[LINK] DNT : Do Not Trust the Do Not Track 'standard'

Roger Clarke Roger.Clarke at xamax.com.au
Wed Nov 16 09:41:24 AEDT 2011

[At least in the security and privacy space, W3C has become a highly 
inadequate standards-setter.

[Networks work on protocols, and those protocols specify, or at least 
strongly imply, appropriate behaviour by nodes using the protocol.

[The W3C P3P group started the trend towards one-sided failures.  It 
bowed to pressure from Microsoft, which demanded that W3C not 
interfere with the business of doing business.

[The promise of P3P in 1998 was neutered by 2000:
"The protocol specifies only the statement of a web-site's use and 
disclosure policy. Worse, it is actually depicted as though it were 
a push-mechanism, rather than a communication initiated by a request 
by a browser.  [And, anyway] the browser submits personal data to the 
server irrespective of what the web-site's policy statement is. 
[And] the specification contains no minimum requirements of 

[The same gutlessness is apparent with the DNT initiative.

[W3C is simply indulging in window-dressing.  It's 'the American way' 
at its worst, creating the image of action in order to avoid actual 
regulation, while carefully avoiding doing anything harmful to 

W3C privacy workgroup issues first draft of Do Not Track [Request] standard
By Ryan Paul
Published about 8 hours ago - 15 Nov 2011
Ars Technica

W3C has published the first draft of a new Web standard that 
addresses online privacy. It establishes an official specification 
for the mechanism that browsers use to broadcast the "Do Not Track" 
(DNT) privacy preference to websites. The draft was authored by a new 
W3C Tracking Protection Working Group and could be ratified as an 
official standard by the middle of next year.

Mozilla originally introduced the DNT setting in Firefox 4 earlier 
this year. The feature consists of a simple HTTP header flag that can 
be toggled through the browser's preference dialog. The flag tells 
website operators and advertisers that the user wants to opt out of 
invasive tracking and other similar practices that have become 
pervasive with the rise of behavioral advertising.

Of course, the mechanism just indicates a preference and doesn't 
actively block tracking activity. The success and efficacy of the DNT 
header is predicated on voluntary compliance from the Internet 
advertisers that will have to take steps to implement support for the 

Although getting advertisers on board will take some effort, it's not 
an insurmountable obstacle. The mainstream behavioral advertising 
industry happens to have a decent track record on self-regulation and 
respecting opt-out initiatives. Their desire to avoid government 
intervention has led major behavioral advertising companies to stay 

There are a number of existing opt-out mechanisms that are already 
widely supported by advertisers. For example, the Network Advertising 
Initiative, which is backed by major Internet advertising companies, 
offers a simple Web-based tool that helps users configure opt-out 
cookies. The problem with the cookie-based approach, however, is 
impermanence. If the user clears their browser cookies, their opt-out 
preference is lost.

Mozilla came up with the DNT header and proposed it as a more 
practical long-term alternative to the cookie approach. The idea 
generated a lot of discussion but didn't initially attract the 
support of advertisers. Mozilla decided to roll the DNT feature out 
in the major Firefox 4 release -- even though it wouldn't do anything 
yet due to lack of advertiser support -- with the hope that the move 
would encourage adoption.

It didn't take long for Mozilla's gamble to pay off. At least one 
major advertiser was already on board by the time that Firefox 4 
reached consumers. Shortly after the release, other major advertisers 
began to take it seriously and considered implementing support. 
Microsoft and Apple also decided to back the feature.

Defining an official DNT standard seems like another really good step 
to help encourage broader support for the feature among advertisers. 
The spec will ideally provide clear and consistent guidance on how 
DNT support should be implemented in both servers and browsers.

The spec goes beyond merely defining how the header should be 
transmitted. It aims to address a lot of other issues, such as 
defining a standardized well-known URI where servers can issue 
responses to indicate whether they respect the DNT header. The draft 
is still at an early stage of development, however, and has many 
placeholders for sections that still have to be finished.

There are 15 companies and organizations collaborating on the draft 
through the W3C working group. These include all of the major browser 
vendors, several major Web companies (including Facebook), and 
advocacy groups like Consumer Watchdog and the Electronic Frontier 
Foundation. The US Federal Trade Commission (FTC), which has 
previously expressed interest in seeing broad DNT support, is also 
listed as a member of the working group.

The DNT standardization effort seems like a constructive undertaking 
that is on the right track. The draft of the DNT specification and 
the DNT compliance specification are both available from the W3C 

Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
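
Added example, not part of the original post or the quoted article: a sketch of the server-side check an advertiser would have to implement voluntarily, contrasting the opt-out cookie (lost when cookies are cleared) with the DNT header (sent on every request as `DNT: 1`). The cookie names `optout` and `uid`, the function names and the sample requests are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

OPT_OUT_COOKIE = "optout"  # hypothetical opt-out cookie name
TRACKING_COOKIE = "uid"    # hypothetical tracking-identifier cookie name


def tracking_decision(headers):
    """Return (may_track, reason) for one request's headers."""
    # HTTP header names are case-insensitive, so normalise them first.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if h.get("dnt") == "1":
        return False, "dnt-header"
    cookies = SimpleCookie(h.get("cookie", ""))
    if OPT_OUT_COOKIE in cookies and cookies[OPT_OUT_COOKIE].value == "1":
        return False, "opt-out-cookie"
    return True, "no-preference"


def set_cookie_headers(headers, new_id):
    """Set-Cookie values a server honouring the preference would send."""
    may_track, _ = tracking_decision(headers)
    h = {k.lower(): v for k, v in headers.items()}
    cookies = SimpleCookie(h.get("cookie", ""))
    # Issue an identifier only when tracking is allowed and none exists yet.
    if may_track and TRACKING_COOKIE not in cookies:
        return [f"{TRACKING_COOKIE}={new_id}; Max-Age=31536000; Path=/"]
    return []


# Constructed requests from one browser at three points in time.
SAMPLES = {
    "opted out via cookie": {"Cookie": "optout=1"},
    "same user after clearing cookies": {},
    "DNT enabled, cookies cleared": {"DNT": "1"},
}


def run_samples():
    """Map each sample to (reason, Set-Cookie values)."""
    return {
        name: (tracking_decision(h)[1], set_cookie_headers(h, "abc123"))
        for name, h in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result}")
```

Nothing in the browser enforces either branch: the request still reaches the server, and the outcome depends entirely on the server running a check like this one.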
