Do Not Track is not respected on mozilla.org

140 pointsby therealunrealalmost 12 years ago

16 comments

clarkevansalmost 12 years ago

Mozilla uses Google Analytics Premium Service ($150k/year) which includes a contractual option to prevent secondary use of the visitor data. Therefore, they see it as legally in the spirit of Do-Not-Track -- Google is a contractor collecting the visitation data solely for the pleasure of Mozilla.<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=858839#c21" rel="nofollow">https://bugzilla.mozilla.org/show_bug.cgi?id=858839#c21</a> <a href="https://groups.google.com/forum/?hl=en&fromgroups=#!search/mozilla$20governance$20google$20analytics/mozilla.governance/9IQvIubDOXU/0tWVVlrUJ" rel="nofollow">https://groups.google.com/forum/?hl=en&fromgroups=#!search/m...</a>From the latter thread, Stacy Martin at Mozilla represents "Google Analytics will not correlate or report on any customer data with any other data, they will use Mozilla data only to provide and maintain the service for Mozilla, and they will not share or use it for any other purpose."EDIT: The contractual arrangement is relevant. Section 9.3 item 2 of the IETF do-not-track draft draws has an exception for this very situation, "data obtained by a third party exclusively on behalf of and for the use of a first party".<a href="http://tools.ietf.org/html/draft-mayer-do-not-track-00#section-9.3" rel="nofollow">http://tools.ietf.org/html/draft-mayer-do-not-track-00#secti...</a>

评论 #6133131 未加载

评论 #6133173 未加载

评论 #6133676 未加载

Metatronalmost 12 years ago

Do Not Track is silly.For example: You come on to my site, I want to know how you're using it, I don't want your personal details, I just want to see how you're interacting with the site I've made for you. Why do I want to know? Well it depends on the purpose of the site, but for the most part it is so that I can optimise and improve what my site offers to you and others.But you've politely requested that I don't track you. For starters this should only ever be a polite request, not a forced rejection of any tracking scripts. I have a right to track how people use my site. You have a right to privacy, but that's got bugger all to do with you coming on to my site, once you've made that choice you are within my domain, under my roof, living by my rules. Until you leave of course.Some sites may respect that request, but they're the kind of site who have no need to track behaviour anyhow, and are likely not tracking to begin with. kind of makes the request moot.People get way too offended by analytics tracking when it's there for their benefit. The internet would be one ugly place if webmasters and designers had no clue how people were interacting with it. If you want to go back to the dark ages then feel free to try. But you won't benefit from the advances we've made or are yet to make because of large scale, anonymous tracking across the web.I've no respect for Do Not Track. It is a silly, backwards, progress-endangering concept that should be burnt on a pyre.Think of a scenario where a site is maliciously tracking you, where a forced browser level request could to not track be sent, and maybe we'll talk. But then again I'll probably just retort that any malicious tracking will have a way around such a forced request, and so it's pointless.Do Not Track is snake oil for the conscientious objector.

评论 #6132886 未加载

评论 #6132909 未加载

评论 #6132905 未加载

评论 #6133200 未加载

评论 #6134391 未加载

评论 #6135312 未加载

jeremysmythalmost 12 years ago

There's a large effective difference between "do not track" as it is outlined in the bug, and how many people see it (see, for example, comment 16 in the report, and then comment 25)Specifically, it's to do with third party cookies, not any particular site.If I visit someone's website, I'm usually perfectly happy for them to record my visit and my actions. If, on the other hand, I visit their website and some invisible actor (say, an advertiser) also tracks me, then it becomes insidious, especially if that other invisible actor is active on multiple sites.This gets a bit blurred when you've got large vendors with multiple presences. For example, years ago when you logged into Hotmail, you'd be briefly redirected via passport.com (then live.com), and then directed back to Hotmail. Similarly, going to Microsoft's web page, or MSN's, or Technet, or any other site in the Microsoft stable, would redirect via the same site. This gave them single-sign-on, but also allowed them to "track" your activity across the entire network. That behaviour is used by many other large organisations such as Google.However, it's also made its way into other large sites like Facebook and Twitter, because sites like that have "social media buttons" appearning on sites that aren't served by those sites but are served by Facebook and Twitter, so becoming third-party objects, and doing the same sort of pervasive insidious tracking across multiple domains and web properties.The thing is, Google Analytics (as mentioned in the article) is such a pervasive ubiquitous invisible actor, but it's damn useful, so lots of people want to use it. The problem is that it's a third party object, and it's of massive benefit to Google too, not just the site owner.So, where "do not track" fails is in distinguishing between "tracking" that's acceptable to many people, and "tracking" that's somewhat more invisible and pervasive. Switching it all off is harmful to the internet, but until it's sold correctly, it won't be acceptable otherwise.

