
Ask HN: Do you respect DNT in your personal websites? How? - r3bl
Yesterday, I published some article (that is irrelevant to this discussion) on my blog. In it, I've embedded a YouTube video. Now, it got me thinking. Even though I have configured my analytics service (Piwik) in such a way that it respects Do Not Track policy, embedding a YouTube video made me break my own, so far not heavily enforced, Do Not Track policy.

It got me thinking, and honestly, I have no clue how many times I have done it in the past by embedding third party content.

So, my question is: Do you respect DNT in your own personal blogs / websites / web app projects, and if so, how? Do you carefully inspect every source before embedding it, re-host everything and things like that, or are you using some sort of an automation tool that I am not familiar with that will force you to only embed content that respects DNT?

I should point out that I'm not aiming for a regular "DNT is a good/bad idea" discussion, but for practical examples of how someone, as a website owner, _could_ respect the DNT idea if he wants to.
======
usernam
DNT is flawed. As a user, I have no way to verify that DNT is honored. As
such, I assume nobody respects DNT and proceed accordingly by taking my own
tracking countermeasures.

You can also assume DNT is pretty much ignored. For instance, if I set DNT and
I visit a website adhering to those EU cookie regulations, while I'm still
being shown that cookies are being used to track me and that by using the
website I agree (never mind that 3rd party cookies are already being sent)? I
already stated that I do not want to be tracked.

Oh, but maybe you would assume setting the DNT preference in the browser does
something _meaningful_, such as disabling 3rd party cookies, disabling
beacons, ServiceWorkers and cache lifetime?

Nope. There is no point in honoring DNT: you are either tracking or not
tracking your users depending on which resources you're including on your
website. If you don't want to track your users, do not include 3rd party
resources. If you do include 3rd party resources, then it's up to the
3rd-party to honor DNT.

~~~
killjoywashere
Don't the countermeasures actually increase the specificity of your
fingerprint though?

~~~
problems
Not really, if you block the domains of the trackers or prevent their scripts
or remote content from running altogether there's no fingerprint for them to
get. That does only apply to 3rd parties though, but they are often the main
concern.

~~~
amenod
Also, if you are allowing / disallowing 3rd party scripts (and removing state
in between) you do not have a permanent fingerprint anyway.

But my assumption, even though I take every reasonable countermeasure I can
think of, is that G & co. still know a lot more about me than I would have
liked. But that's something no amount of technology will solve.

------
Sir_Cmpwn
I don't track people in the first place on my websites, but third party
content is a good point. I generally will self host all of my assets, but
occasionally embed a YouTube video or something. I should probably put it
behind a click-to-enable thing. I removed Disqus comments from my blog a while
ago, too, because a platform for flamewars isn't worth tracking visitors over.

~~~
hughw
A non-tracking, embeddable comments widget would be a Good Thing. I wonder if
anyone would pay $12 a year for that service, and whether that would be enough
to support it.

~~~
myrion
Well, you can use something like Isso, perhaps:
[https://github.com/posativ/isso](https://github.com/posativ/isso)

~~~
hughw
That's pretty good. I guess the idea that you would want cross-site identity
is, really, tracking. The only benefit to the user would be some universal
name and photo that remains the same across all sites. But that's a really
marginal benefit. This isso project gets 98% of usefulness.

------
sriku
This is a great question. I have to admit that the only effort I've taken thus
far is to minimize reliance on external parties. For example, on my utility
site, I don't use google/fb auth but have used Persona and recently rolled my
own auth ... and I keep very minimal summary analytics only.

Somehow I feel that the burden of starting a website today is kind of crazy -
analytics, comments (and the implied spam filtering), social media sharing
integration, onsite feedback, social logins, T&C, privacy policies, cookie
legalities, DNT, ... all apart from the content we actually want to put there,
even if only as individuals.

------
mikekchar
This is a bit of a lame answer, but generally I put any potentially tracking
content in javascript. I make sure my blog renders correctly without
javascript. Finally, I put a warning saying that if the user does not wish to
be tracked, then they should disable javascript for the site.

I can't really see any other obvious way to deal with it, unfortunately.

~~~
hellcow
You could also put `if (navigator.doNotTrack === "1") { return }` at the top
of your script.

[https://developer.mozilla.org/en-US/docs/Web/API/Navigator/d...](https://developer.mozilla.org/en-US/docs/Web/API/Navigator/doNotTrack)

~~~
amenod
If you do that, you might want to add a message saying that you disabled all
JS functionality on the site because of DNT, because it is not something users
would expect to happen. If I set DNT and go to youtube.com, I would expect to
see video anyway. The same for embedded videos on some blog.

I am not saying this is a bad way (it is much better than many others), just
that users should be made aware of the cause.

------
defanor
One option (which I'm using) is pretty simple: do not embed external content.
When I need to refer to a youtube-hosted video, I simply put a link. It's not
even because of DNT, but in an attempt to make lightweight and accessible
websites.

~~~
Royalaid
Is a good middle ground something like what Reddit Enhancement Suite does,
where you have a link and clicking it will expand inline?

~~~
modin
Medium.com does this. I think it is a good middle ground.

~~~
mallaidh
Medium is hardly a paragon of lightweight page design, though.

------
scrollaway
I wrote a tiny middleware for Django which sets the DNT variable on the
request/response:
[https://github.com/HearthSim/HSReplay.net/blob/master/hsrepl...](https://github.com/HearthSim/HSReplay.net/blob/master/hsreplaynet/utils/middleware.py#L11-L28)

If dnt is set, Google Analytics isn't served:
[https://github.com/HearthSim/HSReplay.net/blob/8c1f2eb8cfda6...](https://github.com/HearthSim/HSReplay.net/blob/8c1f2eb8cfda64d1c8abcd805b7190a2666b434a/hsreplaynet/templates/footerjs.js#L2)

I completely agree that DNT is flawed but it doesn't cost me much to respect
it and the people who set DNT most likely block Google Analytics in one of
their extensions anyway. I would rather they see nothing has been blocked.

I also include a link to the EFF's Privacy Badger in our privacy policy,
alongside mentioning our DNT policy:
[https://www.eff.org/privacybadger](https://www.eff.org/privacybadger)

------
soneil
Obviously not my own site, but an example I found which I thought handled this
well;

[https://www.adafruit.com/product/3410](https://www.adafruit.com/product/3410)

If you click the play icon under the product shot, and you have DNT enabled,
you'll get a modal:

"This embedded content is from a site (www.youtube.com) that does not comply
with the Do Not Track (DNT) setting now enabled on your browser.

Clicking through to the embedded content will allow you to be tracked by
www.youtube.com."

As much as I'm not a fan of modals, I can't think of anywhere else that's even
pretended to care about this.

~~~
r3bl
I have noticed at least two more sites doing the same, as far as YouTube
videos are concerned: Medium and DuckDuckGo.

They allow you to specifically override your DNT policy and watch the video
embedded, or open the YouTube video in a separate tab (which would make them
respect the DNT policy on their own website).

EDIT: I've also just remembered that I've seen some website (EFF, IIRC)
embedding youtube-nocookie.com URL (operated by Google itself, judging by the
certificate), which is used to embed a YouTube video without storing actual
third party cookies from Google (you're still making an external connection,
of course, but you're limiting third parties from storing and accessing
cookies). Wish I remembered that yesterday.

------
dinosaurs
I had to look this up - DNT stands for "Do Not Track". More here:
[https://en.wikipedia.org/wiki/Do_Not_Track_legislation](https://en.wikipedia.org/wiki/Do_Not_Track_legislation)

~~~
r3bl
I have edited my post so that it includes "Do Not Track" instead of DNT in the
first paragraph. Hope that will stop others from having to look it up.

~~~
andybak
That's very decent of you.

------
bArray
I think you would have to go as far as re-hosting a lot of "high-end" content
(such as YouTube), otherwise the JavaScript will surely be run as part of the
media providing system. If you try running YouTube with no script, you won't
get very far. I don't think re-hosting is technically legal though, which may
be your first problem. You could try contacting the content creator to ask to
duplicate their material, but more than likely this will be denied if they
have ads on their video. To be completely honest, from looking at Facebook
videos that have been re-uploaded from various sources, I think "fair use" is
just a case of adding some text and emoji at the top and bottom of the video -
so there's that.

A way you _could_ (in theory) get around this is by having the user view some
virtual web browser, so that Google still gets all that lovely advertiser time
but your server is the one making all the requests to their service. One issue
is if your site gets more than a few hits a minute, your server will probably
either keel over or start providing a terrible user experience if it wasn't
like that in the first place.

If you really want to respect DNT and don't want to affect user experience
(too much), I would have some JavaScript reveal code for the embedded content
- with a warning that once they have clicked the button you can no longer
respect their DNT request. A DNT request could translate from `/index.html` to
`/index.html.dnt.html` for example, if you pre-process your pages to be
statically served.

------
jasonkostempski
No one, on either end, should waste any time encouraging such a useless thing.
I hate that my browser even has the option. No one wants to be tracked whether
they say it or not, and that should always be considered when building
websites.

~~~
underyx
Uh, I explicitly want to be tracked and actively try to make sure my data is
clean and plentiful. I've only ever seen positive outcomes to more tracking.

~~~
jasonkostempski
Then you should get a checkbox to indicate as such, not the other way around.

------
interfixus
I do not embed. I do not use external resources. And I fight an often
rearguard battle with my customers to let me act likewise on their behalf. No
third party fonts, js, css, or images. No Youtube, and most definitely no
Google Analytics.

------
akerro
I don't use GA, instead I have Piwik that's configured to respect DNT.

~~~
awinter-py
Me too, but it's costly -- it suddenly means that the file size of my logs is a
more reliable metric for visitor count than the piwik dash.

I checked the DNT box on piwik because I care about privacy and why not,
right, but I don't think it's unethical to collect information about people
who are requesting free content over the web.

As a society we need to decide whether it's good to centralize our reading and
use it to target ads, but that's a different question than collecting a lot of
information on my piwik (which, as far as I know, doesn't report anything back
to G or FB).

------
lettergram
I honor it on my websites as best I can, and am in the process of even rolling
my own analytics to avoid using any third-party.

Long story short, there's no way to enforce DNT from an end user perspective.

From a web developer perspective, even if you roll everything yourself, it's
difficult to actually track down everything that you could be accidentally
sharing. For example are you using a CDN? Does your host track this data, and
share it? Do you use a third-party API somewhere in a library you decided to
use? So on, and so forth.

~~~
kuschku
Well, better prepare then.

June 2018 the new EU General Data Privacy Regulation comes into force.

And it requires that you allow users to do exactly that.

~~~
lettergram
Well, 80% of my users are US based, and I kind of doubt the EU can't do
anything to me in the US.

------
jacmoe
I have removed my Google Analytics tracking code from my sites, and have
abandoned Disqus in favour of a self-hosted commenting solution.

Since I am not setting any cookies, I have also removed the EU Cookie Policy
script (which, ironically, uses a cookie...)

I can do this, because I am writing my own content management system.

I probably should add a "You are not being tracked by this website" 'thingie'
?

I wrote a blog post about it, though..

~~~
a_imho
Go a step further and add a disclaimer like

 _You should enable your privacy extensions [url to extension /page how to set
up content blockers]_

------
thefreeman
I don't think your question really makes sense. The request to load the
embedded YouTube video will contain the same Do Not Track headers as the
requests loading your own site. It is up to the site owner to respect them (in
this case YouTube). It's not your responsibility to try to re-host content
from other sources in order to comply with the DNT request.

~~~
r3bl
If I really want to enforce a DNT policy on my website, it is absolutely my
responsibility to find a way to not embed a YouTube video by default, since I
do know that YouTube doesn't give a crap about a DNT policy. It is also my
responsibility to not include original social sharing buttons, since they
break DNT.

It should also be my responsibility to add an option to break DNT upon user's
desire (for example, click-to-enable YouTube embed and click-to-enable sharing
buttons), and, if we take things to extreme, I should even be able to have a
small icon next to every single link that will tell the users if the website I
linked to respects DNT or not.

The DNT thing is broken completely for the end users, there's no point in
arguing about that. But, if I, as the website owner, want to respect it for my
viewers, I need some strategy on how to do so, which is exactly what this
question is about.

I firmly believe that:

1\. Enabling DNT by default is a bad idea, but the option should be there.

2\. If my visitor enables DNT on his own browser, and that decision was solely
made by the visitor (as in, not enabled by default which IE tried to do some
time ago), I should at least try respecting it as much as possible.

This Ask HN is specifically posted to see how I can accomplish #2.

~~~
STRML
I agree that the IE decision was practically braindead and killed the utility
of DNT. Because of it, we have no idea if the user actually specifically wants
DNT (and this may degrade the user experience, so it should be opt-in), or
their browser vendor simply decided for them.

------
amiller2571
I don't think you would have to re-host everything. One could place a
placeholder (image maybe) instead of the embedded content that says "Click to
activate third party resource. Caution, it may not respect DNT". Then if they
click, swap it out with the youtube video or whatever. Gives them the choice
to choose what they want to do.
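
The click-to-activate placeholder described in the comment above, combined with the `navigator.doNotTrack` check suggested earlier in the thread, as an added JavaScript example that is not part of any poster's comment or site. The `embed-gate` class, the function names and the video ID handling are made up for illustration; the ID pattern assumes the usual 11-character YouTube form.

```javascript
// Added example. Function names and the "embed-gate" class are hypothetical.

// Browsers have exposed the preference in different places: navigator.doNotTrack
// ("1", or "yes" in old Firefox), window.doNotTrack, and navigator.msDoNotTrack.
function dntEnabled(nav = {}, win = {}) {
  return [nav.doNotTrack, win.doNotTrack, nav.msDoNotTrack]
    .some((v) => v === "1" || v === "yes");
}

// Assumption: video IDs are 11 characters from this alphabet. Rejecting anything
// else keeps untrusted input out of the generated markup.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Static markup: no third-party request is made by this HTML itself, and the
// plain link still works when JavaScript is disabled.
function renderGate(videoId) {
  if (!VIDEO_ID.test(videoId)) throw new Error("invalid video id");
  return `<div class="embed-gate" data-src="https://www.youtube-nocookie.com/embed/${videoId}">` +
    `<p>This embedded content is from www.youtube.com, which may not respect Do Not Track.</p>` +
    `<button type="button">Load video</button> ` +
    `<a href="https://www.youtube.com/watch?v=${videoId}" rel="noopener noreferrer">Open on YouTube</a>` +
    `</div>`;
}

// Without DNT the gates load immediately; with DNT each one waits for a click.
function wireGates(doc, dnt) {
  for (const gate of doc.querySelectorAll(".embed-gate")) {
    const load = () => {
      const frame = doc.createElement("iframe");
      frame.src = gate.dataset.src;
      frame.allowFullscreen = true;
      gate.replaceWith(frame);
    };
    if (dnt) gate.querySelector("button").addEventListener("click", load);
    else load();
  }
}

// Browser entry point (load the script with defer); skipped outside a page.
if (typeof document !== "undefined") {
  wireGates(document, dntEnabled(navigator, window));
}
```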

------
SimeVidas
But how do you even know which origins are trackers, as a site owner? I know
that social networks like Facebook and Twitter are, but what about GitHub? I
guess, one way to find out is by viewing your site in Firefox w/ Tracking
Protection enabled, and checking if any requests were blocked.
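
One way to see which third-party origins a page contacts on load, as an added example (not a tool mentioned in the thread): it lists origins from resource-loading tags in static HTML and does not decide which of them are trackers. The sample page, `blog.example` and the other `example` hosts are constructed.

```javascript
// Added example. Tags whose URL attribute is fetched without user action;
// <a href> is left out because a plain link contacts nothing until clicked.
const LOADING_TAGS =
  /<(script|img|iframe|link|video|audio|source|embed|object)\b[^>]*>/gi;
// src/href/data as whole attribute names (so data-src is not matched).
const URL_ATTR =
  /(?<![\w-])(?:src|href|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Returns [{ origin, tags }] for every non-own http(s) origin, sorted by origin.
// Limits: srcset, CSS url() and script-initiated requests are not seen, and
// non-fetching <link> relations such as rel="canonical" are over-reported.
function thirdPartyOrigins(html, pageUrl) {
  const own = new URL(pageUrl).origin;
  const found = new Map(); // origin -> Set of tag names
  for (const tag of html.matchAll(LOADING_TAGS)) {
    for (const attr of tag[0].matchAll(URL_ATTR)) {
      let url;
      try {
        url = new URL(attr[1] ?? attr[2] ?? attr[3], pageUrl);
      } catch {
        continue; // unparsable value
      }
      if (!/^https?:$/.test(url.protocol) || url.origin === own) continue;
      if (!found.has(url.origin)) found.set(url.origin, new Set());
      found.get(url.origin).add(tag[1].toLowerCase());
    }
  }
  return [...found]
    .map(([origin, tags]) => ({ origin, tags: [...tags].sort() }))
    .sort((a, b) => (a.origin < b.origin ? -1 : 1));
}

// Constructed sample page.
const SAMPLE_HTML = `
<link rel="stylesheet" href="/css/site.css">
<script src="https://www.google-analytics.com/analytics.js"></script>
<img src="https://cdn.example.net/logo.png" data-src="https://lazy.example.org/x.png">
<iframe src="//www.youtube.com/embed/AAAAAAAAAAA"></iframe>
<a href="https://news.ycombinator.com/">discussion</a>`;

console.log(thirdPartyOrigins(SAMPLE_HTML, "https://blog.example/post/"));
```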

------
pmlnr
My personal website is without js and cookies - no tracking. Stats from server
log.

~~~
amiller2571
Best way to do it :)

------
mfukar
I don't track people (any longer) and I don't check their DNT preference.
Shame is not an incentive for me - or any website code - to do so.

We should have moved away from privacy-theater by now.

------
inopinatus
The existing sandbox iframe attribute is inadequate. I would like a mechanism
that ensures private mode for the content in an iframe, even if private mode is
not otherwise enabled.

------
ptr_void
Just descriptive links + no js/other dependency for me.

