Tor Browser users all share the same browser profile and settings. If anyone enables DNT by themselves they make fingerprinting easier.
Tor users want privacy and anonymity. It is a statement, opinion and a behavior.
Do Not Track does not provide any more privacy - it is simply a statement. So why not state DNT?
The more users use DNT, the more the big companies will know what is up. Who they already fu**ed up, and who uses DNT.
You can make a change. Activate DNT by default. If it is activated in the next Torbrowser version for everyone by default, there is no disadvantage for anyone. It's just a statement. And all users will agree on the DNT privacy statement.
Alright, Mr/Ms/Mrs. Flamebait McTroll, I'm putting my h8r hat on.. You've been warned.
DNT is not just a statement. It's a regulatory nightmare waiting to happen, and what it means depends upon user behavior, website features, and a whole lot of site-specific user consent.
For example, as a site operator, what the hell does DNT mean if a user logs into your site? You have to track them minimally, if only to provide functionality and security...
If we can't solve privacy preferences with technological solutions that prevent data disclosure in the first place, we're not trying hard enough.. If you're telling me that DNT is the best privacy engineering that $300M/yr can buy, I'm telling you you're doing it wrong. Happy to provide details upon request.
If we turn it on, is there a chance more places would take it seriously and thus there would become a practical difference, even if there isn't today? I'd say there's a chance.
> If we turn it on, is there a chance more places would take it seriously and thus there would become a practical difference, even if there isn't today? I'd say there's a chance.
Who cares? What can this thing actually mean in any practical sense? If I log into facebook/gmail and send a bunch of messages to all of my friends' public walls/email lists with DNT set, what does that mean?
In the worst case it means facebook/gmail says "Sorry, you can't do that, you don't want to be tracked." Then the user is forced to disable the header globally (and incur the fingerprinting penalty globally), just to use a site-specific service.
> Alright, Mr/Ms/Mrs. Flamebait McTroll, I'm putting my h8r hat on.. You've been warned.
I am not a hater. This is not so fatal. You turn it on or not. No matter. I continue to use your browser.
> DNT is not just a statement. It's a regulatory nightmare waiting to happen, and what it means depends upon user behavior, website features, and a whole lot of site-specific user consent.
> For example, as a site operator, what the hell does DNT mean if a user logs into your site? You have to track them minimally, if only to provide functionality and security...
For example, for google mail it would mean: "Do not scan their mails. Do not offer personalized advertisements. Use generic advertisements.".
> If we can't solve privacy preferences with technological solutions that prevent data disclosure in the first place, we're not trying hard enough.
We try the technological and the political way at the same time. DNT is a political statement.
> That said, I am all about stopgaps. If you can convince me DNT actually makes practical difference, we'll think about turning it on.
Right now it's too new. It doesn't make a difference right now. It's a signal. Not using the signal is like not going to an election, "my voice is insignificant".
While normal users turning on DNT can be tracked even better due to DNT, Tor is significant and can send a signal (all Tor users share it).
> Who cares? What can this thing actually mean in any practical sense? If I log into facebook/gmail and send a bunch of messages to all of my friends' public walls/email lists with DNT set, what does that mean?
For facebook it means similar "Do not scan my messages. No personalized ads."
> In the worst case it means facebook/gmail says "Sorry, you can't do that, you don't want to be tracked." Then the user is forced to disable the header globally (and incur the fingerprinting penalty globally), just to use a site-specific service.
That is great! Imagine all the protests, people quitting facebook and facebook offering better privacy, less tracking.
And if something like that ever happens and it worsens the user experience, you can deactivate DNT in a further release. Releases are quite frequent anyway. And also this would be actually good press. "DNT failed. Torproject decided to disable DNT because too many websites rejected users who have DNT enabled. Privacy, what's that anyway? The thing they cared about in the 19th century? Self regulation failed. Stronger privacy laws needed."
> > DNT is not just a statement. It's a regulatory nightmare waiting to happen, and what it means depends upon user behavior, website features, and a whole lot of site-specific user consent.
> For example, for google mail it would mean: "Do not scan their mails. Do not offer personalized advertisements. Use generic advertisements.".
