

IE10's 'Do-Not-Track' Default Dies Quick Death - mproud
http://www.wired.com/threatlevel/2012/06/default-do-not-track/

======
pippy
The whole concept of DNT is just stupid. It's misleading users and won't work.

By telling users you have better privacy simply because your browser adds a
random header tag onto requests you're misleading them. Sites have no
obligation to obey it and it will give users a false sense of security.

We already have proven, well defined method of DNT already: private browsing.
This works by simply removing resources after the session ends. There's no
reliance on servers, so it will always work.

~~~
Animus7
> Sites have no obligation to obey it and it will give users a false sense of
> security.

Until appropriate legislation comes into play. It worked reasonably well with
the Do Not Call lists.

~~~
mbrubeck
Or if a large portion of the industry decides to voluntarily adopt the
standard, to counter the _threat_ of legislation.

A number of large ad networks have already announced support for DNT. Sure,
there will always be sites that ignore the header, but there's also a
realistic chance that it _will_ give users a meaningful choice about how their
behavioral data is used by many of the biggest sites they use most often.

~~~
rbanffy
If a large portion of the industry adopts it and that prevents legislation,
the end users have an even more false sense of security.

------
clhodapp
I apologize in advance that this will probably end up looking a bit like a
rant.

I'm sorry, but what is the deal with web-based _tracking_? I see comments like

> Whenever you visit a website with an ad, DoubleClick knows you looked at
> that article, and uses that to build a profile about your preferences. I
> don't think when your average joe reads an article that it is fair that
> their preferences are being tracked in this way.

and I honestly wonder how this sentiment can be so common, given the realities
of our current society (note: this comment is not meant to say anything bad
about that comment's author, it's just a convenient example of a trend in the
discourse on this topic).

First, we give up many "rights" as tradeoffs for other things that we want. We
have the right to the pay from our jobs, but that doesn't mean that we are
entitled to get things from the store for free. We have to give up ownership
rights of our money in order to trade it for goods and services. We have the
right to free speech, but that doesn't mean that someone can't ask us to leave
their home or other property if we say something that upsets them. We give up
our right to say whatever we want by going onto someone else's property. This
sort of situation is so common that it would be impossible for me to list all
of the times in which we are faced with it here. However, this argument would
not be complete unless I also stated that web-based tracking is in exactly
this category: someone has set up a situation where your computer can exchange
data with their server. However, in doing so, it is possible that they will
notice that you have done so and keep a record of this fact. In other words,
if you, through your computer, communicate with a company or individual, _that
company or individual may know that you communicated with them and what the
contents of those communications were_. You are giving up your right not to be
known to have performed a behavior by a set of potential witnesses in exchange
for _performing that behavior in front of those witnesses_. It's unreasonable
to say that, just because you are communicating through computerized agents
the other party should not be able to keep a record of your exchange.

Second, it is unfathomable (edit: To me. Please, tell me how your opinion
differs) that this could be an issue for people because this is the state in
which we constantly live. Every time you leave your house, your neighbors may
take notice. Every time you go to the store, your actions are recorded
(tracked!) by security cameras. The clerk knows what you bought and may
recognize you as a regular customer. If you use a credit or loyalty card, the
store keeps keeps a log (tracks) your purchases and builds a demographic
profile. At a casino, the floor manager watches you gamble over security
cameras. If they notice you winning a lot, they may ask you to leave for the
day. I could go on like this all day. The point is that there are _all kinds_
of times where we are tracked and where the only way to opt out is not to have
dealings with the tracking entity or to not go out in public. There are all
kinds of businesses built around or supplemented by tracking people. It seems
to me that the tracking-things-you-witness ship has already sailed and if
people wish to bring it back into harbor, they will first need to establish a
reasonable test that makes it clear when tracking is actually abusive. It
seems very unlikely to me that any test that wasn't specifically designed to
do so would label all internet-based tracking as abusive, as some people seem
to do, while calling these other behaviors OK.

Am I wrong? Am I just an asshole?

~~~
lla0ajj
I think you're just upset because DNT might affect your income?

