Firefox ditches Do Not Track because nobody was listening anyway
- Reference: 1733993352
- News link: https://www.theregister.co.uk/2024/12/12/firefox_do_not_track/
- Source link:
The DNT toggle is already gone in the nightly developer release of Firefox 135, and Mozilla recently updated its Firefox support page for the privacy feature to indicate it'll be gone for good once 135 is [1]generally available , which is planned for February 4, 2025.
As many have pointed out, however, and Mozilla reiterated, the optional nature of DNT means few websites actually honor the user's request not to track their activity.
[2]
"Many sites do not respect this indication of a person's privacy preferences, and, in some cases, it can reduce privacy," Mozilla said on the updated DNT support page. It directs users to instead make use of newer Global Privacy Control features also present in the browser.
[3]
[4]
We asked Mozilla if it had any data on how many sites actually respect DNT requests, but didn't immediately hear back.
Global Privacy Control, or GPC, came to the forefront of online privacy as a [5]replacement for DNT . The World Wide Web Consortium (W3C) never managed to get DNT made official thanks to industry lobbying that [6]stalled its development, leaving it a purely optional measure that no one had to actually pay attention to.
[7]
"As a result of the lack of consensus on how companies should operationalize the DNT preference, most sites do not respond to DNT as a consumer's choice not to be tracked," the Future of Privacy Forum [8]noted on a page about DNT.
[9]No way? Big Tech's 'lucrative surveillance' of everyone is terrible for privacy, freedom
[10]Who's watching you the closest online? Google, duh
[11]Thought you'd opted out of online tracking? Think again
[12]EFF urges Chrome users to get out of the Privacy Sandbox
As we reported in 2020 when GPC was put forward as a new technical standard by a group that included Mozilla, Brave, DuckDuckGo, the EFF and others, the legislative landscape has changed since DNT was introduced to make GPC's enforcement more practical. California's Consumer Privacy Act and the EU's General Data Protection Regulation both include requirements that companies respect an individual's desire not to have their data shared or sold, and while there's no national privacy law in the US, the need to conform with EU and California standards mean many companies go the cautious route by default.
That's not to say there's any guarantee that anyone will actually respect GPC, which on its face functions very similarly to DNT, with user preferences for both simply expressed as a binary option in an HTTP header or DOM property.
Additionally, while Firefox, Brave, DuckDuckGo, and other browsers include GPC toggles, neither Google Chrome nor Chromium-derived Microsoft Edge support the option, requiring the installation of a [13]supporting browser or extension to get the job done.
Those concerned with privacy may want to go a step further instead of relying again on companies that profit from tracking to respect their wishes, and install one of various browser extensions like Privacy Badger, uBlock Origin, or a VPN to add an additional layer of security. ®
Get our [14]Tech Resources
[1] https://whattrainisitnow.com/release/?version=135
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z1rCVgrroCZoV3csRxfWUgAAAII&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1rCVgrroCZoV3csRxfWUgAAAII&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z1rCVgrroCZoV3csRxfWUgAAAII&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://www.theregister.com/2020/10/10/global_privacy_control/
[6] https://www.theregister.com/2015/07/29/dnt_dead_in_the_water/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1rCVgrroCZoV3csRxfWUgAAAII&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://fpf.org/thank-you-for-visiting-allaboutdnt-com/
[9] https://www.theregister.com/2024/09/19/social_media_data_harvesting_handling_ftc/
[10] https://www.theregister.com/2024/09/24/google_online_tracker/
[11] https://www.theregister.com/2023/03/03/online_privacy_tracking/
[12] https://www.theregister.com/2023/09/30/eff_chrome_google_sandbox/
[13] https://globalprivacycontrol.org/
[14] https://whitepapers.theregister.com/
Re: Tracking
I agree, but since those lawmakers are largely funded by the businesses who want to slurp our data I'm not holding my breath for it to happen. The general internet users clearly have no appetite for boycotting these companies, which is the only way they would listen.
Re: Tracking
Another option would be the creation of a parallel internet where tracking isn't possible. I've proposed HORNET (high-speed onion routing network) in the past, but so far no internet provider has felt the need to implement it.
Re: Tracking
A combination would have been perfect, as an addendum to the current EU consent regulation: If DNT is set, you _cannot_ show a cookie banner, but most consider it as a "Reject all" click.
If it's optional why is anyone surprised?
We really shouldn't expect this to come as a shock.
A noble idea and concept, but with the major data aggregators unlikely to think it's a good idea, why would you choose to do something optional if it impacts the bottom line?
As StrangerHereMyself has eloquently stated, there needs to be a legal framework to set the governance rules that must be adhered to before we see any improvement or change.
Re: If it's optional why is anyone surprised?
That header could make it harder for web sites to claim they had my informed consent when i tell them with every request that i do not consent to tracking so it could be used in court when laws like GDPR are in effect. As the feature is already implemented i don't see why it can't stay in place while we try to get the powers that be to change the law so web sites have to respect that setting. What is accomplished by removing that feature?
