andyzei 11 hours ago

The Do Not Track header was originally proposed in 2009 by researchers Christopher Soghoian and Sid Stamm.[2] Mozilla Firefox became the first browser to implement the feature.

https://en.wikipedia.org/wiki/Do_Not_Track#:~:text=The%20Do%....

shdon 9 hours ago | parent | next [-]

I wonder how many web developers actually honour Do Not Track. I do, in all the websites I've made for my employer too, but I think I'm only getting away with it because my employer doesn't know. I've even made it so that browsing with Do-Not-Track enabled also skips the cookie consent banner and just assumes the user wants no cookies other than the strictly necessary ones (like their session/login cookie), and doesn't include Google Analytics, instead just upping a single view counter on the page, with no PII in there.

kelnos 8 hours ago | parent | next [-]

A better option would be to just make tracking illegal, and heavily fine companies that are found to be doing it. And make it strict liability, so intent doesn't matter.

I can dream...

hifromwork 2 hours ago | parent | next [-]

I know we all have our pitchforks out, and I hate tracking as much as everyone else here, but "tracking" is a very broad term, and is not always malicious. Unless you want to outlaw access logs, for example.

shadowgovt 5 hours ago | parent | prev | next [-]

This sounds like a recipe to reduce the internet to a handful of heavily-financed publishers who can afford legal protection against strict liability.

psd1 5 hours ago | parent [-]

That's reasonable. Could also decimate the adtech industry and cut them down to just serving ads based on keyword searches and location, like they did 20 years ago.

shadowgovt 4 hours ago | parent [-]

I mean... I'm not categorically against the internet becoming the exclusive playground of FAANG companies, but I perceive many don't agree.

quectophoton 2 hours ago | parent | prev [-]

> A better option would be to just make tracking illegal, and heavily fine companies that are found to be doing it. And make it strict liability, so intent doesn't matter.

I don't think it's that easy though. The "just" is doing a lot of work in there. Consider:

Some websites have login with third-party credentials. It doesn't matter that you choose to use these for convenience, because intent doesn't matter, and it is a fact that both the Service Provider and the Identity Provider are tracking you. IdP knows which sites you are logging in to, and SP knows and stores your third-party identity (they might say they need it to know which account you're logging in to, but like I said, intent doesn't matter).

Hacker News is currently tracking me. They might say the cookie is needed for session stuff to work, but intent doesn't matter, and it is a fact that the cookie uniquely identifies me.

My web browser is tracking my mouse position. Mozilla might say they need it for styling stuff to work, but intent doesn't matter, and it is a fact that Mozilla's software is tracking my mouse position in real time (let's not even talk about browser history).

Your browser cache might have two HN posts where my comments appear. If that's the case, then it would be a fact that you are tracking which posts I am commenting on. Intent doesn't matter, so hopefully you're not a company (tracking is fine if you're an individual though (based on the quoted text)).

/s

Hopefully this ride down the slippery slope illustrates some subtleties, at least without a very precise definition of "tracking". But then again, if the definition is too precise, there's gonna be loopholes in the letter of the law; in that case we might say that we should also consider the spirit of the law, but "intent" is part of that.

jeroenhd 7 hours ago | parent | prev [-]

You're taking exactly the right approach in my book. Thank you!

I don't know if they still do it, but last time I browsed Medium I found that it claimed to respect DNT, which is quite nice. Lots of self-hosted analytics software also respects DNT out of the box and I don't think site administrators often bother to turn that off. Still, the vast majority of websites probably ignores the header, especially since it's been deprecated as a standard. If you care about such things, maybe also consider looking into Sec-GPC, its intended replacement.
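A sketch of the server-side decision shdon describes above, extended to the Sec-GPC header jeroenhd mentions. This is an added example, not code from any commenter; the cookie name, the function names and the shape of the returned policy are assumptions.

```javascript
// Added example. DNT and Sec-GPC are real request headers; the cookie name,
// function names and the shape of the returned policy are hypothetical.
const STRICTLY_NECESSARY = new Set(["session"]);

// Returns "gpc", "dnt" or null. Only the value "1" is an opt-out:
// "DNT: 0" means the user allows tracking, a missing header means no preference.
function optOutSignal(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  if (h["sec-gpc"] === "1") return "gpc";
  if (h["dnt"] === "1") return "dnt";
  return null;
}

// consent: true/false from an earlier banner choice, null if never asked.
// Assumption: a browser opt-out signal overrides any stored consent.
function privacyPolicy(headers, consent = null) {
  const signal = optOutSignal(headers);
  const optedOut = signal !== null;
  const nonEssential = !optedOut && consent === true;
  return {
    signal,
    // With an opt-out signal the answer is already known, so no banner.
    showConsentBanner: !optedOut && consent === null,
    loadAnalytics: nonEssential,
    allowCookie: (name) => STRICTLY_NECESSARY.has(name) || nonEssential,
    // The response now differs by these headers, so shared caches must key on them.
    vary: "DNT, Sec-GPC",
  };
}

// Anonymous per-page counter: stores a path and a number, nothing about the visitor.
function recordView(counters, path) {
  counters.set(path, (counters.get(path) || 0) + 1);
  return counters.get(path);
}
```

The `vary` value belongs in the response's `Vary` header; without it a shared cache can serve the analytics-enabled page to a visitor who sent an opt-out signal.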

killerstorm 4 hours ago | parent | prev [-]

There was a much more elaborate standard called P3P recommended by W3C in 2002. It apparently defined a description of how businesses can use personal data.

But apparently it was considered too complex and "lacking enforcement".

Now maybe if it survived till GDPR it could have its enforcement, but Mozilla yanked support before that...