[liberationtech] Do Not Track Dangerous and Ineffective

Wed Feb 13 10:57:57 PST 2013

Dear LibTech,
I've written a blog post about a problem with web privacy practice that's
been bothering me for a long time. I think there needs to be a discussion
about Do Not Track — there are many problems with this privacy standard and
some of its implications may in fact be substantially dangerous.

My blog post is accessible here: http://log.nadim.cc/?p=112

------------

"Do Not Track" Dangerous and Ineffective

In 2009, before I became seriously involved in web security, a standard
called Do Not Track was proposed, standardized by the W3C in 2011, and
implemented in Internet Explorer, followed by Mozilla Firefox and Google
Chrome.

Do Not Track is supposed to prevent websites from tracking your activity
online, probably for advertising purposes. It works by making your browser
politely ask every website you visit to not set tracking cookies and so on.

There are real, dangerous problems with this approach and I really cannot
believe it was ever taken seriously. Now that it’s implemented and
standardized so widely, it’s become a serious threat to how Internet
privacy is perceived.

The main problem with Do Not Track is that it lulls users into a completely
false sense of privacy. Do Not Track works by simply asking the websites
you’re visiting not to track you — the websites are completely free to
ignore this request, and in most cases it’s impossible for the user to find
out that their Do Not Track request was in fact discarded. When the user
therefore enables Do Not Track on their browser, they are lulled into a
false belief that they are no longer being tracked, even though from a
security perspective, the tracking prevention that Do Not Track presents is
useless.

In fact, Google’s search engine, as well as Microsoft’s (Bing), both ignore
the Do Not Track header even though both companies helped implement this
feature into their web browsers. Yahoo Search also ignored Do Not Track
requests. Some websites will politely inform you, however, of the fact that
your Do Not Track request has been ignored, and explain that this has been
done in order to preserve their advertising revenue. But not all websites,
by a long shot, do this.

Do Not Track is not only ineffective: it’s dangerous, both to the users it
lulls into a false belief of privacy, and towards the implementation of
proper privacy engineering practice. Privacy isn’t achieved by asking those
who have the power to violate your privacy to politely not do so — and thus
sacrifice advertising revenue — it’s achieved by implementing client-side
preventative measures. For browsers, these are available in examples such
as EFF’s HTTPS Everywhere, Abine’s DoNotTrackMe, AdBlock, and so on. Those
are proper measures from an engineering perspective, since they attempt to
guard your privacy whether the website you’re visiting likes it or not.

Do Not Track needs serious revision, replacement or simply removal. As it
is right now, its only discernible function is to promise users with little
to moderate computer knowledge (most of the world) that they’re browsing in
privacy, while in reality discouraging them from adopting real privacy
solutions that work. Web privacy and security engineers need to have a
discussion about this.

NK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130213/d7b148a4/attachment.html>