Apple Is Removing 'Do Not Track' from Safari(gizmodo.com)
gizmodo.com
Apple Is Removing 'Do Not Track' from Safari
https://gizmodo.com/apple-is-removing-do-not-track-from-safari-1832400768
55 comments
The contempt that tracking companies showed to this feature killed it. But it also provides the perfect ethical justification for me blocking trackers and their ads. You didn't listen to me when I politely asked you to respect my privacy, so now it's scorched earth.
That's how I feel. We warned them that they should either fix their ads or we would take more drastic steps. They did not listen.
I was literally just talking about this with a friend last weekend. We were discussing if blocking ads was in effect stealing content from the people trying to monetize their content by running the ads in the first place. I said "I wouldn't mind just seeing a generic ad on a page that was shown to me at random, but the bastards try to track everything you do to better target you."
Save you from reading the article
1) Nobody obeys it
2) It's actually being used as a heuristic to track users through fingerprinting
If (2) was a huge issue for them, wouldn't removing the UA header help tremendously as well?
(Sure, you'd know it was an apple device, but that's still less than currently. It's also less if other browsers followed suit.)
(Sure, you'd know it was an apple device, but that's still less than currently. It's also less if other browsers followed suit.)
The safari UA is fixed - there was a post or document at some point saying that it had basically become a tracking tool, so beyond the compatibility requirements it is no longer changing.
Similarly queryable font and plugin apis are fixed.
But DNT is simply a tracking metric - and was opposed by everyone with non-ad revenue (specifically it was offered up by the ad industry to avoid regulation).
Similarly queryable font and plugin apis are fixed.
But DNT is simply a tracking metric - and was opposed by everyone with non-ad revenue (specifically it was offered up by the ad industry to avoid regulation).
iOS user agents aren't very identifying. Despite having multiple version numbers in them, all they pretty much tell you is 1) what type of ios device it is (eg. iphone or ipad) and 2) what ios version it is (mobile safari is updated along with ios, so the version numbers are pretty much the same for the same ios release). Considering that most ios users are up to date, you'll be hard pressed to squeeze more than a few bits of entropy from it.
>Considering that most ios users are up to date,
That's what makes it so valuable really. You get little to no entropy for a large portion of users, but you get a huge amount of entropy about the people who aren't.
That's what makes it so valuable really. You get little to no entropy for a large portion of users, but you get a huge amount of entropy about the people who aren't.
So you get amazing entropy on my grandma, which is quite possibly not worth the processing time you spent to track her, in terms of ad revenue or marketing campaigns. Sure - that's probably not the case in most of the cases, but it sure pollutes your otherwise good dataset.
I think part of the advantage of DNT for fingerprinting is that it's a user set signal.
BTW you can query the WebGL render to identify CPU / GPU information for iOS devices which is slightly more useful than just the UA
BTW you can query the WebGL render to identify CPU / GPU information for iOS devices which is slightly more useful than just the UA
https://webkit.org/blog/8042/release-notes-for-safari-techno...
> Froze the user-agent string to reduce web compatibility risk and to prevent its use for fingerprinting
https://github.com/WebKit/webkit/commit/4bc237458115ac916f39...
> Freeze the version reported as User Agent to OS 10.13.4 (OS 11.3 on iOS) and WebKit 605.1.15 for User Agent purposes.
> Froze the user-agent string to reduce web compatibility risk and to prevent its use for fingerprinting
https://github.com/WebKit/webkit/commit/4bc237458115ac916f39...
> Freeze the version reported as User Agent to OS 10.13.4 (OS 11.3 on iOS) and WebKit 605.1.15 for User Agent purposes.
IMO 2) is a PR move. Removing 1 bit of data isn't going to do much for anti-fingerprinting.
It’s vastly more than 1 bit - if I recall correctly the amount of bits of info you get is something like log(1/P(event)) so if P(dnt==true) is less than 0.5 you accede 1 bit of information. It’s logically probably closer to 10bits of uniqueness assuming .01% of the population have it enabled.
The number of people who enable DNT is relatively small, so having it enabled is worth a lot more than 1 bit.
Easy solution; make DNT legally binding.
From the individual, company, and even political perspective, how is that easy?
Because it's the most effective solution to the problem.