Removing a single bit of information that can be used to fingerprint my browser is very close to doing nothing, there is a ton of other information for fingerprinting.
Re: If it's optional why is anyone surprised?
The issue is that GDPR laws aren't enforced.
That has always been the problem with privacy laws. All it needs is for Facebook to pay a multi-billion fine once or twice, and the problem will be solved.
It'll also leave Ireland with a nice sovereign wealth fund.
Re: If it's optional why is anyone surprised?
Not only that there needs to be the ability to apply cease and desist orders with meaningful sanctions if the culprits ignore a setting the user and enabled or collect data that is against the framework that is in place.
That has to be absolutely huge fines based on % of revenue that increase on a daily basis at the point the order is served. No get out for appeals or anything. Everything these outfits do relies on the fact they have deeper pockets than anyone else and it is simply a war of attrition where currently they cannot lose.
It was a foregone conclusion from the start
I don't want you to follow me.
Stop following me, I said I don't want you to follow me.
I said don't follow me !
Stop following me !
Where's the police when you need them ?
. . .
Okay, fanstasy aside, this DNT "feature" was thought up in the last days of an Internet that was thought to still abide by moral behavior.
Unfortunately, everyone saw the writing on the wall from the start, and here we are now. You cannot ask corporations to behave nicely. You go in with the law as a reason and a vicious cluebat (aka penalties) as "encouragement".
But of course, then you have lobbyists crying that you are stifling "innovation".
And Capitalism rolls on . . .
"nobody was listening anyway"...
And there's the problem.
If there's no law enforcing this it's basically meaningless...
As long as large corporations are making money off of selling your personal data they're not going to stop unless they are forced to do so.
It's a pity they didn't go further with it.
Don't ask the website if they'll honour not tracking the user. Just full on block the site from doing it.
In other words, just don't visit that web site.
It’s sad, but not surprising, that people can’t be trusted to act in a morally upstanding manner. I’m sure that, individually, these people are lovely - but when dealing with strangers, bits and bytes, they seem to forget that the bits and bytes that they are monetising are real life sentient being. The dream of the internet is turning into a bit of a nightmare. Turn it off. We’re done (well, except for El Reg. That can stay. And Stack Overflow. Er. I quite like Wikipedia too… And some others…)
Seriously though, this is an engineering problem. Do not track isn’t a flag - it’s a whole stack of defences in the war for privacy. It’s faked MAC addresses. It’s obfuscated font lists. It’s invented email. It’s denying websites the ability to query the computer. It’s regularly deleted cookies. Sometimes its user decisions too - lies about your birthday. We can’t stop tracking from happening - but we can make it difficult to do.
DNT is legally recognised in Germany
I can only assume Mozilla wasn't aware, but they should be if they deal in privacy.
Why not send both headers, i.e. "DNT: 1" and "Sec-GPC: 1", instead of removing DNT?
Saying "We don't have industry consensus over DNT but we do over GPC" is absurd, it's just a damn header. All that had to happen was the industry recognising DNT instead of messing round with header names and coming up with yet more reasons for delay.
Re: DNT is legally recognised in Germany
Dan,
This is most interesting that this is legally recognised in Germany.
Do you have any links to legal acts or similar that reference this? I'd be keen to research and read anything available.
Also I'm not being a pedant either, I'm just a geek for this sort of thing!
Re: DNT is legally recognised in Germany
For coverage in english see e.g. https://cybernews.com/tech/germany-court-bans-linkedin-from-ignoring-browser-do-not-track/ or https://gdprhub.eu/index.php?title=LG_Berlin_-_16_O_420/19
Re: DNT is legally recognised in Germany
[1]Court Prohibits Linkedin's Data Privacy Infringements - "The Berlin District Court upheld vzbv’s [consumer organisation] view that the company’s [LinkedIn] statement was misleading, as it suggested that use of the DNT signal was legally irrelevant and that the company was under no obligation to observe it. This is, in fact, not the case. According to the General Data Protection Regulation (GDPR), the right to object to the processing of personal data can also be expressed using an automated procedure. A DNT signal represents a valid objection."
[2]Is Recognising Do Not Track (DNT) Signals Required Under the GDPR?
[1] https://www.vzbv.de/en/court-prohibits-linkedins-data-privacy-infringements
[2] https://wideangle.co/blog/do-not-track-gdpr-opt-out
Re: DNT is legally recognised in Germany
Very interesting; I made a feature request on the bugtracker to bring back DNT quoting your comment:
https://bugzilla.mozilla.org/show_bug.cgi?id=1936761
Tracking
Tracking can only be solved through laws, not technical solutions.
We need to put more pressure on our lawmakers to prohibit the tracking of consumers online, with large fines or prison time as sanctions.