
Mozilla Proposes 'Do Not Track' HTTP Header 244

MozTrack writes "The emergence of data mining by third party advertisers has caused a national debate from privacy experts, lawmakers and browser supporters. Mozilla's Firefox, a popular browser company, has proposed a new feature that will prevent people's personal information from getting mined and sold for advertising. The feature would allow users to set a browser preference that will broadcast their desire to opt-out of third party, advertising-based tracking. It would do this via a 'Do Not Track' HTTP header with every click or page view in Firefox."
This discussion has been archived. No new comments can be posted.

  • by InsaneProcessor ( 869563 ) on Monday January 24, 2011 @01:29PM (#34983140)
    Advertisers and tracking services will fight this to the bitter end.
    • by ByOhTek ( 1181381 ) on Monday January 24, 2011 @01:31PM (#34983170) Journal

      Or ignore it. I'd think it'd be fairly trivial to ignore that header, especially if there is at least one country that doesn't legally require it to be honored (and even without that, they'll probably still ignore it in countries where it is illegal).

      They won't fight it, they laugh at it.

      • by kellyb9 ( 954229 ) on Monday January 24, 2011 @01:33PM (#34983198)
        Along the same lines, this would probably make the issue worse. Based on that tag, people are going to simply assume security and privacy where there is none.
        • by Tisha_AH ( 600987 ) on Monday January 24, 2011 @02:01PM (#34983664) Journal

          I see where Mozilla is coming from. They are looking at how many folks do not like being tracked and the popularity of programs like Adblock Plus, NoScript, etc...and are trying to add some of that functionality into the browser. Not a bad idea as there are significant numbers of folks who do not put any enhancements into their Firefox install other than some dumb toolbar. As Firefox will appeal to more and more non-technical types there would be some benefit to adding that functionality up front.

          You can bet that the IE crowd will say that their browser works better and only compare the base load of Firefox.

          The "do not track" header is a fine idea but it will only work for those sites that play by the rules.

          Most don't.

          Even with the additional "don't track header" capability I will not throw caution to the winds. I will continue to use Adblock Plus, NoScript and a few other tools.

          • by Nemyst ( 1383049 ) on Monday January 24, 2011 @02:46PM (#34984294) Homepage

            It's ironic, though. It's indeed almost certain that header will never catch on, yet by doing so advertisers are just shooting themselves in the foot. They're giving AdBlock and NoScript traction. They're pissing off the geeks, who often have a sizable influence in the realm of technology within their circle of friends. Instead of having a header that would be normally disabled and would get turned on in specific cases (say, through private browsing options), they're getting people to use tools that are turned on by default and never get turned off.

            It's their loss in the end.

          • Assuming you keep your plugins updated, you are already sending the X-Do-Not-Track header with all of your requests. Since NoScript 2.0.9.x, it can be configured with noscript.DoNotTrack.{enabled, exceptions, forced}, and the default is enabled.

            The maintainer of NoScript says [hackademix.net]:

            As stupid as it may sound (why parties who are interested in tracking you would comply?), a mean to clearly express your will of not being tracked is going to be useful, especially when backed by law or industry self-regulation, as explained here [33bits.org]. Therefore it seems in the interest of NoScript users and privacy-concerned netizens in general to participate in this effort.

            I'm not sure that I agree with the rationale (legislation about HTTP headers? No thank you!), but at least there is one. He also responded [hackademix.net] to the Firefox proposal.
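
What it takes for a server to recognize and honor the header, as an added example that is not part of the original thread and is not NoScript's or Mozilla's code: a WSGI middleware that suppresses a tracking cookie when the client sends X-Do-Not-Track or DNT. The cookie name, the demo application and the `example.do_not_track` key are hypothetical, and treating the value `1` as the opt-out is an assumption.

```python
"""Server side of Do Not Track: a WSGI middleware that honors the header."""
from wsgiref.util import setup_testing_defaults

# X-Do-Not-Track is the header named in the comment above; DNT is the name
# Firefox shipped. Treating the value "1" as the opt-out is an assumption here.
OPT_OUT_KEYS = ("HTTP_DNT", "HTTP_X_DO_NOT_TRACK")
TRACKING_COOKIE = "visitor_id"  # hypothetical cookie name for this example


def wants_no_tracking(environ):
    """True when either opt-out header is present with the value "1"."""
    return any(environ.get(key, "").strip() == "1" for key in OPT_OUT_KEYS)


def is_tracking_cookie(name, value):
    """Match a Set-Cookie header that sets the long-lived tracking cookie."""
    if name.lower() != "set-cookie":
        return False
    return value.split("=", 1)[0].strip() == TRACKING_COOKIE


class HonorDoNotTrack:
    """Drop the tracking cookie and flag the request when the client opts out."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        opted_out = wants_no_tracking(environ)
        # Downstream code reads this flag instead of re-parsing headers.
        environ["example.do_not_track"] = opted_out

        def filtered_start(status, headers, exc_info=None):
            kept = [(n, v) for n, v in headers
                    if not (opted_out and is_tracking_cookie(n, v))]
            # The response now depends on these request headers, so shared
            # caches must not serve one variant to the other population.
            kept.append(("Vary", "DNT, X-Do-Not-Track"))
            return start_response(status, kept, exc_info)

        return self.app(environ, filtered_start)


def demo_app(environ, start_response):
    """Hypothetical site: a functional session cookie plus a tracking cookie."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=abc123; HttpOnly"),
        ("Set-Cookie", TRACKING_COOKIE + "=constructed-sample-id; Max-Age=31536000"),
    ])
    opted_out = environ.get("example.do_not_track", False)
    return [b"not tracked\n" if opted_out else b"tracked\n"]


def simulate(request_headers):
    """Run one constructed request; return (names of cookies set, body)."""
    environ = {}
    setup_testing_defaults(environ)
    for name, value in request_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    body = b"".join(HonorDoNotTrack(demo_app)(environ, start_response))
    cookies = [v.split("=", 1)[0] for n, v in captured["headers"]
               if n.lower() == "set-cookie"]
    return cookies, body


if __name__ == "__main__":
    for sample in ({}, {"DNT": "1"}, {"X-Do-Not-Track": "1"}, {"DNT": "0"}):
        print(sample, "->", simulate(sample))
```

The functional session cookie survives in every case; only the long-lived identifier is withheld. Nothing in the protocol forces a server, or a third party embedded in its pages, to run a check like this.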

        • Not to mention that it can be used to prevent access to sites. I've been on sites that block access if you use Adblock or NoScript. Not sure how they recognize it (because I never tried to look), but they do.
          • Re: (Score:3, Interesting)

            Not to mention that it can be used to prevent access to sites. I've been on sites that block access if you use Adblock or NoScript. Not sure how they recognize it (because I never tried to look), but they do.

            Objectively, if I'm funding my site with advertising and you block it, why should you be allowed to access my content?

            • Re: (Score:2, Interesting)

              by Anonymous Coward

              That is a valid point, but isn't any more objective than the OP.

              Though if they refuse to click on any ads, then why would it matter if you show it to them? Aren't all ads based upon the click, and not just the view these days?

              Personally, I don't see the problem with either view as long as it is stated up front (with a page that says you must turn off adblock to see this content, or such). I skip those sites as not worth my time, but I don't begrudge them their choice.

              • No. Often the money is only made by the advertiser when there's a click (unless it's some brand awareness campaign), but most places still charge for the space on a CPM basis. So when you block ads, the publisher loses more than the advertiser.
              • Some ad services pay based on impressions/views, not clicks. The payout is significantly lower per impression than per click, but the ratio of "people who let them load, whether they click or not" to "people who click" can sometimes make pay-by-impression more valuable.

            • Re: (Score:2, Insightful)

              by icebike ( 68054 )

              Objectively, if I'm funding my site with advertising and you block it, why should you be allowed to access my content?

              Well, it's certainly your right to withhold the page until the ads are downloaded (even until they are displayed if you want a high rate of instant exits).

              But this isn't a war you can win in the long run. Browsers or plugins will always find a way to defeat your ads, and the harder you try to push them into your reader's faces the less successful you will be.

              Whether the tools simply skip downloading your ads or download the ads in the background, people are not going to watch intrusive ads.

              The "Skip thi

              • Objectively, if I'm funding my site with advertising and you block it, why should you be allowed to access my content?

                Well, it's certainly your right to withhold the page until the ads are downloaded (even until they are displayed if you want a high rate of instant exits).

                But this isn't a war you can win in the long run. Browsers or plugins will always find a way to defeat your ads, and the harder you try to push them into your reader's faces the less successful you will be.

                Whether the tools simply skip downloading your ads or download the ads in the background, people are not going to watch intrusive ads.

                The "Skip this welcome page" ad sites have found their bandwidth utilization up, and their customer click-exits growing faster than their content delivery.

                Not many people block Google Ads, because they are usually topical and un-intrusive. But any method to ensure I read your ads is bound to fail.

                I get your argument, truly. Personally, I run an ad blocker, I don't host a commercial web site, and I've never earned $1 off Internet advertising.

                Point remains, though, something has to pay for all this free content we enjoy. Right now that something is primarily advertising. I suppose micropayments could replace advertising if it came to that.

                Slashdot lets me off the hook for ads, probably just because I've been around so long (thanks!).

            • by spazdor ( 902907 )

              Objectively, if I'm funding my site with advertising and you block it, why should you be allowed to access my content?

              The same reason that Safeway doesn't get to forcibly insert the free swiss-cheese sample in your mouth after you accept it from the lady at the kiosk.

              If you're giving something away for free, you can deny it on any basis you like (which means, of course, if you've determined by your own methods that someone's dropping your ads you're always fine to decline them service in the first place), but once it's given out, there are actually some strings you can't attach. One of those strings, is whether the perso

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          Along the same lines, this would probably make the issue worse.

          Just one more point of information for tracking. See: https://panopticlick.eff.org/ for how trackable you are. What they really need is a "whitewash" extension or setting by Mozilla that gives everyone the same settings for user agent, plugins, headers, etc. If everyone appears the same, no one is unique.

      • by fredjh ( 1602699 ) on Monday January 24, 2011 @01:55PM (#34983564)

        Agreed... opt out is BS, it should ALWAYS be opt-in, and default browser behavior should be to NOT send such information at all.

        • by jimicus ( 737525 ) on Monday January 24, 2011 @02:17PM (#34983888)

          Not to send what exactly? Were browsers to not send cookies by default, they'd break an awful lot of websites for the majority of their users. It's fairly fundamental to HTTP that it's not stateful between requests - cookies allow applications to work around that issue.

          • Re: (Score:3, Informative)

            You haven't seen what happens when you visit a web site - say with a youtube video, a flash advert, four or five social networking widgets or logos, analytics, plain old and flash cookies, even geolocation.

            It's breathtaking and disturbing. Give Privoxy a try and see just who's watching :-)
          • by Hatta ( 162192 )

            Then don't use HTTP. HTTP is for documents, not apps. It's not that abandoning cookies will break sites, it's those sites that have broken the internet by requiring us to use crappy hacks around intentional limitations of these protocols.

      • I think you're too pessimistic. The "Do Not Call" list was effective in stopping telemarketers, even though they are not required to obey that list if they are outside the US. This "Do Not Track" header could be similarly effective.

        >>>Mozilla's Firefox, a popular browser company,

        Don't forget Mozilla Netscape, Mozilla Seamonkey (firefox/thunderbird/composer merged), and Mozilla Camino for Macs..... also popular browser "companies". ;-)

        • The very key difference being that telemarketers were calling from within the same country as their targets. Internet advertisement and data mining is completely different to telemarketing.

          • "Hi. This is the American Embassy in ____. For every user you track we will impose international trade sanctions on your country for one day. Bye."

        • I think you're too pessimistic. The "Do Not Call" list was effective in stopping telemarketers, even though they are not required to obey that list if they are outside the US. This "Do Not Track" header could be similarly effective.

          I think that's the problem. It would cut down on the tracking by more or less legitimate firms, but it wouldn't do anything about the ones that are offshore and lacking in scruples.

          And the offshore ones are the ones causing the biggest headaches at present with spam.

        • by Drathos ( 1092 )

          The "Do Not Call" list was effective ...

          The "Do Not Call" list is not effective. In fact, it made it worse for me because I went from getting two or three calls from telemarketers a week to five or six calls a day from all the loopholes (politicos, "charities," and surveys) which quadruples during election season. The loopholes used the list to farm numbers.

      • Especially since it will be ignored by "default". You can arbitrarily inject headers into requests, but the web servers and sites people are running won't recognize them until they are taught to.

        Also, last time I checked, the Mozilla foundation wasn't in any sort of law making position so the chances of it being "legally required" in any country, let alone all countries, are pretty slim. Especially when the resident evil, Microsoft, will be against it. (For their "partners" and themselves)

        No, I'm afraid the

      • Yup. Looks like Mozilla is taking the "Evil Bit" seriously, and creating their own "Good Bit".

        Cute.

      • Or ignore it.

        This.

        An option is only as good as the power that is bestowed upon a user/program/protocol to enforce that wish. No matter how many flags a browser sticks into an HTTP header, if the people developing and/or running a server simply do not have any intention to follow through that request then that header becomes absolutely meaningless.

        This issue is even more problematic once we acknowledge the fact that the user does not, nor can he, have any clue regarding what goes on in a server and what is being done with

      • by Rhaban ( 987410 )

        What about a "do not track - please" header?

    • by gstoddart ( 321705 ) on Monday January 24, 2011 @01:32PM (#34983180) Homepage

      Advertisers and tracking services will fight this to the bitter end.

      Or, ignore it and use it as one more piece of data about you.

      They're more likely to disregard it than to fight it.

    • Advertisers and tracking services will fight this to the bitter end.

      Nah, they'll just ignore it - it's just a header, and has no mechanics for ensuring that the receiver (a) gets it, (b) knows what it means, or (c) does anything in particular with it.

      • by Rob Riggs ( 6418 )
        They won't ignore it, necessarily. But they may charge more to people they cannot (read: "choose not to") track. Just look at every major grocery chain in the U.S. and their loyalty cards: this can of Chicken Noodle Soup costs $1.00, or $0.67 for those with a loyalty card.
    • O RLY? (Score:5, Informative)

      by DragonWriter ( 970822 ) on Monday January 24, 2011 @01:49PM (#34983468)

      Advertisers and tracking services will fight this to the bitter end.

      Google, as well as other major online ad and tracking services, already support [blogspot.com] "Do Not Track" mechanisms with similar functionality.

      • Plus an alternative is already being proposed for a federal rule or regulation: http://www.ftc.gov/opa/2010/12/dnttestimony.shtm [ftc.gov]

        I like their way better which would work along the lines of the central "do not call" registry. I register in one place and advertisers must wash their lists against these users. With an http header, I think the burden is higher to implement b/c you have to integrate it into your webstack. With a registry, you can keep all the data, but must wash it before you use it give it to t

    • by Safety Cap ( 253500 ) on Monday January 24, 2011 @03:07PM (#34984620) Homepage Journal
      Your post advocates a

      (x) technical ( ) legislative ( ) market-based ( ) crowd-sourced

      approach to preventing users from being tracked. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which will vary from state to state and country to country)

      (x) It does not provide an adequate method of enforcement
      ( ) Nobody will spend eight months sitting in dull planning meetings to do it
      ( ) No one will be able to find the guy
      (x) It is defenseless against rogue websites
      (x) It tries to stop a fundamentally broken cookie model
      (x) Users of the web will not put up with it
      ( ) The government will not put up with it
      (x) Advertisers will not put up with it
      ( ) Requires too much cooperation from unwilling sources
      (x) Requires immediate total cooperation from everybody at once
      ( ) Many advertisers cannot afford to lose what little business they have left
      ( ) Anyone could anonymously destroy anyone else's career or business
      ( ) Users are too stupid to know they're being tracked anyway

      Specifically, your plan fails to account for

      (x) Browsers' unwillingness to change to suit something that will be circumvented in days
      ( ) The existence of programmers for hire
      (x) The W3C
      ( ) Sources' proven unwillingness to "go direct"
      ( ) The difficulty of changing all those websites
      ( ) How few people actually care
      (x) The vast majority of "programmers" are unable to even code in semantically-correct HTML
      ( ) Unpopularity of weird new headers
      (x) Unstoppable moneyed Kung-Fu
      ( ) Legal liability of vigilante sites
      ( ) The training required to be even a craptaculous web monkey
      (x) Users hate pop-ups
      ( ) The necessity of ignoring laws from other countries
      (x) Americans' huge distrust of anyone not from their country/state/city/block
      ( ) Reluctance of governments and corporations to be held to account by two guys with a blog
      ( ) Inability of random people on the internets to demand anything
      ( ) How easy it is for corporations to manipulate unemployed sweaty shut-ins
      ( ) Rupert Murdoch
      ( ) Pron
      ( ) Hulu
      (x) Technically illiterate politicians
      ( ) The tragedy of the commons
      (x) Craigslist

      and the following philosophical objections may also apply:

      ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to visit Drudge, Slashdot and Democracy Now without seeing those Cash for Gold ads
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      ( ) Countermeasures should not involve sabotage of public networks
      ( ) Countermeasures must work if phased in gradually
      ( ) Sending email should be free
      ( ) Why should we have to trust you and your servers?
      ( ) Incompatibility with open source or open source licenses
      ( ) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      ( ) I don't want the government reading my email
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      ( ) Sorry dude, but I don’t think it would work.
      (x) This is a stupid idea, and you’re a stupid person for suggesting it.
      ( ) Maybe you should actually visit reality every fortnight or so
    • Advertisers and tracking services will fight this to the bitter end.

      I doubt that.

      This would paint a target on the heads (so to speak) of the people they most want to track! Everyone else is already submitting to their intrusive behavior. The people most likely to fall for this scheme are likely using other methods to hide their identities.

      Seriously! This is like putting up no trespassing signs. If someone really wants to trespass, they will.

      The best bet is to take the advice of Darryl Zero [wikipedia.org] and lie about everything.

  • WAT? (Score:5, Funny)

    by Anonymous Coward on Monday January 24, 2011 @01:30PM (#34983148)
    "Mozilla's Firefox, a popular browser company"
  • by wiredlogic ( 135348 ) on Monday January 24, 2011 @01:30PM (#34983152)

    What would be the point. It isn't enforceable and even if laws were passed, you can circumvent it by tracking from an offshore server.

    • What would be the point. It isn't enforceable and even if laws were passed, you can circumvent it by tracking from an offshore server.

      Sure. As long as you don't want to do business in the US.

      • by TheEyes ( 1686556 ) on Monday January 24, 2011 @02:12PM (#34983806)

        What would be the point. It isn't enforceable and even if laws were passed, you can circumvent it by tracking from an offshore server.

        Sure. As long as you don't want to do business in the US.

        People still do business in the US?

  • Right... (Score:2, Insightful)

    by Pojut ( 1027544 )

    ...because the do not call list totally works.

    All kidding aside, I'm sure something like this would work for a little while, but just like the do not call list, advertisers will find some way around it. By the way...advertisers? When you call me or spam me via email, I make sure to AVOID your products...and I'm confidant I'm not the only one.

    • Re: (Score:3, Funny)

      by Pojut ( 1027544 )

      Confident, even!

    • by Phrogman ( 80473 )

      You are not the only one. When I get saturated with advertising for a product - I remember the product, and avoid buying it afterwards. So they achieve their goal of having me remember their product, but they also piss me off so much I won't ever be a customer.

      Advertising is just Capitalist propaganda.

      • Unfortunately, while you're not alone, you're still a statistical anomaly. Bad exposure is still exposure. Statistics show that it is way better to piss off a few who abhor aggressive advertisement anyway in favour of many people remembering your product. So long as you don't do anything distinctly alienating to your target group, you're golden if they first think of your product before any other product when considering buying that kind of product.

    • Re:Right... (Score:4, Interesting)

      by Belial6 ( 794905 ) on Monday January 24, 2011 @02:36PM (#34984178)
      While the 'Do Not Call List' has not been 100% effective, it had turned the tide dramatically. The number of telemarketing calls I get went from 2-3 every day before the list was implemented to 2-3 per month after. That's not bad. Of course, that is not counting the political spam that got a free pass on the 'Do Not Call List'.

      As much as people here on Slashdot like to complain that this flag would do no good, and point to the 'evil bit' proposal as a joke, they seem to forget the robots.txt that seems to have been pretty darn effective. Specifically telling sites that you do not agree to be tracked sets a non-legal boundary to start a discussion. Illegal is not the same as evil. It is perfectly acceptable to avoid businesses because of evil behavior. Right now, you can't really get a consensus on tracking being evil. Most people would be able to agree that tracking someone when they explicitly requested not to be tracked is evil. While being directly and demonstrably linked to a specific evil act might not matter to the small website, bigger sites might find it less appealing. If, and this is a big 'if', ad revenue drops more from bad publicity for tracking than it does from using non-tracking advertising, larger sites might choose to use the non-tracking version.

      There seems to be a weird myth on the internet that one must track to advertise, even though TV, magazines, billboards, etc, etc... have been advertising for generations without tracking. Somehow, even people that should know better have fallen for the "it's totally different because it's ON A COMPUTER" when it comes to ads.
    • by harks ( 534599 )
      I've never gotten a telemarketer call in the years I've been on the list.
    • by EdIII ( 1114411 )

      The DNC totally works. The question is why does it work.

      Speaking from experience here, the last time I checked a single infraction of the DNC cost $50,000. You have to be able to show you checked that number you called against the DNC within the last 30 days, although I think it has recently been squeezed down to 2 weeks.

      First thing you may be thinking is.... "Oh but they will just move all of the calls to an offshore call center". They already did this a long time ago. It is much cheaper to operate a call

  • Good idea (Score:5, Interesting)

    by Anrego ( 830717 ) * on Monday January 24, 2011 @01:30PM (#34983158)

    The problem is that sites would be justified (imo) to then not offer you service based on this.

    “We support this site with ad revenue. Tracking is part of that. No Tracking, no service”.

    This is fine really. People aren’t entitled to web content. In many cases your privacy is what you are trading for it, and you should be made aware of this and have the option to decline. This kind of header (and possibly others like it) would let you specify in what you are ok with, and let a site then decide whether it’s enough to grant you access.

    The problem is that people don’t like this... they want the privacy _and_ the content.. so people would probably just go back to using ad-blockers and cookie deleters as soon as they start getting rejected access messages.

    Of course the opposite could happen as well. Web traffic could plummet as everyone enables the feature.. causing a site owner to re-think whether web tracking makes sense for them.

    Personally I don’t mind being tracked. Somewhere out there, someone has a very detailed profile of what makes me tick.. and really it’s not doing me much harm that I can see. I read an article about raising my new pet dog and every other ad I see for the next 2 weeks is about obedience training.. creepy but doesn’t hurt me. This is a personal decision however, and I think people do have the right to be paranoid about their data and should have the option to opt out.

    • Re: (Score:3, Interesting)

      by eepok ( 545733 )

      This was my initial response. Ad revenue is what makes the internet free (beer and speech). The site producers can pay little/no out of pocket expense to pay for hosting due to ad revenue and since they're not requiring SPECIFIC sponsorship, they do not have to follow the whims of their sponsors with their content.

      I want my privacy but fully understand the value of advertising for the internet I love. So, I allow tracking... until I turn off my browser... when all my cookies and temp files are wiped. That's

    • Good points. A lot of the "online tracking" that people seem to get so wound up about is simply allowing advertisers to target interested people with their advertisements more directly. If I spend a lot of time researching and reading about guitars (something I did recently), and I end up seeing lots of ads related to music - lessons, instrument sales, instrument service, sheet music... I really don't see a problem with that.

      There are a handful of sites that I would pay a subscription fee of a few bucks a

      • by Hatta ( 162192 )

        A lot of the "online tracking" that people seem to get so wound up about is simply allowing advertisers to target interested people with their advertisements more directly.

        Yes, it allows the advertisers to lie more effectively so they can bilk you out of more of your money than they could otherwise.

        If I spend a lot of time researching and reading about guitars (something I did recently), and I end up seeing lots of ads related to music - lessons, instrument sales, instrument service, sheet music... I really

    • by Jahava ( 946858 )

      The problem is that sites would be justified (imo) to then not offer you service based on this.

      “We support this site with ad revenue. Tracking is part of that. No Tracking, no service”.

      This is fine really. People aren’t entitled to web content. In many cases your privacy is what you are trading for it, and you should be made aware of this and have the option to decline. This kind of header (and possibly others like it) would let you specify in what you are ok with, and let a site then decide whether it’s enough to grant you access.

      The problem is that people don’t like this... they want the privacy _and_ the content.. so people would probably just go back to using ad-blockers and cookie deleters as soon as they start getting rejected access messages.

      Not necessarily. By adding support for the header, an opportunity is created to write into law that advertisers (and content providers) must not track requests with this header present. Failure to do so can be penalized similarly to the "do not call" registry, with fines and/or jailtime. However, people who avoid advertisements via ad-blocking software will not be beneficiaries of such a law, and, accordingly, will never have a legally-binding guarantee that they aren't being tracked.

      Like you said, advertis

      • Identifiable tracking and displaying adverts on a web page are different things, I have no problem with ads being displayed on a website so long as they aren't popups/unders, I don't even mind too much the idea of any one site keeping a record of what interests me within the site. For example, I don't have a problem with Slashdot knowing I tend to read stories which have been tagged YRO, Politics and to a lesser degree Gaming and using that information to tailor adverts from the ad networks.

        It's the trac
    • I don't agree with you. In fact, I think we should have legislation that explicitly forbids arbitrary collecting and tracking of private information.

      We're on a dangerous path if we allow anything as long as it's voluntary. Don't like to be tracked? Just don't visit the site! But what happens when more and more sites come with privacy policies that you don't agree with? You might not be able to avoid them all. Chances are you're required to have a Facebook or Google account to keep your job, and suddenly i
  • RFC 3514 (Score:5, Funny)

    by barko192 ( 959698 ) on Monday January 24, 2011 @01:33PM (#34983214)
    Basic idea seems the same, right? http://www.faqs.org/rfcs/rfc3514.html [faqs.org]
    • I don't even have to click the link- That is exactly what I was thinking. In fact it makes trackers' jobs easier. Even if the user refused all cookies and flash cookies etc, a browser is almost uniquely identifiable by all the other stuff it sends with each request: plugin versions, browser ID strings, ip, every thing you don't allow to be sent, and now this. Every element you add to this vector increases an intelligent company's ability to track you whether you like it or not.

    • no no no, it's almost, but not quite, entirely unlike the EVIL-bit. The Do-Not-Track header is set by the client, so it would be more like a PLEASE-DO-NOT-ATTACK-bit in every message to a possible attacker.

  • Pointless (Score:5, Insightful)

    by Angst Badger ( 8636 ) on Monday January 24, 2011 @01:34PM (#34983226)

    All this will do is provide another data point for marketers.

    • by Pojut ( 1027544 ) on Monday January 24, 2011 @01:38PM (#34983284) Homepage

      I can hear the board meeting now.

      "Well sir, our numbers indicate forty-six million people out there are using the "do not track" header...we think that's a great base to start our 'Tired of Being Targeted?' ad campaign..."

    • by Jonner ( 189691 )

      How could something that creates a point be pointless?

  • Great idea! (Score:5, Interesting)

    by Locke2005 ( 849178 ) on Monday January 24, 2011 @01:35PM (#34983240)
    This will obviously be just as effective as the IP header evil bit proposed in RFC 3514 [ietf.org]!
  • by Culture20 ( 968837 ) on Monday January 24, 2011 @01:35PM (#34983248)
    The "don't tase me bro" kid got tased anyway.
  • "Mozilla's Firefox" (Score:4, Informative)

    by supersloshy ( 1273442 ) on Monday January 24, 2011 @01:36PM (#34983264)

    Mozilla's Firefox, a popular browser company

    ...Do I even need to say what is so wrong with this?

    Eh, I will anyways:

    • Mozilla is a non-profit organization (though they do have a subsidiary named Mozilla Corporation, the profits from that go directly to Mozilla Foundation)
    • Firefox is a browser, not a browser company; they're thinking of Mozilla Corp/Foundation

    Given how popular Google and Wikipedia are these days, mess-ups like this should have completely vanished by now.

  • by Civil_Disobedient ( 261825 ) on Monday January 24, 2011 @01:43PM (#34983366)

    They've already developed a "DO NOT TRACK" bit, but you might have missed it because it's labeled different: it's called "DO NOT VISIT."

    Why do people get so fundamentally stupid about the web in particular? If, for example, every store you visit tracked your comings & goings and your purchase history, would you still scream bloody murder? NO, because they all already do this and nobody seems to give a rat's ass. But on the Big, Scary Internet the rules are somehow all different.

    • Re:Already exists. (Score:4, Insightful)

      by Mr. Slippery ( 47854 ) <tms&infamous,net> on Monday January 24, 2011 @01:55PM (#34983568) Homepage

      If, for example, every store you visit tracked your comings & goings and your purchase history, would you still scream bloody murder? NO, because they all already do this and nobody seems to give a rat's ass.

      Pardon? I would indeed be upset if every store I visited tracked my comings and goings and purchase history, especially if they coordinated with other stores to build a profile in order to figure out how best to manipulate my purchasing preferences. That's why I usually pay cash, and never use one of those "please spy on me" (a.k.a. "customer loyalty") cards at any chain store.

      There are a handful of independent businesses that I frequent where I know the owners or employees and they know me and my preferences -- great, that's a symmetric and respectful relationship. Doubleclick sneaking cookies on to my browser so they can sell my habits to the highest bidder, is not.

    • by Zangief ( 461457 )

      Because advertising is annoying.

      Believe me, if I could wear magical glasses that adblocked ads in real life, I fucking would.

    • by Jonner ( 189691 )

      If someone at Wal*Mart headquarters knew every time I entered or exited a Wal*Mart anywhere in the world regardless of whether I bought anything and how I paid for it, that would freak me out. They do not have the technology and/or manpower to do that. Even if they have centralized access to all security camera footage from every store in the world (which is extremely unlikely), software cannot easily tell when the same person appears on different cameras.

      Though a retail store or chain can certainly track m

  • Already exists? (Score:4, Informative)

    by mukund ( 163654 ) on Monday January 24, 2011 @01:44PM (#34983396) Homepage

    Using Firefox + Adblock Plus + NoScript:

    No. Time Source Destination Protocol Info
              27 3.918190 10.4.12.92 216.34.181.48 HTTP GET /story/11/01/24/1657252/Mozilla-Proposes-Do-Not-Track-HTTP-Header HTTP/1.1

    Frame 27 (582 bytes on wire, 582 bytes captured)
    Linux cooked capture
    Internet Protocol, Src: 10.4.12.92 (10.4.12.92), Dst: 216.34.181.48 (216.34.181.48)
    Transmission Control Protocol, Src Port: 34619 (34619), Dst Port: http (80), Seq: 1, Ack: 1, Len: 514
    Hypertext Transfer Protocol
            GET /story/11/01/24/1657252/Mozilla-Proposes-Do-Not-Track-HTTP-Header HTTP/1.1\r\n
            Host: tech.slashdot.org\r\n
            User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Fedora Firefox/3.6.12\r\n
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
            Accept-Language: en-us,en;q=0.5\r\n
            Accept-Encoding: gzip,deflate\r\n
            Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
            Keep-Alive: 115\r\n
            X-Do-Not-Track: 1\r\n
            Referer: http://slashdot.org/\r\n
            Connection: keep-alive\r\n
            Cache-Control: max-age=0\r\n
            \r\n

    Oh and Slashdot, how the heck am I supposed to post on your system when I'm behind my ISP's NAT and someone else has already beat me to it?

    • Oh and Slashdot, how the heck am I supposed to post on your system when I'm behind my ISP's NAT and someone else has already beat me to it?

      Look for an ISP that gives you a real IP address?
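
The capture posted above shows the opt-out travelling as one more request header, which changes nothing unless the receiving server chooses to act on it. As an added example (not part of the thread, and not Mozilla's or Slashdot's code), the following parses a request rebuilt from that capture and applies a hypothetical server policy; the `vid` cookie, the function names, and accepting the shorter `DNT` header name alongside `X-Do-Not-Track` are assumptions.

```python
# Constructed sample: request bytes rebuilt from the headers in the capture above.
CAPTURED_REQUEST = (
    b"GET /story/11/01/24/1657252/Mozilla-Proposes-Do-Not-Track-HTTP-Header HTTP/1.1\r\n"
    b"Host: tech.slashdot.org\r\n"
    b"Accept-Encoding: gzip,deflate\r\n"
    b"Keep-Alive: 115\r\n"
    b"X-Do-Not-Track: 1\r\n"
    b"Referer: http://slashdot.org/\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Header names treated as the opt-out: the one in the capture, plus "DNT",
# the shorter name browsers later sent (assumption: the server accepts both).
OPT_OUT_HEADERS = ("x-do-not-track", "dnt")


def parse_headers(raw: bytes) -> dict:
    """Return request headers keyed by lowercase name (names are case-insensitive)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue                           # ignore malformed lines
        headers[name.strip().lower()] = value.strip()
    return headers


def opted_out(headers: dict) -> bool:
    """True only for an explicit "1"; an absent header or any other value is not an opt-out."""
    return any(headers.get(name) == "1" for name in OPT_OUT_HEADERS)


def response_headers(headers: dict, visitor_id: str) -> list:
    """Hypothetical server policy: issue no visitor-ID cookie when the client opted out."""
    out = [("Content-Type", "text/html; charset=utf-8")]
    if not opted_out(headers):
        out.append(("Set-Cookie", f"vid={visitor_id}; Max-Age=31536000; HttpOnly"))
    return out


if __name__ == "__main__":
    hdrs = parse_headers(CAPTURED_REQUEST)
    print("opted out:", opted_out(hdrs))
    print(response_headers(hdrs, "constructed-id-123"))
```

The client has no way to observe whether a check like `opted_out` runs on the server at all; the only visible difference is the absence of the cookie in the response.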

  • Spammer: "How shall we ever continue our illegal data-mining now that people can ask us nicely not to abuse their privacy?

    Our evil plan is foiled!"

  • Seriously? (Score:2, Insightful)

    by mounthood ( 993037 )
    This seems like a bad joke - the "Evil bit" but for http headers. It must be a political move, trying to set the boundary for debate.

    If this is serious it's a terrible idea: it'll be on by default for everything so it's not a compromise (and could therefore be done with laws banning the tracking); all older software that doesn't send this header would be fair game; sites will simply refuse content unless you turn it off (see AdBlock).
  • If airlines can charge a passenger for luggage to fly with them for your vacation, how long before websites or browsers sell you this as a service or charge it as a fee to use their service?

    I detest that everywhere I turn there is some sort of Advertising shoved down my throat. And as a citizen of the US, I would like to see the citizens stand up for our civil rights a bit more and tell the corporations and the government to back the heck off. It reminds me of the movie Wall-E. As you see Wall-E traverse

    • by Reziac ( 43301 ) *

      I think this huge expansion of the ad industry is inversely proportional to other industry that produces actual goods for sale -- we've lost so much of that to the 3rd world, there's nothing left to sell but *potential future sales*.

  • Size matters (Score:2, Insightful)

    by Anonymous Coward

    It doesn't have to be 100% effective. The biggest trackers are Google and Facebook. They are large companies that need to comply with the law and with standards.

    Obviously something like this is useless if even Facebook ignores it but otherwise it would be quite a handy supplement to my array of NoScript/Adblock+/Ghostery. Sure, many smaller, less reputable companies will ignore it but when it comes to tracking, size matters.

  • If you don't want anyone to know your IP address, just stick 0.0.0.0 into the IP "source" field. Just as realistic, and far more effective than spamming your details then politely asking people to forget them.
  • by The MAZZTer ( 911996 ) <(megazzt) (at) (gmail.com)> on Monday January 24, 2011 @02:00PM (#34983640) Homepage

    With a penalty behind it (a la Do Not Call) it could work, otherwise it's about as effective as the TCP packet evil bit.

    Personally I would encourage people to proactively block advertisers using existing tools such as AdBlock and NoScript. That way you don't have to trust the advertisers not to track you.

    • Re: Penalty ... You know they violated the Do Not Call list when you get a spam call.

      But when and how are you going to find out that they tracked you anyway? And who is going to check their databases, verify that you actually didn't want to be tracked at the time they received that HTTP header, and then hold them accountable?

      Penalty or no penalty, it'll work as well as the spam crawlers honoring the /robots.txt file ... anyone remember that one?

  • by guanxi ( 216397 ) on Monday January 24, 2011 @02:14PM (#34983844)

    This is a great idea. Other posters are right that website operators won't be technically forced to respect the Do Not Track request, but this is a political solution, not a technical solution, and politics is how this needs to be resolved.

    Currently, users have no voice. They can't tell websites not to track them except by cumbersome means such as sending emails to the operators. Even then, it's only one email from one user. Website operators can assume that there's no desire for privacy -- in fact it's something they publicly argue.

    But clicking the DNT checkbox is much easier. Now the websites are confronted with millions of users, maybe hundreds of millions, requesting 'Do Not Track me'. Ignoring their reasonable requests would be bad for business, for reputation, and most importantly, for politics. If the websites don't comply with a reasonable request from a large number of their constituents, legislators will pass laws to force them. If most websites do comply, then the few who don't will be the odd ones out and face even greater risks to their business.

    Just as importantly, DNT raises awareness. I know of few typical end users who are aware of tracking or understand its importance and implications. DNT will at least make them aware that tracking is an issue and that it's important enough that somebody with authority someplace thought they should be able to opt out of it.

    (I don't think there's a technical solution to tracking. The value of tracking the (1 billion?) people on the web is great enough that any security measure will be overcome.)

  • by MobyDisk ( 75490 ) on Monday January 24, 2011 @02:14PM (#34983852) Homepage

    I would like to restore the privacy options we already had, that have been eroded:
    - Stop browsers from accepting 3rd-party cookies by default (I'm looking at YOU Firefox!)
    - Clear cookies daily. This used to be a Firefox option, now unavailable. If logging in once a day is too often, you misunderstand the concept of "password"
    - Any plug-ins need to follow these same rules. Ex: Flash "cookies"

  • X-No-Archive, despite the X, is the admitted standard on Usenet to opt out of post archive. But nowadays, I won't bet two cents on such a "standard" gaining consensus.

  • by northstarlarry ( 587987 ) on Monday January 24, 2011 @02:21PM (#34983964)
    Like Microsoft last month, and other browser makers soon to follow, Mozilla is only doing this so that the FTC doesn't force them to [google.com]. The FTC proposed this and essentially said to everyone "Do this on your own or we'll write a spec for it and you won't like it."
  • This is a passive measure which relies on the second party for compliance, much like robots.txt. You can put as many denials as you want in there, but the "bad bots" will ignore it, if they even request it at all. The data miners will do the same, it would be in their interest to ignore this header.

    Personally, I'll keep adding lines to my hosts file.

  • The thing is, They Know we don't want to be tracked, tagged, folded, spindled, and mutilated. Just like telemarketers know you don't want their call, junk mailers know you don't want their paper stuffing your box etc etc. They just don't give a rat's ass because they're psychopathic corporations. If they thought they could get away with it they would roast your child on a spit for a nickel and Wall Street would reward them handsomely when they pointed out that the supply of children was nearly inexhaustible

  • I assume Insurance companies would LOVE a "do not track" header. they just start tracking who uses it, and increase their rates!
  • Google has an opt-out in ad preferences that is based on HTTP cookies. Unfortunately they are easily deletable by accident. This HTTP header doesn't have this problem.

  • I have heard much more stupid suggestions on how to improve privacy. One suggestion in the past was that websites had to offer users a way to opt out of having cookies stored on their computer. The reason that is much more stupid is that there is no other way to store information about the user opting out than by doing it through a cookie.

    You could still implement it, but it wouldn't do the user any good. Once they decide to opt out, the webserver could tell the browser to delete all cookies, and they co
  • Regarding all the "WON'T WORK" statements, can someone explain why this isn't already provided by the excellent Ghostery extension? For example: It's running now, set up to run without notifications and block all known bugs. To me, it's mostly invisible. Hovering on a status bar icon tells me that it's blocked Slashdot's use of Google Analytics and Doubleclick scripts.

    I appreciate the effort by Mozilla to drumbeat this issue (ahem [drumbeat.org]) but I'm not sure I get it.
