Do Not Track

Short description: HTTP header field proposed in 2009


Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt out of tracking by websites, which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.

The Do Not Track header was originally proposed in 2009 by researchers Christopher Soghoian, Sid Stamm, and Dan Kaminsky.[1] Mozilla Firefox[2] became the first browser to implement the feature.

In 2020, a coalition of US-based internet companies announced the Global Privacy Control[3] header that spiritually succeeds the Do Not Track header. The creators hope that this new header will meet the definition of "user-enabled global privacy controls" defined by the California Consumer Privacy Act (CCPA) and the European General Data Protection Regulation (GDPR).[3] In this case, the new header would be automatically strengthened by existing laws and companies would be required to honor it.[4]

Operation

The DNT header accepts three values: 1 in case the user does not want to be tracked (opt-out), 0 in case the user consents to be tracked (opt-in), or null (no header sent) if the user has not expressed a preference. The default behavior required by the standard is not to send the header unless the user enables the setting via their browser or their choice is implied by the use of that specific browser.[5]

History

In 2007, several consumer advocacy groups asked the U.S. Federal Trade Commission to create a Do Not Track list for online advertising. The proposal would have required that online advertisers submit their information to the FTC, which would compile a machine-readable list of the domain names used by those companies to place cookies or otherwise track consumers.[6]

In July 2009, researchers Christopher Soghoian and Sid Stamm implemented support for the Do Not Track header in the Firefox web browser via a prototype add-on. Stamm was, at the time, a privacy engineer at Mozilla, while Soghoian soon afterward started working at the FTC.[7] One year later, during a U.S. Senate privacy hearing, FTC Chairman Jon Leibowitz told the Senate Commerce Committee that the commission was exploring the idea of proposing a "do-not-track" list.[8]

In December 2010, the FTC issued a privacy report that called for a "do-not-track" system that would enable people to avoid having their actions monitored online.[9]

One week later, Microsoft announced that its next browser would include support for Tracking Protection Lists that block tracking of consumers using blacklists supplied by third parties.[10] In January 2011, Mozilla announced that its Firefox browser would soon provide a Do Not Track solution, via a browser header.[2] Microsoft's Internet Explorer 9,[11] Apple's Safari,[12] Opera[13] and Google Chrome[14] all later added support for the header approach.

In August 2015, a coalition of privacy groups led by the Electronic Frontier Foundation, using the W3C's Tracking Preference Expression (DNT) standard, proposed that "Do not track" be the goal for advocates to demand of businesses.[15]

In January 2019, the W3C Tracking Protection Working Group was disbanded, citing "insufficient deployment of these extensions" and lack of "indications of planned support among user agents, third parties, and the ecosystem at large."[16][17] Beginning the following month, Apple removed DNT support from Safari, stating that it could be used as a "fingerprinting variable" for tracking.[18]

Internet Explorer 10 default setting controversy

When using the "Express" settings upon installation, a Do Not Track option is enabled by default for Internet Explorer 10 and Windows 8.[19] Microsoft faced criticism for its decision to enable Do Not Track by default[20] from advertising companies, who say that use of the Do Not Track header should be a choice made by the user and must not be automatically enabled. The companies also said that this decision would violate the Digital Advertising Alliance's agreement with the U.S. government to honor a Do Not Track system, because the coalition said it would only honor such a system if it were not enabled by default by web browsers.[21] A Microsoft spokesperson defended the decision, however, stating that users would prefer a web browser that automatically respected their privacy.[22]

On September 7, 2012, Roy Fielding, an author of the Do Not Track standard, committed a patch to the source code of the Apache HTTP Server, which would make the server explicitly ignore any use of the Do Not Track header by users of Internet Explorer 10. Fielding wrote that Microsoft's decision "deliberately violates" the Do Not Track specification because it "does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization". The Do Not Track specification did not explicitly mandate that the use of Do Not Track actually be a choice until after the feature was implemented in Internet Explorer 10.[23] According to Fielding, Microsoft knew its Do Not Track signals would be ignored, and its goal was to effectively give an illusion of privacy while still catering to its own interests.[24] On October 9, 2012, Fielding's patch was commented out, restoring the previous behavior.[25][26]

On April 3, 2015, Microsoft announced that starting with Windows 10, it would comply with the specification and no longer automatically enable Do Not Track as part of the operating system's "Express" default settings, but that the company will "provide customers with clear information on how to turn this feature on in the browser settings should they wish to do so".[27]

Adoption

Very few advertising companies actually supported DNT, due to a lack of regulatory or voluntary requirements for its use,[28] and unclear standards over how websites should respond to the header. Websites that honor DNT requests include Medium and Pinterest.[29] Despite offering the option in its Chrome web browser, Google did not implement support for DNT on its websites, and directed users to its online privacy settings and opt-outs for interest-based advertising instead.[30] The Digital Advertising Alliance, Council of Better Business Bureaus and the Direct Marketing Association do not require their members to honor DNT signals.[31]

Use of ad blocking software to block web trackers and advertising has become increasingly common (with users citing both privacy concerns and performance impact as justification), while Apple and Mozilla began to add privacy enhancements (such as "tracking protection") to their browsers that are designed to reduce undue cross-site tracking. In addition, laws such as the European Union's General Data Protection Regulation (GDPR) have imposed restrictions on how companies are to store and process personal information.[30][32]

Princeton University associate professor of computer science Jonathan Mayer, who was a member of the W3C's working group for DNT, argued that the concept is a "failed experiment".[30]

Global Privacy Control

Global Privacy Control (GPC) is a proposed HTTP header field and DOM property that can be used to inform websites of the user's wish to have their information not be sold or used by ad trackers.[33] GPC was developed in 2020 by privacy technology researchers such as Wesleyan University professor Sebastian Zimmeck and former Chief Technologist of the Federal Trade Commission Ashkan Soltani, as well as a group of privacy-focused companies including the Electronic Frontier Foundation, Automattic (owner of Tumblr and WordPress), and more.[3] The signal has been implemented by DuckDuckGo's privacy extension, The New York Times, and privacy browser Brave, and is supported by Firefox creator Mozilla as well as former California Attorney General Xavier Becerra.[34][35][36] GPC is a spiritual successor to the Do Not Track header that was created in 2009 but didn't find widespread success due to the lack of legislation that would require companies to legally respect the Do Not Track header.[37]

GPC is a valid do-not-sell-my-personal-information signal according to the California Consumer Privacy Act (CCPA), which stipulates that websites are legally required to respect a signal sent by users who want to opt out of having their personal data sold.[38][39][40][41][42][43] In July 2021, the California Attorney General clarified through an FAQ that under law, the Global Privacy Control signal must be honored.[44][45]

On August 24, 2022, the California Attorney General announced Sephora paid a $1.2-million settlement for allegedly failing to process opt-out requests via a user-enabled global privacy control signal.[46]
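
A server-side reading of the two signals this article describes, the DNT values from the Operation section and the GPC header, follows as an added example that is not part of the original article. The `Sec-GPC` header name is taken from the GPC proposal rather than from this page, and the function names, the handling of malformed or repeated headers, and the policy for combining the signals are assumptions.

```javascript
// Added example (not from the original article). Header names are matched in
// lower case, which is how Node.js presents them in req.headers.

// Interpret a DNT header value: "1" = opt-out, "0" = opt-in, absent = unset.
function parseDnt(raw) {
  if (raw === undefined || raw === null) return 'unset';
  // A header repeated along the way can arrive joined as "1, 1"; check each copy.
  const parts = String(raw).split(',').map((p) => p.trim());
  if (parts.some((p) => p !== '0' && p !== '1')) return 'invalid';
  // Assumption: conflicting copies resolve to the more protective opt-out.
  return parts.includes('1') ? 'opt-out' : 'opt-in';
}

// Sec-GPC carries only "1"; anything else means no GPC preference was sent.
function parseGpc(raw) {
  return raw !== undefined && raw !== null && String(raw).trim() === '1';
}

// Combine both signals into one decision the rest of the application can use.
function trackingPreference(headers) {
  const dnt = parseDnt(headers['dnt']);
  const gpc = parseGpc(headers['sec-gpc']);
  return {
    dnt,
    gpc,
    // Policy assumption: either opt-out signal suppresses cross-site tracking
    // and sale of data; a malformed DNT value is treated as no preference.
    suppressTracking: gpc || dnt === 'opt-out',
    // Only an explicit "DNT: 0" with no GPC opt-out counts as recorded consent.
    explicitConsent: dnt === 'opt-in' && !gpc,
  };
}

// Constructed sample request headers.
const samples = [
  { dnt: '1' },
  { dnt: '0' },
  {},
  { dnt: 'yes' },
  { dnt: '0', 'sec-gpc': '1' },
  { dnt: '1, 0' },
];
for (const h of samples) {
  console.log(JSON.stringify(h), '->', JSON.stringify(trackingPreference(h)));
}
```

Keeping the parsed state (`unset`, `invalid`, `opt-in`, `opt-out`) separate from the policy decision makes it possible to log how often each signal is received without changing what the application does with it.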

References

  1. Soghoian, Christopher (2011-01-21). "The History of the Do Not Track Header". Slight Paranoia. http://paranoia.dubfire.net/2011/01/history-of-do-not-track-header.html. 
  2. Julia Angwin (2011-01-21). "Web Tool On Firefox To Deter Tracking". Wall Street Journal. https://www.wsj.com/articles/SB10001424052748704213404576100441609997236. 
  3. "Announcing Global Privacy Control: Making it Easy for Consumers to Exercise Their Privacy Rights" (in en) (Press release). 7 Oct 2020. https://globalprivacycontrol.org/press-release/20201007.html. 
  4. Goodin, Dan (2020-10-08). "Now you can enforce your privacy rights with a single browser tick" (in en-us). https://arstechnica.com/tech-policy/2020/10/coming-to-a-browser-near-you-a-new-way-to-keep-sites-from-selling-your-data/. 
  5. "Do Not Track- Universal Web Tracking Opt-Out". 
  6. "The History of the Do Not Track Header". Center for Democracy and Technology. 2007-10-31. https://www.cdt.org/privacy/20071031consumerprotectionsbehavioral.pdf. 
  7. Zetter, Kim (2009-08-17). "Outspoken Privacy Advocate Joins FTC". Wired News. https://www.wired.com/threatlevel/2009/08/soghoian-joins-ftc/. 
  8. Corbin, Kenneth (2010-07-28). "FTC Mulls Browser-Based Block for Online Ads". Internet News. http://www.internetnews.com/ec-news/article.php/3895496/FTC+Mulls+BrowserBased+Block+for+Online+Ads.htm. 
  9. Angwin, Julia (2010-12-02). "FTC Backs Do-Not-Track System for Web". Wall Street Journal. https://www.wsj.com/articles/SB10001424052748704594804575648670826747094. 
  10. Angwin, Julia (2010-12-07). "Microsoft to Add 'Tracking Protection' to Web Browser". Wall Street Journal. https://www.wsj.com/articles/SB10001424052748703296604576005542201534546. 
  11. Angwin, Julia (2011-03-15). "Microsoft Adds Do-Not-Track Tool to Browser". Wall Street Journal. https://www.wsj.com/articles/SB10001424052748703363904576200981919667762. 
  12. Nick Wingfield (2011-04-14). "Apple Adds Do-Not-Track Tool to New Browser". Wall Street Journal. https://www.wsj.com/articles/SB10001424052748703551304576261272308358858. Retrieved 2011-04-14. 
  13. Opera Desktop Team (2012-02-11). "Core update with Do Not Track, and mail and theme fixes". Opera blog. http://my.opera.com/desktopteam/blog/2012/02/10/core-dnt-mail-themes. 
  14. "Longer battery life and easier website permissions". Chrome blog. 2012-11-06. https://chrome.googleblog.com/2012/11/longer-battery-life-and-easier-website.html. 
  15. Abel, Jennifer (6 Aug 2015). "Privacy groups offer "Do Not Track" compromise; will online advertisers and publishers accept it?". ConsumerAffairs. http://www.consumeraffairs.com/news/privacy-groups-offer-do-not-track-compromise-will-online-advertisers-and-publishers-accept-it-080615.html. 
  16. "WG closed · w3c/dnt@5d85d6c" (in en). https://github.com/w3c/dnt/commit/5d85d6c3d116b5eb29fddc69352a77d87dfd2310. 
  17. Hill, Kashmir (2019-02-06). "Apple Is Removing 'Do Not Track' From Safari" (in en-US). https://gizmodo.com/apple-is-removing-do-not-track-from-safari-1832400768. 
  18. "Apple is removing the Do Not Track toggle from Safari, but for a good reason" (in en). 2019-02-07. https://www.macworld.com/article/3338152/apple-safari-removing-do-not-track.html. 
  19. "Internet Explorer 10 Released for Windows 7". PC Magazine. 13 Nov 2012. https://www.pcmag.com/article2/0,2817,2412077,00.asp. 
  20. Brendon Lynch (2012-08-07). "Do Not Track in the Windows 8 Setup Experience". Microsoft on the issues blog. http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08/07/do-not-track-in-the-windows-8-set-up-experience.aspx. 
  21. "Microsoft ticks off advertisers with IE10 'Do Not Track' policy". 1 Jun 2012. http://news.cnet.com/8301-10805_3-57445568-75/microsoft-ticks-off-advertisers-with-ie10-do-not-track-policy/. 
  22. "Microsoft's "Do Not Track" Move Angers Advertising Industry". Digits (The Wall Street Journal). https://blogs.wsj.com/digits/2012/05/31/microsofts-do-not-track-move-angers-advertising-industry/. 
  23. "Microsoft sticks to its guns, keeps Do Not Track on by default in IE10". 8 Aug 2012. https://arstechnica.com/information-technology/2012/08/microsoft-sticks-to-its-guns-keeps-do-not-track-on-by-default-in-ie10/. 
  24. "Apache Web software overrides IE10 do-not-track setting". http://news.cnet.com/8301-1023_3-57508351-93/apache-web-software-overrides-ie10-do-not-track-setting/. 
  25. "Apache Won't Override Do-Not-Track Headers". MediaPost Communications. 9 Oct 2012. http://www.mediapost.com/publications/article/184855/apache-wont-override-do-not-track-headers.html. 
  26. "Keep this in, but commented out: also provide a little · apache/httpd@3dd6fb6". https://github.com/apache/httpd/commit/3dd6fb6882ae2b453c90d51e777e88bc420a0cb1. 
  27. "Microsoft rolls back commitment to Do Not Track". IDG. 3 Apr 2015. http://www.computerworld.com/article/2905551/microsoft-rolls-back-commitment-to-do-not-track.html. 
  28. "Here's The Gaping Flaw in Microsoft's 'Do Not Track' System For IE10". http://www.businessinsider.com/heres-the-gaping-flaw-in-microsofts-do-not-track-system-for-ie10-2012-8. 
  29. Bacchus, Arif (15 Oct 2018). "Millions of People Use 'Do Not Track' Tool Which Does Nothing". Designtechnica Corporation. https://www.digitaltrends.com/computing/do-not-tracking-tools-do-nothing/. 
  30. "'Do Not Track' Privacy Tool Doesn't Do Anything". 2018-10-15. https://gizmodo.com/do-not-track-the-privacy-tool-used-by-millions-of-peop-1828868324. 
  31. "Digital Advertising Alliance Gives Guidance to Marketers for Microsoft IE10 'DO NOT TRACK' Default Setting". http://www.aboutads.info/blog/digital-advertising-alliance-gives-guidance-marketers-microsoft-ie10-%E2%80%98do-not-track%E2%80%99-default-set. 
  32. Fleishman, Glenn (2019-03-17). "How the tragic death of Do Not Track ruined the web for everyone" (in en-US). https://www.fastcompany.com/90308068/how-the-tragic-death-of-do-not-track-ruined-the-web-for-everyone. 
  33. "Global Privacy Control — Take Control Of Your Privacy" (in en). https://globalprivacycontrol.org/. 
  34. "'Do Not Track' Is Back, and This Time It Might Work" (in en-us). Wired. ISSN 1059-1028. https://www.wired.com/story/global-privacy-control-launches-do-not-track-is-back/. Retrieved 2020-12-27. 
  35. "Now you can enforce your privacy rights with a single browser tick" (in en-us). Ars Technica. https://arstechnica.com/tech-policy/2020/10/coming-to-a-browser-near-you-a-new-way-to-keep-sites-from-selling-your-data/. 
  36. "Global Privacy Control emerges as latest attempt to let netizens choose whether they want to be tracked online" (in en-us). The Register. https://www.theregister.com/2020/10/10/global_privacy_control/. 
  37. "Global Privacy Control Protocol Aims to Pick Up Where Do Not Track Left Off" (in en). https://duo.com/decipher/global-privacy-control-protocol-aims-to-pick-up-where-do-not-track-left-off. 
  38. "Tech-publisher coalition backs new push for browser-level privacy controls" (in en-US). https://social.techcrunch.com/2020/10/07/tech-publisher-coalition-backs-new-push-for-browser-level-privacy-controls/. 
  39. Shankland, Stephen. "Privacy push could stop some annoying website pop-ups and online tracking" (in en). https://www.cnet.com/news/privacy-effort-could-stop-some-annoying-website-popups-and-online-tracking/. 
  40. "Global Privacy Control initiative aims to help consumers exercise privacy rights" (in en-us). https://iapp.org/news/a/global-privacy-control-initiative-hopes-to-help-consumers-exercise-ccpa-rights/. 
  41. "DuckDuckGo, EFF, and others just launched privacy settings for the whole internet" (in en-us). Fast Company. https://www.fastcompany.com/90561555/global-privacy-control-duckduckgo-eff-mozilla. 
  42. "California Consumer Privacy Act (CCPA)" (in en). 15 Oct 2018. https://oag.ca.gov/privacy/ccpa. 
  43. "View Document - California Code of Regulations". https://govt.westlaw.com/calregs/Document/I9F7919AD86BF4B00B8C036D35725B846?transitionType=Default&contextData=%28sc.Default%29. 
  44. "CCPA update: Businesses must immediately support the Global Privacy Control (GPC) signal" (in en). 2021-07-21. https://transcend.io/blog/ccpa-gpc-update/. 
  45. "California Consumer Privacy Act (CCPA)" (in en). 2018-10-15. https://oag.ca.gov/privacy/ccpa. 
  46. "Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act" (in en). 2022-08-24. https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement. 