Or the risk of offending the biggest source of funding? Why is being tracked the norm, so that you have to explicitly say "don't track me"? In real life you don't have to go to a government agency and register "I wish to not be stalked". What is wrong with saying it is the user's choice that they be tracked? Default is don't because that's how real life is.
(If you really really really care about a user's choice like you say you do then make the user make a choice. On first launch get the user's choice and refuse to work without being told what they'd prefer.)
Edit 1: I read the W3 draft on Do Not Track and it seems like there is a section for "Explicit Consent Requirement".[0] Although whether the committee is influenced by corporations in a way that the industry is tasked with policing itself is a different topic altogether.
Edit 2: Brian Smith from Mozilla responded with websites ignoring the flag if set by default. That's what Yahoo! did.[1] But that's the problem with any honor-based system.
> Or the risk of offending the biggest source of funding?
I (a Mozilla employee) can understand why people worry about this, because there does seem to be a conflict of interest here. But, I've never seen anything to indicate that we consider Google's payments to us in any security/privacy decision.
DNT is not the ultimate solution to tracking on its own. It is part of a solution.
Consider this:
Let's say you go buy a box of doughnuts and take it to work, open it, and leave it open on a table next to your desk. Some people will think "Hmm, I want one of those doughnuts but I'm not sure if it is OK to take one, so I won't" and other people will just assume that it is OK to take one. (Why else would there be an open box of doughnuts? And/or isn't it better to ask forgiveness than permission?)
Let's say you write "Do NOT take these doughnuts! They are mine!" on the box with a big fat marker. If somebody were to take a doughnut, they would be clearly in the wrong in that situation, according to any kind of mainstream social convention.
Lots of people will say that it is wrong to take a doughnut without explicit permission. But, many, many people see the situation as being open to interpretation.
Now, let's say the doughnut shop pre-printed "Do NOT take these doughnuts! They are mine!" on every box. You might argue that that is the same thing as the hand-written sign. But, I would bet that the pre-printed message would get drowned out as people would normally share doughnuts out of these pre-printed boxes: "Just ignore the box, they all say that; it doesn't mean anything." The pre-printed message becomes less and less meaningful, even though the words are clear, unambiguous, and explicit. And, worse, you may be discouraged from writing your handwritten "Do NOT take these doughnuts! They are mine!" message on the box because, well, the box already says that. Effectively, that message pre-printed on the box is harmful, as its meaning is in the eye of the beholder--just like the open box sitting on the table with no message written on it at all.
Do you see how that could possibly be problematic? This is the problem that Sid and others at Mozilla are trying to solve. "DNT: 1" means it is clearly wrong to track this user because they've gone through special effort to tell you they don't want to be tracked.
Forcing the user to choose something and refusing to run if they don't, even when it's a non-essential setting like this? That's a terrible idea. I'm annoyed enough when browsers ask me if I'd like to set them as default; the last thing I want is a 10-page questionnaire of the browser's settings.
The problem with "Do Not Track" is that it is misnamed, and the entire debate has been misframed around that. The feature was dead in the water from the moment it was called that.
To the end user, the idea of being tracked sounds like being followed around by some stalker, and is about as enticing as having your home robbed. People, in general, don't understand either the bad (the extent to which web sites can build a deep profile on you) or the good (how much of the web that everyone loves is financed through targeted advertising). As such, how things are presented is tremendously important.
Imagine if it was called "Disable Ad Personalisation", or even, "Do Not Tip" where the notion of denying monetization to the web sites you use (which is what Do Not Track will do) is invoked. It would have a very different response, I think.
I'm thinking they named it that way on purpose. It has a lot of media coverage. It makes people more aware that they're losing the privacy they took for granted in the past, when using the web.
The feature seems to have been adopted by many browsers now so I'd say it's mostly successful - but even if it wasn't, the media impact probably makes it successful for them, IMO.
I think there's an easy solution to this: when one first launches Firefox (or another browser), it can prompt the user. Firefox already has a "know your rights" thing that comes up. Internet Explorer asks what search engine and other stuff you want to use. Having a "Do Not Track" option as part of that would be reasonable.
