canvas render. Those separate profiles only serve the
illusion of privacy IMHO.

------
WireWrap
Are they announcing the launch of the not quite finalized W3C Tracking
Protection Group recommendations (see the last call working drafts, bottom
left, [http://www.w3.org/2011/tracking-protection/](http://www.w3.org/2011/tracking-protection/))?

The 1.0 of their dnt-policy.txt
([https://raw.githubusercontent.com/EFForg/dnt-policy/master/d...](https://raw.githubusercontent.com/EFForg/dnt-policy/master/dnt-policy-1.0.txt))
which points to one of those drafts
([http://www.w3.org/TR/tracking-dnt/](http://www.w3.org/TR/tracking-dnt/))?

------
forrestthewoods
Anything that can simply be ignored is worse than worthless. It's worse
because it's actively harmful in the cases, the numerous cases, where the tag
is simply ignored.

Ghostery + AdBlock. No regrets.

------
RexRollman
This will fail. If we want freedom from tracking, we will have to take it;
they are not going to give it to us.

------
gamesbrainiac
I feel that this would not deter companies from tracking. People would still
use disconnect and adblock to make sure that their search queries are not
being tracked. I myself am considering getting a VPN since a lot of sites
track according to mac address.

------
Dysprosium
> it’s still a voluntary policy

All has been said.

------
dzhiurgis
Google somehow manages to escape their own browser settings. I set the Chrome
flag to 'Do not track', but when I go to their site settings I have to
additionally disable tracking.

------
yuhong
Thinking about it, there is the European "cookie law". Too broad, but DNT can
be included in similar laws.

