“Do Not Track” Dangerous and Ineffective

In 2009, before I became seriously involved in web security, a standard called Do Not Track was proposed. It was standardized by the W3C in 2011 and implemented in Internet Explorer, followed by Mozilla Firefox and Google Chrome.

Do Not Track is supposed to prevent websites from tracking your activity online, probably for advertising purposes. It works by making your browser politely ask every website you visit to not set tracking cookies and so on.

There are real, dangerous problems with this approach and I really cannot believe it was ever taken seriously. Now that it’s implemented and standardized so widely, it’s become a serious threat to how Internet privacy is perceived.

The main problem with Do Not Track is that it lulls users into a completely false sense of privacy. Do Not Track works by simply asking the websites you’re visiting not to track you — the websites are completely free to ignore this request, and in most cases it’s impossible for the user to find out that their Do Not Track request was in fact discarded. So when users enable Do Not Track in their browser, they come to believe that they are no longer being tracked, even though, from a security perspective, the tracking prevention that Do Not Track offers is useless.

In fact, Google’s search engine and Microsoft’s (Bing) both ignore the Do Not Track header, even though both companies helped implement this feature in their web browsers. Yahoo Search also ignored Do Not Track requests. Some websites will politely inform you, however, that your Do Not Track request has been ignored, and explain that this has been done in order to preserve their advertising revenue. But not all websites, by a long shot, do this.

Do Not Track is not only ineffective: it’s dangerous, both to the users it lulls into a false belief of privacy, and to the implementation of proper privacy engineering practice. Privacy isn’t achieved by asking those who have the power to violate your privacy to politely not do so — and thus sacrifice advertising revenue — it’s achieved by implementing client-side preventative measures. For browsers, examples include EFF’s HTTPS Everywhere, Abine’s DoNotTrackMe, AdBlock, and so on. Those are proper measures from an engineering perspective, since they attempt to guard your privacy whether the website you’re visiting likes it or not.
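The difference between asking and enforcing, as an added example that is not from the original post: the two site handlers, the `uid` cookie and the client-side filter are hypothetical, and the only real protocol detail is the `DNT: 1` request header.

```javascript
// Added illustration. Handler names and the "uid" cookie are hypothetical;
// the only real protocol detail is the "DNT: 1" request header.
let nextId = 1; // constructed identifiers, stand-ins for a tracking ID
const trackingCookie = () => `uid=${nextId++}; Max-Age=31536000`;

// A site that honours the request: no identifier when DNT is "1".
function honoringSite(reqHeaders) {
  const headers = { "Content-Type": "text/html" };
  if (reqHeaders["DNT"] !== "1") headers["Set-Cookie"] = trackingCookie();
  return { status: 200, headers, body: "<p>news</p>" };
}

// A site that ignores the request: it never looks at the header.
function ignoringSite(_reqHeaders) {
  const headers = { "Content-Type": "text/html", "Set-Cookie": trackingCookie() };
  return { status: 200, headers, body: "<p>news</p>" };
}

// Does turning DNT on change anything the browser can observe?
function dntChangesResponse(site) {
  const off = site({});
  const on = site({ DNT: "1" });
  return off.status !== on.status || off.body !== on.body ||
    ("Set-Cookie" in off.headers) !== ("Set-Cookie" in on.headers);
}

// Client-side enforcement: drop third-party Set-Cookie whatever the server chose.
function clientFilter(response) {
  const { "Set-Cookie": _dropped, ...kept } = response.headers;
  return { ...response, headers: kept };
}

// Cookie the browser ends up storing for an embedded third party.
function storedCookie(site, dntEnabled, blockThirdParty) {
  let res = site(dntEnabled ? { DNT: "1" } : {});
  if (blockThirdParty) res = clientFilter(res);
  return res.headers["Set-Cookie"] ?? null;
}

console.log(dntChangesResponse(ignoringSite));       // DNT made no observable difference
console.log(storedCookie(ignoringSite, true, false)); // cookie stored despite DNT
console.log(storedCookie(ignoringSite, true, true));  // nothing stored
```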

Do Not Track needs serious revision, replacement or simply removal. As it is right now, its only discernible function is to promise users with little to moderate computer knowledge (most of the world) that they’re browsing in privacy, while in reality discouraging them from adopting real privacy solutions that work. Web privacy and security engineers need to have a discussion about this.

Posted February 13, 2013 by Nadim in Internet, Security
