Browser Do Not Track

It has more clout than “Do not track” due to privacy laws (and therefore penalties) in certain regions, including a number of US states, the UK, and the entire EU. In those areas, it’s allegedly as good as submitting an opt-out directly to companies via their websites.

From Wikipedia:

In 2020, a coalition of US-based internet companies announced the Privacy Control header that spiritually succeeds Do Not Track header. The creators hope that this new header will meet the definition of “user-enabled global privacy controls” defined by the (CCPA) and the European General Data Protection Regulation (GDPR). In this case, the new header would be automatically strengthened by existing laws and companies would be required to honor it.

Let’s hope more jurisdictions hop on that train in the near future!

2 Likes

Well, it’s rather encouraging news if there are real legal consequences.
I guess it has not yet been tested in courts, then. I had never heard of this privacy control header before you mentioned it…

1 Like

In Firefox Preferences, but not yet in FF-ESR.

1 Like

Ok. That explains. I only use Tor Browser, which is based on 115 ESR.
But otherwise, I have never heard of any legal action being undertaken, even in jurisdictions with strong data privacy laws like CCPA and GDPR. It seems totally unknown and under the radar as of now…

1 Like

It first appeared last year, in Firefox 120.

1 Like

Of course… soon after that Mozilla bought an ad company and defaulted their entire user base into “privacy-respecting” advertising data collection. :thinking:

1 Like

I guess we have much digressed from the original topic…
Maybe a thread split would be required

1 Like

Not really. We got here by discussing what kind of wearable opt-out might deter PimEyes+Meta glasses from doxing random people on the street.

1 Like

In what way does “Do not track” not meet the definition in those laws?

It just seems as if the intent is identical and if the laws don’t include DNT then that is a flaw in the law.

As far as I can see, the respective headers are
Dnt: 1
Sec-Gpc: 1

and the two headers are basically identical. There is no syntax in the value other than specifying 1 if you want privacy.

Personally I have both headers set, in the hope that one or the other or both might be respected. :frowning:

From the same Wikipedia article that @amarok quotes from:

On August 24, 2022, the California Attorney General announced Sephora paid a $1.2-million settlement for allegedly failing to process opt-out requests via a user-enabled global privacy control signal.

Sure it’s a drop in the ocean but you have to start somewhere …

3 Likes
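How a server could read the two headers discussed in the post above, as an added example that is not part of any post in this thread. The function names, the `honorDnt` option and the policy itself are assumptions of this sketch; treating any `Sec-GPC` value other than `1` as "not sent" is also this example's choice.

```javascript
// Header names are case-insensitive, so "Dnt"/"Sec-Gpc" (as written in the
// thread) and "DNT"/"Sec-GPC" must resolve to the same header.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) {
      return String(value).trim(); // tolerate stray whitespace around the value
    }
  }
  return null;
}

// Returns the preferences the request expresses.
//   gpc: true only for the exact value "1" (assumption: anything else = not sent)
//   dnt: true for "1", false for "0", null when absent or unrecognised
function privacySignals(headers) {
  const gpc = headerValue(headers, "Sec-GPC") === "1";
  const rawDnt = headerValue(headers, "DNT");
  const dnt = rawDnt === "1" ? true : rawDnt === "0" ? false : null;
  return { gpc, dnt };
}

// Hypothetical site policy: GPC always blocks sale/sharing; DNT is honored
// unless the operator switches that off. The reason string is for audit logs.
function decide(headers, { honorDnt = true } = {}) {
  const { gpc, dnt } = privacySignals(headers);
  if (gpc) return { shareOrSell: false, reason: "Sec-GPC: 1" };
  if (honorDnt && dnt === true) return { shareOrSell: false, reason: "DNT: 1" };
  return { shareOrSell: true, reason: "no opt-out signal" };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { "Dnt": "1", "Sec-Gpc": "1" }, // both headers set, as the poster does
  { "sec-gpc": " 1 " },           // lower-case name, padded value
  { "DNT": "1" },                 // DNT only
  { "Sec-GPC": "true" },          // not the value "1": ignored
  {},                             // no signal at all
];
for (const h of samples) {
  console.log(JSON.stringify(h), "->", JSON.stringify(decide(h)));
}
```

With `honorDnt: false` the third sample is allowed through, which is the situation the thread describes where only Global Privacy Control has legal backing.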

It’s a valid question, and I agree, but apparently websites and entities behind the tracking get away with ignoring it.

3 Likes


I just recently installed the DuckDuckGo browser on my Android phone. It seems to be the best one for privacy that I’ve found yet. There are several tools that work together, and there is a counter on the home page that shows how many tracking attempts it’s blocked in the current session. That counter increments at a typical rate of over 500 blocked tracking attempts per hour.

There is also a button at the top of the home screen that sends up flames from the bottom of the screen to the top of the screen, as a symbol to show that everything about your current session has just gone up in flames. You can push that button any time you want to assure that your session is safe from security threats.

3 Likes

Doesn’t exactly surprise me.

From a recent media report:

An investigation by the Irish Council For Civil Liberties (ICCL) reveals how the online ad industry is exposing sensitive personal information

It outlines how the Real Time Bidding (RTB) system sells detailed and sometimes compromising data to thousands of businesses around the world, including those with links to foreign states and non-state actors.

The ICCL research was led by Dr Johnny Ryan

“[The RTB system] is operating 24/7, and it will send information about what an Australian is reading or watching and where they are about 449 times a day,” Dr Ryan said, adding that the true figure was likely much higher because researchers weren’t able to analyse data from Meta and Amazon.

(my emphasis)

So assuming that you are asleep (dormant on the internet) for 8 hours, that means that you and your activities are being tracked approximately every 2 minutes.

The article does not make it completely clear but I think this figure covers Google leakage and Microsoft leakage only.

Don’t ask me why researchers who are apparently in Ireland have chosen to look at privacy leakage of Australians. Maybe their research covered a range of countries and media here only chose to publish a figure for Australia. I suppose that comparative figures for other countries would be useful e.g. to assess the effectiveness of privacy legislation.

3 Likes

I think the DNT and “laws” depend on what country one is in. I didn’t even know DNT was a law. I don’t think it is except maybe in the EU. I’m sure it’s not a “law” in Canada - yet. Our government doesn’t like it when they can’t track us so judging from our latest Bill being passed, I envision blocking tracking will be a new offense.

1 Like

As far as I know, DNT is not enforced by any law, but Global Privacy Control is, at least in some jurisdictions.

1 Like

Here are more details about Global Privacy Control, as well as its relation to Do Not Track:

2 Likes

I think the general legal problem with “do not track” is that “tracking” is hard to pin down. What is tracking? How does anyone know when you are being “tracked”? The intention of the California law seems to be to substitute for the verb “track” the two other verbs “share” and “sell”, which are more clearly defined actions on the part of the company, which can then be restrained and which can (in theory) be prosecuted if those actions occur when they should not. I think per the intention of the customer, there is no difference.

If it were me, I would want to add a third verb to the above: “collect”. Do not collect! Because you can’t share or sell what you do not collect.

The California law appears to be silent on how a user signals a request for privacy. That is, use of the DNT header would not be inconsistent with the law. The key difference seems to be that the text within the browser config that sets Sec-gpc more closely matches the text within the law.

3 Likes

The real problem is that the states aren’t very interested in allowing the people to have their privacy rights. Each respective state could put a complete stop to privacy invasions overnight if they wanted to.

1.) Pass a law that prohibits the collection and storage of any location or other private information (other than your own). Make the violation of those laws be felonies and punishable by immediate arrest and incarceration.

2.) In one day, arrest Bill Gates, the CEO of Google, the CEO of Apple, and any other CEO who continues collecting private information after the law is passed. Show these guys all doing the perp walk as they are loaded into police cars, on the evening news.

3.) Keep all of these CEOs in Jail without bail until their respective companies have pushed out software changes to stop all of the spying. Bill Gates can call Microsoft and say “look, I want out of here ASAP. How soon can you complete the pushouts and purge all of the databases of private information?”.

4.) After these executives get out of jail, continue with their prosecutions. Make sure that both the company and its CEO pay heavy fines and for the CEO, felony convictions. Make the deterrents be big and public.

5.) Make the trading in people’s private information a felony crime also. Go after the CEO of any company that buys or sells private information.

Most of the spying and tracking of people would go away within a few days after taking the steps above. So we could stop the spying and tracking almost overnight, if we wanted. Our politicians choose not to put a stop to it. Allowing these privacy invasions is not a problem. It’s a choice.

1 Like

It’s a bit more complex than that because …

  • a company that you have chosen to do business with may have a legitimate reason to collect information that would otherwise be private (for example they may legitimately need to contact you!)

  • a company may be required by law to collect information that you would otherwise choose to keep private (there are things that you can’t do anonymously but blame the government for that, not the company)

and, in the case of the first bullet point, a company may choose to outsource some or all of its operations such that it needs to share some of the collected information with its suppliers. (I hate outsourcing because it means that you are contacted by and affected by companies that you have never even heard of but do we really want to go as far as making outsourcing illegal, at least to the extent that it would necessitate sharing of your private information?)

That’s a bit harsh, isn’t it? since he stepped down as CEO 24 years ago and hasn’t had any involvement with Microsoft in the last 4 years.

1 Like

There is a difference. If you track me and use the data by your own to train your own AI or just to know everything about me, it’s also tracking, but not sharing or selling. Sharing is an action when you give my data to other parties with known or unknown or even no restrictions. Selling is sharing that costs money (money restriction).

How would I define tracking:

  • Collecting personal data with information attached to a profile. A profile begins when data can be attached together via any identifier. That can be a name, an ID, an account or similar.
  • It has to be an action that is not done by users. Creating an account, writing posts and so on is creating data attached to a profile, but no tracking, because it’s done by hand of the user.
  • Collecting data like a generic counter (how often people open a specific page) is no user tracking (the counter tracks the web page).
  • Tracking is always about personal data (unlike data collecting in general).

To make an example - counting how often people open a specific page:
A +1 data is not tracking (but data collecting). An array of IPs is tracking where the array length shows the page count. A page count in account profile is also tracking, because the account is created by users, the counter is not and is connected to the profile.

An edge case is on Discourse forum software. There is a discussion counter. This is also available on private messages where just two people communicate together. This counter is not personal, because it’s a +1 counter and not account bound. But since only 2 people are communicating, one person can track how often the other person opens that page. It can be even used to look at what time the other person is active (at the time when the counter goes one up - requires activity of the first person). So it’s a kind of tracking, but not as invasive as the problematic form of surveillance capitalism.

2 Likes