Opened 8 years ago

Closed 8 years ago

#5501 closed enhancement (wontfix)

enable Do-Not-Track DNT by default

Reported by: cypherpunks
Owned by: mikeperry
Priority: Medium
Component: TorBrowserButton

Description

Tor Browser users all share the same browser profile and settings. If anyone enables DNT by themselves they make fingerprinting easier.

Tor users want privacy and anonymity. It is a statement, opinion and a behavior.

Do Not Track does not provide any more privacy - it is simply a statement. So why not state DNT?

The more users use DNT, the more the big companies will know what is up. Who they already fued up, and who uses DNT.

You can make a change. Activate DNT by default. If it is activated in the next Torbrowser version for everyone by default, there is no disadvantage for anyone. It's just a statement. And all users will agree on the DNT privacy statement.

Change History (23)

comment:1 Changed 8 years ago by mikeperry

Alright, Mr/Ms/Mrs. Flamebait McTroll, I'm putting my h8r hat on.. You've been warned.

DNT is not just a statement. It's a regulatory nightmare waiting to happen, and what it means depends upon user behavior, website features, and a whole lot of site-specific user consent.

For example, as a site operator, what the hell does DNT mean if a user logs into your site? You have to track them minimally, if only to provide functionality and security...

If we can't solve privacy preferences with technological solutions that prevent data disclosure in the first place, we're not trying hard enough.. If you're telling me that DNT is the best privacy engineering that $300M/yr can buy, I'm telling you you're doing it wrong. Happy to provide details upon request.

comment:2 Changed 8 years ago by mikeperry

That said, I am all about stopgaps. If you can convince me DNT actually makes practical difference, we'll think about turning it on.

comment:3 Changed 8 years ago by arma

If we turn it on, is there a chance more places would take it seriously and thus there would become a practical difference, even if there isn't today? I'd say there's a chance.

comment:4 in reply to: 3 Changed 8 years ago by mikeperry

Replying to arma:

If we turn it on, is there a chance more places would take it seriously and thus there would become a practical difference, even if there isn't today? I'd say there's a chance.

Who cares? What can this thing actually mean in any practical sense? If I log into facebook/gmail and send a bunch of messages to all of my friends' public walls/email lists with DNT set, what does that mean?

In the worst case it means facebook/gmail says "Sorry, you can't do that, you don't want to be tracked." Then the user is forced to disable the header globally (and incur the fingerprinting penalty globally), just to use a site-specific service.

Moreover, what would the header buy us that https://www.torproject.org/projects/torbrowser/design/#DesignRequirements doesn't cover?

And how exactly does it better address "Do No Harm" principles wrt user experience?

comment:5 in reply to: 1 Changed 8 years ago by cypherpunks

Replying to mikeperry:

Alright, Mr/Ms/Mrs. Flamebait McTroll, I'm putting my h8r hat on.. You've been warned.

I am not a hater. This is not so fatal. You turn it on or not. No matter. I continue to use your browser.

DNT is not just a statement. It's a regulatory nightmare waiting to happen, and what it means depends upon user behavior, website features, and a whole lot of site-specific user consent.

For example, as a site operator, what the hell does DNT mean if a user logs into your site? You have to track them minimally, if only to provide functionality and security...

For example, for google mail it would mean: "Do not scan their mails. Do not offer personalized advertisements. Use generic advertisements.".

If we can't solve privacy preferences with technological solutions that prevent data disclosure in the first place, we're not trying hard enough.

We try the technological and the political way at the same time. DNT is a political statement.

Replying to mikeperry:

That said, I am all about stopgaps. If you can convince me DNT actually makes practical difference, we'll think about turning it on.

Right now it's too new. It doesn't make a difference right now. It's a signal. Not using the signal is like not going to election, "my voice is insignificant".

While normal users turning on DNT can be tracked even better due to DNT, Tor is significant and can send a signal (all Tor users share it).

Who cares? What can this thing actually mean in any practical sense? If I log into facebook/gmail and send a bunch of messages to all of my friends' public walls/email lists with DNT set, what does that mean?

For facebook it means similar "Do not scan my messages. No personalized ads."

In the worst case it means facebook/gmail says "Sorry, you can't do that, you don't want to be tracked." Then the user is forced to disable the header globally (and incur the fingerprinting penalty globally), just to use a site-specific service.

That is great! Imagine all the protests, people quitting facebook and facebook offering better privacy, less tracking.

And if something like that ever happens and it worsens the user experience, you can deactivate DNT in a further release. Releases are quite frequently anyway. And also this would be actually good press. "DNT failed. Torproject decided to disable DNT because too many websites rejected users who have DNT enabled. Privacy, what's that anyway? The thing they cared about in the 19th century? Self regulation failed. Stronger privacy laws needed."

Moreover, what would the header buy us that https://www.torproject.org/projects/torbrowser/design/#DesignRequirements doesn't cover?

It adds a political statement, which is more likely to be counted than counting how many people have Tor IPs.

comment:6 in reply to: 5 Changed 8 years ago by mikeperry

Replying to cypherpunks:

DNT is not just a statement. It's a regulatory nightmare waiting to happen, and what it means depends upon user behavior, website features, and a whole lot of site-specific user consent.

For example, for google mail it would mean: "Do not scan their mails. Do not offer personalized advertisements. Use generic advertisements.".

I have a hard time believing that this is a substantial privacy improvement. Consider when a user reads my mail to them if I have this header set and they don't: they still get targeted based on the fact that they correspond with me and what we talk about is logged and datamined on their side. If we both use different webmail services, there is no way to communicate my DNT email preference to their email provider.

So, we could play all sorts of endless policy gymnastics and also try to find a cross-protocol way to communicate DNT on the engineering end, or we could just decide that we're cypherpunks damnit, and we're here to do this stuff right.

In other words, this is a problem that should be solved by end to end email encryption. There is a cost to making end to end encryption accessible and understandable to the general public. Accepting DNT is admitting that society doesn't want to pay that cost (because we'd rather track you) and we want to turn a blind eye to tracking rather than solve it.

If we can't solve privacy preferences with technological solutions that prevent data disclosure in the first place, we're not trying hard enough.

We try the technological and the political way at the same time. DNT is a political statement.

I worry it says we accept the political solution at the expense of the technical.

Right now [DNT is] too new. It doesn't make a difference right now. It's a signal. Not using the signal is like not going to election, "my voice is insignificant".

No, for us refusing DNT says "We refuse to trust the infrastructure."

While normal users turning on DNT can be tracked even better due to DNT, Tor is significant and can send a signal (all Tor users share it).

I am sure the advertising world will hear our signal independent of DNT. I have no doubts about that.

In the worst case it means facebook/gmail says "Sorry, you can't do that, you don't want to be tracked." Then the user is forced to disable the header globally (and incur the fingerprinting penalty globally), just to use a site-specific service.

That is great! Imagine all the protests, people quitting facebook and facebook offering better privacy, less tracking.

Look, either you trust facebook or you don't. I think pretending that $facebook (or their extra-judicial non-US ad partners who aren't subject to DNT) would obey the DNT header in the face of subpoena, coercion, or compromise is just crazy. At the very least, they have audit logs. Those logs are available to anyone who can extensively compromise US corporate infrastructure. Since this adversary group includes Adrian Lamo along with most levels of the Chinese Govt, I don't think we have a serious threat model without employing end to end encryption *inside* of the communication channels of services like facebook.

It adds a political statement, which is more likely to be counted than counting how many people have Tor IPs.

Oh don't worry, we'll be heard before this is over.

comment:7 Changed 8 years ago by mikeperry

I guess the long and short of it is that I could be more easily convinced that DNT was worthwhile if I could be ensured that the regulatory nightmare that seems to be waiting to descend around it is just for show to ensure that Google, Facebook, et al. are convinced that suffering through said regulation would be worse than the inner-most circle of hell. You know, that one where satan is half-buried in ice n' shit. Then maybe they'd be convinced these problems were worth solving with engineering and cryptography instead.

But the problem for me is that I see that outcome as unlikely. Instead, I see endless policy recommendations followed by regulation, bureaucratic waste, and eventual overseas downward leveling as the far more likely outcome of DNT.

Unless you're about to tell me the whole New World Order thing is actually going to work out and provide the world with One World Government and a uniform and just set of laws for all (including robust DNT regulation)? Because my money is against that one, too, at the moment.

comment:8 Changed 8 years ago by nickm

So Mike, I tend to agree with you that it isn't likely that DNT will actually do very much good.[*] Where I diverge from you is that I don't see that it *costs* us much either, unless we lose our minds and actually endorse it rather than explaining how little we expect from it.

In other words, I think the unlikely benefits are on par with the trivial costs here, and so it might be worth doing in spite of the general policy-headedness of the idea.

I'd say maybe talk it over with Wendy and/or Tom at mozilla, and see whether they can convince you that there's a nonstupid angle here.

[*] In fact, I suspect that it's meant as a covering action so that the trackers can say of 90% [**] of their customers, "Well, Alice here _didn't_ click the DNT button. Therefore whatever we do to her data is as legal and ethical as can be, since she never objected."

[**] I'd be surprised if more than 10-20% of users will enable Do-not-track. Only something like 20% of US people are on the do-not-call list, and telemarketing is far more obvious and intrusive than web tracking.

comment:9 Changed 8 years ago by mikeperry

Crazy idea: what if we set "DNT: -1" instead as a compromise? -1 is still technically true..

I want our position absolutely clear on this one at every level.

comment:10 in reply to: 9 Changed 8 years ago by rransom

Replying to mikeperry:

Crazy idea: what if we set "DNT: -1" instead as a compromise? -1 is still technically true..

From https://tools.ietf.org/id/draft-mayer-do-not-track-00.txt:

   The Do Not Track HTTP header, "DNT", must take one of two values: "1"
   ("opt out") or "0" ("opt in").  All other values are reserved.

comment:11 in reply to: 10 Changed 8 years ago by mikeperry

Replying to rransom:

Replying to mikeperry:

Crazy idea: what if we set "DNT: -1" instead as a compromise? -1 is still technically true..

From https://tools.ietf.org/id/draft-mayer-do-not-track-00.txt:

   The Do Not Track HTTP header, "DNT", must take one of two values: "1"
   ("opt out") or "0" ("opt in").  All other values are reserved.

Yeah, my read of this was "reserved for PROTEST". I thought this was a "political" header?

I think you just endorsed my proposal ;).

comment:12 Changed 8 years ago by rransom

Sending “DNT: 1\r\n” would waste (at least) 8 extra bytes of exit-relay traffic per HTTP request. I think that outweighs any possible benefit from this ‘feature’.

comment:13 in reply to: 12 Changed 8 years ago by mikeperry

Replying to rransom:

Sending “DNT: 1\r\n” would waste (at least) 8 extra bytes of exit-relay traffic per HTTP request. I think that outweighs any possible benefit from this ‘feature’.

After sleeping on this, I think there are in fact some benefits to this feature. For example, my favorite stat is that 5% of the Mozilla userbase found the feature buried in the privacy settings of the browser and turned it on in the first two months after rollout (http://www.techworld.com.au/article/400248/). Mozilla probably knows this because of addon, safe browsing, and/or browser update pings, and TBB shares at least the first two. So we would be sending a message to Mozilla to pay even more attention to privacy by sending the header to them for all of our users.

However, the costs are potentially much greater than just the 8 (or 9) bytes of request overhead. I seriously really want absolutely no part of the policy side of the header. I want so little to do with it that I would actually *prefer* that sites *not* treat our users specially based on our use of the header, for the reasons I stated above.

AIUI, the reason the header exists is because it grew out of a desire to consistently tell 3rd parties that you want to opt out of 3rd party tracking and behavioral advertising (aka Taco, but without hundreds of opt-out cookies). But the 3rd party tracking problem is something we should be solving with browser engineering. Again, see https://www.torproject.org/projects/torbrowser/design/#DesignRequirements

It's possible that if the header was actually called "Do Not Sell", it might make a little more sense to trust it to drive policy successfully, because that is a much more direct statement to a top-level site that you want the information that you provide to them to stay between you and them. But "Do Not Track" is waaay too vague a term for any hope that it will transform into something meaningful, consistent, and benevolent in all circumstances.

Hence, if our goal is to be 'heard', I still think "DNT: -1" is the best choice for now...

comment:14 Changed 8 years ago by mikeperry

I've created ticket #5545 for the other side of this. Happy new year!

comment:15 Changed 8 years ago by arma

I talked to Ashkan about this last night, and he said it is too early for us to be setting do-not-track in tbb. His first reasoning was that he wanted it to be an explicit "the user chose it" opt in, so seeing it has more impact on vendors. I explained that the user is choosing TBB and that means they're opting in to all the good things we give them. His next reasoning was that nobody knows what do-not-track is actually supposed to mean vendors will do, and those decisions will come later.

So, no rush here.

Also, Mike, you'll get a chance to debate this topic in person with him at the WSJ NYC hackfest I think?

comment:16 Changed 8 years ago by phobos

maybe we need a blog post on why DNT is a horrible solution, regardless of the political statement it makes. How about "Do Not Track equals Please Do Not Steal" using the analogy of tattooing your national ID number (SSN in US) on your forehead but with a sticky note under it that says "do not steal". Or something along these lines. Leaving your keys in your car with a note on the dashboard that says 'please do not steal'. Or leaving all of your doors in your flat open with a note that says 'please do not steal anything'.

Effectively, DNT is saying "I know I've given you all of my data by browsing your site, but please do not use it."

comment:17 in reply to: 16 Changed 8 years ago by mikeperry

Replying to phobos:

maybe we need a blog post on why DNT is a horrible solution, regardless of the political statement it makes. How about "Do Not Track equals Please Do Not Steal" using the analogy of tattooing your national ID number (SSN in US) on your forehead but with a sticky note under it that says "do not steal". Or something along these lines. Leaving your keys in your car with a note on the dashboard that says 'please do not steal'. Or leaving all of your doors in your flat open with a note that says 'please do not steal anything'.

Deja vu. https://blog.torproject.org/blog/improving-private-browsing-modes-do-not-track-vs-real-privacy-design

This was later developed into https://www.torproject.org/projects/torbrowser/design/#DesignRequirements.

Effectively, DNT is saying "I know I've given you all of my data by browsing your site, but please do not use it."

Yeah, the key difference is that the TBB design pushes back the data that you provide to a site to that which is *consensually* transmitted. Hence my earlier statement that a "Do Not Sell" header could be useful for us, for communicating the desire to protect consensually transmitted data (via authenticated history, form submissions, purchase records, etc).

But IMHO even that stuff is still much more cleanly protected with cryptography and proper design than through begging...

comment:18 in reply to: 9 Changed 8 years ago by cypherpunks

Replying to mikeperry:

Crazy idea: what if we set "DNT: -1" instead as a compromise? -1 is still technically true..

I want our position absolutely clear on this one at every level.

No good idea. Companies might phrase "if DNT = 1 then ... else ...". And not "if DNT == 0 ... elseif DNT = 1 ... else ...".
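The three concrete points in this thread (the draft's "1"/"0" only rule quoted in comment:10, the two-branch recipient check that comment:18 worries about, and the per-request byte cost from comment:12) can be checked directly. The following is an added example written for this page, not code from the ticket or from Tor Browser; the function names, the "opt-out"/"opt-in"/None return convention and the surprisal helper are this example's own choices.

```python
# Added example (not part of the ticket or Tor Browser): how a recipient
# should parse the DNT header per draft-mayer-do-not-track-00, how the loose
# "1 else" check from comment:18 misreads reserved values, what a DNT line
# costs per request, and how much a header value reveals for fingerprinting.
import math
from typing import Optional

HEADER_NAME = "DNT"


def parse_dnt_strict(value: Optional[str]) -> Optional[str]:
    """Parse per the draft: "1" is opt-out, "0" is opt-in, everything else is
    reserved and therefore treated as if no preference had been expressed."""
    if value is None:
        return None
    v = value.strip()
    if v == "1":
        return "opt-out"
    if v == "0":
        return "opt-in"
    return None  # reserved value (e.g. "-1"): no defined meaning


def parse_dnt_loose(value: Optional[str]) -> str:
    """The two-branch check comment:18 warns about: anything other than an
    exact "1" falls into the else branch and is read as consent to tracking."""
    if value is not None and value.strip() == "1":
        return "opt-out"
    return "opt-in"


def header_overhead(value: str) -> int:
    """Bytes added to an HTTP/1.1 request by one 'DNT: <value>\\r\\n' line."""
    line = f"{HEADER_NAME}: {value}\r\n"
    return len(line.encode("ascii"))


def fingerprint_bits(share_sending_value: float) -> float:
    """Surprisal, in bits, of observing a header value that a given fraction of
    the population sends. A value every Tor Browser user sends (share 1.0)
    separates nobody; a value 5% of users send identifies log2(20) ≈ 4.3 bits."""
    if not 0.0 < share_sending_value <= 1.0:
        raise ValueError("share must be in (0, 1]")
    return -math.log2(share_sending_value)


if __name__ == "__main__":
    # Constructed sample header values, including the reserved "-1" proposal.
    for raw in ["1", "0", "-1", None]:
        print(f"{raw!r:6} strict={parse_dnt_strict(raw)!r:10} "
              f"loose={parse_dnt_loose(raw)!r}")
    print("overhead DNT: 1  ->", header_overhead("1"), "bytes")
    print("overhead DNT: -1 ->", header_overhead("-1"), "bytes")
    print("bits when all users send it :", fingerprint_bits(1.0))
    print("bits when 5% of users send it:", round(fingerprint_bits(0.05), 2))
```

The strict parser returns None for "-1", so a conforming site would simply ignore the protest value; the loose parser maps it to "opt-in", which is the failure mode comment:18 describes. The overhead function gives 8 bytes for "DNT: 1" and 9 for "DNT: -1", matching the "8 (or 9)" in comment:13, and the surprisal helper shows why a header shared by every Tor Browser user adds no fingerprinting bits within that population while a header only some users set does.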

comment:19 Changed 8 years ago by pde

Hopefully DNT in TBB is a moot point: DNT was conceived as a privacy measure that should achieve some meaningful protections for people who find tools like Tor and NoScript/RequestPolicy too burdensome to use for their daily browsing. 

The way you can think of it is like this: before DNT, if you deleted a 3rd party tracker's cookies, or blocked it with a blacklist, and it found a way around those measures you took, it could claim that it hadn't realised you didn't want to be tracked.  Maybe you just did these things randomly.

But with DNT in place, if a third party tracking company keeps setting cookies, or using supercookies, or fingerprinting, that may have legal consequences.  Nobody is anticipating legal consequences for first-party sites that you log into (DNT won't affect gmail or facebook as a first party), although we may try to get systems like Apache to keep fewer logs out of the box when it is set.

More detail in this (somewhat out of date) post: https://www.eff.org/deeplinks/2011/02/what-does-track-do-not-track-mean

comment:20 in reply to: 19 Changed 8 years ago by rransom

Replying to pde:

But with DNT in place, if a third party tracking company keeps setting cookies, or using supercookies, or fingerprinting, that may have legal consequences.

With IFRAME, every website can be turned into a third party. And almost every non-trivial web application (including Trac) sets cookies in order to prevent CSRF attacks.

If the ‘legal consequences’ are for merely setting cookies (thereby ‘collecting’ data), everyone with legal ties to the U.S. who runs Trac or other web applications is at risk of selective prosecution or barratry.

If the ‘legal consequences’ are for ‘retaining’ data, every web server whose operator has legal ties to the U.S. is at risk for seizure and search (possibly as a fishing expedition looking for illegal web server logs or other evidence; possibly just as a way to make the server unavailable for a few months).

DNT laws and regulations are likely to be as destructive as SOPA, if not worse. I oppose them strongly, and I hope that EFF will recognize the danger that DNT poses to a free and open Internet and stop supporting DNT legislation.

comment:21 in reply to: 20 Changed 8 years ago by pde

It's important to understand that if we're talking about legal consequences, we're dealing with legal reasoning rather than technical reasoning. The first thing to understand about legal reasoning is that it isn't consistent in a logical sense. It can have all sorts of fuzzy and contradictory aspects to it, and these tend to be resolved in a way that makes sense to judges (who are usually not technically sophisticated), if they are ever resolved at all.

Replying to rransom:

With IFRAME, every website can be turned into a third party. And almost every non-trivial web application (including Trac) sets cookies in order to prevent CSRF attacks.

(Aside: I'm a bit confused about how a cookie can prevent a CSRF attack.  Surely CSRF tokens need to be something that an attacker can't cause the victim's browser to send, such as internal DOM state, or a fragment or query parameter.  But let me answer as though cookies were necessary for CSRF protection)

The W3C spec is not finished yet, but the proposals all deal with the above by saying something like: "a website is a third party for a given request if it can infer with high probability that it is a third party".  So things that are designed or promoted for embedding are third parties; stuff that someone else randomly hotlinks or <iframe>s is not.

The proposals also have exceptions for widgets and other third party things that the user knowingly chooses to interact with.  So if someone builds a "distributed web bug tracker" that is embeddable in a lot of sites, if a user chooses to turn that on/logs in/etc, it's okay for it to set cookies and track that user across sites.

And before anyone asks, the aim with sites like Facebook/Twitter/etc that function as both first and third parties is to make sure that consent/choice to interact for the third-party aspect of the site is preserved, even if you're logged into it as a first party.  One consequence is that this handful of giant hybrid first/third parties should migrate to different domains for their first and third party stuff.  Which most of them have already done, for exactly this sort of reason.

DNT laws and regulations are likely to be as destructive as SOPA, if not worse. I oppose them strongly, and I hope that EFF will recognize the danger that DNT poses to a free and open Internet and stop supporting DNT legislation.

We aren't sure whether legislation is the right way to get DNT implemented (there are really a lot of ways it might happen), and at the moment no DNT legislation is remotely close to passing. If that ever changes, we'll look extremely closely at whatever bill, and work with the community, to make sure that it doesn't have unintended technical consequences. And if we feared it might, we would not support it.

comment:22 Changed 8 years ago by pde

Also, one fairly strong aspect of EFF's thinking about "legal consequences" and DNT has been: it is unlikely that we would ever support legislation that said that anyone had to respect DNT, but we could imagine supporting legislation that used "safe harbour" provisions (for instance, a shield against particular kinds of liability) to create incentives for sites to respect it.

comment:23 Changed 8 years ago by mikeperry

Resolution: wontfix
Status: new → closed

FYI: MS apparently decided to troll either DNT, Google, or websites supporting DNT, and set it by default in IE 10. However, a new clause in the standard was quickly proposed that states that users themselves have to opt-in to DNT: http://www.wired.com/threatlevel/2012/06/default-do-not-track/

I would personally recommend against that, since it's really just another fingerprinting bit for bad actors. However, either way, it seems clear that we should not do this.
