Do Not Track Does Not Conquer

By Nathan Willis
October 17, 2012

At times it can seem like protecting one's online privacy is a Sisyphean struggle. Even when the software industry listens to the concerns of privacy advocates, the site owners and secretive data-collectors who profit from pillaging private information are quick to find every loophole and work-around in existence to regain their access to profitable data. Such seems to be the case with the Do Not Track HTTP header (DNT), which has garnered support from browser vendors — plus a steady stream of assaults aimed at undermining it, courtesy of advertisers.

Preferences, browsers, and intent

Although "opt out" mechanisms for web tracking have been discussed for years, the DNT HTTP header approach was first proposed by Mozilla's Mike Shaver. It has subsequently been developed under the stewardship of the World Wide Web Consortium's (W3C) Tracking Protection Working Group. According to the latest draft of the specification, DNT is an optional HTTP header field that can take either 0 or 1 as a value, where 1 indicates that the user prefers not to be tracked, and 0 indicates that the user prefers to allow tracking. The key issue, however, is that the header is intended to represent a user preference — which most interpret to mean a conscious choice on the user's part — and it must not be sent at all if the user has not expressed such a preference to the browser.

Initially Mozilla was the only browser vendor behind DNT, but Opera added support in July in Opera 12, as did Apple a few weeks later in Safari 6. Google added support in Chromium on September 13. In all four browsers, the DNT setting must be manually enabled in the application preferences. Mozilla contended from quite early on that this is a critical facet of making DNT a workable solution. If DNT were enabled automatically or by default, it would no longer represent "a choice made by the person behind the keyboard", but one made by the browser vendor.

The decision was controversial — after all, reasoned critics, who in their right mind wants to be tracked? But Mozilla stood firm, and eventually the other browser makers followed suit. Until June 2012, that is, when Microsoft announced that Internet Explorer (IE) 10 (which is scheduled to ship with Windows 8) would present the DNT option as a check-box shown to the user during installation, with the do-not-track option selected by default.

But enabling DNT by default violates the specification, opponents argued, and strips it of its meaning. And if the DNT header does not reflect an actual user's decision, the argument goes, advertisers will be justified in ignoring it. Apache's Roy Fielding objected strongly enough that he committed a change that causes the web server to un-set the DNT header when it is sent by IE 10. Fielding is a member of the W3C Tracking Protection Working Group, and his log message for the commit said that "Apache does not tolerate deliberate abuse of open standards". He elaborated on that interpretation in the inevitable argument that followed on GitHub, calling Microsoft's decision broken because it violates the specification's requirement that the DNT header default to "unset." Apache, he said, "has no particular interest in what goes in the open standard -- only in that the protocol means what the WG says it means when the extra eight bytes are sent on the wire."

Conspiracy theorists might suspect that Microsoft's decision is a subtle ploy to undermine DNT entirely to curry favor with advertisers and other user-tracking firms. If so, the advertising world is doing an excellent job of maintaining a cover story; the Association of National Advertisers (ANA) publicly criticized the decision in an open letter to Microsoft management.

Step right up

Regardless of what happens on the browser and server fronts, DNT still relies on voluntary compliance on behalf of site administrators and service providers — and, by extension, compliance that matches up with what the user intends. The meaning of DNT might seem to be straightforward, but the people who make their money tracking users cannot be forced to agree. In September, Ed Bott at ZDNet reported that the Interactive Advertising Bureau (IAB) and the Digital Advertising Alliance (DAA) "devised their own interpretation" of DNT, under which they would continue to collect information, but would refrain from using that information to deliver targeted ads to the browser. Presumably that restraint lasts only for the duration of the browsing session in which DNT is sent.

Lest anyone propose a "Do Not Target Ads" HTTP header that IAB and DAA might conversely interpret as a reason to stop collecting tracking information, remember that nothing obligates advertisers or other information brokers to react to the header at all. Grant Gross at IDG said at least one site, a "tech-focused think tank" called the Information Technology and Innovation Foundation (ITIF), has unilaterally decided it will simply ignore the DNT header, and its site will report that fact to visitors.

Other members of the advertising business have embarked on their own campaigns to nip DNT in the bud. In June, the US Senate held hearings about tracking and DNT in particular. As the Electronic Frontier Foundation (EFF) observed, ANA representative Bob Liodice testified at the hearings that DNT would undermine cybersecurity, including "issues such as online sexual predators and identity theft". The Senate did not seem to buy Liodice's argument (Senator Jay Rockefeller, chairman of the Committee on Commerce, Science, and Transportation, declared the cybersecurity argument "a total red herring"), although the EFF noted that online tracking does raise important law enforcement questions in addition to its advertising angle.

