1. Chrome is the only major browser not to support the Do Not Track header. Google is also the browser vendor whose bottom line would be most impacted if users could easily opt out of tracking. Coincidence?
While I welcome folks from the Chrome team to weigh in on the reasons for this, my own understanding is that adoption of this feature is being blocked by Google's Mountain View based policy team, and is not a decision that is in the hands of engineers.
Compare this to Chrome's absolutely spectacular record in the area of security, where folks like Adam Langley and Chris Evans have been able to ship innovative features that haven't worked their way through the standards process. Examples include HTTPS certificate pinning (that recently led to the discovery of MiTM attacks against Iranian users using the DigiNotar certs).
In the area of security, Chrome's engineers deploy whatever they think will help users. In the area of privacy, Google's lawyers and lobbyists are calling the shots.
(Also, there still isn't a working API to let others support DNT in Chrome. An API exists, I think, but it is quite buggy, AFAIK)
2. Blocking 3rd party cookies by default. Apple defaults to blocking 3rd party cookies, Chrome does not. Both are derived the same webkit core (yes, I know there is different code now), but when Google decided to create Chrome, they went with a different default than the one that Apple had already used -- one that hasn't led to websites breaking for Apple users.
Again, which browser vendors' bottom line would suffer if Chrome users could not easily be tracked? Google.
Let me be clear - I don't think that Chrome is engaging in any sneaky shenanigans to directly track users. No, that would be too obvious. Instead, Chrome just makes it easy for Google's other services to track users, when they stick with the deaults.
The Chrome team has already addressed this issue. The problem with Do Not Track is that it isn't clear what it blocks and what it does not. It is also pretty useless as most websites that survive using ads will never support the Do Not Track headers, so it's a faux solution to the problem. Google already offers a browser extension (Firefox, Chrome and IE) to block Google Analytics. Last but not least, there is a dashboard on Google to know what Google ads know about you and the possibility to delete this information.
I think what's really bad is that DNT headers offer a false sense of privacy when in fact no websites respect the headers. Google's alternative solutions have the upside of being very clear about what they accomplish for your privacy.
Instead of supporting a header that millions of consumers are already sending, you instead offer a browser add-on for analytics, and "keep my opt outs" for ad network opt out cookies.
The signal sent by a consumer setting the DNT flag in their browser is just as clear as a consumer installing your analytics opt out plugin, or obtaining the doubleclick opt out cookie.
You could, right now, respect the DNT header as you currently respect your own opt out mechanisms, but you don't.
I get that Google is not a charity. I get that Do Not Track (or any other mechanism that makes it easy for consumers to avoid tracking) threatens your bottom line. What I would prefer though, is honesty.
Please just admit that you want to make it difficult for consumers to opt out, and that a single, easy to use mechanism built into the browser is something you want to avoid at all costs, even if that means you are ignoring millions of consumers' intent.
2. Google's participating openly in http://www.w3.org/2011/tracking-protection/ to work out what DNT means in a detailed sense, so that when users send a header, either via a checkbox or via an extension, there's agreement about what the practical impact is. I'm not sure it's reasonable to expect much more than that right now.
Keep My Opt Outs is largely political propaganda, or if you will, privacy theater. It gives your DC people something to talk about when they testify before Congress or the FTC. It allows them to say, "look, we do offer users the ability to opt out", while knowing that few users will seek it out and turn it on.
Compare, for example, the 5% of Firefox users who have enabled DNT, vs. the 62k users of KMOO. That number of users is pathetic, given how many people use Chrome.
2. Since when does something need to have gone through the standards process for Google to ship it in Chrome?
Consider, for example, what Adam Langley wrote when he added support for DNSSEC certificates to Chrome:
"I'm also going to see how it goes for a while. The most likely outcome is that nobody uses [this feature] and I pull the code out in another year's time." See: http://www.imperialviolet.org/2011/06/16/dnssecchrome.html
Google's approach to security (and in many other areas) is to iterate, quickly, see what works, and if it doesn't, kill it off.
Likewise, Chrome supports an early draft of WebSockets. The spec isn't finalized yet though. Google added support to a draft spec, and then will update Chrome to the final spec once it is done. See: http://blog.chromium.org/2010/06/websocket-protocol-updated....).
It seems to only be in the area of privacy where Google wants to wait until technologies have gone through the slow standardization process. In the mean time, while you wait for things to work their way through the W3C, Google's ad business continues to build detailed behavioral profiles on Internet users.