If I send DNT -> GDPR Opt Out of all tracking
IIRC this was discussed to be part of the GDPR but was kept out in favor of putting it in elsewhere at a later date.shmerl(5)
It was a stupid premise to begin with. "Oh, please, here's all of my stuff, but I'm asking you to not track me. I trust you won't" vs "I don't trust you and block all 3rd party cookies and scripts from being accessed by my machine except those I know and trust and explicitly allow through"
It's like leaving your door unlocked and with a sign on it asking criminals to obey your privacy and not enter vs having a lock on the door and not allowing them through until they knock, you can verify who they are and decide at that point whether to open the door to them.
It's like leaving your door unlocked and with a sign on it asking criminals to obey your privacy and not enter vs having a lock on the door and not allowing them through until they knock, you can verify who they are and decide at that point whether to open the door to them.
It's only a stupid premise if you take the feature for face value and assume that the people behind it expected it to magically solve all of the tracking problems on the web. Alternatively, consider that it's a great opportunity for all those companies that "value your privacy" to put up or shut up. Then tools like Privacy Badger [0] get to call out advertising companies that assert that they only track consumers because that's what consumers want while explicitly ignoring the industry standard opt out mechanism.
[0] https://www.eff.org/privacybadger/faq#How-does-Privacy-Badge...
[0] https://www.eff.org/privacybadger/faq#How-does-Privacy-Badge...
You can do both though - limit the amount of information you do send _and_ ask those that do respect it not to track the information you _must_ send.
Its a completely pointless setting. No user would chose to be tracked and no tracker wants to shut down their business. You don't need a setting for it because everyone wants the same thing.
I have no issues with websites tracking my usage, as long as the tracking scripts aren’t making my browsing experience miserable. And, especially for things like affiliate links, I’d like to make sure that the people that influence my decision to purchase an item get some credit for it.
>I’d like to make sure that the people that influence my decision to purchase an item get some credit for it.
This is a negative user experience. Affiliate links mean that people try to recommend things they get paid to recommend rather than what they actually think is best
This is a negative user experience. Affiliate links mean that people try to recommend things they get paid to recommend rather than what they actually think is best
Look I think we all know which is more likely to work in practice. It's sad that Do Not Track never took off, but let's not pretend to be surprised.
W3C changed the DNT Candidate Recommendation to a "Note" now, and says that the working group is closed: https://github.com/w3c/dnt/commit/5d85d6c3d116b5eb29fddc6935... (the page is here: https://www.w3.org/TR/tracking-dnt/)
If the other major browsers follow suit in considering it "expired" and remove it, I'm curious what effect this will have on the requirement in the California Online Privacy Protection Act (CalOPPA) for sites to state how they respond to the signal (more info: https://iapp.org/news/a/how-should-i-respond-to-californias-...).
Will sites legally need to continue explaining how they respond to a signal that effectively no longer exists? Most of them already just said "we don't do anything based on this signal", but that will be even weirder.
If the other major browsers follow suit in considering it "expired" and remove it, I'm curious what effect this will have on the requirement in the California Online Privacy Protection Act (CalOPPA) for sites to state how they respond to the signal (more info: https://iapp.org/news/a/how-should-i-respond-to-californias-...).
Will sites legally need to continue explaining how they respond to a signal that effectively no longer exists? Most of them already just said "we don't do anything based on this signal", but that will be even weirder.
> almost no websites actually honor the request not to be tracked because the government never forced them to comply with it.
Damnit Gizmodo. You had the first part right, that the setting is ignored, then you had to go and make up the reason. These blurred lines between reporting and opinion are the embodiment of fake news. There is a primary fact or two and then subjective garbage.
Damnit Gizmodo. You had the first part right, that the setting is ignored, then you had to go and make up the reason. These blurred lines between reporting and opinion are the embodiment of fake news. There is a primary fact or two and then subjective garbage.
[deleted]
The way this is written makes it obvious that the author has an agenda altogether and dislikes the idea of this feature. It's written with a very condescending undertone. Nothing wrong with that of course, just might be nice to be transparent around it.
2 minutes I wont get back..
2 minutes I wont get back..
People do tend to dislike features that don't work.
A shame, although I can see the logic behind the decision. We use this on sites we build so we don't even need to show those visitors a cookie notice, and just assume they don't want Google Analytics turned on.
the "do not track" setting probably helps advertisers track users because it creates a more unique configuration/fingerprint... personally, I still use it in Firefox but probably should not since there are no consequences for them if they don't honor it.
Its true, I don't know why you are being downvoted
I haven't down voted but I would imagine it's because it's just repeating the article and some what obvious
if it is so obvious, why did hundreds of engineers decide to implement it anyways?
Leave it on whatever the default is on firefox. Thats the best way to avoid extra identification.