Apple Is Removing 'Do Not Track' from Safari (gizmodo.com)
99 points by Varcht on Feb 6, 2019 | 48 comments

The contempt that tracking companies showed to this feature killed it. But it also provides the perfect ethical justification for me blocking trackers and their ads. You didn't listen to me when I politely asked you to respect my privacy, so now it's scorched earth.

That's how I feel. We warned them that they should either fix their ads or we would take more drastic steps. They did not listen.

I was literally just talking about this with a friend last weekend. We were discussing if blocking ads was in effect stealing content from the people trying to monetize their content by running the ads in the first place. I said "I wouldn't mind just seeing a generic ad on a page that was shown to me at random, but the bastards try to track everything you do to better target you."

Save you from reading the article: 1) Nobody obeys it. 2) It's actually being used as a heuristic to track users through fingerprinting.

If (2) was a huge issue for them, wouldn't removing the UA header help tremendously as well?

(Sure, you'd know it was an apple device, but that's still less than currently. It's also less if other browsers followed suit.)

The Safari UA is fixed - there was a post or document at some point saying that it had basically become a tracking tool, so beyond the compatibility requirements it is no longer changing.

Similarly, queryable font and plugin APIs are fixed.

But DNT is simply a tracking metric - and was opposed by everyone with non-ad revenue (specifically it was offered up by the ad industry to avoid regulation).

iOS user agents aren't very identifying. Despite having multiple version numbers in them, all they pretty much tell you is 1) what type of iOS device it is (e.g. iPhone or iPad) and 2) what iOS version it is (mobile Safari is updated along with iOS, so the version numbers are pretty much the same for the same iOS release). Considering that most iOS users are up to date, you'll be hard pressed to squeeze more than a few bits of entropy from it.

> Considering that most iOS users are up to date,

That's what makes it so valuable really. You get little to no entropy for a large portion of users, but you get a huge amount of entropy about the people who aren't.

So you get amazing entropy on my grandma, which is quite possibly not worth the processing time you spent to track her, in terms of ad revenue or marketing campaigns. Sure - that's probably not the case in most of the cases, but it sure pollutes your otherwise good dataset.

I think part of the advantage of DNT for fingerprinting is that it's a user set signal.

BTW you can query the WebGL renderer to identify CPU / GPU information for iOS devices, which is slightly more useful than just the UA.


> Froze the user-agent string to reduce web compatibility risk and to prevent its use for fingerprinting


> Freeze the version reported as User Agent to OS 10.13.4 (OS 11.3 on iOS) and WebKit 605.1.15 for User Agent purposes.

IMO 2) is a PR move. Removing 1 bit of data isn't going to do much for anti-fingerprinting.

It’s vastly more than 1 bit - if I recall correctly the amount of bits of info you get is something like log(1/P(event)), so if P(dnt==true) is less than 0.5 you exceed 1 bit of information. It’s logically probably closer to 10 bits of uniqueness assuming .01% of the population have it enabled.

The number of people who enable DNT is relatively small, so having it enabled is worth a lot more than 1 bit.
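Added example, not part of the thread: the two quantities this exchange turns on are the per-value surprisal of a header (what one rare value reveals about the user sending it) and the Shannon entropy of the header (the average over everyone). The population shares below are constructed for illustration, not measured data.

```javascript
// Added example: how much identifying information one header value leaks.
// All population shares below are constructed, not measured.

// Surprisal (self-information) in bits of observing a value with probability p.
function surprisalBits(p) {
  if (!(p > 0 && p <= 1)) throw new RangeError("p must be in (0, 1]");
  return -Math.log2(p);
}

// Shannon entropy in bits: the average surprisal over the whole population.
function entropyBits(dist) {
  const probs = Object.values(dist);
  const total = probs.reduce((a, b) => a + b, 0);
  if (Math.abs(total - 1) > 1e-9) throw new RangeError("shares must sum to 1");
  return probs.filter((p) => p > 0).reduce((h, p) => h + p * surprisalBits(p), 0);
}

// Expected number of users in `population` who share a value of probability p.
function anonymitySet(population, p) {
  return population * p;
}

// Per-value breakdown for one attribute, plus the population-wide average.
function report(dist, population) {
  const rows = {};
  for (const [value, p] of Object.entries(dist)) {
    rows[value] = { bits: surprisalBits(p), sharedWith: anonymitySet(population, p) };
  }
  return { average: entropyBits(dist), rows };
}

// Constructed shares: 1 in 16 users sends DNT: 1.
const dnt = { unset: 15 / 16, "1": 1 / 16 };
// Constructed shares: most devices on the current OS release, a few stragglers.
const osVersion = { current: 0.75, previous: 0.125, old: 0.0625, older: 0.0625 };

const dntReport = report(dnt, 1e6);
const osReport = report(osVersion, 1e6);
console.log("DNT:", JSON.stringify(dntReport, null, 2));
console.log("OS version:", JSON.stringify(osReport, null, 2));
```

With these shares the DNT header averages well under 1 bit across the population, while each user who sends `DNT: 1` gives up 4 bits; the same split applies to the up-to-date versus out-of-date OS versions.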

Easy solution; make DNT legally binding.

From the individual, company, and even political perspective, how is that easy?

Because it's the most effective solution to the problem.

    If I send DNT -> GDPR Opt Out of all tracking
IIRC this was discussed to be part of the GDPR but was kept out in favor of putting it in elsewhere at a later date.

You can bet Google et al will fight this tooth and nail.

They've already fought GDPR tooth and nail. Look how that turned out.


I hate comments like this...why can’t you just be charitable to the spirit of the point? Replace “Nobody obeys it” with “Almost nobody obeys it.” Happy? Now it’s true and we can move on.

What's a rule without enforcement but a burden to those who follow the rules? And in return the user trades some actual privacy for hopes of moral compliance.

So is Apple lying when they cite the removal due to tracking logic using DNT, since there's really no teeth to enforce the request to not track?

DNT was and always will be an example of how not to implement privacy settings

Who obeys it? I honestly can't think of a single site that I know of that actually obeys that header.

Medium will "block" twitter embeds until you click on them if you have DNT turned on.

Huh. Seems to me they should just do that for everybody instead of for people with DNT turned on.

DNT and any other technical solution that isn't on by default is a waste of time. The time for letting the ad-tech industry come up with PR non-solutions that don't change anything is over.

Congress needs to pass GDPR into law.

The problem with DNT was that some browser vendor turned it on by default, which made it be “a flag the user didn’t turn off” rather than “a reliable signal that this user has asked not to be tracked”.

One should assume that nobody likes to be tracked and therefore this should be the default option. But yeah, opt-out of privacy tools is never fine for adtech companies.

The problem with Do Not Track was that it wasn't a technical solution at all. It was begging. I'm honestly surprised anybody thought it would work.

It was a stupid premise to begin with. "Oh, please, here's all of my stuff, but I'm asking you to not track me. I trust you won't" vs "I don't trust you and block all 3rd party cookies and scripts from being accessed by my machine except those I know and trust and explicitly allow through"

It's like leaving your door unlocked and with a sign on it asking criminals to obey your privacy and not enter vs having a lock on the door and not allowing them through until they knock, you can verify who they are and decide at that point whether to open the door to them.

It's only a stupid premise if you take the feature at face value and assume that the people behind it expected it to magically solve all of the tracking problems on the web. Alternatively, consider that it's a great opportunity for all those companies that "value your privacy" to put up or shut up. Then tools like Privacy Badger [0] get to call out advertising companies that assert that they only track consumers because that's what consumers want while explicitly ignoring the industry standard opt out mechanism.

[0] https://www.eff.org/privacybadger/faq#How-does-Privacy-Badge...

You can do both though - limit the amount of information you do send _and_ ask those that do respect it not to track the information you _must_ send.

It's a completely pointless setting. No user would choose to be tracked and no tracker wants to shut down their business. You don't need a setting for it because everyone wants the same thing.

I have no issues with websites tracking my usage, as long as the tracking scripts aren’t making my browsing experience miserable. And, especially for things like affiliate links, I’d like to make sure that the people that influence my decision to purchase an item get some credit for it.

>I’d like to make sure that the people that influence my decision to purchase an item get some credit for it.

This is a negative user experience. Affiliate links mean that people try to recommend things they get paid to recommend rather than what they actually think is best

Look I think we all know which is more likely to work in practice. It's sad that Do Not Track never took off, but let's not pretend to be surprised.

W3C changed the DNT Candidate Recommendation to a "Note" now, and says that the working group is closed: https://github.com/w3c/dnt/commit/5d85d6c3d116b5eb29fddc6935... (the page is here: https://www.w3.org/TR/tracking-dnt/)

If the other major browsers follow suit in considering it "expired" and remove it, I'm curious what effect this will have on the requirement in the California Online Privacy Protection Act (CalOPPA) for sites to state how they respond to the signal (more info: https://iapp.org/news/a/how-should-i-respond-to-californias-...).

Will sites legally need to continue explaining how they respond to a signal that effectively no longer exists? Most of them already just said "we don't do anything based on this signal", but that will be even weirder.

It was a well intentioned toothless innovation that didn’t work. I’m pretty happy with Safari’s content filters (using Firefox Focus) that actually help me from being tracked.

1Blocker X is more efficient. I tried both that and Firefox Focus.

Not affiliated, just a happy customer.

> almost no websites actually honor the request not to be tracked because the government never forced them to comply with it.

Damnit Gizmodo. You had the first part right, that the setting is ignored, then you had to go and make up the reason. These blurred lines between reporting and opinion are the embodiment of fake news. There is a primary fact or two and then subjective garbage.

The way this is written makes it obvious that the author has an agenda altogether and dislikes the idea of this feature. It's written with a very condescending undertone. Nothing wrong with that of course, just might be nice to be transparent around it.

2 minutes I won't get back..

People do tend to dislike features that don't work.

A shame, although I can see the logic behind the decision. We use this on sites we build so we don't even need to show those visitors a cookie notice, and just assume they don't want Google Analytics turned on.
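Added example, not part of the thread and not the commenter's code: one way a site can apply the approach described in the comment above, skipping both analytics and the cookie notice when the visitor sends a DNT signal. The `env` argument stands in for the browser globals so the logic also runs under Node; `trackingPolicy` and its field names are hypothetical.

```javascript
// Added example: gate analytics and the cookie notice on the visitor's DNT signal.
// `env` mimics the browser's global object (window); sample values are constructed.

// Client side: browsers have exposed the preference under several names
// (navigator.doNotTrack, window.doNotTrack, navigator.msDoNotTrack) and
// with several "on" values ("1", and "yes" in older Firefox releases).
function dntEnabled(env) {
  const nav = env.navigator || {};
  const candidates = [nav.doNotTrack, env.doNotTrack, nav.msDoNotTrack];
  return candidates.some((v) => v === "1" || v === "yes" || v === 1);
}

// Server side: the request header is `DNT: 1`; header names are case-insensitive.
function dntHeaderEnabled(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "dnt") return String(value).trim() === "1";
  }
  return false;
}

// Hypothetical policy for this example: an opted-out visitor gets no analytics
// script and therefore no analytics cookie notice either.
function trackingPolicy(env, headers = {}) {
  const optedOut = dntEnabled(env) || dntHeaderEnabled(headers);
  return { loadAnalytics: !optedOut, showCookieNotice: !optedOut };
}

// Constructed visitors: one with DNT on, one with no preference expressed.
const optedOutVisitor = { navigator: { doNotTrack: "1" } };
const defaultVisitor = { navigator: { doNotTrack: "unspecified" } };
console.log(trackingPolicy(optedOutVisitor)); // analytics and notice both off
console.log(trackingPolicy(defaultVisitor));  // analytics and notice both on
```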

The "do not track" setting probably helps advertisers track users because it creates a more unique configuration/fingerprint... personally, I still use it in Firefox but probably should not since there are no consequences for them if they don't honor it.

It's true, I don't know why you are being downvoted.

I haven't downvoted but I would imagine it's because it's just repeating the article and somewhat obvious.

If it is so obvious, why did hundreds of engineers decide to implement it anyways?

Leave it on whatever the default is on Firefox. That's the best way to avoid extra identification.