Most recently, DNT critics gathered at the W3C Tracking Protection Working Group meeting in Amsterdam, where the Direct Marketing Association (DMA) proposed that an exception be added to the DNT specification for "marketing." The EFF blog entry about the meeting quotes the DMA representative as saying:

Marketing fuels the world. It is as American as apple pie and delivers relevant advertising to consumers about products they will be interested at a time they are interested. DNT should permit it as one of the most important values of civil society.

Such an "exception" would seem to cover the precise tracking scenario for which DNT is designed, and indeed other members of the working group fought back. Fielding accused DMA of "raising issues that you know quite well will not be adopted". The EFF views DMA's participation in the meeting as an attempt to undermine or derail the specification-writing process. That is a bit of a judgment call, but it is clear from the latest traffic on the working group's mailing list that DMA, DAA, and other advertising groups are not meshing well with the software industry representatives who typically account for the bulk of W3C participation. In recent weeks there have been multiple threads about redefining basic terms like "service provider" and "user agent" that indicate (at the very least) a culture clash.

On the plus side, there have been sites and web services that have voluntarily announced their intention to comply with DNT; Twitter is the highest-profile. But the specification is far from completion, and as recent events show, voluntary compliance will only take care of a subset of the data-collecting entities on the web today. In the GitHub comment linked to above, Fielding speculated that the long-term ploy of DNT advocates was to get widespread adoption, then to push for mandatory compliance through legislation. Whether that will happen is anyone's guess; the US Federal Trade Commission (FTC) has endorsed DNT, which in addition to the US Senate hearings might provide enough evidence to make the advertising industry wary.

Implementing a campaign of "good enough for most" self-regulation would be one path to avoiding such government oversight, and derailing or gutting the specification could be effective, too. At the moment, the advertising business seems to be pursuing both tactics. It is up to the W3C and privacy advocates to respond, but at least for the time being the only guaranteed way for users to safeguard their privacy remains the do-it-yourself approach: Tor, NoScript, Adblock Plus, and so on. A world where user-tracking is simply not an issue sounds nice — it just doesn't sound likely in the near-term.

Index entries for this article
Security	Privacy
Security	Web browsers

to post comments

Do Not Track Does Not Conquer

Posted Oct 18, 2012 12:04 UTC (Thu) by AndreE (guest, #60148) [Link] (4 responses)

It's seems despite all my time at university studying Plato, Descarte, Mill, Kant, Wittgenstein, Foucault, et. al., I failed to learn that targeted advertising was one of the corner stones of civil society.

I also didn't realise that man has an a priori predisposition to being tracked. And that NOT tracking him without his explicit permissions intrudes upon one of his fundamental freedoms.

Well, at least standards compliance is held in high regard.

Do Not Track Does Not Conquer

Posted Oct 18, 2012 13:34 UTC (Thu) by njwhite (guest, #51848) [Link] (3 responses)

Well said.

The idea in the spec that default behaviour should be "please track me" seems dumb. I know it's technically more "I don't mind if you do," but the history of the web thus far makes it pretty clear that that's how it should be interpreted. To spin any alternative to this as "reducing user choice" is ludicrous.

I presume the defaults are really that way in order to preemptively placate the advertising industry, but I wish they were honest about that.

But whatever, I have zero faith in "voluntary compliance" with this stuff. Or government mandated compliance, for that matter.

Technologists have to be bold and accept that tracking is basically always dangerous and a bad idea, and design systems around that. It sucks that at present it's only technically savvy people who can protect themselves reasonably, and no amount of voluntary good behaviour by industries who are so morally dubious, and derive their income from tracking, is going to change that.

Do Not Track Does Not Conquer

Posted Oct 18, 2012 19:01 UTC (Thu) by iabervon (subscriber, #722) [Link] (1 responses)

We don't need a header to specify that the user wants the default site behavior. It only makes sense to send any header at all if the browser actually has some information that the server doesn't have (whether that's user preference or browser capabilities). Sites will continue to do what they're presently doing for users who don't do anything explicitly. They'll only change their behavior for users who do something explicitly, which means that, in order for this header to be worthwhile, it must be possible for users to make the setting more restrictive than the default. Changing the default site behavior is a legitimate goal, but it's not a technical goal that can be accomplished with a protocol extension. The value of a protocol extension is to let requests be different from each other, so that sites can treat them in different ways and comply with actual desires.

