arstechnica.com

Back where it started: “Do Not Track” removed from Firefox after 13 years

A brief history of the privacy you never really got.

A chocolate chip cookie, broken into three major pieces, against a yellow background. A chocolate chip cookie, broken into three major pieces, against a yellow background.

Credit: Getty Images

It might not really ever be fully dead, but Firefox calling it quits on Do Not Track (DNT) is a strong indication that an idealistic movement born more than 13 years ago has truly reached the end of its viable life.

The Windows Report tech news site spotted that Firefox has removed the option to "Send websites a 'Do Not Track' request" as of version 135, already visible in Nightly builds. Users checking the Website Privacy Preference section will soon see a linked notice that Firefox will no longer support the signal. Firefox's support page for Do Not Track notes that "Many sites do not respect this indication of a person's privacy preferences, and, in some cases, it can reduce privacy."

Google Chrome and Microsoft Edge (based in part on Chrome's open source origin, Chromium) still offer a Do Not Track option, but they are just as ineffective. Global Privacy Control has largely superseded Do Not Track as a supported—and, in some places, legislated—means of signaling a desire not to be tracked.

How did we get here, to where the major browser to still support Do Not Track was one of the last ones to sign on?

Wide adoption, default setting, success?

The Federal Trade Commission issued a report in 2010 on "Protecting Consumer Privacy in an Era of Rapid Change." In it, the FTC built on the ideas of researchers Christopher Soghoian and Sid Stamm, the former of which would go on to work at the FTC itself. The report latched onto the popularity (at the time) of the Do Not Call registry, asking for a similar "browser-based mechanism through which consumers could make persistent choices." The issue, then and now, was the ability of advertisers to track the behavior of browser users from site to site to develop profiles of their behavior, making them richer targets for advertising.

Google's move soon after was to offer a Chrome add-on that would trigger an opt-out supported by the 15 largest advertising networks. This opt-out signal would have persisted even when cookies were wiped. Ars' Ryan Paul described it as "effective and pragmatic" at the time.

You don't need to tell me this screenshot is from 2011, I can clearly see the Skitch arrow. Credit: Ryan Paul

Mozilla went a different route, relying on HTTP headers that signaled an opt-out from tracking, but which would put the onus on individual sites to comply. Firefox included a settings option, "Tell web sites I do not want to be tracked," in version 4 of its browser, less than four months after the FTC's challenge to browser makers and advertisers. Ars' Paul wrote at the time:

It's extremely important to understand that this checkbox doesn't directly block tracking. All it does is broadcast the user's opt-out preference to servers. The obvious problem with this approach is that it doesn't accomplish anything unless there is widespread industry acceptance of the custom header. There is no means of enforcing the preference or compelling advertisers to support it properly. Mozilla added the feature to Firefox 4 with the hope that it would encourage advertisers to get on board.

The standard-setting W3C had a draft Do Not Track standard by the end of 2011. In early 2012, the White House announced an agreement with 90 percent of behavioral tracking advertisers. While this meant that advertisers who signed on to the DNT agreement would be subject to FTC enforcement, "Apparently, that means companies that choose not to make the commitment will not be subject to FTC enforcement," Ars' Jon Brodkin wrote then. An industry group, the Digital Advertising Alliance, was already clarifying then that it would respect DNT only when users chose it, not as a default, and that users were informed that some information would still be collected.

Still, browser makers seemed eager. Microsoft, after initial push-back, made DNT a default switched-on option in Internet Explorer 10 (back then, IE was the most-used browser on the web). The Apache webserver and Yahoo both blocked IE10's DNT requests as a result. Google, for which web advertising is the vast bulk of its revenue, finally offered Do Not Track in Chrome 23 in November 2012.

DNT now more liability than help

That moment, when every major browser had a Do Not Track option, was perhaps the height of DNT, and even then, there was a feeling that it could never work. Lorrie Faith Cranor, leader of the Privacy Preferences Project (P3P) that predated DNT, told Ars in 2012 that "every time we come up with a technical solution that protects privacy, the websites come up with something they want to do that is broken by this privacy protection."

Yahoo, citing itself as the "first major tech company" to implement DNT, announced in 2014 that it no longer would honor it. The firm noted that the White House-organized promise "remains unfulfilled" and that standardized DNT "resulted in deadlock." The Electronic Frontier Foundation debuted its Privacy Badger extension as a means of enforcing DNT when users demanded it soon after. In early 2015, the Federal Communications Commission dismissed a petition asking it to enforce DNT among website owners and services like Netflix, mostly on technical grounds, but eliminating one of the last hopes for some kind of broad shift.

Besides lacking regulatory teeth, DNT was also generally overcome by advancements in tracking. All the signals put out by a browser—plug-ins, time zone, monitor resolution, even the DNT option itself—could be used to effectively track a user, even across browsers. Apple dropped DNT from Safari in 2019, citing both its effectiveness and fingerprinting.

Concerns about tracking are now mostly left to the user to figure out for themselves, whether that means choosing sites and services that make explicit their policies on tracking, clicking "Reject all" on GDRP-compliant websites and seeing what happens, or using software tools (like VPNs marketed with vague promises) to subvert advertising systems.

This week's removal by Mozilla, which was at the vanguard of the Do Not Track movement, is more symbolic than practical. Chrome, the by-far dominant browser, still offers it, even if it disclaims it right underneath the setting. People have shown, overwhelmingly, that they want this kind of privacy, like the 96 percent of iOS users who opted out of app tracking when Apple offered a blocking option. But they're not going to secure it by asking the advertisers for it.

Read full news in source page