"Do Not Track" is a horrible idea

I've heard about the idea of a "do-not-track list" for Web privacy for a while now, online, in print, and in person.

Simply put, all of the "opt-out" ideas that I've heard have been horrible. In short, they rely at best on unenforceable behavior and at worst on something that is an inherent contradiction.

Donottrack.gov?

The first "solution" that I've heard proposed is something akin to the popular Do Not Call Registry. There's a fundamental problem with this. How on earth do you determine if a visitor to or user of your site is on the registry? Well... they'd have to present some sort of unique identifier that could be matched up to a central database and... hang on... isn't this starting to sound like what we want to avoid?

Trust the browser, trust the servers

Ok, so let's leave the idea of a "do not track registry" to die in a corner, and instead focus on something that would obviate the need for a unique fingerprint. Let's have the browser send a special header, perhaps something like X-Do-Not-Track that denotes the preference of the user. At first glance, this looks a bit better. We don't have to uniquely identify ourselves, and we're not dependent on a central source of information, ripe for the harvesting. We'll just configure the browser to send something saying that we don't want to be tracked, and sites will act accordingly.

That won't work. Here's why:

So at best, we'll have a system that's entirely opt-in on the advertiser side and will only be observed by the most noble companies (but not all of them, and not all the time.) Anyone intent on data mining/tracking/etc. for nefarious purposes will continue to do so, same as before, and will happily ignore the header with absolutely no consequences, while overly-optimistic or misinformed users will feel semi-anonymous.

What a waste.

The Solution

There is no real solution.

There is no one technology, law, or other magic bullet that will guarantee you privacy on the internet. Sorry.

Instead, you have to use a combination of technologies and tactics to enforce your own privacy policy. As for me? I use uMatrix, uBlock Origin, HTTPS everywhere, PrivacyBadger and a rather aggressively-maintained hosts file to limit my trackability. It works pretty well too. My browser doesn't present a User-agent header. I don't accept cookies from any site except those that I pay (or that pay me), and the ones that I do accept cookies from have their cookies destroyed at the end of each browsing session. I don't use Flash. My browser doesn't run JavaScript (I can count the exceptions that rule on one hand, and each of the sites that are whitelisted have an existing financial relationship with me). I have two layers of protection (ABP and /etc/hosts) which attempt to prevent me from even contacting tracking/advertising-related servers. I've configured Iceweasel such that it isn't susceptible to the history information leak.

But I'm not completely invisible, nor do I want to be. I have a domain name and a website, both with copious amounts of personal information. I regularly post on forums, USENET, etc. with either my real name, or a handle that's listed on this site. I buy things online from (a limited number of) online merchants. But I do all that with full knowledge of the "worst-case" scenario, privacy-wise; I actually read the privacy policies of every site I submit information to (yes, in full), and have walked away from things I'd really rather do due to said policies. If I purchase something online, I assume that the details of the transaction are effectively public information, and act accordingly. I only post things to my site that I'm comfortable sharing with the whole world. In short, I make sure that I know exactly what I share and who I share it with, take a number of measures to prevent private information from reaching the Web, and employ a number of countermeasures designed to severely hamper marketers' ability to track me without my full and informed consent.

And even that's not perfect.