Yahoo ends support of “Do Not Track” (yahoopolicy.tumblr.com)
56 points by bpierre on May 1, 2014 | 53 comments

Do Not Track has been effectively dead for 1.5 years. Very few advertising companies ever supported it due to Microsoft's decision to buck the spec and enable it by default for all IE10 users (a transparent attack on Google by a company whose own advertising business had just imploded in a $4B write-off).

The original agreement was carefully hashed out between advertisers and browser vendors with the understanding that only a small percentage of users would be opting out. When Microsoft reneged on that, the advertising industry backed out.

Whatever you think about online tracking, the voluntary nature of DNT and the complete lack of enforceability (there's no way, as a user, to determine whether a company is following DNT) made it pretty useless. True privacy protection needs to be on the client side (like script blocking or 3rd party cookie blocking), not on the server side.

> due to Microsoft's decision to buck the spec and enable it by default for all IE10 users

Did you ever install IE10? The screen gave users the option to configure everything but selected the most likely settings for many things, not just DNT: http://img.wonderhowto.com/img/21/42/63487287284459/0/yahoo-...

What level of "not by default" would have been acceptable to advertisers? I suspect they would be happy only if the option was disabled by default and hidden from view. An uninformed consumer is a trackable consumer.

I have. You have to click through to a separate screen to get the option to disable it. If you try that, it will warn you on the next screen that you are not using the recommended settings. Then variously using IE10 you will get prompted to use the recommended settings. Microsoft makes it pretty hard for an average person to disable it.

DNT was a voluntary standard, and the advertisers refused to buy in unless it was off by default (the vast majority of people will not change defaults, even if you make it easy for them). Microsoft violated that agreement to hurt Google, and as a result DNT is dead.

so, DNT can be recommended to you and your close ones, but not the general public? that is some entitlement you have going on there.

i applaud microsoft for protecting their customers, instead of selling them out like google does with android.

also, most big advertisers chose to ignore DNT only for IE. so no, it has not been dead for that long.

The whole point of DNT is that it is a voluntary measure by advertisers to avoid tracking people who don't want to be tracked.

Given that turning DNT on by default would essentially turn DNT on for everybody, supporting DNT in that scenario would have imploded the whole business model of the same advertisers.

Obviously they're not going to voluntarily decide to go out of business, so the advertisers then dropped support for DNT entirely.

Now no one gets the benefit of DNT, not even the privacy-conscious minority who actually cared about it.

Welcome to second and third-order effects...

we already beat that horse to death. it is not enabled by default. it is SHOWN to the user to choose. and the checkbox is enabled by default, because, let's agree on this, microsoft did their homework and that is the best choice to recommend to their users.

it is never enabled against the user's knowledge. it is just the correct default when it is presented to them.

and again, by no-one, you mean YOU. you are pissed off that everyone is not disabled on DNT and not even shown the option, and only you and other tech savvy people can benefit.

Yeah, it gave users an options button to change what would otherwise be the default express settings. So DNT was on by default. The ad industry wanted off by default.

And let's be fair, most people are going to agree to that long list of default settings even if the third bullet said "Sends 1 Bitcoin to Microsoft"

> The original agreement was carefully hashed out between advertisers and browser vendors with the understanding that only a small percentage of users would be opting out.

Source? How can those parties decide for users how many of them will opt out?

Very few users adjust the default settings of their software regardless of what they are.

Do not track, as defined, was pretty meaningless. See the section of the RFC listing the exceptions:

    9.3.  Exceptions

    As a general guideline, exceptions to Do Not Track are warranted when
    commercial interests substantially outweigh privacy and verification
    interests.  The following activities are excepted:

    1.  Tracking of users who have explicitly consented to tracking, such
        as by enabling a checkbox in a preferences menu on the first-
        party website of the tracking service.
    2.  Data obtained by a third party exclusively on behalf of and for
        the use of a first party.
    3.  Data that is, with high confidence, not linkable to a specific
        user or user agent.  This exception includes statistical
        aggregates of protocol logs, such as pageview statistics, so long
        as the aggregator takes reasonable steps to ensure the data does
        not reveal information about individual users, user agents,
        devices, or log records.  It also includes highly non-unique data
        stored in the user agent, such as cookies used for advertising
        frequency capping or sequencing.  This exception does not include
        anonymized data, which recent work has shown to be often re-
        identifiable (see [Narayanan09] and [Narayanan08]).
    4.  Protocol logs, not aggregated across first parties, and subject
        to a two week retention period.
    5.  Protocol logs used solely for advertising fraud detection, and
        subject to a one month retention period.
    6.  Protocol logs used solely for security purposes such as intrusion
        detection and forensics, and subject to a six month retention
    7.  Protocol logs used solely for financial fraud detection, and
        subject to a six month retention period.

