Tracking
Tracking can only be solved through laws, not technical solutions.
We need to put more pressure on our lawmakers to prohibit the tracking of consumers online, with large fines or prison time as sanctions.
When Firefox 135 is released in February, it'll ship with one less feature: Mozilla plans to remove the Do Not Track toggle from its Privacy and Security settings. The DNT toggle is already gone in the nightly developer release of Firefox 135, and Mozilla recently updated its Firefox support page for the privacy feature to …
Which part of "purely voluntary, optional and not to be taken seriously" did you miss?... Why would anyone prevent absentminded/terminally impatient users just accepting the complete tracking package, just because at some point they bothered setting a purely decorative feature?
Poor DNT was doomed from the start, being voluntary it is as efficient as a "Please do not break in" on your house.
That might explain the prevalence of coffee in the US, due to Hershey's product which tastes of something that was almost, but not quite, entirely unlike chocolate.
If you have enjoyed the experience of this Hershey bar, why not share it with your friends - Because I want to keep them!
Not once you have used them to carry tea.
Most seriously not once you have used them to contain strong, tasty tea.
Which brings up a thinky, *can* chocolate be made strong enough to withstand hot tea? Without melting?
In short, are chocolate tea-pots even possible?
Not tea-pot shaped chocolate bars but actual, useful functional tea-pots made from chocolate instead of glass?
Materials technology is wonderful but is that beyond even our 21st Century powers?
"This is why the EU was so effective with its "opt-in" approach."
I don't share your confidence.
Do you REALLY believe that Google, Meta and the rest aren't paying mere lip service to EU regs? I work in regulation, and I know for a fact that the big companies operate to the most liberal interpretation possible by a biased reader (and then some) of the law. I could offer you a perfect example of this behaviour by US big tech, but my state employers agreed to settle without disclosure, and it would be both unprofessional and unwise for me to breach that.
Anybody in the EU, or anywhere else who thinks that Big Tech (not just US) isn't hoovering up their data needs to take a course in critical thinking, I'm afraid.
Laws, like, say, the GDPR (UK GDFPR for us Brits), which say that data controllers require permission, and which setting do not track clearly signals to the website that we do not grant permission for the data dragnet to be used and clearly fall within the GDPR meaning for withholding consent??
This is a poor move by Mozilla and I'm hoping an addon quickly adds it back in.
"Laws, like, say, the GDPR (UK GDFPR for us brits)"
UK GDFPR? What the heck is that?
Since Brexit the UK switched from the (EU) GDPR to the UK GDPR which is 99.999999999% the same as the (EU) GDPR (the changes basically just being to remove any mentions of the EU): https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/the-uk-gdpr/
Except that GDPR isn't really being enforced very much and DNT did not count as rejection of tracking. It didn't count as acceptance either, but it was sufficiently vague for sites to ignore it and use their other methods of collecting consent which are less automatic, less likely to get people to deny consent, and more random and thus difficult to plan for. Some of them might also not be GDPR compliant after all, but since nobody is enforcing, it mostly doesn't matter.
The problem with DNT is that it didn't do anything to protect users. It did come with two downsides. The small one: one more bit in a fingerprint. The large one: convincing users that this was actually helping their privacy when it did nothing at all.
Please post all your browsing history for the past week. Clearly, you must be fine with us looking through that because what harm could that do? Oh, and by posting it, you also give consent for me to sell that, along with any other data I can glean, to the highest bidder. Then the second-highest bidder. In fact, all the bidders that bid over the price I decide.
>to sell that, along with any other data I can glean,
I'm shocked that you would do that with others' personal data. Shocked I say.
No, you strip the most sensitive bits out before selling it. Then, once you've established your customer base, you can add it back as part of your more expensive "premium" package. That's how to really treat personal data.
> "Why does it matter whether companies track consumers?"
If you use a web browser, whether for work or personal, you are the product not a consumer.
The level of information that can be legitimately extracted from a web browser by a website is broadly equivalent to having someone looking over your shoulder and videoing everything you are doing…
Now ask does that matter?
Tracking can only be solved through laws, not technical solutions
Sounds great, but how do you prove a company is tracking you and therefore breaking that law? Apple has set up a lot of things like for example Apple Pay where the protocol does not make it possible for them to track what you are buying. But that doesn't stop some Apple haters from claiming "they're doing it anyway, they control the OS so they can track everything you do" which is theoretically true - any protections offered by zero knowledge protocols, encryption, etc. can be undone by simply building the tracking into the GUI where the user is interacting with the device.
So short of raiding every company that's in a position to potentially track consumers to check their source code and see, or see if they are not tracking themselves but buying information from a shady third party (the government likes to use that workaround since it follows current law) how do you propose to enforce this law?
Technical solutions could help to make tracking harder. Perhaps Firefox needs to implement more anti tracking measures, we have random IP addresses for phones, perhaps we need to start to randomise the information browsers return to websites that allow websites to uniquely identify a system and user.
We really shouldn't expect this to come as a shock.
A noble idea and concept, but with the major data aggregators unlikely to think it's a good idea, why would you choose to do something optional if it impacts the bottom line?
As StrangerHereMyself has eloquently stated, there needs to be a legal framework to set the governance rules that must be adhered to before we see any improvement or change.
That header could make it harder for web sites to claim they had my informed consent when I tell them with every request that I do not consent to tracking so it could be used in court when laws like GDPR are in effect. As the feature is already implemented I don't see why it can't stay in place while we try to get the powers that be to change the law so web sites have to respect that setting. What is accomplished by removing that feature?
Removing a single bit of information that can be used to fingerprint my browser is very close to doing nothing, there is a ton of other information for fingerprinting.
The issue is that GDPR laws aren't enforced.
That has always been the problem with privacy laws. All it needs is for Facebook to pay a multi-billion fine once or twice, and the problem will be solved.
It'll also leave Ireland with a nice sovereign wealth fund.
"That header could make it harder for web sites to claim they had my informed consent when I tell them with every request that I do not consent to tracking so it could be used in court when laws like GDPR are in effect."
There are two problems with this. To have an effect, you would actually need to get the company concerned into a court, which mostly doesn't happen even though GDPR exists. Even if you do, DNT is generally not considered sufficient evidence of your lack of consent because it is one bit which is automatically sent. Most users who are sending it don't know that they are, which is the reason the sites that ignore it provide when called upon to explain why they ignore it (evidently saying "we make more money that way" was considered too honest). That is sufficient evidence for a site to collect your "informed consent" some other way, and having done so, they will use that evidence in court and explain that it should outweigh a switch that applies to all sites and is turned on by default, or at least was at the time. Judges will probably accept that because, when you do give informed consent to one site, you probably don't alter your settings to omit the DNT header when visiting that site. A judge would and should test whether their proof of your consent is valid, but DNT is not going to work as evidence.
> That is sufficient evidence for a site to collect your "informed consent" some other way
The important word is "informed" - how would they produce evidence of *informed* consent? e.g. some "Privacy Policy", buried away behind a link in a small font, which stated that by continuing to use their website you gave consent would not show *informed* consent.
They will come up with their own way that they claim is informed and test that in court if you challenge them. They may lose on that basis. If they do, it will be irrelevant to whether you had DNT on or not. Having it wouldn't help prove that the consent was not informed, but pointing out that they had hidden terms would.
Not only that, there needs to be the ability to apply cease and desist orders with meaningful sanctions if the culprits ignore a setting the user has enabled or collect data that is against the framework that is in place.
That has to be absolutely huge fines based on % of revenue that increase on a daily basis at the point the order is served. No get out for appeals or anything. Everything these outfits do relies on the fact they have deeper pockets than anyone else and it is simply a war of attrition where currently they cannot lose.
I don't want you to follow me.
Stop following me, I said I don't want you to follow me.
I said don't follow me !
Stop following me !
Where's the police when you need them ?
. . .
Okay, fantasy aside, this DNT "feature" was thought up in the last days of an Internet that was thought to still abide by moral behavior.
Unfortunately, everyone saw the writing on the wall from the start, and here we are now. You cannot ask corporations to behave nicely. You go in with the law as a reason and a vicious cluebat (aka penalties) as "encouragement".
But of course, then you have lobbyists crying that you are stifling "innovation".
And Capitalism rolls on . . .
Often, the tracking is done by a third party, and not by the website itself. And those websites are full of third party scripts. Very few major websites are devoid of third party scripts. Let me give you an example: one local news website that I visit has 14 third party scripts, as identified by NoScript. Another one has 18 third party scripts. Many websites now will not work unless you enable certain third party scripts. That is a major problem. It is my opinion that a website should never require javascript to work and also should never require any third party scripts to work.
It is my opinion that a website should never require javascript to work and also should never require any third party scripts to work.
I very much agree. Without javascript some fancy features might not work, but basic viewing, form filling, etc, do not need javascript.
I will accept that a small number of web pages need javascript, eg estate agents that let you "walk" through a house.
Actually, often they simply do not work at all. Disable Javascript and your IP is blackbanned as a robot. Just a static, generic, page. Now - I just need to get ALL IP addresses and get them on the robots list.
I could perhaps go through the page and enable scripts, site-by-site, but that is too much effort for the small amount of info i get from the page in question. It is just muscle memory that occasionally takes me there.
Actually, they probably don't, they just don't give a tinker's cuss about the user of the web site they develop, for three reasons: [1] they (the developers) are Gods who can't be challenged; [2] they're getting paid by their client (the web site owner) not the users; [3] they're utterly ignorant of what they're creating at the code level coz they use fancy dev tools and open libraries that they just take for granted. An informed guy I spoke to recently told me that web development is now mostly in the hands of graphic designers, not technically informed folks.
It’s sad, but not surprising, that people can’t be trusted to act in a morally upstanding manner. I’m sure that, individually, these people are lovely - but when dealing with strangers, bits and bytes, they seem to forget that the bits and bytes that they are monetising are real life sentient beings. The dream of the internet is turning into a bit of a nightmare. Turn it off. We’re done (well, except for El Reg. That can stay. And Stack Overflow. Er. I quite like Wikipedia too… And some others…)
Seriously though, this is an engineering problem. Do not track isn’t a flag - it’s a whole stack of defences in the war for privacy. It’s faked MAC addresses. It’s obfuscated font lists. It’s invented email. It’s denying websites the ability to query the computer. It’s regularly deleted cookies. Sometimes it’s user decisions too - lies about your birthday. We can’t stop tracking from happening - but we can make it difficult to do.
I can only assume Mozilla wasn't aware, but they should be if they deal in privacy.
Why not send both headers, i.e. "DNT: 1" and "Sec-GPC: 1", instead of removing DNT?
Saying "We don't have industry consensus over DNT but we do over GPC" is absurd, it's just a damn header. All that had to happen was the industry recognising DNT instead of messing round with header names and coming up with yet more reasons for delay.
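What recognising both headers could look like on the receiving side, as an added example that is not part of any comment here and not any site's actual code: a WSGI middleware that treats `DNT: 1` or `Sec-GPC: 1` as the same opt-out. The cookie names, the `privacy.opt_out` key and `tracker.example` are constructed for the illustration.

```python
# Constructed names: TRACKING_COOKIES, "privacy.opt_out", tracker.example.
TRACKING_COOKIES = {"_track_id", "_ad_profile"}

def opted_out(environ):
    """True when the request carries DNT: 1 or Sec-GPC: 1."""
    # WSGI exposes request headers as HTTP_<NAME>, upper-cased, "-" -> "_".
    dnt = environ.get("HTTP_DNT", "").strip()
    gpc = environ.get("HTTP_SEC_GPC", "").strip()
    return dnt == "1" or gpc == "1"

class HonorOptOut:
    """WSGI middleware: flag the request and drop tracking cookies on opt-out."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        flag = environ["privacy.opt_out"] = opted_out(environ)

        def filtered(status, headers, exc_info=None):
            if flag:
                headers = [(k, v) for k, v in headers
                           if not (k.lower() == "set-cookie" and
                                   v.split("=", 1)[0].strip() in TRACKING_COOKIES)]
            # The body differs per signal, so shared caches must key on both.
            headers = headers + [("Vary", "DNT, Sec-GPC")]
            return start_response(status, headers, exc_info)

        return self.app(environ, filtered)

def demo_app(environ, start_response):
    """Constructed application that normally loads a third-party tracker."""
    body = b"<p>article</p>"
    if not environ["privacy.opt_out"]:
        body += b'<script src="https://tracker.example/t.js"></script>'
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Set-Cookie", "session=abc; HttpOnly"),
                              ("Set-Cookie", "_track_id=xyz; Max-Age=31536000")])
    return [body]

def run(request_headers):
    """Send one constructed request through the stack; return (headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    for name, value in request_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["headers"] = headers
    body = b"".join(HonorOptOut(demo_app)(environ, start_response))
    return seen["headers"], body
```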
Dan,
This is most interesting that this is legally recognised in Germany.
Do you have any links to legal acts or similar that reference this? I'd be keen to research and read anything available.
Also I'm not being a pedant either, I'm just a geek for this sort of thing!
Court Prohibits Linkedin's Data Privacy Infringements - "The Berlin District Court upheld vzbv’s [consumer organisation] view that the company’s [LinkedIn] statement was misleading, as it suggested that use of the DNT signal was legally irrelevant and that the company was under no obligation to observe it. This is, in fact, not the case. According to the General Data Protection Regulation (GDPR), the right to object to the processing of personal data can also be expressed using an automated procedure. A DNT signal represents a valid objection."
Is Recognising Do Not Track (DNT) Signals Required Under the GDPR?
The organization that wrote this post is multinational. You don't have sufficient evidence to decide that the choice was made by Americans, especially as mangled or invented words are common in nearly every country. The EU, for instance, is so famous for doing exactly that kind of thing that they had to write a paper telling people that "lannification" is not a word among other examples of misuse. Not that Americans can't mangle with the best of them. Don't expect that you can find a country that is immune to this; if it's yours, your countrymen will happily prove you wrong.
Operate isn't the right word in the sentence though:
"As a result of the lack of consensus on how companies should operate the DNT preference"
That sounds like they don't know how to set or read the header. I suggest "respond to", which gives us:
"As a result of the lack of consensus on how companies should respond to the DNT preference, most sites do not respond to DNT as a consumer’s choice not to be tracked."
As a result of the lack of consensus on how companies should operationalize the DNT preference
What a load of manager-speak twaddle. "Operationalize"? That's a word? Well here's the thing, since some people seem to have difficulty understanding: DNT means user doesn't want to be tracked.
This does NOT mean the user is happy to be tracked unless they go to a special dialogue, turn off the cookies, find where the "Legitimate Interest" cons are hidden and turns off all hundred and eighty seven of them...
...it means DON'T FUCKING TRACK.
Of course, the irony is that activating DNT makes you stand out from the crowd, making it easier to track you.
https://coveryourtracks.eff.org/
> How is this used in your fingerprint?
> Browsers which set the DNT header to ‘1’ are fairly rare, and this can be an identifying metric. However, this should be left as the default for your browser.
While it's certainly possible I'd be dubious in reality. Firstly just how much use is a single bit in practice?
More importantly it is playing with fire: it could easily be spun as an aggravating factor in a case where GDPR violations have already been identified. That could be enough to push a compo bill from a token sum to exemplary damages that really would make the mega corps wince.
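The "how much use is a single bit" question, worked through as an added example that is not part of any comment above: the identifying value of a header depends on how rare the observed value is, and on whether the other attributes had already singled the visitor out. The 16-visitor sample is constructed, so the figures illustrate the calculation and are not real browser shares.

```python
import math
from collections import Counter

UA, TZ, DNT = 0, 1, 2  # field positions in each visitor record

# Constructed sample: (browser family, timezone, DNT header or None if absent).
VISITORS = (
    [("Chrome", "UTC+0", None)] * 6
    + [("Chrome", "UTC+1", None)] * 4
    + [("Firefox", "UTC+0", None)] * 3
    + [("Firefox", "UTC+1", None)] * 1
    + [("Firefox", "UTC+0", "1")] * 1
    + [("Chrome", "UTC+0", "1")] * 1
)


def surprisal_bits(visitors, field, value):
    """Bits of identifying information revealed by observing `value`."""
    share = sum(1 for v in visitors if v[field] == value) / len(visitors)
    return -math.log2(share)


def entropy_bits(visitors, field):
    """Average bits the field contributes across the whole population."""
    n = len(visitors)
    counts = Counter(v[field] for v in visitors)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def anonymity_set(visitors, target, fields):
    """How many visitors look identical to `target` on the given fields."""
    return sum(1 for v in visitors if all(v[f] == target[f] for f in fields))


def report(target):
    """Compare the crowd a visitor hides in with and without the DNT field."""
    return {
        "dnt_bits": surprisal_bits(VISITORS, DNT, target[DNT]),
        "set_without_dnt": anonymity_set(VISITORS, target, (UA, TZ)),
        "set_with_dnt": anonymity_set(VISITORS, target, (UA, TZ, DNT)),
    }


if __name__ == "__main__":
    print("average bits from DNT:", round(entropy_bits(VISITORS, DNT), 3))
    print("sends DNT: 1 ->", report(("Firefox", "UTC+0", "1")))
    print("sends nothing ->", report(("Chrome", "UTC+0", None)))
```

In this sample the header averages about half a bit across everyone, but the visitor who sends it gives up three bits and drops from a crowd of four to a crowd of one.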
... I have tracking protection set to "Strict". And there appears to be no limit to the number of websites that put up a nag box to the effect that strict tracking restrictions will interfere with the operation of their site.
Actually, it's not the DNT flag that causes them grief as much as it's the cross-site cookie blocking and other f---wittery that Firefox blocks. But, the more that they scream, the happier I am.