Mozilla is wasting no time putting its proposed “Do Not Track” HTTP header onto the web. The latest Firefox nightly builds now include support for the new header and it may even make the final release of Firefox 4, due later this month. The new HTTP header, which Mozilla announced last week, is designed to tell online advertisers to stop tracking your web browsing habits.
If you’d like to see how Mozilla has implemented the header, grab the latest Firefox nightly build. There have been a few changes since Mozilla first announced its plan, including renaming the header to simply “DNT.”
To turn the header on, open Firefox’s preferences panel and select the Advanced tab (eventually Mozilla will add the option to the more appropriate Privacy tab). There you’ll see a new option to “Tell websites I do not want to be tracked.” Of course, even if you turn the header on today and broadcast “DNT: 1” to the web, it won’t do anything.
For the header to actually protect your privacy, websites and online advertisers will have to support it. While there’s plenty of debate as to whether they ever will, it definitely won’t happen until the feature is widely available. Mozilla is hoping that including the new header in Firefox 4 will spur advertisers to support it.
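What honoring the header could look like on the server side, as an added example (not Mozilla’s code or any ad network’s): a Python WSGI middleware that, for requests carrying “DNT: 1”, neither reads nor sets an identifier cookie. The cookie name `ad_id`, the sample app, and treating the older “X-Do-Not-Track: 1” the same way are assumptions.

```python
from wsgiref.util import setup_testing_defaults

TRACKING_COOKIES = {"ad_id"}  # hypothetical name of an ad network's identifier cookie

def wants_no_tracking(environ):
    """True if the request carries 'DNT: 1' or the older 'X-Do-Not-Track: 1' (assumed value)."""
    # WSGI exposes request headers as HTTP_<NAME>, with dashes turned into underscores.
    values = (environ.get("HTTP_DNT", ""), environ.get("HTTP_X_DO_NOT_TRACK", ""))
    return any(v.strip() == "1" for v in values)

def cookie_name(pair):
    return pair.split("=", 1)[0].strip()

class HonorDNT:
    """WSGI middleware: for opted-out requests, hide and never set tracking cookies."""

    def __init__(self, app, tracking=TRACKING_COOKIES):
        self.app, self.tracking = app, set(tracking)

    def __call__(self, environ, start_response):
        if not wants_no_tracking(environ):
            return self.app(environ, start_response)
        # Inbound: remove identifiers already stored in the browser so the app cannot log them.
        pairs = [p for p in environ.get("HTTP_COOKIE", "").split(";") if p.strip()]
        environ["HTTP_COOKIE"] = "; ".join(
            p.strip() for p in pairs if cookie_name(p) not in self.tracking)
        def filtered(status, headers, exc_info=None):
            # Outbound: drop Set-Cookie headers that would (re)issue an identifier.
            kept = [(k, v) for k, v in headers
                    if not (k.lower() == "set-cookie" and cookie_name(v) in self.tracking)]
            return start_response(status, kept, exc_info)
        return self.app(environ, filtered)

def ad_app(environ, start_response):
    """Constructed sample app: sets a session cookie and an ad identifier, echoes cookies seen."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=s1; HttpOnly"),
                              ("Set-Cookie", "ad_id=u-42; Max-Age=31536000")])
    return [environ.get("HTTP_COOKIE", "").encode()]

def simulate(request_headers):
    """Run one request through the middleware; return (cookies set, cookies the app saw)."""
    environ = dict(request_headers)
    setup_testing_defaults(environ)  # fills in the mandatory WSGI keys without overwriting ours
    captured = []
    body = HonorDNT(ad_app)(environ, lambda s, h, e=None: captured.extend(h))
    set_names = [cookie_name(v) for k, v in captured if k == "Set-Cookie"]
    return set_names, b"".join(body).decode()
```

The session cookie passes through untouched either way; only the identifier is withheld, which is the distinction the header asks sites to make.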
For now, broadcasting “DNT: 1” will be, as Alexander Fowler, the Global Privacy and Public Policy Leader at Mozilla, puts it, “akin to displaying EFF’s Blue Ribbon campaign.”
The current plan is to test the privacy header in the next beta release of Firefox 4 and then, assuming there are no bugs, roll it out with the final release of Firefox 4 later this month.
But if OpenID is a failure, it’s one of the web’s most successful failures.
OpenID is available on more than 50,000 websites. There are over a billion OpenID enabled URLs on the web thanks to providers like Google, Yahoo and AOL. Yet, for most people, trying to log in to every website using OpenID remains a difficult task, which means that while thousands of websites support it, hardly anyone uses OpenID.
OpenID promised to solve two problems. First, it would offer an easy way to log in to any website without needing to create a new account. And, second, it would enable you to have a consistent identity across the entire web. This worked well with the limited audience of bloggers and tech-savvy users that were part of the original vision.
But then as the vision of OpenID grew to encompass, well, everything, it became bogged down in the details. Despite widespread support, there is no uniform user experience. Every site that supports OpenID does it slightly differently, which only further confuses the majority of people.
The main reason no one uses OpenID is because Facebook Connect does the same thing and does it better. Everyone knows what Facebook is and it’s much easier to understand that Facebook is handling your identity than some vague, unrecognized thing called OpenID. That’s why, despite the impressive sounding billion URLs and 50,000 sites supporting OpenID, it pales next to Facebook Connect. Facebook Connect has been around less than half the time of OpenID and yet it’s been adopted by some 250,000 websites, is available to the hundreds of millions of Facebook users and has the advantage of Facebook’s brand familiarity.
Facebook also added a key ingredient that helped drive other sites to adopt Facebook Connect — sharing user data. One of the reasons more sites support Facebook Connect is that they get a piece of the user pie.
Web publishers never warmed to OpenID since it allows a user to log in to a website and leave a comment on a story, a blog post or a photo while essentially remaining anonymous to the publisher. That anonymous aspect has made OpenID less attractive to publishers who want to collect more data about their readers or interact with them — whether that means following them on Twitter, connecting with them on Facebook or sending them e-mail.
The OpenID Connect proposal aims to solve this shortcoming by using OAuth to allow publishers to request more information from a user when they log in using OpenID. But so far there has been very little support for OpenID Connect. Facebook Connect is still far more popular.
Government sites are also looking to use OpenID rather than tie themselves to Facebook. And the Obama administration has announced plans for an Internet identity system that sounds a lot like OpenID, though the exact details have yet to be revealed.
Eventually OpenID will likely disappear from the web, not because it was a failure, but because identity will be managed in other ways. Mozilla is hard at work putting identity in the browser. It’s not hard to envision Firefox managing your OpenID credentials for you, just as it does today with your passwords. In that sense OpenID may end up like RSS (another tool routinely declared dead), invisibly powering features behind the scenes, essential, but unnoticed. Eventually online identity may even come full circle and move back into the real world — chips in your phone, tokens that generate random codes or biometric devices.
The legacy of OpenID may well be that it was ahead of its time, but that hardly makes it a failure.
Not to be outdone by Mozilla, Google has released a new add-on for its Chrome web browser that allows users to opt out of online advertising tracking. While Mozilla’s privacy tool is still just a proposal, and involves a new HTTP header, Google’s add-on uses the more practical, cookie-based approach and works today.
The Keep My Opt-Outs add-on works like a very persistent cookie, but this one is working in your favor. The add-on uses Chrome’s internal cookie APIs to set the opt-out flag for each advertising network that participates in the opt-out program created by the ad industry. Not only is it easier than setting those cookies yourself, the add-on ensures that, even if you clear the rest of your cookies, the opt-out cookies remain intact.
While it works, Google’s approach is something of a hack. The add-on intercepts and rewrites cookies, which is not exactly an ideal solution. Still, if you’re a Chrome user and you’ve been looking for a way to stop advertising cookies today, the Keep My Opt-Outs add-on has you covered.
Keep My Opt-Outs also makes a viable alternative to ad-blockers, particularly for those concerned that ad-blocking add-ons are denying their favorite sites much-needed revenue. Provided you don’t mind a few advertisements here and there, you can use the new add-on in conjunction with some smart cookie settings to support your favorite sites without forfeiting your privacy. And for those who do use ad blockers, keep in mind that just because an ad is not shown doesn’t always mean it can’t set cookies.
In the long term, Mozilla’s header-based approach to stopping cookie-based tracking is a better solution, and we expect, if the idea catches on, Chrome and other browsers will support it as well. For those who want something that works today, Google’s new add-on fits the bill.
While the new header is just a proposal at the moment, Mozilla already has some code ready and is considering adding the feature to future versions of Firefox. The current plan is to create a new preferences option that would allow you to opt out of tracking. Check the box in the preferences and Firefox will start sending the do-not-track header each time you request a new page.
Interestingly, the header Mozilla proposes is not the same as the “X-Do-Not-Track” proposal, which is already implemented in Firefox add-ons NoScript and Adblock Plus. For more details on how Mozilla’s new HTTP header will work, see Mozilla developer Sid Stamm’s blog post.
Like Mozilla’s proposed privacy icons, the problem with the new header is getting third-party ad sites to obey it. Mozilla calls it a “chicken and egg” problem and hopes to jumpstart the idea by including the header in future releases of Firefox. At that point it would be up to third party websites to support the header and, as Mozilla puts it, “honor people’s privacy choices.”
Mozilla has taken the lead among browser vendors to make a site’s privacy settings more explicitly visible. It’s doing so by proposing visual cues in the browser that indicate what level of privacy you’re currently browsing at, and what pieces of your personal data the site you’re currently visiting is sharing with the rest of the web.
The idea behind Raskin’s proposal is that the browser is the most logical place to display identity and privacy information to the user as they click around on the social web. The end goal is to produce a set of warnings similar to the way that Firefox (and other browsers) currently handle phishing attack warnings, using visual icons and simple language to explain what you’re getting into when you load a page with a different level of privacy or security.
For the active social web user, keeping track of which bits of your data are public and which are private on different sites is a chore. Some websites share your photos, status updates, your list of friends, who you’re following and other data by default. Some share nothing. The rest are somewhere in the middle.
Part of the problem is the privacy policies themselves. They are complex, mind-numbingly long legal documents. We routinely ignore them, breezing past them by clicking “I agree.” Once clicked, your rights are compromised, and you may not be able to fully restore them.
A set of icons in the browser, to quickly and easily allow users to know what will happen to their data, means that users don’t need a law degree to know what’s happening to their images, status updates and other data.
The big difference between privacy icons and the phishing warnings your browser already offers is that these icons are targeted at the websites themselves. The biggest counter-argument to Raskin’s proposal is that there’s nothing stopping a site from displaying these icons and then doing the opposite.
In other words, sites using the icons maliciously would face legal consequences. Of course differences in international laws mean enforcing such violations would be complex.
Still, as Raskin points out, privacy policies are fast becoming a selling point for many sites. Nearly every site we’ve tested lately has some sort of large, obvious banner that proudly proclaims the site will never share your data. Those are the kinds of sites, says Raskin, that would adopt privacy icons.
But it’s still unlikely any site would ever adopt the negative icons. If you’re sharing everything users give you with anyone who pays for it, you probably don’t want to advertise that. So the privacy icons actually become most useful when they aren’t present. Of course, as Raskin writes, “people generally don’t notice an absence; just a presence.”
The solution to that problem is to make the privacy icons machine readable. The workflow would be something like this: You visit a website and decide to sign up. When Firefox encounters the sign-up form, it looks for the privacy icon. If it finds it, Firefox displays it. If Firefox doesn’t see an icon it warns you that your information may be shared using the negative icon. Either way, you know where you stand.