I have a hard time believing that this is a substantial privacy improvement. Consider when a user reads my mail to them if I have this header set and they don't: they still get targeted based on the fact that they correspond with me and what we talk about is logged and datamined on their side. If we both use different webmail services, there is no way to communicate my DNT email preference to their email provider.
So, we could play all sorts of endless policy gymnastics and also to try find a cross-protocol way to communicate DNT on the engineering end, or we could just decide that we're cypherpunks damnit, and we're here to do this stuff right.
In other words, this is a problem that should be solved by end to end email encryption. There is a cost to making end to end encryption accessible and understandable to the general public. Accepting DNT is admitting that society doesn't want to pay that cost (because we'd rather track you) and we want to turn a blind eye to tracking rather than solve it.
> > If we can't solve privacy preferences with technological solutions that prevent data disclosure in the first place, we're not trying hard enough.
> We try the technological and the political way at the same time. DNT is a political statement.
I worry it says we accept the political solution at the expense of the technical.
> Right now [DNT is] too new. It doesn't make a difference right now. It's a signal. Not using the signal is like not going to an election, "my voice is insignificant".
No, for us refusing DNT says "We refuse to trust the infrastructure."
> While normal users turning on DNT can be tracked even better due to DNT, Tor is significant and can send a signal (all Tor users share it).
I am sure the advertising world will hear our signal independent of DNT. I have no doubts about that.
> > In the worst case it means facebook/gmail says "Sorry, you can't do that, you don't want to be tracked." Then the user is forced to disable the header globally (and incur the fingerprinting penalty globally), just to use a site-specific service.
> That is great! Imagine all the protests, people quitting facebook and facebook offering better privacy, less tracking.
Look, either you trust facebook or you don't. I think pretending that $facebook (or their extra-judicial non-US ad partners who aren't subject to DNT) would obey the DNT header in the face of subpoena, coercion, or compromise is just crazy. At the very least, they have audit logs. Those logs are available to anyone who can extensively compromise US corporate infrastructure. Since this adversary group includes Adrian Lamo along with most levels of the Chinese Govt, I don't think we have a serious threat model without employing end to end encryption inside of the communication channels of services like facebook.
> It adds a political statement, which is more likely to be counted, than counting how many people have Tor IP's.
Oh don't worry, we'll be heard before this is over.
I guess the long and short of it is that I could be more easily convinced that DNT was worthwhile if I could be ensured that the regulatory nightmare that seems to be waiting to descend around it is just for show to ensure that Google, Facebook, et al. are convinced that suffering through said regulation would be worse than the inner-most circle of hell. You know, that one where satan is half-buried in ice n' shit. Then maybe they'd be convinced these problems were worth solving with engineering and cryptography instead.
But the problem for me is that I see that outcome as unlikely. Instead, I see endless policy recommendations followed by regulation, bureaucratic waste, and eventual overseas downward leveling as the far more likely outcome of DNT.
Unless you're about to tell me the whole New World Order thing is actually going to work out and provide the world with One World Government and a uniform and just set of laws for all (including robust DNT regulation)? Because my money is against that one, too, at the moment.
So Mike, I tend to agree with you that it isn't likely that DNT will actually do very much good.[*] Where I diverge from you is that I don't see that it costs us much either, unless we lose our minds and actually endorse it rather than explaining how little we expect from it.
In other words, I think the unlikely benefits are on par with the trivial costs here, and so it might be worth doing in spite of the general policy-headedness of the idea.
I'd say maybe talk it over with Wendy and/or Tom at mozilla, and see whether they can convince you that there's a nonstupid angle here.
[*] In fact, I suspect that it's meant as a covering action so that the trackers can say of 90% [**] of their customers, "Well, Alice here didn't click the DNT button. Therefore whatever we do to her data is as legal and ethical as can be, since she never objected."
[**] I'd be surprised if more than 10-20% of users will enable Do-not-track. Only something like 20% of US people are on the do-not-call list, and telemarketing is far more obvious and intrusive than web tracking.
Sending “DNT: 1\r\n” would waste (at least) 8 extra bytes of exit-relay traffic per HTTP request. I think that outweighs any possible benefit from this ‘feature’.
> Sending “DNT: 1\r\n” would waste (at least) 8 extra bytes of exit-relay traffic per HTTP request. I think that outweighs any possible benefit from this ‘feature’.