Tracking does not mean looking at server logs (or by analogy, reviewing
security camera footage), it means things like cookies, Flash cookies, beacons
and KISSmetrics.

Chances are DNT idea will have little effect. People raised issues with
cookies back in the 1990's and in rerospect it hasn't impeded websites from
tracking. People were forced to opt-in to cookies and everyone became
desensitised to them over time. Now people don't even think about not
accepting cookies. Tracking has gotten very aggressive though. Some of the
behavioral tracking ideas are really pushing the limits.

DNT is hardly a draconian measure. Be glad that the web is still very much
unregulated in comparison to meatspace.

~~~
ericflo
What browser forces you to opt-in to cookies?

~~~
Wilya
Try to turn cookies off and see what still works.

Some people still build sites that have basic functionality with JS off.
Nobody bothers to do the same for cookies.

~~~
lla0ajj
Exactly. There was a time when the idea of users accepting/rejecting cookies
on a per-site basis seemed plausible (though it might be annoying for the
user), but those days seem long gone. Cookies are on by default and my guess
is few users change those settings. DNT might be viewed as another attempt,
however futile it may seem, at giving users some choice.

It's true a good portion of the web still works well without Javascript. This
seems like a good thing as Javascript can be a mixed blessing. Enabling it
comes with both benefits and risks. Like cookies, a user could selectively
choose which scripts to allow, one at a time (remember the embedded Java
applet days?), but this can quickly become more trouble than it's worth.

Perhaps a difference of JS from cookies is that with Javascript the user might
sometimes see what the actual benefits are and they might be more enticing
than those of cookies, e.g., "To see this cool doodad, you need to enable
Javascript." It is very clear what the benefit will be: the doodad.

Contrast this with "To use this site you must have cookies enabled." Terms
like "provide a better user experience" might be used to describe the need to
enable cookies. But the specifics are usually absent.

If all websites were reasonable, and no one abused their ability to manipulate
and track end users, things like DNT would probably not be necessary. But we
know that's not the case.

------
ars
Turning on DNT by default is a great way to ensure it will be utterly ignored.

So I quite support the requirement that people explicitly enable it.

Remember the DNT is voluntary - but if everyone does it by default, then there
is nothing left to track, so websites will have no interest in paying
attention to the flag.

~~~
melvinmt
> then there is nothing left to track

Isn't that the whole point? Websites may not have interest in tracking
disabling policies, but a lot of people do. Maybe these advertising companies
ought to incentivize users to opt-in to sell their data instead of the other
way around.

~~~
coopdog
The whole business model is that users don't care if they're tracked, so let's
track them (and others) and do things for them that we couldn't before

I can see Google fully implementing DNT on the basis that users don't care,
and for the few that do they're happy to comply

But making it default to on, especially if no one gives a damn is the death
knell to the whole business model

Suddenly you have to pay for everything.

Although I would be interested in using DNT if out had more granular control
to block certain entities

~~~
ars
> Suddenly you have to pay for everything.

I wonder if we'll see sites who honor the header, but require that it be off
in order to access content.

~~~
Achshar
Na.. that will be too much work for the user, plus disabling DNT will mean
it's disabled for everyone, not just the said website. It also does not make
alot of sense, disabling DNT does not make site any money directly. So it will
only raise suspicion in a casual user's minds, that why would the site need to
track him/her when there is no apparent monetary profit to the site.

Instead they can show a banner that DNT is enabled and when it is disabled,
the banner is gone.

------
awaythrow
Good for privacy litigation. "My client had DNT in her browser set to 'on' and
the company intentionally ignored this and tracked her actions on the web,
vioalting her right to privacy and causing monetary damages in the amount of
$________."

Web developers might hate it, but DNT could be potentially good for end-users
who want to make privacy claims. It's just one extra header. A few extra
bytes. Meanwhile things like XML and JSON, which add considerable bloat to web
responses, are accepted without any complaint.

~~~
lotu
On the other hand now every single line of code that gets changed has to
reviews by a lawyer to make sure it is compliant with the DNT legislation. And
if your a startup, the best way to take you down is probably a couple of
frivolous DNT lawsuits.

