Do Not Track Ineffective and Dangerous, Says Researcher
Seeteufel writes "Nadim Kobeissi, security researcher, describes the Do Not Track standard of the W3C as dangerous. 'In fact, Google's search engine, as well as Microsoft's (Bing), both ignore the Do Not Track header even though both companies helped implement this feature into their web browsers. Yahoo Search also ignored Do Not Track requests. Some websites will politely inform you, however, of the fact that your Do Not Track request has been ignored, and explain that this has been done in order to preserve their advertising revenue. But not all websites, by a long shot, do this.' The revelations come as Congress and European legislators consider tightening privacy standards amid massive advertiser lobbying. 'Do not track' received strong support from the European Commission."
meanwhile... (Score:2, Interesting)
Many of us here have been saying DNT is a bad idea since it first appeared (and often, on slashdot, we've been downmodded for it). The right way to do this is NOT to depend on the good will of the remote side. Even if you passed laws that demand compliance, the data collection would just move out of the jurisdiction of those laws, and anyway, the companies involved will buy themselves exceptions and find creative loopholes. You can't win that way.
You CAN avoid giving them much data in the first place. You don't have to load their web bugs, their trackers, accept their cookies, or flash objects, and you can obscure your user agent string, and if you're really paranoid, even your IP address. Don't give them the data, and they can't track you with it, or at least, can't tie it to any real world identity.
And it goes without saying, don't use bloody Facebook.
"Good will" (Score:3, Interesting)
Anything that leaves your privacy to the "good will" of the companies is inefficient at protecting my privacy.
If I do want to protect it, I'll use tools like Ghostery and DNT+ where I can choose *myself* what info I send, and not rely on them honoring the DNT.
I know I will be flagged "flame" but honestly the DNT looks a lot like the "evil bit" to me.
It's not about whether the site honors it or not (Score:4, Interesting)
For me, I don't care whether the site honors that header or not. If they're going to abuse tracking, they're not likely to suddenly come over all ethical and change their servers to not track. What the DNT header does is give a standard, recognized signal present in every single browser request that I do not consent to tracking. It's like the fence with the locked gates and "Private Property - No Trespassing" signs around a property: it's not going to keep trespassers out, but it's a clear and, more importantly, legally-recognized demarcation. If they jump over the fence onto my land and get in trouble because of being there, the court's going to look at the fact the land was clearly posted and tell them "Sorry, we don't accept your claim that you didn't know it was private property." With the DNT header, no Web site can claim they didn't know I didn't consent to tracking. They can't claim implicit consent, because there's explicit non-consent in the very request they serviced. And this is why the advertisers are making such a play to get the DNT header dismissed and abandoned. Up to now they've taken the position of "You must consent as a condition of access; you accessed, so we can assume your consent." As long as there's no standard way of saying "I do not consent," they can get away with that. But with a standard DNT header they can't argue that it's infeasible to check every possible way of not consenting. There's just one, and it's not ambiguous. The counter-argument of "If they don't want to allow access to those who don't consent, why did they not simply return an HTTP error when they saw the DNT header?" becomes rather more convincing.
The secret the advertisers don't want to state up front is that they don't want to require consent to tracking. They just want to track everybody whether they consent or not. Anything that provides a clear, unambiguous message to them about consent or lack thereof is a threat to that position, because it makes it harder for them to argue a basis for their assuming consent.
And a message to every Web-site and ad-network operator out there: if you're serious, stop whining and configure your servers to return 403 Forbidden to every request with the DNT header set. It's not that hard.
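The two server-side responses discussed in the comment above, honoring DNT by serving without a tracking cookie, or refusing the request outright with 403 Forbidden, as an added example that is not part of the original thread or any of the commenters' code. It is a minimal WSGI application; the cookie name `uid`, the sample request text and the `policy` switch are constructed for illustration. The `Tk` response header values (`N` = not tracking, `T` = tracking) follow the W3C Tracking Preference Expression draft.

```python
"""Added example: treating the DNT request header as explicit non-consent
on the server side. Not code from the page's authors."""
from wsgiref.simple_server import make_server

# Constructed name for an illustrative tracking cookie (assumption).
TRACKING_COOKIE = "uid"

# "honor": serve without tracking; "refuse": answer 403 as the comment proposes.
POLICY = "honor"


def environ_from_request(raw: str) -> dict:
    """Build a minimal WSGI environ from a raw HTTP/1.1 request text.

    WSGI exposes request headers as HTTP_<NAME>, so 'DNT: 1' becomes
    environ['HTTP_DNT'] == '1'. Only the request line and headers are parsed.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        environ[key] = value.strip()
    return environ


def dnt_enabled(environ: dict) -> bool:
    """True only for the exact value 'DNT: 1'.

    '0' means the user opted in to tracking and absence means no preference
    was expressed; neither is treated as non-consent.
    """
    return environ.get("HTTP_DNT", "").strip() == "1"


def handle_request(environ: dict, policy: str = POLICY):
    """Decide the response for one request; returns (status, headers, body).

    With DNT: 1 and policy="honor" the page is served with no tracking cookie
    and 'Tk: N' announces that the request is not being tracked. With
    policy="refuse" the server replies 403 so the refusal is explicit rather
    than the header being silently ignored. Without DNT: 1 the illustrative
    tracking cookie is set and 'Tk: T' says so.
    """
    if dnt_enabled(environ):
        if policy == "refuse":
            return (
                "403 Forbidden",
                [("Content-Type", "text/plain"), ("Tk", "N")],
                b"Access requires consent to tracking; DNT: 1 was received.\n",
            )
        return (
            "200 OK",
            [("Content-Type", "text/plain"), ("Tk", "N")],
            b"Served without tracking.\n",
        )
    headers = [
        ("Content-Type", "text/plain"),
        ("Tk", "T"),
        ("Set-Cookie", f"{TRACKING_COOKIE}=example; Path=/; HttpOnly"),
    ]
    return ("200 OK", headers, b"Served with tracking cookie.\n")


def app(environ, start_response):
    """WSGI entry point wrapping handle_request with the module-level POLICY."""
    status, headers, body = handle_request(environ, policy=POLICY)
    start_response(status, headers)
    return [body]


# Constructed sample requests, one with the DNT preference and one without.
SAMPLE_DNT_REQUEST = "GET / HTTP/1.1\r\nHost: example.test\r\nDNT: 1\r\n\r\n"
SAMPLE_PLAIN_REQUEST = "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    with make_server("127.0.0.1", 8080, app) as httpd:
        httpd.serve_forever()
```

Run it and send a request with and without `DNT: 1` (for example with curl's `-H 'DNT: 1'`) to see the `Tk` header and the cookie behaviour change; flip `POLICY` to `"refuse"` to get the 403 behaviour the comment asks for.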