    To ensure data allowed for only specific uses is adequately
    protected, functional entities SHOULD implement strong internal

Basically every advertising network would fall under 2 or 3.

Awesome, this is exactly what I was too lazy to Google and dig up on my own. The plan pretty much shoots itself in the foot before it even leaves the gates.

ironically, yahoo is the ONLY big publisher adopting safeFrames. which effectively blocks any ability of the ad to identify the user, or set cookies as a fake-first-party.

It is not really ironic. Yahoo! is the only/first one being honest about DNT to date (that I am aware of). Yahoo! is just bowing out of a deeply flawed spec.

exactly why it is ironic!

they are the only one solving the privacy-while-showing-ads issue by using safeframes. then they drop DNT because it is a fallacy for the most part.

but they write that announcement in the worst possible way and everyone goes crazy.

I misinterpreted your comment then! Thanks for the clarification.

"The privacy of our users is a top priority for us," Yahoo says as they end support for users' privacy settings.

This. The comments on the post are priceless too.

I used to feel that blocking online ads was freeloading, but I am increasingly convinced that the online ads are a failed experiment and it's our duty to kill them -- especially when the industry can't even follow through on watered-down self-regulation like DNT.

The crazy thing is that major websites like Yahoo don't even know what ads they are serving. And increasingly online ads are an attack vector for viruses and malware. In January Yahoo was serving malware via their online ads.[1] And in February Google did the same.[2]

And of course there are the major privacy issues with companies tracking us online. I understand that online publishing is important and we clearly need a strong press, but publishing really needs to find a new business model. Online ads are not the solution.

[1]: http://www.cnn.com/2014/01/05/tech/yahoo-malware-attack/inde....

[2]: http://labs.bromium.com/2014/02/21/the-wild-wild-web-youtube....

Sure, kill them. I mean, as long as you realize that killing off online ads essentially means opting in to a future where quality content is forced behind a paywall as a matter of course.

And I say this as someone who loathes advertising and the creepy mentality behind them. They're kind of a necessary evil. Keeping a tighter rein on what kinds of ads can be served would help tremendously. They need to eradicate that stigma of them being a dangerous vector. Erf.

Then we can invent in a proper paywall, something that works unintrusively. And then users are the customers again, and we can get our internet back.

The important thing to note here is not that Yahoo! is so evil. It is that they are probably one of the few companies in the world that are honest about it. And surely after this outcry, or at least 3/5 comments here are talking about needing warnings on "websites like these" or "now I have a reason to block Yahoo's cookies", surely no other companies will publicly announce the end of DNT support.

And besides, Do Not Track is a black box: they can do whatever the hell they like while our browser merely requests "Would you please not track me even if your site is entirely free and ad-supported?" Because it's not like they're keeping databases on us purely for fun.

meanwhile, other big publishers: what the hell is DNT?

The privacy of our users is and will continue to be a top priority for us. Just not as long as it in any way might affect our current revenue streams.

Marissa Mayer is getting a little weird in the quest to show she has brought some value to Yahoo.

She runs a company that cares about you and wants the "best user experience", so long as it doesn't hurt the bottom line at all. And the next rounds of layoffs are probably not too far away, from everything I've heard.

It's not a surprise, really - Yahoo is a business that thrives on data about advertising targets, much like Google. "Don't be evil," is as much a bunch of marketing bullshit that'll be thrown out the window the moment it becomes inconvenient for the real goal of the enterprise.

I just find the apparent need to hide behind bromides such as these distasteful, particularly when they're not merely empty little phrases, but empty little phrases that are directly contradicted by the actions and interests of the organization that employs them.

she learned at google that this matters little. just see android announcing to your carrier that you use tethering, or the fact that google employers actively REMOVE features from chromium that impact adsense revenue such as disabling referrer, etc.

Chrome's options for DNT are hilarious. For every other option, like spelling, they give you an order of (Yes, No) when you check the box to enable the option. For spelling correction, they encourage you to enable it with the phrasing.

For DNT, they have a lengthy explanation of how tracking is still done and totally helps your experience. Then they reverse the order of the buttons so the default is to cancel out of the operation.

