More Choice and Control Over Online Tracking

Do Not Track: Mozilla’s latest effort to put users in control of their web experience.

The web is evolving quickly in how information about people is collected, used and shared online. We believe it’s crucial to put people in control of their personal web interactions and experiences, as previously articulated in my post on our draft Privacy & Data Operating Principles. In particular, we’re seeking ways to provide Firefox users a deeper understanding of and control over the flow of personal information online.

We’re pleased to be able to share one of these efforts today in the area known as “Do Not Track,” which is best understood in current policy discussions to provide a way for people to opt-out of online behavioral advertising (OBA).

As the first of many steps, we are proposing a feature that allows users to set a browser preference that will broadcast their desire to opt-out of third party, advertising-based tracking by transmitting a Do Not Track HTTP header with every click or page view in Firefox. When the feature is enabled and users turn it on, web sites will be told by Firefox that a user would like to opt-out of OBA. We believe the header-based approach has the potential to be better for the web in the long run because it is a clearer and more universal opt-out mechanism than cookies or blacklists.

The Do Not Track header builds on the work the advertising networks have done to date without the cookie-based systems they make available to people online. The advantages of the header technique are that it is less complex and simple to locate and use, it is more persistent than cookie-based solutions, and it doesn’t rely on users finding and loading lists of ad networks and advertisers to work. We’re not the only ones who think this approach makes sense. The FTC calls for a “more uniform and comprehensive consumer choice mechanism for online behavioral advertising.” In addition, the HTTP header technique has been proposed before (see the good work by donottrack.us and the UBAO add-on).

The challenge with adding this to the header is that it requires both browsers and sites to implement it to be fully effective. Mozilla recognizes the chicken and egg problem and we are taking the step of proposing that this feature be considered for upcoming releases of Firefox.
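
What site-side recognition of the header could look like, as an added example that is not Mozilla's patch or any ad network's code: a third-party ad endpoint that stops reading and setting its identifier cookie when the opt-out is present. It assumes the preference arrives as the request header `DNT: 1`, which this post does not spell out; the `uid` cookie, the ad labels and the function names are hypothetical.

```javascript
// Added example, not Mozilla's code. Assumptions: the preference arrives as
// the request header "DNT: 1"; the "uid" cookie and ad names are hypothetical.

// True only when the browser sent the opt-out value.
function optedOut(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "dnt") return String(value).trim() === "1";
  }
  return false; // header absent: no preference expressed
}

// Pull one cookie value out of a Cookie request header.
function readCookie(cookieHeader, key) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq).trim() === key) return part.slice(eq + 1).trim();
  }
  return null;
}

// Decide how a third-party ad endpoint answers one request. Returns the
// response headers, the ad chosen, and what is written to the profile log.
function serveAd(headers, pageTopic, newId) {
  // The response depends on DNT, so shared caches must key on it.
  const res = { headers: { Vary: "DNT" }, ad: null, logged: null };
  const uid = readCookie(headers.cookie || headers.Cookie, "uid");

  if (optedOut(headers)) {
    // Contextual ad only: nothing is keyed to the visitor.
    res.ad = "contextual:" + pageTopic;
    // One conservative choice: expire an identifier set before the opt-out.
    if (uid) res.headers["Set-Cookie"] = "uid=; Max-Age=0; Path=/";
    return res;
  }

  const id = uid || newId;
  if (!uid) res.headers["Set-Cookie"] = "uid=" + id + "; Max-Age=31536000; Path=/";
  res.ad = "behavioral:" + id;
  res.logged = { uid: id, topic: pageTopic }; // feeds the cross-site profile
  return res;
}

// Constructed sample requests: one opted out, one with no preference.
const optOut = serveAd({ DNT: "1", Cookie: "uid=abc123" }, "gardening", "n1");
const tracked = serveAd({ cookie: "lang=en" }, "gardening", "n1");
console.log(optOut, tracked);
```

The opt-out branch never reads the identifier into the ad decision or the log, which is the part a user cannot verify from the browser side.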

My colleagues are posting our proposal to the Mozilla community today for discussion, along with the technical patch to be considered for implementation in Firefox. We are also committed to working with the technical community to standardize the header across the industry. We ask that sites and advertisers join with us to recognize this new header and honor people’s privacy choices just as they are with opt-outs for OBA.

Additional Posts from Mozilla on DNT

  • The technical proposal (available here and here) was posted by my colleague, Sid Stamm. He’s also blogged about the technical specs here
  • Another Mozilla colleague, Mike Hanson, has posted a technical analysis of Do Not Track problems and solutions
  • Mozilla’s FAQ on DNT

It’s important to reiterate that while our initial proposal does not represent a complete solution, this is one step of many for us to see if the header approach can work and confirm that it will provide our users a more nuanced, persistent tool for communicating privacy choices on the web. A recent op-ed in the Wall Street Journal echoes this: “Technology that further customizes browsing to be responsive to user needs and preferences is a benefit to consumers and makes their online time more efficient.” We believe the HTTP header is a constructive approach and one of the many areas we’re exploring to put users in control of their web experience.

About firstpersoncookie
I am more than the sum of the cookies used to profile me online. You can reach me via email at afowler at mozilla dot com.

28 Responses to More Choice and Control Over Online Tracking

  1. Bogomil Shopov says:

    Great !

    • Stephen R. Zimmett says:

      Do you download this??

      • One of the nice things about the HTTP header approach is that no additional software is required for it to work, outside of downloading the header-enabled browser itself. The feature would be built into the browser, so users won’t need to find and install additional add-ons, cookies, extensions, plug-ins, lists, etc.

    • Tagada789 says:

      It is already included by Mozilla in Firefox 4 beta 11

  2. Woot! says:

    Ha! more headers!
    In case you didn’t notice yet, the more headers the browser sends, the higher the browser’s fingerprint entropy.

    In other words. More headers means better trackable browsers.

    If you want to provide privacy for the user, you should send *less* information, not more.

    Also, seen https://panopticlick.eff.org/ before?

  3. I like the effort being made in this area but I don’t see how this scheme can be effective. Am I misunderstanding this or is this simply a request sent to advertisers via an http header asking them to not track me? Why couldn’t they simply ignore or decline my request? Am I the only one who sees the success rate of this as near zero?

    Behavioral tracking is very lucrative. Why would advertisers stop doing it just because I asked them nicely? As annoying as cookies are, at least I have some measure of control over stopping the tracking. By not accepting a cookie I prevent the advertiser from tracking me. It makes my browsing experience less-than-ideal by popping up cookie dialogs but at least I retain control. With this scheme the advertisers are still in control.

    Now if this scheme allowed me to actually stop the tracking with a browser setting, then that would be awesome.

    • No, you aren’t alone. Not only am I about as skeptical as you are and for about the same reasons, I believe that the sites least likely to obey a “Do Not Track” request are precisely the ones which track (and spam) most heavily, and against which I feel the most urge to protect myself.

  4. To make sure I understand, online behavioral advertising (OBA) is when I search for something on site X, then I go to site Y, ads based on my behavior on site X show up, correct?

    Are you saying that this method is better than your current solution? Tools-Options-Privacy-unclick “Accept third-party cookies”

    Does this stop an analytics program from tracking your use on one site? For example, I have Google Analytics on my site to track visitors.

    What does “The challenge with adding this to the header is that it requires both browsers and sites to implement it to be fully effective.” mean? Are you saying that to be fully effective, sites that use online behavioral advertising will have to honor a Do Not Track HTTP header?

    • donaldinks says:

      This is much easier!

      http://www.aboutads.info/choices/

    • Thanks for your questions. The answer to your first question is “yes.” As a place to start on the Do Not Track debate, we are thinking about OBA as using past behaviors online or offline to target an ad.

      Your second question is a bit more complicated to answer, as we have users for whom disabling third party cookies is an acceptable solution for blocking ads. However, there are other uses for third party cookies that have nothing to do with ad targeting/delivery. Outright blocking impacts those users’ experience on the web. For those users who are OK with ads and recognize that many of the sites they visit rely on ad revenue to provide open access to content and services, but who are uncomfortable being tracked across sites, we believe the http header gives them a simpler, more unified and persistent way to communicate that preference.

      In terms of analytics, we are not including that form of tracking in our current thinking.

      Finally, yes, first party and third party sites will have to think about how they respond to a user sending the HTTP header for this to optimally work. Based on the response to our announcement over the last two days, I am optimistic we will see advertisers and sites responding to the header.

  5. So where’s the solution for Mobile? Why can’t I simply add a web site to a white list and then it either sends the data or it doesn’t.

    How do I really know if someone is honoring the DNT header?

    Cheers,

    Peter
    5o9 Inc. Web tools for Mobile.

    • We are committed to exploring the possibility of implementing the Do Not Track HTTP header approach within Firefox Mobile. That discussion is already underway and it looks very promising. In terms of white lists and audit mechanisms, these are also ideas we are evaluating. However, it’s my understanding that we want to manage our scope on the first implementation of the header, allowing for users, developers, sites and third parties to evaluate its impact, and then provide additional enhancements over time.

  6. mario says:

    How are we website/application implementors supposed to acknowledge it?
    Vary: X-Do-Not-Track
    or some sort of reverse Accept-Feature: flag?

    While it’s a commendable proposal, despite major ad networks not playing along, it needs a more thorough definition. Foremost the ambiguity with the existing proposal should be cleared up.

    • We’ve kicked off a multi-stakeholder outreach effort to gather input and collaborate with a number of parties to flesh out our proposal. Further defining “tracking” will be a key task, how it’s expressed via Firefox, and what responses from website/application implementers would be helpful to users who have set the preference in their browser. We will be providing updates via our blogs, in the bugs, Twitter, and through various industry, technical and consumer groups currently engaged in the Do Not Track discussion.

  7. Peter Adams says:

    Alex -

    Using a header to opt-out of all tracking will cause a lot of overhead at the web server as all requests will need to be evaluated for this header – even requests for static files. This is especially the case for web Analytics providers that serve static js tracking libs to the browser.

    Yes a tracking provider could re-architect their web server farm to segregate out their js tracking lib onto a separate infrastructure and then only evaluate requests to those special servers but that could be a big effort especially for the tens of thousands of sites that run open source web analytics software on the same single server that runs their web site.

    Instead or in addition, why not use a protected global js variable to denote the browser’s request to opt? Having access to a doNotTrack global would enable most tracking providers with an easy way to evaluate the browser’s preference via the DOM – which is where most tracking software (Google Analytics, Omniture, Open Web Analytics) does its thing. I know for us (and I’m betting for others) that it would be much much easier to evaluate the DOM to decide if we should go into “no track” mode than having to hack the web server layer.

    Happy to elaborate more.

    • Thanks for the feedback. We’ve had a lot of discussions on the additional overhead associated with the header approach. I would encourage you to join the technical discussion here and elaborate more on your suggestion.

  8. Alexander, will the Do Not Track HTTP header also prevent affiliate network cookies to be written to end user’s machines?

  9. Federico says:

    Great! Just do it!

  10. Henrik Gemal says:

    BrowserSpy now also supports the Do Not Track header.

    Check if your browser sends the Do Not Track header here:
    http://browserspy.dk/donottrack.php

  11. Andy Fetzko says:

    Why do we have to ask anyone to “Please Do Not Track Me”? Grow some gonads in your fruit of the loom, make an add-on to block this tracking. Privacy is what it is: Personal business, no one has the need to know.

    • Danny Moules says:

      Which tracking exactly? Which of the hundreds of tracking methods, whose features being disabled would almost certainly stop you using the web as you do now? You need to give information to use functionality. How much you are prepared to give is not a ‘yes’ or ‘no’ question.

  12. I would also argue in favor of opt-in. I don’t think that most people fully understand what’s going on and, because it sounds (and partially is) scary, they will *always* opt out. Also, traffic would be saved by sending fewer headers.

    You need all parties to work together on this one, thus: Do advertisers have a platform where they can make the case for opting in?

  13. tadg says:

    Great to see Mozilla and others seeking to give users more control over the tracking of their online activities. However, how can an individual have confidence that advertisers will respect their wishes expressed via the HTTP header?

    Is Mozilla addressing what accountability frameworks will be needed to police this approach? Is Mozilla going to support any specific self-regulatory schemes?

  14. r s says:

    Abine’s Do Not Track Plus is addressing some of the issues above: http://www.abine.com/dnt/

    @Axel – yes, us and others are considering ways to offer opt-in to users.

    @Peter – top mobile platforms make this impossible right now.

  15. plistna says:

    Unfortunately, this voluntary approach is doomed to fail. Web advertisers need to learn from supermarkets, where consumers who share personal shopping habit information are essentially paid with significant discounts on products. How about a deal where your subscription to the Times or WSJ is paid by advertisers?

  16. Doug Liser says:

    The policy questions are really tough but the technical aspects of conveying your request to a site and having the site confirm the request are pretty straightforward.

    I recently implemented DNT on a few client sites and developed a simple tool to check the job. I made it public for others that are modifying websites or just want to see how many 3rd party tracking sites their favorite sites participate in.

    See which sites are tracking me

    Let me know what you think.

  17. wer says:

    Nice, so Mozilla – working with Google – says it’s implemented “Do not track”??? Read the PP so you know that this means “do not track except maybe google and partners”!!!

    Geez folks, read the fine print.
