Browser Do Not Track

amarok · October 4, 2024, 8:58pm

Like the recent addition to Firefox privacy settings: Global Privacy Control.

TiX0 · October 4, 2024, 11:54pm

This new pref really any use?
I mean, sites can just as well ignore it. Like the DoNotTrack farce…

FranklyFlawless · October 5, 2024, 12:09am

It is only useful if websites respect it, no different from Do Not Track.

See also:

amarok · October 5, 2024, 12:42am

It has more clout than “Do not track” due to privacy laws (and therefore penalties) in certain regions, including a number of US states, the UK, and the entire EU. In those areas, it’s allegedly as good as submitting an opt-out directly to companies via their websites.

From Wikipedia:

In 2020, a coalition of US-based internet companies announced the Privacy Control header that spiritually succeeds Do Not Track header. The creators hope that this new header will meet the definition of “user-enabled global privacy controls” defined by the (CCPA) and the European General Data Protection Regulation (GDPR). In this case, the new header would be automatically strengthened by existing laws and companies would be required to honor it.

Let’s hope more jurisdictions hop on that train in the near future!

TiX0 · October 5, 2024, 12:55am

Well, it’s rather encouraging news if there are real legal consequences.
I guess it has not yet been tested in Courts, then. I had never heard of this privacy control header before you mentioned it…

amarok · October 5, 2024, 1:03am

In Firefox Preferences, but not yet in FF-ESR.

TiX0 · October 5, 2024, 1:12am

Ok. That explains. I only use Tor Browser, which is based on 115 ESR
But otherwise, I have never heard of any legal action being undertaken, even in jurisdiction with strong data privacy laws like CCPA and GDPR. It seems totally unknown and under the radar as of now…

amarok · October 5, 2024, 1:19am

It first appeared last year, in Firefox 120.

amarok · October 5, 2024, 1:24am

Of course… soon after that Mozilla bought an ad company and defaulted their entire user base into “privacy-respecting” ~~advertising~~ data collection.

TiX0 · October 5, 2024, 1:27am

I guess we have much digressed from the original topic…
Maybe a thread split would be required

amarok · October 5, 2024, 1:30am

Not really. We got here by discussing what kind of wearable opt-out might deter PimEyes+Meta glasses from doxing random people on the street.

irvinewade · October 6, 2024, 9:46pm

In what way does “Do not track” not meet the definition in those laws?

It just seems as if the intent is identical and if the laws don’t include DNT then that is a flaw in the law.

As far as I can see, the respective headers are
Dnt: 1
Sec-Gpc: 1

and the two headers are basically identical. There is no syntax in the value other than specifying 1 if you want privacy.

Personally I have both headers set, in the hope that one or the other or both might be respected.

From the same Wikipedia article that @amarok quotes from:

On August 24, 2022, the California Attorney General announced Sephora paid a $1.2-million settlement for allegedly failing to process opt-out requests via a user-enabled global privacy control signal.

Sure it’s a drop in the ocean but you have to start somewhere …

amarok · October 6, 2024, 10:09pm

It’s a valid question, and I agree, but apparently websites and entites behind the tracking get away with ignoring it.

irvinewade · October 6, 2024, 10:45pm

A post was split to a new topic: TOR browser issues

SteveR · October 6, 2024, 11:08pm

I just recently installed the duckduckgo browser in to my Android phone. It seems to be the best one for privacy that I’ve found yet. There are several tools that work together, and there is a counter on the home page that shows how many tracking attempts it’s blocked in the current session. That counter increments at a typical rate of over 500 blocked tracking attempts per hour.

There is also a button at the top of the home screen that sends up flames from the bottom of the screen to the top of the screen, as a symbol to show that everything about your current session has just gone up in flames. You can push that button any time you want to assure that your session is safe from security threats.

irvinewade · October 6, 2024, 11:42pm

Doesn’t exactly surprise me.

From a recent media report:

An investigation by the Irish Council For Civil Liberties (ICCL) reveals how the online ad industry is exposing sensitive personal information

It outlines how the Real Time Bidding (RTB) system sells detailed and sometimes compromising data to thousands of businesses around the world, including those with links to foreign states and non-state actors.

The ICCL research was led by Dr Johnny Ryan

“[The RTB system] is operating 24/7, and it will send information about what an Australian is reading or watching and where they are about 449 times a day,” Dr Ryan said, adding that the true figure was likely much higher because researchers weren’t able to analyse data from Meta and Amazon.

