Tracking, the collection of data about user behaviour, is widespread on the web. For this reason, the idea of a “Do-Not-Track” (DNT) setting emerged a little more than a decade ago, in 2009. This system gives users a simple choice to reject and accept online tracking on websites. Despite great ambitions, DNT has failed, whilst the practice of tracking continues. I want to explore with you why, but also how DNT has managed to change user privacy for the better.

History of implementation

After its first proposal in 2009, the Federal Trade Commission (FTC), which regulates privacy in the US, quickly picked up the idea of DNT.

The FTC expressed their backing for DNT as an effective alternative to failed industry self-regulation.

At the time, the tracking industry was offering a central website to users, to opt-out by setting the right cookies. Since this was unreliable and created further privacy risks, the FTC regarded DNT as a more robust solution to restrict tracking, not relying on cookies.

DNT works by the user’s browser sending a binary value to every website visited. This value, of whether or not tracking is allowed, is sent to a website in the request header, alongside other information such as requested URL.

The W3C, responsible for standards on the Internet, started to work towards a common standard from 2011.

By 2012, all major browsers had implemented DNT. In this implementation, the user could choose from the browser settings to enable DNT.

Reasons for failure

The weakest point of DNT is its reliance on the tracking industry. Implementation in all major browsers is not enough. Websites using tracking must also respect the user’s DNT setting.

Also, it is not clear what a DNT signal to a website actually means. Must all data collection on a website be stopped? Are certain types of data collection, such as analytics, still allowed?

With a lack of regulatory obligations and standardisation, very few services ever respected DNT. The search giant and largest online advertising company, Google, never implemented support for DNT on their websites or in their analytics tools.

Similarly, other big tech companies, including Facebook and Twitter, simply ignore the DNT signal. Instead, browsers were “just screaming for privacy into a void”, as expressed by the tech magazine Gizmodo.

Worryingly, DNT can have unexpected, negative implications for user privacy. Since only a small minority of users ever used the setting, DNT can be used to identify users. This technique called “browser fingerprinting” creates a unique user identify from your individual browser characteristics.

If only enough characteristics of your web browser, such as your DNT setting, are combined, this can be used to identify you. You can find out how unique your browser is with INRIA’s amiunique.org service.

Since there were no sufficient “indications of planned support among user agents, third parties, and the ecosystem at large”, the W3C stopped their efforts in January 2019

The following month, Apple removed support for DNT from their Safari browser.

Privacy, a binary setting?

Whilst it is easy to blame the failure of DNT on the advertising industry, the issue is arguably more complex than it first seems.

Many content creators online, including news outlets, rely on advertising revenue, and so an outright ban of tracking would be devastating for their business models.

A black and white setting does not give user a real choice to allow certain types of information sharing.

Much controversy was caused by Microsoft choosing to enable DNT by default in their Internet Explorer 10 on Windows 8. Other browsers had left it to their users to find the DNT setting in the depth of browser configurations.

The debate around DNT foremost took place in the US, which lacks a federal privacy law. By contrast, online tracking has long been on thin ice in the EU. According to EU data protection legislation, as little data as possible should be collected (data minimisation). Online tracking is widely considered to not be essential and explicit user consent is required. EU Internet users see more consent banners than US ones, given the lack of an established opt-out solution such as DNT.

The spirit of DNT lives on

Despite the failure of DNT, it managed to change user privacy permanently for the better.

Browser manufacturers have realised that a consensual implementation of user privacy without the explicit cooperation of tracking companies will be difficult–unless there are incentives to do so.

Instead, Safari and Firefox now resort to tracker blocking, that does rely on tracking companies.

Whilst ad blocking has been widely popular for some time, these new anti-tracking solutions do not primarily aim to block ads, but rather to protect user privacy.

Privacy is more complex than the click of a button, and many website owners rely on the evaluation of user behaviour. On both Safari and Firebox, the user can choose different levels of blocking, and disable tracking protection for every site visited. This avoids problems with website breakage due to blocking, affords users higher granularity than previous solutions, and aims for more fairness towards website owners.

Tracking continues, what’s next for user privacy?

Google Chrome takes the opposite direction than Safari and Firefox. Instead of pushing for increased tracking protection, the company is currently reworking the browser APIs, upon which current ad and tracking blockers rely.

This will restrict the number of URLs that can be monitored by browser extensions. This monitoring is currently used to block the connections to known tracker URLs.

The official reason for this change is increased performance. Critics expect a profound impediment to current ad and tracking blockers.

Changes to Google Chrome have a large reach. Chrome leads the browser market, being used by 68% of desktop users. Safari and Firefox only attract 9% of users each.

It is known that Google relies on advertising and data collection. They have a natural interest in limiting ad and tracker blockers. What might be less known to browser users is that the choice of browser is also a choice of privacy.

Overall, this article highlights how DNT has failed, but has motivated new solutions against tracking. It also underlines that privacy cannot be taken for granted in the 21st century. We will need to continue the debate, and to seek innovative solutions around user privacy.