Do Not Track
|Security Access Control methods|
The Do Not Track (DNT) header is the proposed HTTP header field
DNT that requests that a web application disable either its tracking or cross-site user tracking (the ambiguity remains unresolved) of an individual user. The Do Not Track header was originally proposed in 2009 by researchers Christopher Soghoian, Sid Stamm, and Dan Kaminsky. Efforts to standardize Do Not Track by the W3C in the Tracking Preference Expression (DNT) Working Group did not make it past the Candidate Recommendation stage and ended in September 2018 due to insufficient deployment and support.
The header field name is
DNT and it currently accepts three values:
1 in case the user does not want to be tracked (opt out),
0 in case the user consents to being tracked (opt in), or null (no header sent) if the user has not expressed a preference. The default behavior required by the standard is not to send the header unless the user enables the setting via their browser or their choice is implied by use of that specific browser.
In 2007, several consumer advocacy groups asked the U.S. Federal Trade Commission to create a Do Not Track list for online advertising. The proposal would have required that online advertisers submit their information to the FTC, which would compile a machine-readable list of the domain names used by those companies to place cookies or otherwise track consumers.
In July 2009, researchers Christopher Soghoian and Sid Stamm created a prototype add-on for the Firefox web browser, implementing support for the Do Not Track header. Stamm was, at the time, a privacy engineer at Mozilla, while Soghoian soon afterward started working at the FTC. One year later, during a U.S. Senate privacy hearing, FTC Chairman Jon Leibowitz told the Senate Commerce Committee that the commission was exploring the idea of proposing a "do-not-track" list.
One week later, Microsoft announced that its next browser would include support for Tracking Protection Lists, that block tracking of consumers using blacklists supplied by third parties. In January 2011, Mozilla announced that its Firefox browser would soon provide a Do Not Track solution, via a browser header. Microsoft's Internet Explorer, Apple's Safari, Opera and Google Chrome all later added support for the header approach.
In August 2015 a coalition of privacy groups led by the Electronic Frontier Foundation using W3C's Tracking Preference Expression (DNT) standard proposed that "Do not track" be the goal for advocates to demand of businesses.
Internet Explorer 10 default setting controversy
When using the "Express" settings upon installation, a Do Not Track option is enabled by default for Internet Explorer 10 and Windows 8. Microsoft faced criticism for its decision to enable Do Not Track by default from advertising companies, who say that use of the Do Not Track header should be a choice made by the user and must not be automatically enabled. The companies also said that this decision would violate the Digital Advertising Alliance's agreement with the U.S. government to honor a Do Not Track system, because the coalition said it would only honor such a system if it were not enabled by default by web browsers. A Microsoft spokesperson defended its decision however, stating that users would prefer a web browser that automatically respected their privacy.
On September 7, 2012, Roy Fielding, an author of the Do Not Track standard, submitted a change to the source code of the Apache HTTP Server, which would make the server explicitly ignore any use of the Do Not Track header by users of Internet Explorer 10. Fielding asserted that Microsoft's decision "deliberately violates" the Do Not Track specification because it "does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization." The Do Not Track specification did not explicitly mandate that the use of Do Not Track actually be a choice until after the feature was implemented in Internet Explorer 10. Fielding pointed out that Microsoft knew its false signals claiming that users had chosen Do Not Track would be ignored, and that its goal was to effectively give an illusion of privacy while still catering to their own interests. On October 9, 2012, Fielding's patch was commented out, restoring the previous behavior.
On April 3, 2015, Microsoft announced that as of Windows 10, it would comply with the specification and no longer enable Do Not Track as part of the operating system's "Express" default settings, but that the company will "provide customers with clear information on how to turn this feature on in the browser settings should they wish to do so".
When a web browser requests content or sends data using HTTP, it can include extra information optionally in one or more items called "headers". Do not track adds a header (DNT: 1), indicating that the user does not want to be tracked. The browser user has no control over whether the request is honoured or not.
There are no legal or technological requirements for the use of DNT. Websites and advertisers may either honor or ignore DNT requests. The Digital Advertising Alliance, Council of Better Business Bureaus and the Direct Marketing Association does not require its members to honor DNT signals. There are organizations such as DataNeutrality that are involved in setting DNT guidelines for private companies involved in data collection.
Microsoft itself does not obey the DNT header, stating "Because there is not yet a common understanding of how to interpret the DNT signal, Microsoft services do not currently respond to browser DNT signals."