After sleeping on this, I think there are in fact some benefits to this feature. For example, my favorite stat is that 5% of the Mozilla userbase found the feature buried in the privacy settings of the browser and turned it on in the first two months after rollout (http://www.techworld.com.au/article/400248/). Mozilla probably knows this because of addon, safe browsing, and/or browser update pings, and TBB shares at least the first two. So we would be sending a message to Mozilla to pay even more attention to privacy by sending the header to them for all of our users.
However, the costs are potentially much greater than just the 8 (or 9) bytes of request overhead. I seriously really want absolutely no part of the policy side of the header. I want so little to do with it that I would actually prefer that sites not treat our users specially based on our use of the header, for the reasons I stated above.
AIUI, the reason the header exists is because it grew out of a desire to consistently tell 3rd parties that you want to opt out of 3rd party tracking and behavioral advertising (aka Taco, but without hundreds of opt-out cookies). But the 3rd party tracking problem is something we should be solving with browser engineering. Again, see https://www.torproject.org/projects/torbrowser/design/#DesignRequirements
It's possible that if the header was actually called "Do Not Sell", it might make a little more sense to trust it to drive policy successfully, because that is a much more direct statement to a top-level site that you want the information that you provide to them to stay between you and them. But "Do Not Track" is waaay too vague a term for any hope that it will transform into something meaningful, consistent, and benevolent in all circumstances.
Hence, if our goal is to be 'heard', I still think "DNT: -1" is the best choice for now...
I talked to Ashkan about this last night, and he said it is too early for us to be setting do-not-track in tbb. His first reasoning was that he wanted it to be an explicit "the user chose it" opt in, so seeing it has more impact on vendors. I explained that the user is choosing TBB and that means they're opting in to all the good things we give them. His next reasoning was that nobody knows what do-not-track is actually supposed to mean vendors will do, and those decisions will come later.
So, no rush here.
Also, Mike, you'll get a chance to debate this topic in person with him at the WSJ NYC hackfest I think?
Maybe we need a blog post on why DNT is a horrible solution, regardless of the political statement it makes. How about "Do Not Track equals Please Do Not Steal" using the analogy of tattooing your national ID number (SSN in US) on your forehead but with a sticky note under it that says "do not steal". Or something along these lines. Leaving your keys in your car with a note on the dashboard that says 'please do not steal'. Or leaving all of your doors in your flat open with a note that says 'please do not steal anything'.
Effectively, DNT is saying "I know I've given you all of my data by browsing your site, but please do not use it."
> Maybe we need a blog post on why DNT is a horrible solution, regardless of the political statement it makes. How about "Do Not Track equals Please Do Not Steal" using the analogy of tattooing your national ID number (SSN in US) on your forehead but with a sticky note under it that says "do not steal". Or something along these lines. Leaving your keys in your car with a note on the dashboard that says 'please do not steal'. Or leaving all of your doors in your flat open with a note that says 'please do not steal anything'.
> Effectively, DNT is saying "I know I've given you all of my data by browsing your site, but please do not use it."
Yeah, the key difference is that the TBB design pushes back the data that you provide to a site to that which is consensually transmitted. Hence my earlier statement that a "Do Not Sell" header could be useful for us, for communicating the desire to protect consensually transmitted data (via authenticated history, form submissions, purchase records, etc).
But IMHO even that stuff is still much more cleanly protected with cryptography and proper design than through begging...
Hopefully DNT in TBB is a moot point: DNT was conceived as a privacy measure that should achieve some meaningful protections for people who find tools like Tor and NoScript/RequestPolicy too burdensome to use for their daily browsing.
The way you can think of it is like this: before DNT, if you deleted a 3rd party tracker's cookies, or blocked it with a blacklist, and it found a way around those measures you took, it could claim that it hadn't realised you didn't want to be tracked. Maybe you just did these things randomly.
But with DNT in place, if a third party tracking company keeps setting cookies, or using supercookies, or fingerprinting, that may have legal consequences. Nobody is anticipating legal consequences for first-party sites that you log into (DNT won't affect gmail or facebook as a first party), although we may try to get systems like Apache to keep fewer logs out of the box when it is set.