评论 #6133078 未加载

评论 #6133198 未加载

评论 #6134023 未加载

supermattalmost 12 years ago

"Do not track" in its present (non-)state is a farce. It should be implemented at the browser level.My ideas on DNT:If a user specifies "do not track" in their browser-global or site-specific settings then ALL requests to third party domains should simply be blocked.This could be backed up by a site-provided manifest (potentially containing a comment for each ones justification, or a flag to say if its required or optional) to 'whitelist' 3rd party domains that they require it. There should be a browser feature to view this whitelist and 'uncheck' any sites you disagree with.In fact, IMHO, thats the way modern browsers should work anyway - it would certainly solve a huge number of other issues (XSS, etc).

评论 #6133254 未加载

评论 #6134734 未加载

评论 #6135713 未加载

评论 #6133346 未加载

strictfpalmost 12 years ago

It's another case of bad naming. The feature should be called something less absolute like "do not track me across websites" or "track me less".

znowialmost 12 years ago

I'm with the bug author on this: "do not track" should mean do not track. And it explicitly mentions analytics on the DNT site.Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms<a href="http://donottrack.us/" rel="nofollow">http://donottrack.us/</a>However, Wikipedia says that the exact definition of what constitutes tracking is not yet clear.The Do Not Track (DNT) header is the proposed HTTP header field DNT that requests that a web application disable either its tracking or cross-site user tracking (the ambiguity remains unresolved) of an individual user.<a href="https://en.wikipedia.org/wiki/Do_Not_Track" rel="nofollow">https://en.wikipedia.org/wiki/Do_Not_Track</a>

3825almost 12 years ago

This is an interesting topic. Should I deliver different experiences depending on DNT header?

评论 #6132975 未加载

评论 #6132954 未加载

nlyalmost 12 years ago

Instead of the useless EU cookie legislation, we should have had legislation that enshrined explicit privacy preferences in to data protection law.When I signup to a website I'm expected to agree to their Privacy Policy. Both site owner and visitor expect that policy, provided that it's legal, to be somewhat enforceable in court. When I'm just visiting, why is there no such equivalent?The problem with DNT isn't that it can be ignored, it's that it can be ignored without penalty. People who think purely technical solutions (including Ghostery, NoScript, Adblock etc.) are the answer are ignoring the reality of how easy it is to fingerprint and track users on the web.

Boldewynalmost 12 years ago

The discussion is good and also a great example for Mozilla caring (especially that it is discussed in the open for all to see).

teejaalmost 12 years ago

That discussion is full of the usual run-arounds.The man scored a major point, and Mozilla has chosen to run away from it. The DNT flag, so far, looks just like the worthless piece of promotional fluff and 3-card Monte it is. ESPECIALLY if Mozilla chooses to run away from it.We're going to need laws to protect us from the continual government AND corporate riot of people-tracking. The People don't like it, and once they get done with NSA in Congress, they might as well get busy on making tracking OPT-IN. Including cookies, browser finger-printing, stashing stuff in browser cache (disk AND memory), and the hundreds of other ways these geniuses have evolved to invade the social communication space to promote their bottom line. We badly need to have this discussion as a nation. Because its starting to run over our boot-tops.Tracking could be limited to dot-coms. Then let the People decide whether to keep dot-coms in their bookmarks, or leave the rats to go down with their ship of fools.

lnanek2almost 12 years ago

So maybe the text in the UI jut needs to be changed to be more accurate. Instead of "Do Not Track", something along the lines of "Request No Tracking Across Sites" or "Request No Cross-Site Tracking". This clarifies that it isn't the browser stopping tracking, it is the browser asking the sites not to, which they may or may not implement. It also clarifies that what is being requested not to happen is using the same identifier across sites and between different parties.On an unrelated note, I'm really impressed with the Persona login on that site. When I first saw it I thought, oh no, not another username and password. Why can't they just use social login where I already have accounts? But all I had to enter was my gmail address, approve the usage, and I was done. No extra username and password even though I've never used Persona before. No need to confirm an email. It worked out really well.

teamjimmyyalmost 12 years ago

I don't get it. Why is this different from inspecting your web logs? Sure you lose the first-party cookie aspect, but I bet you can get awful close just looking at the request IPs. There's "tracking" inherent in how everything works, so why does it matter if collection is contracted to a 3rd Party?Does the poster expect the web server to not write a log line because he sent a DNT header too?

评论 #6136168 未加载

评论 #6136172 未加载

Radlealmost 12 years ago

Thanks for the link i just installed a "do not track plugin". Fuck GooglePlugin: (<a href="https://addons.mozilla.org/en-us/firefox/addon/donottrackplus/" rel="nofollow">https://addons.mozilla.org/en-us/firefox/addon/donottrackplu...</a>)

diminotenalmost 12 years ago

I genuinely don't understand all the hatred out there for advert companies tracking user purchase trends. Can someone explain to me why I should care about this?

评论 #6135457 未加载

lucb1ealmost 12 years ago

The very fact that the website must support DNT is its only and fatal flaw. Why should we trust websites to honor DNT when we keep sharing information with them?

评论 #6133688 未加载

meapixalmost 12 years ago

I don't think they can do this though. They can however disable javascript.