Opened 7 years ago

Closed 7 years ago

#6422 closed defect (duplicate)

Remove Do Not Track option from Tor Browser privacy preferences

Reported by: mikeperry Owned by: mikeperry
Priority: Medium Milestone:
Component: Firefox Patch Issues Version:
Severity: Keywords: tbb-fingerprinting
Cc: gk, pde Actual Points:
Parent ID: #5545 Points:
Reviewer: Sponsor:

Description

Global privacy options such as Do Not Track are fingerprinting vectors. In #5273, we discussed an alternate privacy UI for useful privacy options. A mockup of such UI will be added to the Tor Browser design doc. Given enough development resources, we should be able to migrate useful, yet fingerprintable browser behavior items from the current Firefox Privacy UI into that UI, and silo them on a per-site basis.

We came to the conclusion that the Do Not Track header is not a useful privacy option for Tor Browser, though. Given our threat model and privacy properties (https://www.torproject.org/projects/torbrowser/design/#privacy), it is only a vector for fingerprinting.

We can thus remove it at our earliest convenience.

Child Tickets

Change History (3)

comment:1 Changed 7 years ago by pde

Agree there's an argument against making this a _globally_ toggleable option. Parenthetically, it's worth noting that the main reason Mike wants to leave this off rather than on is because he thinks that "DNT: 1" will be an extra reason for companies to be hostile to tor exit traffic. Counter argument-wise, some websites (and most relevantly, authenticated websites) may alter their behaviour to enable privacy settings when they see DNT:1. That might sometimes be useful to, say, a Tor user who is logging into a social network.

comment:2 Changed 7 years ago by mikeperry

Actually, my opposition to DNT:1 is many-faceted. See #5501 for the full litany of concerns complete with a bonus dose of hilarity at the end thanks to our friends at Microsoft, who basically read my mind and decided to demonstrate just one of the many hilarious ways this header can be abused by powerful interests for their own ends.

I don't think companies will be hostile to Tor traffic simply because of DNT. I think that an on-by-default adblocker will cause hostility.. perhaps you misunderstood that point? I think we can support ads while still providing privacy against 3rd party tracking, so we should not destroy the revenue stream of sites who welcome Tor users. We should prevent 3rd party tracking though, and we don't need DNT:1 to do it.

Actually implementing DNT as Privacy by Design might also face some opposition/breakage, but at least the Privacy by Design subversion will be obvious to us by way of that breakage. The problem with DNT:1 is that it will also be subverted in secret, outside the reach of regulatory or even netizen oversight. It will also be subverted by the vagueries of conflicting definitions and service specific use cases. P3P already failed hard, and it was way more amenable to fine-tuning.

I was briefly moved to consider allowing DNT:1 as a per-site privacy option, because that is way better than a global one from a fingerprinting perspective. Also, I thought it might be cute to literally have a site-specific menu option that said "Beg site for privacy". I did not expect anyone to take it seriously. Georg pointed out that even this much endorsement was dangerous. I think he's right.

comment:3 Changed 7 years ago by mikeperry

Resolution: duplicate
Status: newclosed

Dupping this to #7921. There's more fingerprintable stuff in the Firefox UI than just DNT:1.

Note: See TracTickets for help on using tickets.