- Do Not Track legislation
- Common non-standard request headers
- HTTP cookie#Privacy and third-party cookies
- Direct Marketing Association
- Better Business Bureau
- Evil bit
- Soghoian, Christopher. "The History of the Do Not Track Header". Slight Paranoia. Retrieved 22 February 2012.
- "W3C Tracking Protection Working Group". www.w3.org.
- Schunter, Matthias (6 November 2018). "Final version of the note". public-tracking (Mailing list).
- "Tracking Preference Expression (DNT)". w3c.github.io.
- Julia Angwin (2011-01-21). "Web Tool On Firefox To Deter Tracking". Wall Street Journal. Retrieved 22 February 2012.
- IEBlog (2010-12-07). "IE9 and Privacy: Introducing Tracking Protection"
- Nick Wingfield (2011-04-14). "Apple Adds Do-Not-Track Tool to New Browser". Wall Street Journal. Retrieved 2011-04-14
- Opera Desktop Team (2012-02-11). "Core update with Do Not Track, and mail and theme fixes". Opera.com. Retrieved 2012-02-10
- "Longer battery life and easier website permissions". Google. 2012-11-06. Retrieved 2012-11-06
- "The History of the Do Not Track Header" (PDF). Center for Democracy and Technology. 2007-10-31. Retrieved 22 February 2012.
- Zetter, Kim (2009-08-17). "Outspoken Privacy Advocate Joins FTC". Wired News. Retrieved 2009-11-20.
- Corbin, Kenneth (2010-07-28). "FTC Mulls Browser-Based Block for Online Ads". Internet News. Retrieved 2009-11-20.
- Angwin, Julia (2010-12-02). "FTC Backs Do-Not-Track System for Web". Wall Street Journal. Retrieved 22 February 2012.
- Angwin, Julia (2010-12-07). "Microsoft to Add 'Tracking Protection' to Web Browser". Wall Street Journal. Retrieved 22 February 2012.
- Angwin, Julia (2011-03-15). "Microsoft Adds Do-Not-Track Tool to Browser". Wall Street Journal. Retrieved 22 February 2012.
- "Longer battery life and easier website permissions". 2012-11-06. Retrieved 2012-11-07
- Abel, Jennifer (6 August 2015). "Privacy groups offer "Do Not Track" compromise; will online advertisers and publishers accept it?". consumeraffairs.com. Retrieved 10 August 2015.
- November 13, 2012 (November 13, 2012). "Internet Explorer 10 Released for Windows 7". PC Magazine. Retrieved December 22, 2012.
- Brendon Lynch (2012-08-07). " "Do Not Track in the Windows 8 Setup Experience". Microsoft on the issues blog.
- "Microsoft ticks off advertisers with IE10 'Do Not Track' policy". CNET. Retrieved 8 September 2012.
- "Microsoft's "Do Not Track" Move Angers Advertising Industry". Digits. The Wall Street Journal. Retrieved 8 September 2012.
- "Apache does not tolerate deliberate abuse of open standards · apache/httpd@a381ff3". GitHub. Retrieved 2016-01-02.
- "Apache does not tolerate deliberate abuse of open standards · apache/httpd@a381ff3". GitHub. Retrieved 2016-01-03.
- "Microsoft sticks to its guns, keeps Do Not Track on by default in IE10". Ars Technica. Retrieved 14 May 2013.
- "Apache Web software overrides IE10 do-not-track setting". CNET. Retrieved 8 September 2012.
- "Apache Won't Override Do-Not-Track Headers". MediaPost Communications. Retrieved 22 December 2012.
- "Keep this in, but commented out: also provide a little · apache/httpd@3dd6fb6". GitHub. Retrieved 4 July 2017.
- "Microsoft rolls back commitment to Do Not Track". Computerworld. IDG. Retrieved 3 April 2015.
- "Do Not Track- Universal Web Tracking Opt-Out". Retrieved 2011-04-11
- "Here's The Gaping Flaw in Microsoft's 'Do Not Track' System For IE10". Business Insider. Retrieved 8 September 2012.
- "Digital Advertising Alliance Gives Guidance to Marketers for Microsoft IE10 'DO NOT TRACK' Default Setting". Retrieved 10 October 2012.
- "Microsoft Privacy Statement: How to Access & Control Your Personal Data, Learn More". Retrieved 2016-05-12.