(my emphasis)

So assuming that you are asleep (dormant on the internet) for 8 hours, that means that you and your activities are being tracked approximately every 2 minutes.

The article does not make it completely clear but I think this figure covers Google leakage and Microsoft leakage only.

Don’t ask me why researchers who are apparently in Ireland have chosen to look at privacy leakage of Australians. Maybe their research covered a range of countries and media here only chose to publish a figure for Australia. I suppose that comparative figures for other countries would be useful e.g. to assess the effectiveness of privacy legislation.

Sharon · October 7, 2024, 3:17am

I think the DNT and “laws” depend on what country one is in. I didn’t even know DNT was a law. I don’t think is is except maybe in the EU. I’m sure it’s not a “law” in Canada - yet. Our government doesn’t like it when they can’t track us so judging from our latest Bill being passed, I envision blocking tracking will be a new offense.

amarok · October 7, 2024, 4:23am

As far as I know, DNT is not enforced by any law, but Global Privacy Control is, at least in some jurisdictions.

FranklyFlawless · October 7, 2024, 5:00am

Here are more details about Global Privacy Control, as well as its relation to Do Not Track:

Is GPC legally binding?

GPC is intended to serve as an expression of users’ intent to invoke their online privacy rights. Depending on the jurisdiction and applicable laws, a user’s expression through GPC may have legal impact. However, GPC on its own does not create any legally binding obligations.

GPC may impact existing law in several ways: In California, Section 1798.135(c) of the California Consumer Privacy Act (CCPA) gives users the right to opt out of the sale of their personal information.

Furthermore, Section 999.315 of the CCPA Regulations requires businesses to honor these opt-out requests. The regulations specify that “[a] business shall provide two or more designated methods for submitting requests to opt-out […] [including] user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information. […] User-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information shall be considered a request directly from the consumer, not through an authorized agent.”

On this basis, it is possible that the GPC may become a legally binding opt-out signal in California.

In addition, the European General Data Protection Regulation (GDPR) gives users the right to object to their personal data being processed. The GPC signal is intended to convey a general request that data controllers limit the sale or sharing of the user’s personal data to other data controllers. It is possible that a GPC signal opting out of processing could create a legally binding obligation for data processors.

In Bermuda, the Privacy Commissioner has indicated that he believes the GPC may be used to create a legally binding obligation on businesses under their laws, which provide users the right to “request an organisation to cease, or not begin, using his [or her] personal information […] for the purposes of advertising, marketing or public relations,” or “where the use of that personal information is causing or is likely to cause substantial damage or substantial distress to the individual or to another individual.”

Additional information is available in the proposed specification.

Why not just use Do not Track (DNT)?

Do Not Track was an effort preceding GPC to permit users to communicate their privacy preferences to websites they visit. Unfortunately, in the appendices to their Final Statement of Reasons, the California Attorney General (AG) determined that the AG could not require businesses to comply with DNT requests because the requests do not clearly convey users’ intent to opt out of the sale of their data. A more detailed discussion of the inadequacies of DNT is available as Appendix E of the AG’s Final Statement of Reasons.

When considering whether DNT was sufficient under the CCPA, the AG specifically determined that a new type of privacy signal would benefit users and businesses and that its regulation is “intended to support innovation for privacy services that facilitate the exercise of consumer rights in furtherance of the CCPA.”

GPC responds to this call for innovation by providing a mechanism for privacy signaling that is applicable to current laws, technologies, and business practices. The Attorney General has said that he believes GPC is “a technical standard that would make it easier for consumers to stop the sale of their personal information” and that he is “heartened to see a wave of innovation in this space.”

irvinewade · October 7, 2024, 5:07am

I think the general legal problem with “do not track” is that “tracking” is hard to pin down. What is tracking? How does anyone know when you are being “tracked”? The intention of the California law seems to be to substitute for the verb “track” the two other verbs “share” and “sell”, which are more clearly defined actions on the part of the company, which can then be restrained and which can (in theory) be prosecuted if those actions occur when they should not. I think per the intention of the customer, there is no difference.

It it were me, I would want to add a third verb to the above: “collect”. Do not collect! Because you can’t share or sell what do you not collect.

The California law appears to be silent on how a user signals a request for privacy. That is, use of the DNT header would not be inconsistent with the law. The key difference seems to be that the text within the browser config that sets Sec-gpc more closely matches the text within the law.