back to article W3C announces web-tracking privacy protection group

The World Wide Web Consortium (W3C) has announced the creation of a Tracking Protection Working Group to address online privacy concerns, but the task of getting all the players to agree on what standards should be adopted could yet be a sticking point. It said the group had ambitious plans to publish standards as early as mid …


This topic is closed for new posts.
  1. Stewart Atkins

    What's wrong with DNT? 8 bytes on each http request is probably as efficient as you're going to get

    1. Jani-Matti Hätinen
      Big Brother

      "What's wrong with DNT? 8 bytes on each http request is probably as efficient as you're going to get"

      Technically probably nothing at least on the protocol level. I would assume that the big question is what should fall under the DNT umbrella. Is it ok to include DNT users in your site-wide web analytics stats, or should it just apply to the massively cross-domain tracking methods that advertising networks, Facebook and Google use?

      Then of course there's the question where to draw the line on hosted web analytics solutions such as pretty much all of the reasonably priced ones. Technically they can be used to track users across massive amounts of domains, but as far as the site owner is concerned they're simply used to analyse traffic within the site.

      In my case I would (as I do now thanks to adblock) opt-in to web analytics tools because they're generally used to my benefit (as well as the site owner's of course) by improving the sites I visit. But on the other hand I'd opt-out of the massively spread tracking methods such as the Facebook "Like" buttons that you see everywhere, because that kind of tracking is absolutely useless to me (since I'm not a Facebook shareholder) and frankly more than worrying in terms of my privacy.

      So if DNT is just a check box, should it work like my current setup, should it block all cross-site tracking methods or should it simply block all tracking including any server-side statistics that have a unique ID? And if you provide options in the DNT configuration what should those options be?

    2. Oninoshiko

      The problem isn't

      the 8 bits. The problem is it doesn't DO anything. So you send 8 bits which say "don't track me" and the Russian mafia giggles a litte and tracks you anyway. If you can't trust the other end enough to let them track you, why do you think you can trust them to NOT track you?

      A better way would be to sandbox everything the browser does and delete that file(s) every hour.

      1. Jani-Matti Hätinen

        I think the point of DNT as well as the W3C working group would be to establish what's considered to be ok among law-abiding service provides. Kinda like the EU legislation on data retention, which effectively caps the maximum cookie expiration to 2 years. So assuming that the working group gets something concrete hatched out, there's no question that EU directives and such will follow.

        Doesn't help much with malicious service providers, but then again what does?

        As for Opera and Google not backing the current version, they both sit on an insane pile of traffic log data and the technologies to gather more of it (Opera through Opera Turbo mainly on mobile devices and Google through well, everything I suppose) and they probably won't support any version of the spec which would classify their logs under the DNT protection.

  2. Chronos


    Here's the deal, Big Business [TM]. You get caught using tracking cookies, DOM storage, flash or any other form of "supercookie" against users' wishes three times and we'll boot you off the web, take away your legal recourse and right to appeal and make you sit there and fester until we decide you can come back, which will probably be a fortnight after never.

    You can't possibly object since that what you want to do to users who cross your own self-defined lines of "common decency." What's sauce for the goose...

    No, didn't think so. So pack it in. If you don't want measures like this, don't make them necessary. The next step is legislation which you won't be able to bitch and moan your way around, barring the odd "bought" representative.

  3. Robert Carnegie Silver badge

    It occurs to me that an "individual" person may use more than one computer.

    ...and may wish to express different preferences about tracking to many different services.

    And what about when an individual uses a workplace computer? I suppose that the employer's preferences apply - but what about permitted personal use?

    Well, the employer may want to track that themselves. For instance, if a female employee is looking at web pages about pregnancy, but hasn't said anything to you...

  4. ScissorHands

    It's so strange, Opera going their own way...

    1. Patrick O'Reilly

      Not the only ones.

      So Opera didn't like DNT, Mozilla didn't like WebSQL so went off and made that horrible IndexedDB.

    2. Ilgaz

      Opera follows w3c, always

      Opera either invents a new standard and submits it (for real) to w3c and seriously follow or if w3c came up with a good standard that can be used right away, implement it.

      There has never been or never be a "Opera compatible" page, just make it w3c standards compliant as much as possible. That is the part webmasters never understood.

  5. Martin 47

    Still no (optional) stinking title.

    The thing that always puzzles me about the DNT request thingy is that the web sites that are likely to comply with it are probably the ones that I don't mind tracking me, the ones that ignore the requests are the ones I really do object to.

    Or have I got the wrong end of the stick (again)

  6. Camilla Smythe

    P3P Failed.. This will as well

    Those with a vested interest will set it up to fail or work from the inside to make it fail then after it has failed then they will ignore any parts of the failure that are implemented by applying their own interpretation in order to render it worthless.

