The state of “Do Not Track”

Over the last few weeks, “Do Not Track” has been getting a lot of attention; Mozilla introduced DNT into Firefox as of January 2011 and has a very good FAQ up on the subject. Last week, the official announcement came from the big browser vendors, including Microsoft and Google, that they’d start incorporating DNT as a browser feature as well, which coincided nicely with the White House announcing a privacy bill of rights.

It’s great to see online data privacy finally being taken seriously, especially after the various shades of gray we have been seeing lately, some of which are just plain scary.

But sending a “Do Not Track” header from your browser is one thing; having the server on the other side, and perhaps even more importantly their (advertising) partners, honor the request is quite another. And unfortunately, the current state of affairs isn’t great; taken from Mozilla’s FAQ mentioned above:

Companies are starting to support Do Not Track, but you may not notice any changes initially. We are actively working with companies that have started to implement Do Not Track, with others who have committed to doing so soon.

Let’s take a quick look at the current cookie-setting practices of the top 500 websites, as ranked by Alexa. I ran a quick scan against http://www.domain.com for each of them, once with and once without a DNT header. Of those 500 sites, 482 gave useful replies; some of the most used domains are CDNs or don’t serve top-level content, so they are excluded.
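The scan described above boils down to fetching the same URL twice, once with a DNT: 1 header and once without, and diffing the Set-Cookie headers that come back. The following is an added example of that comparison, not the author’s scan tool; the Set-Cookie lines are constructed samples for one imaginary site, the identity-hinting name fragments are an assumed heuristic, and the network fetch is included only for completeness (the comparison itself runs offline).

```python
"""Compare the cookies a site sets with and without a DNT: 1 request header.

Added example, not the author's scan tool. The Set-Cookie lines below are
constructed samples, not data captured from any real site.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Tuple
import urllib.request

# Constructed samples: what one site might answer to the two probe requests.
WITHOUT_DNT = [
    "JSESSIONID=8f3a1c; Path=/; HttpOnly",
    "uid=u-12345; Expires=Fri, 01 Jan 2100 00:00:00 GMT; Path=/",
    "adtrk=seg42; Domain=.example.com; Path=/",
    "lang=en; Path=/",
]
WITH_DNT = [
    "JSESSIONID=8f3a1c; Path=/; HttpOnly",
    "uid=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
    "lang=en; Path=/",
]

# Assumed heuristic: name fragments that suggest a user- or session-specific cookie.
IDENTITY_HINTS = ("sess", "sid", "uid", "user", "id", "trk", "track", "visitor")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_cleared(attrs: Dict[str, str]) -> bool:
    """True when the cookie is being deleted: Expires in the past or Max-Age=0."""
    if attrs.get("max-age") == "0":
        return True
    expires = attrs.get("expires")
    if not expires:
        return False
    return parsedate_to_datetime(expires) < datetime.now(timezone.utc)


def looks_identifying(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in IDENTITY_HINTS)


def classify(headers: List[str]) -> Dict[str, str]:
    """Map cookie name -> 'cleared', 'identifying' or 'other'."""
    result = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if is_cleared(attrs):
            result[name] = "cleared"
        elif looks_identifying(name):
            result[name] = "identifying"
        else:
            result[name] = "other"
    return result


def count_identifying(headers: List[str]) -> int:
    return sum(1 for kind in classify(headers).values() if kind == "identifying")


def dnt_delta(without: List[str], with_dnt: List[str]) -> Dict[str, List[str]]:
    """What changed in the site's cookie behaviour once DNT: 1 was sent."""
    base, dnt = classify(without), classify(with_dnt)
    return {
        "dropped": sorted(n for n in base if n not in dnt),
        "cleared": sorted(n for n in dnt if dnt[n] == "cleared" and base.get(n) != "cleared"),
        "unchanged_identifying": sorted(n for n in dnt if dnt[n] == "identifying"),
    }


def honours_dnt(without: List[str], with_dnt: List[str]) -> bool:
    """A site counts as responding to DNT if it drops or clears at least one cookie."""
    delta = dnt_delta(without, with_dnt)
    return bool(delta["dropped"] or delta["cleared"])


def fetch_set_cookies(url: str, dnt: bool) -> List[str]:
    """Live probe (network access needed): return the Set-Cookie headers for one request."""
    req = urllib.request.Request(url, headers={"DNT": "1"} if dnt else {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    print(count_identifying(WITHOUT_DNT), "identifying cookies without DNT")
    print(dnt_delta(WITHOUT_DNT, WITH_DNT))
```

For the constructed sample the site drops adtrk, clears uid and leaves JSESSIONID alone, so it would land in the “actively responding” bucket; a site whose two responses are identical yields an empty delta.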

From the chart below, you can see that most sites set 1-2 cookies, and that most of those cookies are somehow related to user or session specific data.

I’d have added a third line showing the delta in cookies set when the DNT header was present, but the sad truth is that only 3 websites changed their cookie behavior based on the DNT header: kudos to 9gag.com for not setting any cookies at all, and to blackhatworld.com and movie2k.com for at least dropping one of their user-specific cookies. The outlier, with a whopping 18 cookies, 10 of which are personally identifiable, is walmart.com.

[Chart: number of cookies set per site, and how many of them are user or session specific]

Now, setting a user/session cookie is not necessarily a bad thing; for one thing, you cannot read the DNT header from JavaScript, so if you want to be DNT compliant in JS you have to set a DNT cookie (although not part of the public standard, some newer browsers are starting to support inspecting the DNT setting from the DOM). The industry convention is now to set a cookie matching the string “DNT” or “OPTOUT”. Again, unfortunately, none of the top 500 websites actually do this when the DNT header is set.

The other viable option is to send back the same cookie but with an expiry time in the past, so that the browser removes it. Although this would be silly on a first request (it would be better not to set the cookie at all in that case), and is not as useful in a JavaScript environment, it would still be an effort towards DNT compliance. Of the top 500, only forbes.com currently uses this technique.
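The two techniques just described (a JS-visible “DNT” opt-out cookie, and clearing existing tracking cookies by re-sending them with an expiry in the past) fit into one small piece of server-side cookie logic. What follows is an added example of that logic, not the Krux solution the post refers to: the tracking cookie names, the cookie values and the WSGI wrapper are assumptions made for the example.

```python
"""Honour a DNT: 1 request header when deciding which cookies to set or clear.

Added example, not Krux's code. TRACKING_COOKIES and all cookie values are
constructed for illustration.
"""
from http.cookies import SimpleCookie
from typing import Dict, List

# Assumed: the cookies that carry user-specific or tracking state. Session
# cookies needed to make the site work are deliberately not in this set.
TRACKING_COOKIES = {"uid", "visitor", "segments"}

# An Expires date in the past makes the browser delete the cookie.
EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"
ONE_YEAR = 365 * 24 * 3600


def wants_dnt(req_headers: Dict[str, str]) -> bool:
    """The header value is exactly "1" when the user opted out; "0" or absent means no preference."""
    return req_headers.get("DNT", "").strip() == "1"


def request_cookie_names(req_headers: Dict[str, str]) -> set:
    """Names of the cookies the browser sent with this request."""
    jar = SimpleCookie()
    jar.load(req_headers.get("Cookie", ""))
    return set(jar.keys())


def response_cookies(req_headers: Dict[str, str], wanted: Dict[str, str]) -> List[str]:
    """Return the Set-Cookie header values for this response.

    `wanted` is what the application would like to set on a normal request.
    """
    dnt = wants_dnt(req_headers)
    out = []
    for name, value in wanted.items():
        if dnt and name in TRACKING_COOKIES:
            continue  # an opted-out user gets no new tracking cookies
        out.append(f"{name}={value}; Path=/; HttpOnly")
    if dnt:
        # Persist the opt-out where client-side JavaScript can see it
        # (the "DNT" cookie convention described in the post).
        out.append(f"DNT=1; Path=/; Max-Age={ONE_YEAR}")
        # Clear any tracking cookie the browser still holds: same name, expiry in the past.
        for name in sorted(request_cookie_names(req_headers) & TRACKING_COOKIES):
            out.append(f"{name}=; Expires={EPOCH}; Max-Age=0; Path=/")
    return out


def app(environ, start_response):
    """Minimal WSGI app (assumed wrapper) showing where the logic plugs in."""
    req_headers = {
        "DNT": environ.get("HTTP_DNT", ""),
        "Cookie": environ.get("HTTP_COOKIE", ""),
    }
    wanted = {"sessionid": "s-8f3a1c", "uid": "u-12345"}  # constructed values
    headers = [("Content-Type", "text/plain")]
    headers += [("Set-Cookie", c) for c in response_cookies(req_headers, wanted)]
    start_response("200 OK", headers)
    return [b"ok\n"]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Run it and request the page once with DNT: 1 and once without: the opted-out response carries only the session cookie, a DNT=1 cookie, and an expired uid cookie if the browser had sent one. Note that the opt-out cookie itself is the only new state written for a DNT user; everything else is removal.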

As it stands, only 4 out of 482 measured top 500 sites are actively responding to the DNT header being sent.

The FTC has been calling for a “Do Not Track” implementation, and according to Mozilla 7% of desktop Firefox users and 18% of mobile Firefox users already have DNT enabled. With such a clear call from regulators and end users, why are so few sites actually following up with a solid implementation? And what does that mean for the advertising and widget partners they use, whose whole model is based around being able to use your personal data?

Again, the answer is not very encouraging. The Wall Street Journal did a great investigation into this with their “What They Know” series and found that even websites you trust and use every day usher in literally hundreds of trackers when you visit them:

(full disclosure: I work for Krux, whose findings were featured in the WSJ “What They Know” series and we published a whitepaper on the subject)

If you browse through the above charts, it becomes obvious that your personal data is flying across the web and you have very little control of who takes it, how they use it and who they might be selling it on to.

The folks at PrivacyScore even built an index to show you how much your data is at risk when visiting any particular website. Some of the scores, like the one for Target, are quite scary, as illustrated by this story about how Target found out a girl was pregnant before her dad did.

Bottom line: the worst offenders tend to be online merchants, advertising networks or widget providers (especially those of the ‘free’ variety, because nothing is ever really ‘free’) that play fast and loose with your personal data in order to optimize their own revenue. To illustrate the point, here’s a choice quote from the above article:

“AddThis has its own plans to sell user data, but it’s not looking to publishers as the main buyers. It will sell analytics on user data directly to ad agencies and brands themselves and will get a bigger cut by doing so.”

So why is it hard for the good eggs to do the right thing, even though not doing it makes them look like bad eggs? Part of it is awareness, I’m sure, but another part is simply the challenge of implementing a good “Do Not Track” solution. Implementing DNT at scale is actually not that easy, and we spent a fair amount of time at Krux getting it right.

To further the cause of data privacy we’re open sourcing our solution, which will be the topic of my next blog post, in the hope that all the good eggs will at least be able to Do The Right Thing easily, and that it becomes easier for the rest of us to call the bad eggs on their behavior.

P.S. If you want to see where your personal data goes when you visit a webpage, we released a Firefox browser plugin called Krux Inspector, which you can install directly from our website. It shows you exactly who brings in which advertisers and partners on the page you’re viewing, what personal data they’re skimming, and the beacons they’re dropping.

17 thoughts on “The state of “Do Not Track””

  1. Hi, would you mind letting me know which hosting company you’re working with? I’ve loaded your blog in 3 completely different internet browsers and I must say this blog loads a lot quicker than most.

    Can you suggest a good internet hosting provider at a fair price? Kudos, I appreciate it!

  2. It’s like you read my mind! You seem to know a lot about this, like you wrote the book on it or something. I think that you could do with a few pics to drive the message home a bit, but other than that, this is a fantastic blog. A fantastic read. I will definitely be back.

  3. You really make it appear really easy with your presentation, however I find this matter to be really one thing which I think I would never understand. It seems too complicated and very huge for me. I’m looking forward to your next publish; I will try to get the hang of it!

  4. You could definitely see your expertise in the work you write. The arena hopes for even more passionate writers such as you who are not afraid to say how they believe. All the time follow your heart.

  5. Hello there and thank you for your information; I have definitely picked up something new from right here. I did however experience several technical points using this site, since I had to reload the web site a lot of times before I could get it to load properly. I had been wondering if your web host is OK? Not that I am complaining, but sluggish loading times will sometimes affect your placement in Google and could damage your quality score if advertising and marketing with AdWords.

    Well, I am adding this RSS to my e-mail and will look out for a lot more of your respective intriguing content. Make sure you update this again soon.

  6. Both tins feature five booster packs and five special foil variant cards. You should always follow these rules and tips, to ensure that you are playing the Yu-Gi-Oh trading card game fairly. Card Text: “Elemental Hero Avian” + “Elemental Hero Sparkman” + “Elemental Hero Bubbleman” This monster is not Special Summoned except by Fusion Summon.

  7. Excellent blog here! Also your web site loads up very fast! What host are you using? Can I get your affiliate link to your host? I wish my website loaded up as fast as yours lol

  8. Hi there! I simply want to give a huge thumbs up for the good information you have here on this post. I might be coming back to your weblog for more soon.

  9. You have made some good points there. I checked on the internet for additional information about the issue and found most people will go along with your views on this web site.
