
Why Doesn't Google Comply with Do Not Track? - aportnoy
https://support.google.com/chrome/answer/2790761
======
excalibur
I think it was well-understood from the start that "please don't track me"
requests had no teeth, and would be generally ridiculed and ignored by the
vast majority of sites with an incentive to do so.

~~~
Sylos
It could have had legal bearing, if Microsoft had not turned it on by default.

Before DNT, the way consent basically worked was that companies just assumed
you consented, and only if you specifically denied consent, they would have no
chance to defend that in court.

With DNT, if the user turned that on themselves, they would have clearly
signalled that they want this the other way around. Do Not Track me, unless I
specifically give you my consent. This would have made it hard for companies
to defend their behaviour in court.

With Microsoft turning it on by default, there was no way for companies to
know, if the user actually wanted privacy, or if they supposedly wanted to be
tracked, for whatever reason.

With the GDPR in place, you theoretically now need to get consent every time
(including implicit consent, e.g. when the user asks for something to be
shipped to their address, that means you can process their address). Most
companies don't yet keep to it, though.

~~~
wirrbel
Surely Google can assume that browser settings represent the user's choice when
it fits Google's interest, and they can assume that browser settings don't
represent the user's choice when it fits their interest. But everyone knows
that Google won't tolerate a privacy measure that is used by a majority of
users. Microsoft is not to blame for making privacy a default in their
browser. It's Google who is ignoring that setting.

You cannot just assume the user did not actually want the default setting in
their browser.

~~~
Sylos
Oh yeah, as far as I remember, Google (and Facebook) said right away that they
would not support DNT, before it became default in IE.

With most webpages shipping code from Google/Facebook, that was also already
pretty bad for DNT.

------
freen
I wonder if I can append to every web request a header that has my personal
terms of service and if companies don't want to comply to MY terms, they can
simply refuse service.

Seems reasonable, right?

~~~
eslaught
Maybe this was intended as a joke, but if someone with legal experience can
reply, I'd be interested to know how far this can actually fly.

After all, companies frequently have "drive-by" EULAs that you "agree" to by
simply not leaving the site, so if that's legally binding, why is the reverse
not true?

~~~
seandougall
I certainly hope it was a joke. I don't personally want to see a Web where
every HTTP request has to be manually reviewed by a human, let alone a whole
legal department, before a response can be issued.

~~~
tagrun
And I certainly hope you're joking.

I also don't personally want to read a terms of service, let alone hire a
lawyer to tell me its consequences for every HTTP request, before it gets
shoved down my throat one-sidedly in the form "if you're using this site you
agree to everything our legal department wrote which gives us the right to
trample your rights however we like using all the legal loopholes out there,
and sometimes even beyond, and hey we'll also be forcing US laws on you even
if you're in a totally independent country while ignoring your hard-earned
rights protected by your country's laws", but it's somehow the standard
practice.

That kind of attitude is a serious double standard going on for years, favoring
corporations and companies over the rights of individuals. So forgive me when
I find it very hard to sympathize with anything you said.

~~~
comex
In the US, at least, so-called “browsewrap” agreements, those that are linked
in a website footer and purport to bind you simply for visiting a site, are
legally unenforceable. However, “clickwrap” agreements, where you get a text
box with the terms and have to click “agree”, _are_ enforceable – despite the
unlikelihood that even a single user read the terms before agreeing. I don’t
like either type, but it’s important to distinguish them. You won’t be bound
just for receiving an HTTP response, any more than you can bind someone else
by sending an HTTP request; there has to be a human in the loop knowingly
choosing to agree to _something_, even if they don’t know what it is they’re
agreeing to.

That said, I don’t know much about how other countries’ legal systems treat
such agreements, but from what I’ve heard, they tend to be equally or more
restrictive of them, not less.

~~~
tagrun
> those that are linked in a website footer and purport to bind you simply for
> visiting a site, are legally unenforceable.

Before going to other countries: are you referring to a very recent local
Florida state law (after Vitacost.com, Inc. v. James McCants, found with a
quick search), or is there an even newer federal US law?

> That said, I don’t know much about how other countries’ legal systems treat
> such agreements, but from what I’ve heard, they tend to be equally or more
> restrictive of them, not less.

Given no such law existed even in Florida until last year, I'd be more
cautious before extrapolating this internationally.

~~~
comex
I'm a bit confused what you mean. There is no law, but quite a bit of
precedent in various U.S. jurisdictions, including from the federal appeals
courts of two different circuits, as listed on Wikipedia:

[https://en.wikipedia.org/wiki/Browse_wrap](https://en.wikipedia.org/wiki/Browse_wrap)

The Vitacost case you mentioned is not listed there but, looking at the
decision, seems to be a straightforward application of two of the precedents
(Nguyen v. Barnes & Noble and Hubbert v. Dell); it doesn't disagree with them.

I did forget one complication when writing my previous post, which is, at
least according to the aforementioned Hubbert v. Dell, there are _some_
circumstances where a browse-wrap agreement may be enforceable:

> In 2005, the Illinois Appellate Court ruled in favor of a browse-wrap
> agreement in Hubbert v. Dell Corp. In this case consumers of Dell products
> were repeatedly shown the words "All sales are subject to Dell's Term[s] and
> Conditions of Sale", including a conspicuous hyperlink, over a series of
> pages. The court found that this repeated exposure and visual effect would
> put a reasonable person on notice of the "terms and conditions".

But that's fairly different from a typical browse-wrap agreement.

------
21
Just try to enable Do Not Track in Chrome. See the scary long warning you need
to accept. It makes you think you are going to get hacked or something if you
accept it. You also need to click the "Confirm" button, which typically is
reserved for serious stuff that has real effects.

> _Enabling "Do Not Track" means that a request will be included with your
> browsing traffic. Any effect depends on whether a website responds to the
> request, and how the request is interpreted. For example, some websites may
> respond to this request by showing you ads that aren't based on other
> websites you've visited. Many websites will still collect and use your
> browsing data - for example to improve security, to provide content,
> services, ads and recommendations on their websites, and to generate
> reporting statistics._

No other privacy setting has such a scary warning.

~~~
ridiculous_fish
If Google doesn't honor DNT, why would they bother trying to scare off users
from setting it?

~~~
deogeo
So that if legislation is ever considered to curb their spying, they can say
to congress "98% of users are OK with being tracked, according to their Do Not
Track settings, so there's no reason to pass any laws!"

~~~
quickben
And increase profits in the meantime.

------
kanon
Just to add to this, in Matomo (Formerly Piwik. I always have to look up their
new name. It's one of the worst name changes I've ever witnessed. I'm sorry
but I had to say it.) you have the ability to comply with DNT requests and
even anonymize them in a specific way.

~~~
mtmail
Same for [https://usefathom.com/](https://usefathom.com/) (listed in their
privacy policy).

------
crunchyfrog
I think the main reason Google decided not to support DNT is that Microsoft
turned it on by default in IE. Microsoft did this knowing full well that
Google would be put between a rock and a hard place: either implement DNT and
instantly start losing a ton of money or ignore DNT and look like the bad guy.
Meanwhile Microsoft could sit on their high horse since it wouldn't cost them
any money.

I suspect Google would have respected DNT if Microsoft had made it opt-in as
it was intended.

~~~
dane-pgp
Surely the correct counter-move for Google would have been to say "We will
respect the DNT flag in all browsers except IE".

~~~
lotu
Maybe depends on how they thought it would play out in the media. Unfortunately
the whole opt-in vs. opt-out is too complicated to be explained in most
reporting. Google might have worried that not respecting Do Not Track for IE
could be interpreted as an anti-Microsoft move that would run afoul of
monopoly law.

~~~
TeMPOraL
> _Unfortunately the whole opt-in vs. opt-out is too complicated to be
> explained in most reporting._

Is it really? Let me try:

You're going down the street while eating some cookies, and suddenly you meet
a friend.

Opt-in: A friend sees your cookies, and asks, "Can I have one?"

Opt-out: A friend starts taking and eating your cookies, and says, "Tell me if
you want me to stop."

------
stordoff
Are there any major websites that _do_ support DNT? I note for instance Hacker
News does not:

> Our Site currently does not respond to “Do Not Track” (DNT) signals and
> operates as described in this Privacy Policy whether or not a DNT signal is
> received.

~~~
davidfischer
- Medium ([https://medium.com/.well-known/dnt-policy.txt](https://medium.com/.well-known/dnt-policy.txt))

- EFF ([https://www.eff.org/.well-known/dnt-policy.txt](https://www.eff.org/.well-known/dnt-policy.txt))

- Read the Docs ([https://readthedocs.org/.well-known/dnt-policy.txt](https://readthedocs.org/.well-known/dnt-policy.txt))

Sites that implement DNT should respond to either /.well-known/dnt-policy.txt
or /.well-known/dnt/ or both.

Responding to /.well-known/dnt/ means a site has implemented the W3's Tracking
Preference Expression ([https://www.w3.org/TR/tracking-dnt/](https://www.w3.org/TR/tracking-dnt/)).
This doesn't necessarily mean
much as there's no agreed standard of what complying with DNT means. However,
it typically implies that the site does _something_ different for users with
DNT enabled vs. disabled.

Responding to /.well-known/dnt-policy.txt is typically stricter and means a
site adheres to the EFF's guidelines ([https://github.com/EFForg/dnt-guide](https://github.com/EFForg/dnt-guide))
for DNT. This has rules for how
long data is retained, which data can be retained, specifications around
anonymizing data, and security precautions.

Disclaimer: I worked on Read the Docs' DNT implementation.
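
A minimal sketch of what "doing something different" for DNT users can look like on the server, added here as an example (it is not code from the post, Read the Docs, or any site named above). The `Tk` response header and the `tracking` member of the `/.well-known/dnt/` resource come from the W3C Tracking Preference Expression draft; the cookie name, the page body, the `request` helper, and the simplified policy of mapping `DNT: 1` to `N` and everything else to `T` are assumptions.

```python
import json
from wsgiref.util import setup_testing_defaults

# TPE tracking status values used here: "N" = not tracking, "T" = tracking.
# Simplification (assumption): only an explicit "DNT: 1" switches tracking off.
def tracking_status(environ):
    """Return the status value this site applies to the current request."""
    return "N" if environ.get("HTTP_DNT") == "1" else "T"

def app(environ, start_response):
    """WSGI app that honours DNT and publishes a tracking status resource."""
    path = environ.get("PATH_INFO", "/")
    status = tracking_status(environ)
    if path == "/.well-known/dnt/":
        # Site-wide tracking status resource: a small JSON document.
        body = json.dumps({"tracking": status}).encode()
        headers = [("Content-Type", "application/tracking-status+json")]
    else:
        body = b"<p>hello</p>"  # constructed page body
        headers = [("Content-Type", "text/html")]
        if status == "T":
            # Hypothetical analytics cookie, set only when no opt-out was sent.
            headers.append(("Set-Cookie", "visitor_id=constructed-example; Path=/"))
    # Tk tells the client which status was applied to this response.
    headers.append(("Tk", status))
    start_response("200 OK", headers)
    return [body]

def request(path, dnt=None):
    """Test helper: call the app in-process, return (headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if dnt is not None:
        environ["HTTP_DNT"] = dnt
    captured = {}

    def start_response(status, headers):
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["headers"], body

if __name__ == "__main__":
    for dnt in (None, "0", "1"):
        headers, _ = request("/", dnt)
        print(f"DNT={dnt!r}: Tk={headers['Tk']} cookie={'Set-Cookie' in headers}")
```
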

~~~
danShumway
Props to Medium, because not only does it respect DNT, it pretty rigorously
follows the advice about blocking third-party embeds if they don't respect
it.[0]

Medium is not always on my good side, and I think the site has some problems,
but at least somebody working there does really care about privacy, and I
regularly notice and appreciate their work.

DuckDuckGo as well, but I would have a problem if they _didn't_ respect DNT.
Medium is the site where they really didn't have to care, but they did anyway.

[0]: [https://github.com/EFForg/dnt-guide#a-embedly](https://github.com/EFForg/dnt-guide#a-embedly)

------
dabitude
As far as I remember, one of the main problems with DNT is that most of its users
actually didn't enable it intentionally (because there are browsers that
enable it by default).

Edit: internet explorer used to do that
([https://en.wikipedia.org/wiki/Do_Not_Track#Internet_Explorer...](https://en.wikipedia.org/wiki/Do_Not_Track#Internet_Explorer_10_default_setting_controversy))

~~~
AnaniasAnanas
> because there are browsers that enable it by default

Can't speak for others but I do not enable it because doing so could lead to
me being tracked as the majority has it disabled. This is also the reason that
the tor browser also has it disabled.

I am not aware of any popular browsers that enable it by default in this day
and age.

~~~
dabitude
This is what I had in mind:
[https://en.wikipedia.org/wiki/Do_Not_Track#Internet_Explorer...](https://en.wikipedia.org/wiki/Do_Not_Track#Internet_Explorer_10_default_setting_controversy)

~~~
danShumway
Okay, but:

> _On April 3, 2015, Microsoft announced that as of Windows 10, it would
> comply with the specification and no longer enable Do Not Track as part of
> the operating system's "Express" default settings, but that the company
> will "provide customers with clear information on how to turn this feature
> on in the browser settings should they wish to do so"._

So for the specific browsers that do follow the standard, like Edge, Chrome,
and Firefox, why doesn't Google respect the flag for those browsers now? I
know that Google has the ability to detect which browser I'm using, because
they tell me to install Chrome every time I visit their homepage.

I'm seeing IE mentioned all over the place here, but what it looks like is
that one bad actor was just the excuse the advertising industry needed to
mass-ignore the setting on every browser, everywhere, regardless of whether or
not they violated the standard.

~~~
it_can_be_done
> why doesn't Google respect the flag for those browsers now?

They need your data to personalize ads and make money out of it. It's Google's
business model. It doesn't matter which browser you are using.

------
threatofrain
In my view "DNT" just increases the ability to track you.

~~~
51lver
It's not about blocking trackers. It's about sending a message...

~~~
mirimir
Yes, and messages make one more unique, no?

------
berbec
“It is difficult to get a man to understand something, when his salary depends
on his not understanding it.”

― Upton Sinclair

------
pfortuny
“Most websites (...) do not change their behavior”.

That is: fuck off. In plain English.

But it is for your benefit. Really.

------
danielrm26
Because their entire business model is based on tracking you.

------
nojvek
Just pass a goddamn law, any website that doesn’t respect “Do Not Track”
headers will get fined like GDPR.

That’s why we have regulation.

~~~
it_can_be_done
GDPR already states you can't track without user consent so just make a
complaint.
[https://news.ycombinator.com/item?id=18633090](https://news.ycombinator.com/item?id=18633090)

------
jokoon
I wonder if there could be a section in the GDPR that would forbid
websites to track their users if they have such option turned on, and if it's
legally feasible.

------
arcticwombat
Simple, money.

DNT is optional, you're "asking" to not be tracked.

Google makes money off of tracking you, so it's not going to just up and not
do that because you asked nicely.

------
jaytaylor
Truly respecting DNT would undermine Google's core business and the cash cow
that is AdWords, by reducing the amount and / or quality of user activity data
fed into the platform.

Such a change goes too much against the Alphabet Corporation's own self-
interest and well-being for it to be voluntarily offered.

As with many things in Western Civilization, it traces back to capitalism and
the unfortunate incentives it can encourage.

~~~
seanhunter
100% right. They don't respect do not track because they don't believe they
have to, it's in their interests not to, and they don't behave according to an
ethical framework that would lead them to do things that contradict their
direct short-term interests.

~~~
anticensor
In this case, respecting DNT also contradicts the user's short term desires as it
leads to longer manual search on retrieved results.

~~~
justtopost
If the user desires to be tracked, they don't set the flag. You can't reframe a
'no' into 'but they clearly were asking for it'. That's pretty messed up.

------
prepend
There’s a two part solution- 1) deprecate DNT, add Consent To Track (CTT).
Allow users to set to Y. Default is blank or unset. 2) two year testing period
to see how sites respect user intent. If sites continue to track when CTT !=
Y, then enact regulation

------
stewbrew
Does the GDPR change anything in this respect when users made their intentions
explicit?

------
sys_64738
Google is an advertising company so it's in their money making interests to
spy on you and follow you everywhere. Isn't that what a stalker does?

------
soared
> use your browsing data to improve security, provide content, services, ads
> and recommendations on their websites, and generate reporting statistics.

------
andirk
Here I am on Brave browser and most of those tricky hacks are not possible. I
don't know why everyone doesn't use it.

------
deytempo
Side Note: Isn’t it just dandy that Google security researchers are the ones
finding all the PhD level zero days nowadays? Like I’m sure they never use
them before reporting them...

~~~
comex
> Like I’m sure they never use them before reporting them...

That would be highly illegal. And while Google has been accused of various
things over the years, like the Wi-Fi sniffing thing, actively exploiting
someone else’s system would be on another level entirely. Of course, the same
smarts that make complex exploits achievable can also make them harder to
detect – but only to a point. It’s almost impossible to bring the risk to
zero.

------
anticensor
It would break personalised search results.

~~~
justtopost
Good? I can turn off DNT if that is a problem for me.

------
it_can_be_done
First contact Google and let them know they violate your privacy and GDPR via
this form:
[https://support.google.com/policies/contact/general_privacy_...](https://support.google.com/policies/contact/general_privacy_form).
When they refuse to change anything, make a complaint to your national
authorities:
[https://ec.europa.eu/newsroom/article29/item-detail.cfm?item...](https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080).