    Waves to Brooks Dobbs of Phorm, previously of DoubleClick who took part in the discussion regarding P3P. Perhaps I did not read some of the dialog between those concerned correctly but my impression was it went something like...

    "Let's do this."

    "Won't Work."

    "What if."

    "Won't Work."

    "But if."

    "Won't Work."

    "Won't Work."

    "Pardon, I hadn't said anything."

    "You seem to be getting the picture. Don't care and won't work."

    "Won't Work."

    "Adspend breaks £4 billion milestone, UK internet advertising grows 12.8% to break the £4 billion milestone."

    Economy in recession? Advertise shit harder.

    Let me express that in fulltext... £4,000,000,000




    Dear Mr Politician,

    I am slightly concerned about the rampant invasion of privacy being practised on the interwebs by advertising and other companies.





    A Voter




    Dear Mr A Voter


    In case you did not realise I was not interested in your opinion about anything anyway would the above figure clarify why I do not give a toss about your opinion on this matter?

    I assume you do not have your invite to "IAB Party on Down 2011".

    Sucks to be you.


    A Politician

  7. Anonymous Coward
    Anonymous Coward

    They probably don't back it because ...

    ... They know its ultimately a hiding to nothing.

  8. Harry

    Re "What's wrong with DNT?"

    There's nothing wrong with DNT but its not enough on its own.

    Firstly, recognising and obeying DNT is not a legal requirement -- so to a spyware company intending to steal your personal data, its about the equivalent of putting a sign on your front door "please do not burgle here".

    There's never going to be a total international acceptance of any privacy legislation, even if the more enlightened countries can be persuaded to adopt some. And those countries that are most likely to adopt any privacy legislation will write it with the primary intention of allowing companies to *invade* privacy rather than to ensure it. Just like they already did with the "you can spam" act.

    So when DNT becomes widespread, will the worst sites unnecessarily redirect you to a "you have DNT so you can't come in" page -- just like some of them already do if you try to visit with javascript disabled?

    Next, DNT is either on or off. OK, that's a start -- but that's a bit like saying everybody must choose whether or not to have sex. If they choose NO, then they can have sex with nobody whatsoever. If they choose yes, they must be willing have sex with everybody else who wants it. I'm guessing, but most people could not comfortably choose either of those two options.

    Equally, there's a difference between tracking for the efficient operation of the site and tracking to obtain saleable data. I don't mind if a site knows I've visited the site before or even what pages I've seen there, but it absolutely should *not* be possible for some other site to know that I've been there, or to any other site for that matter.

    Clearly, there's an argument for something in between. At the very least, a middle ground version of DNT that says "OK, but keep it totally confidential" when visiting the first party site, but gives an "absolutely not" when accessing third party sites whose content has been embedded in the page.

    My feeling though is that an enhanced DNT isn't going to work -- if only because the worst of the data thieves would simply ignore it. So it is more important to work on technical standards that would require the browser not to deliver information in a form that allows third party tracking.

    For example -- I visit and it uses some API from google. If google requests my cookie, then it should get one, but it should not be the same cookie that it gets when I visit google direct, so it should not be able to track me through any google log in. Then if I subsequently visit and that also uses some API from google, google should get yet another cookie that prevents it knowing that I've visited So, separate cookies for each third party site depending on where it is being visited from.

    That's a bit simplistic and there are other spyware problems (eg Etag) that need to be similarly defeated. If there is no better way, then separately cache google's images for every site you visit it from.

    Whatever is needed, the solution which would work best is the one which is controlled within the browser. It simply doesn't give trackable data to the third party site -- and it would be best for most people if that is what happened by default unless they choose to allow otherwise.

    Maybe there's a part to be played by my ISP, which could be required to falsify my IP address in packets passed to third party sites. Or maybe all traffic, if there's no easy way to identify third party traffic.

    But ... and here's where the W3C as a standards body could sensibly step in to the picture ... the standards should stipulate that users and their browsers are entitled to inhibit tracking and should require all sites to continue to work with proper third party anonymity (as well as with flash, javascript and similar all disabled in situations where there is no absolute functional need for them).

  9. Anonymous Coward
    Anonymous Coward


    Do not track is a waste as it relies on webmasters to be honest. A more important thing that I've been trying to push through is a header that will turn on private browsing. The idea is to protect abuse victims if they go to a charity website or support group. For business it could also stop information leakage in the browsers cache, eg. Intranet trade secrets or healthcare information. The project is hosted at

  10. Anonymous Coward
    Anonymous Coward

    @ "Nothing wrong"

    really? nothing wrong with a system where you have to explicitly opt-out of every single attempt?

    I suppose opting out of all those spam has worked for you too. Expect DNT as proposed to have the same effect.

This topic is closed for new posts.

Other stories you might like