If you want sites to pay any attention to any new header, it must be in the site's interest to do so; otherwise, they'll ignore it in ways that are just hard to notice. In order to get sites to actually respond to the DNT header, you need a substantial portion of the people who set it to 1 to watch for site being inappropriately knowledgeable and avoid them and tell their friends the site is creepy. If the general population isn't going to contribute to enforcement like that, it'll be meaningless if it's the default.

Do Not Track Does Not Conquer

Posted Oct 19, 2012 10:32 UTC (Fri) by AndreE (guest, #60148) [Link]

This is pretty obvious.

Which makes Mozilla completely illogical and transparent rhetoric about the user's true desires all the more galling.

Do Not Track Does Not Conquer

Posted Oct 20, 2012 7:19 UTC (Sat) by erwbgy (subscriber, #4104) [Link]

I presume the defaults are really that way in order to preemptively placate the advertising industry, but I wish they were honest about that./p>

Nope. The point of the default being 0 is so that it is clear that the user set the DNT value and not the browser vendor. That way it specifies an actual user preference that advertisers will find harder to ignore.

Setting the default to 1 like IE is doing makes it no longer a preference that the user has explicitly stated and advertisers can just ignore it saying: "the user didn't specify DNT, they just happen to be using IE".

Do Not Track Does Not Conquer

Posted Oct 18, 2012 16:21 UTC (Thu) by ThinkRob (guest, #64513) [Link] (10 responses)

It's the evil bit. Only this time it wasn't proposed on 1 April, and nobody seemed to realize the humor in having a completely voluntary "please don't do bad stuff" standard with no mechanism for determining compliance.

How anybody thought this would have any meaningful effect is a source of much amusement.

Do Not Track Does Not Conquer

Posted Oct 18, 2012 17:49 UTC (Thu) by rillian (subscriber, #11344) [Link] (9 responses)

The copyright lobby has been fairly successful in hanging legal enforcements on an "evil bit". Do Not Track has similar advantages.

Expressing a clear user preference both removes the argument that that person wants desires tracking by default, and provides a place to hang privacy legislation, which really can compel corporate behaviour.

Do Not Track Does Not Conquer

Posted Oct 20, 2012 18:15 UTC (Sat) by giraffedata (guest, #1954) [Link] (8 responses)

Though no one has said it, I see clear implications that some believe nobody wants to be tracked, and that advertisers know that. Well, that isn't true. Advertisers believe users prefer targeted advertising to random advertising and I know that's not an unreasonable belief, because I do. I hate random advertising, and I would notice a degradation if I switched to a browser that told advertisers I'd prefer random ads.

Do Not Track Does Not Conquer

Posted Oct 20, 2012 18:55 UTC (Sat) by sfeam (subscriber, #2841) [Link] (4 responses)

There was a fascinating article in the NYT earlier this year documenting that advertisers correctly know that shoppers hate to be targeted. To work around this they deliberately mix random ads with targeted ads so that the targeting isn't so obvious. Why do the shoppers hate being targeted? The article uses a real example of Target (the company) being so clever that it could figure out when a shopper was newly pregnant and therefore it would send ads for baby clothes, diapers, etc. But the shoppers' reaction tended to be OMG, how did they find out I'm pregnant!?. This did not achieve the desired increase in sales of baby gear.

Do Not Track Does Not Conquer

Posted Oct 20, 2012 20:28 UTC (Sat) by giraffedata (guest, #1954) [Link] (3 responses)

There was a fascinating article in the NYT earlier this year documenting that advertisers correctly know that shoppers hate to be targeted.

OK, I read it and what one advertiser really concluded was this:

We have the capacity to send every customer an ad blooklet, specifically designed for them, that says, "Here's everything you bought last week and a coupon for it." ... With the pregnancy products, though, we learned that some women react badly.

That's a long way from saying advertisers know everyone hates targeted ads. In fact, it makes a good case for advertisers wanting a credible "do not track" header from browsers. Maybe with that, they could filter out those women who would react badly.

(The article also talked about public relations fallout, which again might be counteracted if prospects had a way to shut off the targeting, even if they rarely use it).

Do Not Track Does Not Conquer

Posted Oct 21, 2012 10:23 UTC (Sun) by bosyber (guest, #84963) [Link] (2 responses)

your quote:
"Here's everything you bought last week and a coupon for it."
shows a fundamental issue with those targeted ads (heh, originally I found I wrote attacks, hm):

Why would people want an ad for something they bought already? Hardly ever unless it is only about weekly shopping. And then they don't need to be enticed to buy it as it is already on their shopping list, evidently. For one-time-only buys it is just as useless for the opposite reason.

