Do Not Track header implementations Considered Harmful
The Do Not Track HTTP header is a mechanism that, whenever you visit a website, kindly asks a web server to not track you. It is supposed to become a universal opt-out mechanism that works on all advertising networks to increase your online privacy. This should replace the current practice where you need to set a separate opt-out cookie for every network.
It is currently implemented by three Firefox add-ons: a ‘dedicated’ add-on, NoScript and AdBlock Plus. Sounds great? There are some problems with these add-ons:
- Implementations currently do nothing against tracking. As the description of the ‘dedicated’ add-on clearly warns, no advertising network currently supports the mechanism, so they track you anyway. So it is purely for demonstration. An add-on that adds extra HTTP headers to outgoing requests isn’t even an impressive demonstration. However, NoScript and AdBlock Plus are not distributed for demonstration purposes. It would make more sense for them to wait until the mechanism is actually useful.
- Opt-out makes consumers a little easier to track. Since the Panopticlick experiment of the Electronic Frontier Foundation (EFF), Firefox has been working to reduce the fingerprint of HTTP requests. Ironically, creating new HTTP request headers for opting-out makes you in practice a little easier to track. It has to be said that nowadays your fingerprint is very detailed anyway, but it seems counter-productive to roll out implementations while the previous problem still exists.
- Tracking is not defined. A missing definition of tracking is quite a problem if you tell web servers to not track you. The project itself gives no definition, but has a server configuration page that describes how you can exclude consumers who opted-out from being added to the access log. That is, besides being difficult from a security perspective, an extremely stringent definition of tracking. It is naive to assume that the industry will agree with this definition. In general, the industry will probably not agree on any definition, certainly not on an international scale. If all companies are allowed to use their own definition, then the opt-out behaves differently for each company and it is thus no longer universal, which was the purpose of the project. This raises the question why we are rolling out technology that has yet to be defined.
- Opt-out for behavioural advertising is useless. On a technical level, the add-ons send two HTTP headers: X-Do-Not-Track and X-Behavioral-Ad-Opt-Out. If you are not tracked, it is quite impossible to receive behavioural advertisements, and if you opt-out of behavioural advertisements, then why do you still want to be tracked? There is no reason at all to define two separate headers as they will always be used together. The implementations seem to be aware of this and do not provide an option to only send one of the two. The existence of two headers seems to be a technical ‘solution’ to partially address the philosophical problem of the definition of tracking.
- Opt-out by default is no opt-out. If you install the ‘dedicated’ add-on, then you know that you are opting-out. If you use AdBlock Plus, then it depends on your filter subscriptions what companies receive the header, so you opt-out by choosing a particular subscription that probably states in the description that you are opting-out. However, NoScript has got the brilliant idea that they know their end-users and can decide on their behalf that they want to opt-out without telling them or allowing them to decide otherwise. (The possibility to opt-out of opting-out is hidden in about:config.) So NoScript tries to change the opt-out model into an opt-in model: this undermines the purpose.
- Opt-out will not be supported voluntarily. When people started blocking advertisements, most web sites didn’t start blocking these people. This has been used as an argument that people using this new opt-out mechanism will not be blocked either. However, that doesn’t mean it will work. When advertisements were blocked, not much happened, and this made it a success. If now nothing happens either, it will make the opt-out a failure. So will they voluntarily support opt-out? According to the Federal Trade Commission (FTC), the industry has failed to regulate itself to protect consumers. Why would that suddenly change? The fact that NoScript users are practically forced to opt-out without knowing so, will certainly not help the industry to respect the opt-out.
- Opt-out is not required by law. The FTC wants to use legislation to force support for the mechanism. That is probably the way to go to make it work. However, then the technology needs to serve the law, not the other way around. Distributing implementations now doesn’t seem practical, since the current implementations may be incompatible with the law that is not written yet. You cannot demand or expect the law to be modelled after your implementation.
- The law might not be effectively enforced. If the law is approved, then this technology is finally getting somewhere. However, the law will need to be effectively enforced. Despite several lawsuits filed by the FTC, the Safe Harbor principles that are supposed to provide privacy protection to European data stored in American clouds are in practice a complete failure. So hopefully the enforcement will be better in this case.
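The fingerprinting point in the list above can be measured the way Panopticlick does, as bits of identifying information. The following is an added example, not code from the add-ons or the Do Not Track project: the header names are the ones the add-ons send, while the header value "1", the browser strings and the visitor population are constructed assumptions.

```python
import math
from collections import Counter

# Header names are from the article; the value "1" and all sample data are assumptions.
OPT_OUT_HEADERS = {"x-do-not-track", "x-behavioral-ad-opt-out"}


def signature(headers, include_opt_out=True):
    """Normalise a request's headers into the tuple a fingerprinter would compare."""
    return tuple(sorted(
        (name.lower(), value)
        for name, value in headers.items()
        if include_opt_out or name.lower() not in OPT_OUT_HEADERS
    ))


def anonymity_set(population, target, include_opt_out=True):
    """Number of visitors whose headers are indistinguishable from the target's."""
    counts = Counter(signature(h, include_opt_out) for h in population)
    return counts[signature(target, include_opt_out)]


def surprisal_bits(population, target, include_opt_out=True):
    """Identifying information in bits: -log2(share of visitors with this signature)."""
    share = anonymity_set(population, target, include_opt_out) / len(population)
    return -math.log2(share)


def build_population():
    """Constructed sample: 1024 visitors, 4 browser/language combinations of 256 each.
    Only 8 visitors, all in one combination, send the two opt-out headers."""
    population = []
    for agent in ("BrowserA/1.0", "BrowserB/1.0"):
        for language in ("en", "nl"):
            for i in range(256):
                headers = {"User-Agent": agent, "Accept-Language": language}
                if agent == "BrowserA/1.0" and language == "en" and i < 8:
                    headers["X-Do-Not-Track"] = "1"
                    headers["X-Behavioral-Ad-Opt-Out"] = "1"
                population.append(headers)
    return population


if __name__ == "__main__":
    visitors = build_population()
    me = visitors[0]  # a visitor who sends both opt-out headers
    for flag in (False, True):
        print(flag, anonymity_set(visitors, me, flag), surprisal_bits(visitors, me, flag))
```

In this constructed population the opt-out headers shrink the sender's anonymity set from 256 visitors to 8, which is five extra bits of fingerprint, and the effect shrinks as more visitors send the headers.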
The Do Not Track header would certainly be a good mechanism to protect privacy after it is incorporated into a law that is enforced. But until then, civil liberties organisations like EFF will need to lobby for that. The universal opt-out problem is currently an issue for these lobbyists, not for programmers and certainly not for end-users (unless they want to help lobbying).