As for Mozilla and this letter, Do Not Track isn't legislated. Basically, it's a way for you to tell websites that you don't want to be tracked, but they have no obligation to follow your wishes. Some advertisers [citation needed] have indicated that they will follow Do Not Track if it's an opt-in system. A cursory search shows that Yahoo ignores the setting from IE10 because Microsoft made it a default (http://www.theregister.co.uk/2012/10/26/yahoo_to_ignore_ie10...). As the article notes, the W3C says that Do Not Track should be opt-in.
So, on the one hand, advertisers seem to be saying "if Do Not Track is a default setting, it isn't a user choice and we'll ignore it." If Mozilla makes it a default, it doesn't help anyone. However, I think browser makers could call their bluff by making it a very apparent option when starting the web browser.
I think Do Not Track should be the norm. However, it isn't. The norm is tracking. Once a norm has been established, it's hard to replace it with a new norm. Cigarettes would never get approved for sale if they were invented/discovered today. If subways were a new invention, it seems like they would be built with walls preventing people from being pushed onto the tracks. But norms were established and it's hard to move away from them.
In this case, I think there's an easy solution: explicitly asking on first launch. Browsers already ask to be the default, some try to tell you about rights, some ask you about search engines, etc. Just add Do Not Track to that process. Then we explicitly have a user opinion on the matter.
You can't just keep adding prompts every time there's a change, you'll end up creating a scenario where there must be a prompt for every change made. Default settings are needed just like any application.
I find this whole argument moot. DNT is binding neither in a legal nor in a technical sense. If you don't trust someone to handle your internet tracking history, why would you trust them to keep an informal promise, ESPECIALLY considering they have a get out of jail free card saying they accidentally ignored your DNT header because they thought you were using IE 10?
Microsoft did right (for once) with making DNT default on IE. It exposes the DNT idea for what it is: Snake oil.
Do-Not-Track has been designed to represent the explicit choice of the user to not be tracked.
As per the DNT[1] draft:
> 6.2. User Interface RECOMMENDED
> A user agent that implements Do Not Track SHOULD provide a user interface for modifying preferences. The user interface design is left to the user agent.
> 6.3. Default
> A user agent MAY adopt NO-EXPRESSED-PREFERENCE or OPT-OUT by default. It MUST NOT transmit OPT-IN without explicit user consent.
Another important aspect, that I don't see mentioned much, is that DNT is only supposed to prevent third-party tracking. First-party remains unaffected.
Because it breaks websites. It blocked cookies for me on an FRAME (yes, I know) for a MasterCard SecureCode transaction for personal stuff on a local business site, and the website uses cookies to pass from one server to another and the transactions failed the following day when I enabled Do Not Track. Even companies like MasterCard cannot function with it enabled, how do we push smaller companies to get it done?
And this is why industry self-regulation will continue to fail.
Opt-out from privacy invasion is not sufficient. In Europe at least, it is politically and socially unacceptable that people have to opt-out. So as long as the industry comes up with half-assed protocols and self-regulation that is based on the assumption "we have the right to violate your privacy unless you stop us" instead of the other way around, this will continue to trigger ever stronger anti-tracking legislation.
And please don't think that the faltering so-called "cookie-law" will be the end of it. That was just the softest option, and just like with early anti-spam laws the industry chose to sabotage it instead of trying to make it work. I wouldn't be surprised if this ended with a full blown ban on any form of cross-site tracking.
Of course "do not stalk" should be the default. The whole notion that having your privacy violated by the marketing industry is somehow about individual choice is bullshit. It's as idiotic as "do not film me in the privacy of my own home" being opt-out and we're all Big Brother contestants by default.
Mozilla is claiming they do not want to enforce a preference for the user, and instead would like the user to make the choice. But Mozilla has previously enforced their preference for a number of different features:
* Mozilla has disabled Java plugins and Silverlight in the past to protect their users (from security vulnerabilities).
* Mozilla has enforced their preference for blocked popup windows in the past to protect their users (from annoying content).
The difference is that those preferences actually do something. DNT is just asking nicely to advertisers, it doesn't actually prevent tracking, so if everyone asks by default, it becomes meaningless.
The only way for a "Do Not Track" feature to be on by default is if it legally or technically prevents ad networks from tracking, otherwise it'll be ignored (see IE).
the problem is that Mozilla introduced do not track.
if they had both introduced the feature AND made it default, since following the hint is voluntary from the advertisement providers (ie server side decides to honor it or not), well, NONE would have followed it.