------
martingordon
Does the current spec take into account that unscrupulous ISPs (I'm thinking
about hotel WiFi in particular) can strip the header before forwarding a
request to a server?

~~~
lotu
It says they shouldn't do that. But you are never going to see enforcement,
stripping headers can be sold as "security" to hotels who have no clue what
they are doing.

------
mparlane
Now imagine if Chrome made incognito browsing the default and you had to
access a submenu to get a cookie keeper. Disrupt the web!

~~~
eli
I don't think google is going to be the one leading the charge against
targeted advertising.

~~~
mparlane
I realise this, I used Chrome as the example as I imagine it has the largest
audience of users here. I wish I could set incognito per site. I.e. opt in to
cookie keeping. e.g. set cookie_keeping=true for gmail.com.

------
TomGullen
Honest question, why do people care if they are being tracked? The amount I
care is quite far off from the amount everyone else seems to care, could
someone educate me on why I need to care more?

~~~
BitMastro
The same for me. Why should I care if I'm tracked? And if I don't want to be
tracked I'll use private browsing (it's not just for porn, you know?). If I
want even more privacy I'll use a clean vm, or if I'm going paranoid I could
use an anonymous proxy or similar.

~~~
JoeAltmaier
Consider bubbling, e.g. Google returns search results consistent with your
previous clickthroughs. You end up seeing only results you agree with; it
insulates your searching experience from disturbing foreign ideas like
evolution or liberalism.

Tracking can be done by servers, using a workstation signature (ip/port,
installed software versions etc, been discussed in other posts), it doesn't
require your client station's consent (cookies).

~~~
BitMastro
Yet, when I look for "python", I'm not interested in snakes. When I look for
"eclipse", it's almost sure that I'm not looking for astrological phenomena or
(spare me!) books. It's incredibly useful to write "cinema" without having to
specify which city I'm obviously in. The point is: I want to be bubbled. In
almost every situation, apart from reading opinions, it is the right thing to
do for me. In my humble opinion, the bubbling effect is overrated and (should
be) avoidable with private browsing. Am I wrong?

------
rurounijones
So instead IE10, on first run should just pop up a very scary looking dialog
filled with text on why the user should choose the "do not let websites track
me" button instead of the "Let websites track me" one.

It is not default, the user has to choose.

------
ggchappell
An issue sidestepped by this article is whether the statement in the second
paragraph is correct:

> ... tech and ad companies who say they comply with Do Not Track could simply
> ignore the flag set by IE 10 and track those who use that browser.

That doesn't quite work. Web servers don't know what browser is on the other
end of a connection. Yes, they know the "User-Agent:" line, but that is not
the same thing.

Claiming to follow a privacy standard, but then ignoring it based on a
conclusion reached via fallible means, is a bit scary. It strikes me as the
beginning of a slippery slope, regardless of what position Microsoft
ultimately takes with IE 10.

~~~
Animus7
So don't forge your headers.

I don't see how this would be slippery at all.

~~~
eli
The parent's point is that some of those IE10 users aren't just stuck with a
default, they really did intend to turn DNT on.

~~~
adgar
Which is why DNT makes zero sense to be on by default.

------
Cogito
What is the situation if a user agent, on installation/upgrade, asks a user to
update their DNT status but in doing so defaults to on? The user has to
explicitly agree to turning this setting on (as they have to accept the
configuration before proceeding), and is able to turn it off, but most people
will just click through anyway.

~~~
ars
If too many people turn on DNT websites will start ignoring it.

~~~
lwat
Most websites will just ignore it from day 1 anyway.

------
jcampbell1
This is sad. DNT is may be a good thing.

Whenever you visit a website with an ad, DoubleClick knows you looked at that
article, and uses that to build a profile about your preferences. I don't
think when your average joe reads an article that it is fair that their
preferences are being tracked in this way.

We should survey the public and ask: "Do you think it is okay that internet ad
companies use the type of article you read to target ads that are more likely
relevant to you?"

That is a reasonable question that gets to the crux of the issue. Retargeting
and profile targeting may be borderline unethical, but Google and I both make
good money doing it. I am not sure it is right, but we both have a vested
interest in making sure we can continue.