Seems unlikely this was implemented as an accident.

Microsoft effectively destroyed "Do Not Track" by making it the default in their browser, and therefore destroying any notion of "intent" by the user. The day Microsoft made it the default was the day I immediately knew that the Yahoo/Google's of the world would stop supporting it in the future. Clever move by Microsoft in the embrace/extend/extinguish cycle.

Why does one choice of default "destroy intent," while the other doesn't? Why do you assume the default setting of allowing tracking is the correct one?

More importantly, why is "on by default" supposed to be "bad" when the entire system is designed to protect people's privacy?

Microsoft don't sound like the problem.

DNT is not designed to protect everyone's privacy, it was meant as a way to grow a clear sign that people don't want to be tracked. If browsers really wanted to protect people's privacy, they'd block 3rd party cookies by default and show 1st party cookies as a warning.

All good points.

The default setting should be "No Intent" - I neither make claims as to whether I wish to be tracked/have personalization, nor do I make claims as to whether I do not. A browser should not bake in any claims about what I desire.

A browser should protect my privacy, give me tools to filter out content (images, ads, off site material), protect my browsing history, etc...

This is all beside the point - when every browser sends a flag that states "Do Not Track" - then "Do Not Track" loses all meaning.

Because one choice of default was the one agreed to by the parties that decided on DNT as a mechanism, and one was the opposite of that. That is, the choice of default was a central part of the intent.

It's not a matter of "correct", it's a matter of what people bought into when they initially decided to support DNT.

Do you mean that when average users use a web site, they intend to be tracked?

The setting has to be either on or off by default. I think that most users, if asked, would like for it to be off. The only reason to leave it to "on" involves advertising doublethink, a.k.a. bullshit.

The reason to be off by default is that you needed the advertisers and publishers to voluntarily agree to honor the DNT flag. They can significantly make more money by targeting users based on tracking data (a targeted ad might be worth 10X a non targeted ad). Now you might not like that but, DNT is not a law, following it is completely 100% optional. You could probably even lie and say you follow when you really don't and there is little that could be done (I'm not a lawyer btw).

The advertisers agreed that as long as the flag had to be set manually by the user they would honor it. They made that agreement because it would not impact their revenue significantly. It would be very presumptuous to expect them to voluntarily destroy their own business. Because DNT is optional you need the advertisers and publishers to agree about it. So by making DNT on by default in IE advertisers walked away from the agreement and there is nothing we could do to stop them effectively killing DNT.

Now you mention most users don't want to be tracked, but what are they getting in exchange for being tracked? If you asked the average user would you allow yourself to be tracked online to use Facebook I bet most would say yes. How about you allow yourself to be tracked online for 1 free latte at Starbucks/month? Again I think most would say yes.

FYI, if you don't want Yahoo ads to track you, they offer an opt-out. https://info.yahoo.com/privacy/asia/yahoo/opt_out/targeting/...

You can opt-out of pretty much all the major ad networks at once, in fact: http://www.networkadvertising.org/choices/?partnerId=1

It's been like that for years. I'd submit that as evidence that the ad industry is willing and able to accommodate people who don't want to be tracked on an opt-out basis.

You have to keep that cookie on all your devices for all ad companies? no thanks, I would rather block all ads.

Well, DNT was supposed to be the alternative.

You can inspect the cookie. Yahoo's is literally "optout=1"

Yahoo ends support of "Do Not Track". Fast Lanes for sale. Facebook is using my data for advertising outside its walled garden... sigh. Give me back my old 56k modem. I miss my old internet.

The title doesn't even make sense. The default was always to track users. Yahoo could have made this sound a lot less disingenuous if they had spun ending Do Not Track support as "this 'standard' is weak, hard for users to understand, and not guaranteed to be implemented by anyone, giving the average browser user a false sense of security."

This post just makes it seem like one of the higher-ups realized that Yahoo's missing out on a chunk of data that everyone else gets and decided to go for a "quick win".

Browsers should have some sort of warning message when visiting sites like these.

You mean like the European cookie law? Yeah that worked out great.

Implementing that must have been fun. "You mean you got it watered down so much that all we have to do to continue as usual is make our users hate government even more? lol"

I never had a reason to ban all Yahoo! cookies on my browsers, until today.

