"Do Not Track" is a horrible idea

Many years later, I revisited this page. Do-not-track has been implemented, and surprise, surprise: it didn't work.

I've heard about the idea of a "do-not-track list" for Web privacy for a while now, online, in print, and in person.

Simply put, all of the "opt-out" ideas that I've heard have been horrible. In short, they rely at best on unenforceable behavior and at worst on something that is an inherent contradiction.

Donottrack.gov?

The first "solution" that I've heard proposed is something akin to the popular Do Not Call Registry. There's a fundamental problem with this. How on earth do you determine if a visitor to or user of your site is on the registry? Well... they'd have to present some sort of unique identifier that could be matched up to a central database and... hang on... isn't this starting to sound like what we want to avoid?

Trust the browser, trust the servers

Ok, so let's leave the idea of a "do not track registry" to die in a corner, and instead focus on something that would obviate the need for a unique fingerprint. Let's have the browser send a special header, perhaps something like X-Do-Not-Track that denotes the preference of the user. At first glance, this looks a bit better. We don't have to uniquely identify ourselves, and we're not dependent on a central source of information, ripe for the harvesting. We'll just configure the browser to send something saying that we don't want to be tracked, and sites will act accordingly.

That won't work. Here's why:

• There is a tremendous incentive to track people using it, as they have self-identified as being part of a group that might otherwise be harder to track. (In other words, less competition for those unscrupulous enough to ignore the header.)
• There is no practical way for end-users to determine whether or not the header was received, understood, and obeyed. If I sign up for the "Do Not Call Registry" and a telemarketer calls me, their violation is obvious. If my browser sends a header stating that I don't want to be tracked, but the server ignores (or never receives) it, how can I tell? I can't.
• Few advertising-dependent/marketing-aware companies (if any) are likely to voluntarily undertake the implementation cost, especially since doing so would actually make their job more difficult.
• Legislation mandating compliance with the header (the only remaining option) would likely work about as well as the CAN-SPAM Act has worked: poorly at best, and even then only in places subject to US law. (And that's for a law governing something that is eminently more visible and traceable!)
• Sometimes we do want to be tracked. Pretty much any sane, secure, and usable website with a login system has to do at least some tracking (at a minimum they must keep track of IPs, session IDs, and the association between the two). How exactly is one to enforce that this information only be used for that purpose? The more I think about this, the more I'm reminded of the evil bit: "Track me, but not in a bad way..." While I don't think it's impossible or even unlikely that people with technical know-how could write some decent legislation differentiating between the various sorts of "tracking", I do think it's exceedingly unlikely that Congress would be able to do so.

So at best, we'll have a system that's entirely opt-in on the advertiser side and will only be observed by the most noble companies (but not all of them, and not all the time.) Anyone intent on data mining/tracking/etc. for nefarious purposes will continue to do so, same as before, and will happily ignore the header with absolutely no consequences, while overly-optimistic or misinformed users will feel semi-anonymous.

What a waste.

The Solution

There is no real solution.

There is no one technology, law, or other magic bullet that will guarantee you privacy on the internet. Sorry.

Instead, you have to use a combination of technologies and tactics to enforce your own privacy policy. As for me? I use uMatrix, uBlock Origin, HTTPS everywhere, PrivacyBadger and a rather aggressively-maintained hosts file to limit my trackability.

This works pretty well.

Postscript, much later

It didn't work. And nobody's invisible, not if they interact with their surrounding world. It's a question of finding a balance and making informed trades.

A header won't do that for you.