The longer the W3C takes, from Google's perspective, the better.
Look - I get that it must be frustrating to be a privacy engineer working on Chrome, when upper management won't let you deploy serious privacy enhancing features to users. I get that it must be embarrassing to work on the only browser that doesn't support Do Not Track (usually, IE is last to the party). What I don't get, is why you tout features like KMOO and Google's involvement in the W3C process as though you expect them to be taken seriously.
Google is not committed to enabling users to easily protect themselves from Google's widespread collection of their private data. To argue otherwise is foolish.
On my home network, Google, Facebook, and Twitter compete for the most web tracking next to my ISP's own capabilities. Traffic weighted, Facebook is now the leader in my household.
"So what about the rest? Two advertising companies took overt steps to respect the Do Not Track headers sent by browsers like Firefox, Internet Explorer, and Safari, which we just learned is actually a step beyond NAI's baseline requirement. Another 10 companies went even further by stopping the tracking and removing the cookies altogether (and just for interest's sake, it's worth noting that Google falls into this category)."
When a consumer visits Google's opt out page (where you obtain a doubleclick.net opt out cookie), or gets one via the NAI, the doubleclick.net tracking ID is deleted.
Google does not support the DNT header.
Chrome's cookie code isn't derived from other code in WebCore; it's implemented in the platform layer. And it's intended to be as compatible as possible with the majority of the web. As for the privacy implications of third-party cookies, I think Michal covered the reality of the situation extremely well: http://lcamtuf.blogspot.com/2010/08/cookies-v-people.html
As a Firefox user who disables 3rd party cookies, this actually does break some sites. Signing in with your Google account to various blogs becomes impossible. Buying tickets online to the local puppet theater becomes impossible. That sort of thing.
Firefox takes a totally different approach to blocking cookies than IE/Chrome/Safari.
Firefox blocks the setting and transmission of cookies by/to 3rd parties.
The other browsers just block the setting of new cookies by 3rd parties.
An example of what this means:
A Safari or Chrome/IE user who has turned on 3rd party cookie blocking visits facebook.com in a 1st party manner (by visiting the facebook home page). He/she then visits CNN, where facebook is present as a 3rd party (via the like button). Even though that user has opted to block 3rd party cookies, their stored facebook cookies will be transmitted to facebook when it acts as a 3rd party, because the cookies were first set as a 1st party.
In comparison, when a Firefox user who has turned on 3rd party cookie blocking visits CNN, facebook has no idea who they are.
No one is visiting doubleclick.net as a 1st party, which means if Google turned on the Chrome/Safari style 3rd party cookie blocking, it wouldn't be able to track users for behavioral advertising (interestingly, Facebook could still do so). Were this to happen, I guess Google could always move away from using doubleclick.net and put everything under the google.com domain, which would get around this.
Mozilla's method of 3rd party cookie blocking does indeed cause collateral damage, which AFAIK, is why Mozilla hasn't turned it on.
Google doesn't have the same excuse for allowing 3rd party cookies, since Apple users don't suffer broken sites when they browse. (If the Flash fiasco has shown us anything, it is that websites will bend to Apple's will, and change whatever breaks in order to allow Apple users to visit their sites).
Regulating the technology is, and always will be, a waste of time. If people don't want the tracking done, they need to outlaw it, regardless of technology implementation.
Well, sure, but that's not relevant for purposes of this discussion. ;) The fact that I use the browser and turn off third-party cookies is the relevant part.
> The other browsers just block the setting of new cookies
> by 3rd parties.
Ah, interesting. That significantly reduces the value of that setting, as you point out.
I suppose we could look into blocking the setting of such cookies by default and only the sending when the pref is flipped. I'll file a bug, thanks!
Simple as that.
In the area of security, Google recognizes the importance of setting safe defaults. See: "99.99% of Chrome users would never change the default settings. (The percentage is not an exaggeration.)"
Having an option to block 3rd party cookies, but then hiding it in the chrome://flags/ menu is essentially worthless for most users.
Privacy enhancing technologies need to be easy to use, preferably, enabled by default.
I agree on the cookies issue, though. Things like "Allow local data to be set (recommended)" make me kind of sad.
Notice that "allow local data to be set" and "block third party cookies" are not mutually exclusive settings in preferences...which is good, because they can be and tend to be used for very different purposes.
If you want to block all data from being stored, that's fine (and web APIs are great in that they are designed to be individually denied and let a page detect that they have been), but I definitely disagree that first party storage enabled by default (and even "recommended") is lamentable.