The fact that they supported it at all was relatively exceptional. You'd better block cookies on all other domains before they, gasp, place more tracking cookies!

they support safeFrames (like a few other small sites like deviantart). ads can't set cookies at yahoo.com even if they wanted. they render in a cross domain iframe. so they can't do it even if the adserver is compromised.

they are morons for not mentioning this on that announcement. basically, they are just ignoring DNT for the few in house ads that run on front page and such. which being in house, already can track you.

Did DNT ever have any support beyond verbal promises? I personally feel that it was always useless and never really trusted anyone saying they "honoured" it.

But has there ever been a precise specification of what it means to "track" a user? Does "track" have any finite meaning, or is it just an open-ended plea from the user for everyone to pretend that certain events never happened?

To speak of "tracking" one might mean:

  A. Thou shalt not cookie a user.
  B. Thou shalt not record plain text log files on a 
     server-side file system, regarding the nature of these 
     requests. Thou shalt not persist discrete information 
     to a relational database, with respect to these 
     particular HTTP requests.

  C. Thou shalt not inspect which IP address HTTP POST 
     requests originate from, and treat them differently, if 
     a user proclaims "no tracksies". GET requests will be 
     treated as read-only requests for static resources. If 
     the static resources change, I wish to play no part in 
     such events.

  D. Thou shalt neither inspect ANY HTTP requests (PUT, 
     DELETE, POST or GET), nor serve individualized 
     resources, regardless of any particular attributes 
     present in the request. Thou shalt only keep the 
     specific data I tell you to keep, and destroy 
     everything else related to my requests. At a later 
     point in time, I reserve the right to become 
     irrationally angry about your having kept *some* of
     the data I told you to keep, because, technically 
     speaking, the DO-NOT-TRACK header is all encompassing, 
     and supersedes all other instructions. I also reserve 
     the right to get angry if *your* system does not 
     perform according to *my* expectations, whatever those 
     expectations may be, at any particular time.

  E. Thou shalt not provide me with any uniquely 
     identifiable information. I do not wish to receive 
     information which has not already been provided to 
     anyone else. Please do not transmit unique information 
     to me over the wire or over the air. Doing so will 
     change the state of my system in a unique way, which 
     I'll eventually have to answer to. If I receive non-
     standard resources and information from you, my service 
     provider and local authorities, may use this against 
     me, and derive other information from these details. I 
     may be penalized for knowing or having things other 
     people do not. 

  F. This never happened. I don't exist. You don't exist. We
     don't know each other. There was never any /index.html 
     or /default.htm available here. I never asked for it, 
     and if anyone did ask for it, you just said "404". You 
     don't know how many people were looking for that file, 
     or whether it was 5KB or 17MB at any particular time.

One can easily understand how a user might urgently want for one or all of those, or even more stringent restrictions to be adhered to, under certain circumstances, but in some cases, the very nature of the beast is for a given server or cluster to maintain a certain degree of situational awareness, regarding the current state of user activity requested.

Beyond even that, in most cases, for a user to simply request the common courtesy of being forgotten might be unrealistic and completely ineffective from the outset.

   "Please don't track me, but here's my ID and password, now log me into my account."

I can think of several ways to interpret that. Worse yet, the fact that a user may have cookies turned on, and has sent the request in plain text, across ten other systems beyond my own control (all of which should also respect the user's wishes) completely defeats any realistic expectations of non-disclosure.

An honor system is certainly an admirable aspiration, but sending "do not track" requests by default also creates a general atmosphere of noise from users who may or may not be cognizant of the true nature of their actions.

The knee-jerk idea that cookies are bad isn't good enough. The idea that you can simply ask people to "be nice" also isn't good enough.

Dumb people are always going to be their own worst enemies, by playing the role of low hanging fruit to be preyed upon.

I've always felt that "do-not-track" requests were bullshit, just like the European cookie law was a silly white wash. (servers remember data, it's what they do. businesses exploit their customers for a profit, it's what they do.)

Just like having to opt into a "do-not-call" registry is bullshit. (no one wants to be cold-called by telemarketers, so why is this an opt-in thing?)

Just like anti-virus software is bullshit. (hey, how about you just don't execute code indiscriminately? doesn't that work too?)

The list goes on...

Wait...people still use Yahoo? :)

Second only to Google in terms of desktop web traffic, if you believe Comscore: https://www.comscore.com/Insights/Press_Releases/2014/3/comS...

Roughly the size of Facebook and LinkedIn combined.

Yeh but that's misleading as worldwide it's about 5% of total.

