All posts tagged ‘DNT’

File Under: privacy, Web Standards

Microsoft, Apache Square Off Over Privacy Settings

Apache, the most common server on the web, is giving Microsoft’s Internet Explorer 10 a privacy smackdown. A newly submitted patch tells Apache to ignore IE 10’s controversial Do Not Track (DNT) settings.

The Do Not Track header is a proposed web standard for browsers to tell servers that the user does not want to be tracked by advertisers. When IE 10 is officially released, DNT will be supported by all the major web browsers (except Google Chrome), but only Microsoft has elected to turn on DNT by default. That means that all IE 10 users will be telling advertisers to back off, which some argue is not what DNT was intended to do.

The changes to Apache mean the server will ignore any DNT header sent by IE 10. That means IE users won’t be able to stop advertisers from tracking them around the web.

The changes to the Apache web server were written by Adobe’s Roy Fielding, one of the authors of the Do Not Track standard. Here’s Fielding’s reasoning for the patch:

The only reason DNT exists is to express a non-default option. That’s all it does. It does not protect anyone’s privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.

Microsoft deliberately violates the standard. They made a big deal about announcing that very fact. Microsoft are members of the Tracking Protection working group and are fully informed of these facts. They are fully capable of requesting a change to the standard, but have chosen not to do so. The decision to set DNT by default in IE10 has nothing to do with the user’s privacy. Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one. You can figure out why they want that. If you have a problem with it, choose a better browser.

It sounds like a conspiracy theory, but then Microsoft’s track record on the web means conspiracy theories have a ring of truth to them. The comments on GitHub point out any number of counter conspiracy theories as well — that Apache is doing this to protect advertisers, that DNT itself will only be supported as long as it’s off by default, and so on.

The only thing that really matters is this: Is Microsoft violating the DNT spec by turning it on by default?

Here’s what the spec says: “The goal of this protocol is to allow a user to express their personal preference regarding tracking … key to that notion of expression is that it must reflect the user’s preference, not the preference of some institutional or network-imposed mechanism outside the user’s control.”

That sounds like making “on” the default setting would be a no-no, since the user would not be making a choice to turn it on. But the spec continues:

We do not specify how that preference is enabled: each implementation is responsible for determining the user experience by which this preference is enabled.

For example, a user might select a check-box in their user agent’s configuration, install a plug-in or extension that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., “Privacy settings: high”) (emphasis mine).

ComputerWorld has a screenshot of what the Internet Explorer 10 setup dialogs show regarding DNT. The user has two choices: Express settings and Customize. Choosing the Express option clearly states that it turns on the DNT header and would appear to comply with the wording of the current spec.

Mozilla has argued in the past that it doesn’t. Fielding obviously feels likewise.

Our take is that the whole thing is smoke and mirrors; DNT itself is highly flawed and who supports it and how is a moot point.

Asking advertisers not to set tracking cookies is like asking Cookie Monster not to eat them. It might work for a while, but it’s not a sound long-term strategy. In fact, relying on anyone else to protect your privacy is, at this stage of the web, not a sound strategy. If you really want to stop advertisers from tracking you, you’re going to have to do it yourself using add-ons like Ghostery or Do Not Track Plus. See our earlier post, Secure Your Browser: Add-Ons to Stop Web Tracking, for more details on how to stop tracking without worrying about DNT.

File Under: privacy, Web Basics

Twitter Improves Privacy Options, Now Supports ‘Do Not Track’

Twitter has jumped on the “Do Not Track” privacy bandwagon.

The company recently confirmed that it supports the Do Not Track header, a user privacy tool originally created by Mozilla that is in the process of becoming a web standard. That means if you visit Twitter in any web browser that supports the Do Not Track header, you can opt out of the cookies Twitter uses to gather personal information, as well as any cookies set by third-party advertisers.

Behavioral tracking, as such practices are often called, is common on the web. Advertisers use cookies to track your clicks, watching which sites you visit, what you buy and even, in the case of mobile browsers, where you go. Often the sites tracking you are not just the sites you’ve actually visited, but third-party sites running ads on those pages.

And it’s not just advertisers tracking your movements; social networks like Facebook and Twitter also follow you around the web. You may not realize it, but Twitter has been tracking your every move for some time. The company doesn’t make a secret of it either. In a blog post announcing Twitter’s new “tailored suggestions system,” Twitter’s Othman Laraki writes, “we receive visit information when sites have integrated Twitter buttons or widgets.”

To be clear, not only is Twitter able to set cookies any time you visit its own domain, whenever you visit a website (like this one) with a “Tweet This” or similar button Twitter can see you there as well. This practice is hardly unique to Twitter; Facebook, Google+ and others are doing the same thing.

Most of the time the information gathered is used to create a better experience for users. In the case of Twitter’s new “tailored suggestions” feature the information is used to build a profile of what you like and then Twitter makes suggestions based on that profile. You can read about exactly what Twitter does with your info and how long it keeps it in the company’s privacy policy.

The problem with such tracking is that it’s necessary for features we want, like smart, targeted suggestions — new users to follow, music you’ll likely enjoy, books you might want to read and so on — but it can also be used for decidedly less friendly purposes. As the downsides of such tracking become better known, a growing number of people are opting out of the tracking. The Mozilla Privacy blog reports that “current adoption rates of Do Not Track are 8.6 percent for desktop users of Firefox and 19 percent for Firefox Mobile users.”

To take advantage of Twitter’s new Do Not Track feature you’ll need to be using a web browser that supports the header. Currently that means Firefox, Opera 12+, Internet Explorer 9+ or Safari 5.1+. Chrome has pledged to add support for Do Not Track, but doesn’t support it just yet. For more information on protecting your online privacy, including tools like Ghostery, which go even further, blocking all tracking cookies, see our earlier post, Secure Your Browser: Add-Ons to Stop Web Tracking.

File Under: privacy, Web Basics

Yahoo Plans Support for ‘Do Not Track’ Web Privacy Tool

Yahoo has announced it will soon support the Do Not Track privacy header across its sprawling network of websites. Supporting Do Not Track means you will soon be able to easily tell Yahoo to stop tracking your movements around the web.

Behavioral advertising, as such tracking is known, is a common practice on the web. Advertisers use cookies to track your clicks, watching which sites you visit, what you buy and even, in the case of mobile browsers, where you go. Often the sites tracking you are not just the sites you’ve actually visited, but third-party sites running ads on those pages.

Much like the Do Not Call registry, the Do Not Track system offers a way to opt out of this third-party web tracking.

The Do Not Track header began life at Mozilla, but has since moved to the W3C where it was converted into a web standard by the Tracking Protection Working Group.

The Do Not Track header now works in every major desktop browser except Google Chrome, though none of them turn it on by default. Still, for privacy-concerned users savvy enough to enable Do Not Track, the header offers a quick and easy way to tell advertisers that you don’t want to be followed while you browse the web.

Numerous online advertising groups already respect the Do Not Track header and refrain from tracking users that enable it. Today’s announcement means that, starting this summer, you can add Yahoo to the list of companies that will stop tracking you if you’ve enabled Do Not Track in your web browser.

Of course, there are still many advertisers and websites that don’t yet support Do Not Track. If you’re concerned about your online privacy and don’t want to rely on the goodwill of advertisers, there are other, more aggressive steps you can take to limit how you’re tracked on the web. See our earlier post on browser add-ons that help stop web tracking for more details.

File Under: privacy

Secure Your Browser: Add-Ons to Stop Web Tracking

Ever wonder who’s tracking your online movements — watching the sites you visit, the links you click and the items you buy? Unless you’ve already taken active steps to stop the tracking, the answer is just about everyone.

Privacy advocates have been working to help raise awareness of the extent to which we are all tracked online. Browser makers like Mozilla have also been working to make consumers aware of what’s happening behind the scenes on the web. Mozilla created and popularized the Do Not Track header, which has now been adopted by all the major browsers. Firefox’s parent company also recently showed off its Collusion add-on as part of the TED 2012 conference.

Collusion is a Firefox add-on that helps you see exactly who is tracking your movements online. It doesn’t stop sites from tracking you, but after Collusion shows you what happens when you browse the web without any tracking protection, you’ll probably want to find something that can stop sites from tracking you.

Not all web tracking is bad. Some services rely on user data to function. For example, if you use Facebook and want to use the company’s ubiquitous Like buttons, Facebook needs to set cookies and keep track of who you are. The problem Mozilla wants to address with Collusion is the fact that most tracking happens without users’ knowledge or consent.

The screenshot below shows the number of websites Collusion found tracking me after I visited the top five most tracker-filled websites according to Privacy Score, namely The Drudge Report, El Paso Times, ReadWriteWeb, TwitPic and Merriam Webster. As a result of visiting just those five sites, according to Collusion, a total of 21 sites were made aware of my visit.

Collusion visualizes who's tracking your web browsing.

That sounds bad, and it is, but it may not even be the full picture. For comparison’s sake I loaded the same five sites and used the Do Not Track Plus add-on, which counted 47 sites with tracking bugs. Want another number? I repeated the test using the Ghostery add-on, which blocked 37 unique sites looking to track me. The variation in the number of tracking elements detected is due to several factors, including what each system considers tracking. (Collusion, for example, does not seem to count analytics or social buttons, while the others do.)

Even at the low end the numbers remain startling. Visiting five websites means somewhere between 21 and 47 other websites learn about your visit to those five.

If the extent of tracking bothers you, there are some steps you can take to stop the tracking. The first would be to head to your browser preferences and turn off third-party cookies. Unfortunately, while that’s a step in the right direction (and you won’t lose any functionality the way you might with the rest of these solutions), some less scrupulous advertisers, including Google, have been caught circumventing this measure.

For a more complete solution you’ll need to use an add-on like Ghostery or Do Not Track Plus, both of which are available for most web browsers. The chief drawback to both of these solutions is that you may lose some functionality. To stick with the Facebook example used earlier, if Ghostery is blocking Facebook scripts then you won’t be able to use Like buttons. Fortunately both Ghostery and Do Not Track Plus allow you to customize which sites are blocked. I recommend blocking everything and then when you encounter something that isn’t working, click the Do Not Track Plus icon and edit the blocking options to allow, for example, Facebook so that Like buttons work (or Disqus so that comments work, etc.). That way you remain protected from the vast majority of invisible tracking, but can still enjoy the web services you choose to trust.

One final note about Webmonkey.com: There are 11 external scripts on this page. Four of them are for the social network buttons at the bottom of most posts. A fifth is for the Disqus comments system. There are also two analytics scripts, one from Google and one from Omniture. In addition to those seven functional scripts there are four ad network scripts from Brightcove, DoubleClick, Omniture and Lotame. (I can’t actually tell for sure what Lotame does, but it definitely collects data.) If you install the add-ons above Webmonkey will not be able to track you. If you don’t, it, like the rest of the web, will.

File Under: privacy, Web Standards

W3C Releases New Web Privacy Standard

The World Wide Web Consortium (W3C) has released the first draft of a new web standard aimed at improving online privacy. The W3C’s new Standard for Online Privacy is a set of tools that will ultimately enable your browser to stop sites from tracking your every move on the web.

The first draft of the new privacy standard revolves around the “Do Not Track” (DNT) HTTP header originally introduced by Mozilla as a part of Firefox 4. The DNT header — a bit of code sent every time your browser talks to a web server — can be used to tell websites you don’t want to be tracked. The goal is to give you an easy way to opt out of often invasive tracking practices like behavioral advertising.

Behavioral advertising refers to the increasingly common practice of tracking your online behavior and using it to tailor ads to your habits. Advertisers use cookies to follow you around the web, tracking which sites you visit, what you buy and even, in the case of mobile browsers, where you go.

Some web browsers, including Internet Explorer and Chrome, offer an opt-out mechanism in the form of a cookie — add the cookie to your browser and participating sites won’t track your browsing. While the cookie-based approach is widely supported by advertisers, if you ever clear your browser’s cookies for any reason, your privacy settings are lost.

Mozilla’s original “Do Not Track” tool offered the same end result — broadcasting your privacy settings to advertisers’ servers — but instead of using a cookie, Mozilla’s DNT effort created a new HTTP header. The header offers a more robust and permanent solution than cookies and it’s easier for users to control via a simple browser preference.

Mozilla's basic overview of how the DNT header might work
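The difference between the two opt-out mechanisms described above, and the effect of a server that discards the DNT header for one browser (as the Apache change in the first post on this page does for IE 10), can be seen in a short simulation. This is an added example, not code from Mozilla, Apache or the W3C draft; the cookie name `ad_optout`, the `MSIE 10.0` User-Agent match, and the `Browser` and `tracking_decision` names are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

OPT_OUT_COOKIE = "ad_optout"    # hypothetical opt-out cookie name
IE10_UA_TOKEN = "MSIE 10.0"     # assumed User-Agent substring identifying IE 10


def tracking_decision(headers, ignore_ie10_dnt=False):
    """Return (may_track, reason) for one request's headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    dnt = h.get("dnt", "").strip()
    if ignore_ie10_dnt and IE10_UA_TOKEN in h.get("user-agent", ""):
        dnt = ""  # the server discards the header for this browser
    if dnt == "1":
        return False, "dnt-header"
    jar = SimpleCookie()
    jar.load(h.get("cookie", ""))
    if OPT_OUT_COOKIE in jar and jar[OPT_OUT_COOKIE].value == "1":
        return False, "opt-out-cookie"
    return True, "no-preference"


class Browser:
    """Constructed stand-in for a user agent: a DNT preference plus a cookie jar."""

    def __init__(self, user_agent, dnt_enabled=False):
        self.user_agent = user_agent
        self.dnt_enabled = dnt_enabled
        self.cookies = {}

    def request_headers(self):
        headers = {"User-Agent": self.user_agent}
        if self.dnt_enabled:
            headers["DNT"] = "1"
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        return headers


def demo():
    cookie_user = Browser("ExampleBrowser/1.0")
    cookie_user.cookies[OPT_OUT_COOKIE] = "1"
    before = tracking_decision(cookie_user.request_headers())
    cookie_user.cookies.clear()  # user clears cookies: the opt-out goes with them
    after = tracking_decision(cookie_user.request_headers())

    # The header comes from a browser setting, so there is no cookie to lose.
    header_user = Browser("ExampleBrowser/1.0", dnt_enabled=True)
    header = tracking_decision(header_user.request_headers())

    ie10 = Browser("Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)", dnt_enabled=True)
    ignored = tracking_decision(ie10.request_headers(), ignore_ie10_dnt=True)
    return [before, after, header, ignored]


if __name__ == "__main__":
    print(demo())
```

The last case shows why discarding the header matters to the user: once the server drops it, a request that carried `DNT: 1` is handled the same as one that expressed no preference at all.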

Earlier this year Mozilla turned its DNT efforts over to the W3C where the Tracking Protection Working Group was formed. The working group thus far includes everyone from the major browser vendors to large websites like Google and Facebook. Consumer advocacy groups like Consumer Watchdog, the Electronic Frontier Foundation and even the U.S. Federal Trade Commission are also participating. This first draft of the new privacy standard is the group’s first public release.

The new spec goes quite a bit further than Mozilla’s original definition of DNT, including sections to define how the header is transmitted, what URI servers should use to respond and how websites are to comply with the preference. Obviously, because this is just the first draft there are still many gaps in the spec.

The new privacy spec is only a first draft, but that’s not the main problem currently stopping DNT from becoming a real-world way to protect your privacy. The real problem is the advertisers. While many are already on board with the new DNT standard, so far few actually obey it. Skeptics often argue that the DNT header won’t truly protect your privacy because there’s no way to force advertising sites to obey it. That is true, and there will no doubt always be some bad apples on the web, but the advertising industry has a surprisingly good track record of self-regulation. Much of that record no doubt stems from fear that, without some degree of self-regulation, governments will step in to impose their own regulation on behalf of consumers.

The W3C’s new privacy standard effort is a long way from finished, and, because it relies on the voluntary participation of advertisers, it will likely never completely protect your privacy. Still, it’s a stronger means of opting out than cookies. Moreover, the existence of an official DNT standard blessed by the W3C just might convince more advertisers to support the initiative.

[Footprints photo by Vinoth Chandar/Flickr/CC]
