Google has finally added support for the DNT (Do Not Track) header to their latest developer build of Chrome. The modification is likely to make it into an official release of Google’s popular web browser before the end of the year.
Do Not Track is a feature that allows users to express a simple yes or no preference about being tracked online.
Chrome is the last of the major browsers to include support for Do Not Track and it means that 2013 is shaping up to be a very important year for web privacy.
The DNT preference tells browsers to send a signal (an HTTP header) to websites that says, simply, DNT:1 for “it’s not OK to track me” and DNT:0 for “it’s OK to track me”.
Currently websites are not obliged to obey these signals and at the moment it’s likely that most websites are functionally unable to obey them (with Twitter the honourable exception). So in practical terms DNT is not a viable way to protect your privacy online today and nor will it be in the near future.
As unpromising as that sounds, Do Not Track has the backing of US and European governments and industry giants like Adobe, Microsoft, Google and Mozilla. For all its faults it is the only web privacy game in town.
Users can only express a DNT preference if they have a browser that knows how to send the DNT header and that’s why support for DNT in Chrome, one of the most popular browsers, is a small but important step forward.
So as of 2013 users of all the major web browsers will be capable of telling websites their tracking preference but only one browser, Microsoft’s IE10, will take the step of assuming users do not wish to be tracked by default.
Chrome, as well as other browsers like Safari and Firefox, will assume that you are expressing no preference about being tracked until you actively switch your DNT setting on or off. Expressing no preference leaves websites free to decide for you if you’d like to be tracked. At the time of writing the draft specification states (with my emphasis):
In the absence of regulatory, legal, or other requirements, servers may interpret the lack of an expressed tracking preference as they find most appropriate for the given user, particularly when considered in light of the user's privacy expectations and cultural circumstances.
Putting the choice in the hands of website owners instead of web users is exactly where we are today so it’s probably safe to assume that expressing no preference will continue to be treated as a de facto DNT:0.
However if you upgrade to IE10 your situation will be even worse.
The draft Do Not Track specification explicitly forbids vendors from creating products with a DNT preference set by default. In such a situation websites are free to ignore DNT signals completely.
Accordingly The Apache Software Foundation, suppliers of the world’s most popular web server, have responded to Microsoft’s initiative by announcing that newer versions of their httpd web server will ignore all DNT headers from IE10.
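To make the three possible states and the IE10 case concrete, here is an added example (not code from this article, the W3C draft or Apache httpd) of how a server could resolve a request to an effective preference. The function names, the "MSIE 10.0" User-Agent token used to recognise IE10, and the choice to treat malformed values as unset are assumptions of the example.

```python
from enum import Enum

class Preference(Enum):
    NO_TRACKING = "DNT:1"    # "it's not OK to track me"
    TRACKING_OK = "DNT:0"    # "it's OK to track me"
    UNSET = "no preference"  # header absent, malformed, or discarded

# Assumption: IE10 is recognised by this User-Agent token.
DEFAULT_ON_UA_TOKENS = ("MSIE 10.0",)

def effective_preference(headers):
    """Return the preference a server acts on for one request."""
    # HTTP header names are case-insensitive, so normalise them first.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if any(tok in h.get("user-agent", "") for tok in DEFAULT_ON_UA_TOKENS):
        # Signal set by the vendor rather than the user: ignored entirely.
        return Preference.UNSET
    # Anything other than "1" or "0" (assumption) counts as no preference.
    return {"1": Preference.NO_TRACKING,
            "0": Preference.TRACKING_OK}.get(h.get("dnt"), Preference.UNSET)

def will_track(headers, unset_means_track=True):
    """Site decision; unset_means_track=True is the 'de facto DNT:0' reading."""
    pref = effective_preference(headers)
    if pref is Preference.UNSET:
        return unset_means_track
    return pref is Preference.TRACKING_OK

# Constructed sample requests (not captured traffic).
CHROME_UA = "Mozilla/5.0 Chrome/23.0"
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
SAMPLES = {
    "chrome, DNT on": {"User-Agent": CHROME_UA, "DNT": "1"},
    "chrome, DNT off": {"User-Agent": CHROME_UA, "DNT": "0"},
    "chrome, never set": {"User-Agent": CHROME_UA},
    "ie10, default": {"User-Agent": IE10_UA, "dnt": "1"},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        pref = effective_preference(req).value
        print(f"{name:18} {pref:14} track={will_track(req)}")
```

The IE10 request carries DNT:1 yet resolves to no preference, so under the de facto DNT:0 reading it is tracked like a browser that never sent the header.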
So just as we get to announce that Google has finally joined the Do Not Track club and it seems like we have all the major players signed up – Microsoft, albeit for all the right reasons, appears to be leaving by the back door.
Photo by CMEarnest (Own work) [CC-BY-SA-3.0], via Wikimedia Commons
Woman with laptop on mountain image, courtesy of Shutterstock.
AVG antivirus has had a DNT web plugin for ages. I've been using it with Chrome and it seems to be moderately effective.
Of course I'm not daft enough to simply rely on a single security measure, but it's nice to have it there.
The support is great, but if everyone is free to ignore it – or can't listen to it even if they want to – it seems inconsequential at this point ("… at the moment it's likely that most websites are functionally unable to obey [DNT:1 commands] … so in practical terms DNT is not a viable way to protect your privacy online today and nor will it be in the near future").
Are we then to presume that when a product like DNT+ (from Abine) says that it "blocked" thousands of tracking attempts (on IE), that it only ATTEMPTED to do so, or WOULD HAVE if it could have?
If so, what does one gain or lose – in any terms: privacy, performance, speed, etc. – by installing it now while it sounds like a placebo?
I don't know anything about DNT+ but I imagine it doesn't use the DNT standard to prevent tracking. I think the only thing they share is the name.
It's perfectly possible to create a tool which can prevent sites from tracking you by blocking sites from setting cookies, client-side storage, flash cookies etc.
So you can prevent sites from tracking you with but you're doing so by interfering with their functionality not by switching them to a non-tracking mode. It's hard to tell the good cookies from the bad so you might prevent a site that you want to use from working properly by blocking tracking like this. And the sites are still trying to track you, they just can't, they haven't suddenly become nice and cooperative.
The Do Not Track and DNT that I refer to in the article are colloquial titles for the specifications produced by the W3C's Tracking Protection Working Group (http://www.w3.org/2011/tracking-protection/).
Those specifications set out a much more cooperative situation where you are able to request that a site doesn't track you and that site respects your wishes.
M.
Mark:
You're correct. DoNotTrackPlus (DNT+) doesn't rely on the DNT standard to prevent tracking. It is a tool that does exactly what you describe in the second paragraph of your reply to DukesterTX's post.
The problem is that it (currently) supports only Chrome, Firefox, Safari, and Internet Explorer. If you use a browser that DNT+ doesn't support, it won't work…which is why I use Ghostery in SeaMonkey's Navigator, my browser of choice.
I don't track anyone with my website, but then I value my privacy and I assume others want me to treat theirs with the same respect. I'm sorry to say that commercial (and other sites) that do not honor my SeaMonkey browser's DNT setting don't operate by a similar golden rule. Since DoNotTrackPlus (so far) refuses to support SeaMonkey, I've installed the Ghostery add-on, and I can verify that it works in SeaMonkey. When it says it blocks something, it's blocked. Period.
Alas, Ghostery engenders the same kind of problem that the NoScript extension imposes—namely, that blocking 3pes elements and cookies can also disable the functionality of many websites. In that case, I often end up using a second browser (such as Safari) to access those sites, and then purge all the cookies at the end of a session. Fortunately, Ghostery's options include the ability to selectively enable or disable specific 3pes elements and cookies (the latter being organized into four categories: Advertising, Analytics, Trackers, and Widgets…which does make it easier to decide which ones to block).
Of course, it would be far easier if websites would simply honor the DNT setting…but I suspect that it's going to be a very long time until that happens. Jerks.
Every new computer purchaser should be informed that they should set up a standard user account for themselves on their new computer and leave the administrative account as an extra account for installing and fixes. Computer users should NOT utilize their Administrative account for every day online usage for security purposes. No one ever informs us of this. Instead kids are given laptops as presents and their computers are constantly infested. Why? Because they utilize the administrative account on their new laptop. Kids need to be protected, parents need to be informed to properly protect their children’s computers.
Some problems exist with sites that have the Facebook “F” on them. I utilize the NoScript and private browsing with Firefox. If I visit a website that has a redirect to Facebook link, it locks up my computer with scripts, sometimes freezes. I am unable to utilize Internet Explorer at all due to error codes about allowing scripts. Some websites will not work unless you allow tracking cookies.
Re. the "Woman with laptop on mountain" image in the article: Wretched posture, horrifying ergonomics, craning her neck forward and down to peer at the screen, and she's wearing Cruel Shoes™ into the bargain…eeewww. It's painful to even look at her.
Good article, though. 😉