In my experience, that makes it more annoying - yes targeted, but too late/useless. To make it useful, they'd need to predict buys. And that can be pretty creepy, like with the pregnancy stuff. If they get it right, which is really hard.

The Amazon 'other people that looked at/bought this also bought Y' is occasionally useful, when the items deal with a specific well defined topic (say learning about a certain programming language), but even there it has a lot of misses. For fiction it can be really off-putting even.

Do Not Track Does Not Conquer

Posted Oct 21, 2012 17:27 UTC (Sun) by giraffedata (guest, #1954) [Link] (1 responses)

Why would people want an ad for something they bought already?

Maybe I didn't include enough context, but I'm sure what the advertiser was talking about was consumables, such as groceries and cleaning supplies.

I can easily believe coupons for those work, because without the coupon, the person might delay restocking, and consequently consuming, or might go to a different store to restock.

Obviously, the system isn't perfect. Sometimes the price you pay for sending someone a coupon that works is you have to send him 5 that don't. Amazon kept pressing me to buy a certain model of garbage can for a month after I bought it - from Amazon. But I know the program that did that works on average.

Do Not Track Does Not Conquer

Posted Oct 22, 2012 6:32 UTC (Mon) by bosyber (guest, #84963) [Link]

Okay, I see, that might work then. Though as you say, it still is tricky to get right.

I suppose that we live in different areas (I live in the Netherlands) - I know hardly anyone who seriously uses coupons - sure we may watch what the advertising leaflets of the grocery stores have on offer and it might have some influence on where we buy what, but to be honest, the weather and other activities have more influence. Different experiences for different people I guess :)

Do Not Track Does Not Conquer

Posted Oct 20, 2012 19:39 UTC (Sat) by viro (subscriber, #7872) [Link]

Then your adblock config obviously needs fixing. As far as I'm concerned, any ad delivered to me is (a) targeted incorrectly and (b) demonstrates a failure of filtering on my side...

Do Not Track Does Not Conquer

Posted Oct 22, 2012 9:04 UTC (Mon) by njwhite (guest, #51848) [Link] (1 responses)

It's just lucky that collecting and sharing massive quantities of information about a person's habits and beliefs isn't dangerous. Oh wait...

Besides which, targetted advertising is still advertising. It still is intended to get you to make a less rational decision than you would otherwise. It's just more tailored to you. So more effective. So better at manipulating you.

I can't really understand why anybody would want targetted advertising. I kind of presume they can't have really thought about the implications very hard. Do argue with me, though ;)

Do Not Track Does Not Conquer

Posted Oct 22, 2012 20:33 UTC (Mon) by giraffedata (guest, #1954) [Link]

targeted advertising is still advertising. It still is intended to get you to make a less rational decision than you would otherwise.

That is a very narrow view of advertising. There is one kind of advertising that is intended to get you to make a less rational decision, but there is plenty of advertising that is intended to educate you so you can make a better rational decision. Many times the education is simply letting you know the product is available. Other times, it's telling you something you didn't know about the product. In some cases, advertising brings your attention to a feature of the product you would otherwise overlook in your rational decision-making process.

The basic educational aspect of ads sometimes gets lost in the creative ways the ad must present the information in light of the audience's limited mental capacity -- advertisers are fighting for every millisecond of your thinking time and byte of your memory -- but that doesn't change the ad's objective.

I can't really understand why anybody would want targeted advertising. I kind of presume they can't have really thought about the implications very hard. Do argue with me, though ;)

No one can argue with you unless you get more specific than you have so far about those implications.

Do Not Track Does Not Conquer

Posted Oct 18, 2012 21:18 UTC (Thu) by blitzkrieg3 (guest, #57873) [Link] (5 responses)

When do not track first came out I remember it was google's response to a Mozilla developer that came up with a sort of ad-blocker for cookies. Does anyone remember this? Or am I making this up?

Do Not Track Does Not Conquer

Posted Oct 19, 2012 1:12 UTC (Fri) by Tobu (subscriber, #24111) [Link] (4 responses)

Are you thinking of Google's "analytics opt-out" addon? And yeah, I suspect there are ways to get some genuine client-side protection against third-party tracking (by shutting down ipc between origins, be it through cookies or whatever — a page accessing another origin's cookies through an iframe would either block or get cookies namespaced by the outer origin).