The situation with 3rd party cookies is different, because it's up to the client, not to the server side.
So, this has little to do with the Google search engine deal, in fact.
Putting aside my opinion on do-not-track, I think it's perfectly reasonable that it's off by default, simply because that is the current behavior of the browser. If they enabled it by default, they'd be changing it out from under current users.
> We won’t turn on Do Not Track by default because then it would be Mozilla making the choice, not the individual.
I don't buy that. They are making a choice either way, whether they enable or disable it by default. Just like they are making a choice about the hundreds of other options Firefox has. A few examples of how Mozilla thinks:
> JavaScript enabled by default. Why? Developers and designers can do some really awesome websites with it and we want users to have that experience.
> SSL enabled by default. Why? It improves your security.
> Do Not Track disabled by default. Why? Because we don't want to fuck with the people who are paying us (i.e. Google).
I always wonder why people don't have the courage to mention the elephant in the room - that a very significant part of Mozilla's revenue comes from Google's ability to track Firefox browser users. That, at least, deserves a mention.
I on the other hand always wonder why discussions so often degenerate to pointing out who's funding who without considering that, actually, the official explanation may be true. They are funded by Google, but they are not slaves to it. Also, even if their decision was influenced by a will not to offend their money source, their official explanation is reasonable and stands on its own.
This is bs. I consider myself far more computer literate than the masses. Yet, I wasn't aware that the iOS Safari had the capability of DNT. I accidentally found out about it while playing with the settings on my development device. DNT is a relatively new capability, which used to be handled with plugins such as Ghostery. Browser vendors should teach their users about this shiny new feature, otherwise it is practically useless, as it will not protect those who need it the most.
Internet Explorer has made any effect that DNT might have had completely useless. It's much more effective just to nuke the stuff locally with Ghostery.
That was 2011. While Mozilla still will not turn on DNT by default, they are now going to block most third-party cookies by default, which to a large extent has the same effect: https://blog.mozilla.org/privacy/2013/02/25/firefox-getting-... . (Edit: typo.)
ashishgandhi|13 years ago
[0] http://lists.w3.org/Archives/Public/public-tracking/2012Jun/... [1] http://allthingsd.com/20121026/yahoo-dings-do-not-track-defa...
briansmith|13 years ago
It has nothing to do with Google's money.
kbuck|13 years ago
leeoniya|13 years ago
it needs to ask you upon installation. no one will go digging through settings - that makes it practically worthless. "Cause knowledge is power!"
zmmmmm|13 years ago
zobzu|13 years ago
mdasen|13 years ago
unknown|13 years ago
[deleted]
nej|13 years ago
LinXitoW|13 years ago
Monkeyget|13 years ago
[1] http://tools.ietf.org/html/draft-mayer-do-not-track-00
abalone|13 years ago
616c|13 years ago
KNoureen|13 years ago
On another note, cookies are domain specific, which means that a cookie can't be accessed by another domain.
onemorepassword|13 years ago
mozmoz|13 years ago
Mozilla is claiming they do not want to enforce a preference for the user, and instead would like the user to make the choice. But Mozilla has previously enforced their preference for a number of different features:
* Mozilla has disabled Java plugins and Silverlight in the past to protect their users (from security vulnerabilities).
* Mozilla has enforced their preference for blocked popup windows in the past to protect their users (from annoying content).
* Mozilla has enforced their preference for the handling of cookies to protect their users (from privacy violations). https://blog.mozilla.org/privacy/2013/02/25/firefox-getting-...
Why not disable tracking features to protect your users (from privacy violations)?
Their explanation does not make sense.
icebraining|13 years ago
zobzu|13 years ago
kbuck|13 years ago
wereHamster|13 years ago
JohnTHaller|13 years ago
ghshephard|13 years ago
djcapelis|13 years ago
TeMPOraL|13 years ago
utopkara|13 years ago
yiransheng|13 years ago
DNT = Math.random()> p ? on : off
anigbrowl|13 years ago
That's just as true of leaving it turned off by default. What sort of idiots do you take us for?
nwh|13 years ago
gpvos|13 years ago
unknown|13 years ago
[deleted]
boq|13 years ago
wfunction|13 years ago
skrebbel|13 years ago