Do Not Track Does Not Conquer

Posted Oct 19, 2012 5:35 UTC (Fri) by cpeterso (guest, #305) [Link] (3 responses)

The Ghostery add-on for Firefox and Chrome is an effective client-side "tracker blocker."

Do Not Track Does Not Conquer

Posted Oct 21, 2012 5:50 UTC (Sun) by branden (guest, #7029) [Link] (2 responses)

Ghostery?

No thanks.

Do Not Track Does Not Conquer

Posted Oct 22, 2012 9:05 UTC (Mon) by njwhite (guest, #51848) [Link]

Good spot, I didn't know that. (yay for having such information buried in smallprint)

Do Not Track Does Not Conquer

Posted May 30, 2015 21:40 UTC (Sat) by Kamilion (subscriber, #42576) [Link]

Woo, good thing I didn't actually click on that link, but just hovered over it to see where it went.
If I *HAD* gone, I might actually have been bound by their EULA! But as it is, I've never seen it, and it's not presented upon installation; so I can treat it as if it doesn't exist and isn't enforceable.

Right now there's a number of choices.
I use a combination of extensions.
Ghostery is pretty popular.
http://disconnect.me/ is another popular one.
Even the EFF's weighed in: https://www.eff.org/privacybadger

But what I've had the best luck with so far is uMatrix:
https://github.com/gorhill/uMatrix/wiki

And it's 'younger brother', uBlock Origin.
https://github.com/gorhill/uBlock

However, uMatrix is a heck of a sledgehammer, and it's easy to put holes in the drywall of a lot of sites.
https://github.com/gorhill/uMatrix/wiki/Using-uBlock-with...

Both uBlock Origin and uMatrix are open source GPLv3.

Yes, that's right, I'm using five extensions to try and keep my privacy high and bandwidth low.
Privacy Badger eats cookies, disconnect.me destroys annoying social networking buttons, uBlock Origin isolates all the domains serving malware, and uMatrix keeps me from tripping over advertiser-redirects when clicking links.

On second thought, I rarely see ghostery doing anything anymore, and it's actively conflicting with disconnect.me and causing ignorable extension errors like this:

"This extension failed to redirect a network request to about:blank because another extension (Ghostery) redirected it to data:application/javascript;base64,ZnVuY3Rpb24gcXVhbnRzZXJ2ZSgpe30="

Maybe it's time I gave ghostery the boot; I've cycled out all of my other extensions over time as new ones were introduced, or performance was improved (uBlock Origin has definitely reduced memory usage over AdblockChrome) in some way.

Time to open Ghostery up in notepad++ and apply ye olde reverse engineering talent against it... I can probably figure out how to dump the settings I've cultivated into a text file suitable for loading in uBlock Origin...

Do Not Track Does Not Conquer

Posted Oct 20, 2012 11:17 UTC (Sat) by paulj (subscriber, #341) [Link] (3 responses)

So, why was DNT not made a tri-state - "Default", "Yes", "No"?

Do Not Track Does Not Conquer

Posted Oct 20, 2012 16:06 UTC (Sat) by alonz (subscriber, #815) [Link] (2 responses)

Because (a) it would have made the spec more complicated, and (b) the authors of the DNT spec believed browser implementors will actually read the spec (including non-technical overview sections) and make rational decisions?

Do Not Track Does Not Conquer

Posted Oct 20, 2012 18:08 UTC (Sat) by giraffedata (guest, #1954) [Link] (1 responses)

The header does not direct the server to do anything, so "default" doesn't make any sense. The three states provided for in the spec are: "I prefer not to be tracked," "I prefer to be tracked," and no information about the user's preference. The latter is encoded by not sending the header, and is the only sensible thing for a browser to do without active directions to the contrary from the user.

And giving the user the chance to uncheck a checked box isn't active enough. An advertiser would be justified in considering the header not credible if a major web browser were known to work that way.

Do Not Track Does Not Conquer

Posted Oct 20, 2012 19:12 UTC (Sat) by paulj (subscriber, #341) [Link]

Duh, of course. I must have had some major malfunction in the semantic parser in my brain when reading this article. Somehow I got the impression that Mozilla and Chrome were also sending the header without user-involvement, sending "Track" by default.

It's optional, so "Don't send" is an option and it's already tri-state. Of course :).

Do Not Track Does Not Conquer

Posted Oct 29, 2012 9:07 UTC (Mon) by sustrik (guest, #62161) [Link]

DNT reminds me of "Evil Bit" in reverse.