Contradictory settings for DNT #163
Comments
|
see, I told you not to enable TP xD navigator.doNotTrack is set to "unspecified" when DNT is disabled |
|
...or just go with it and enable the DNT pref as well |
|
I think a few sites honor DNT, so even though it's "honor-based", it's not all bad in and of itself. The question is what percentage of Firefox users are sending a DNT line as part of their HTTP/S request headers. That way, you can determine whether or not disabling DNT in the header increases or decreases entropy. |
|
We discussed DNT here, by scrolling down you see Pants results on Related: pyllyukko/user.js#11 (comment) Gorhill on DNT. |
FF is not lying to you. You just misread an (admittedly) ambiguously worded dialog. You misread the checkbox as giving you the option to enable or disable DNT, when it's actually giving you the option to enable it always or only when TP is on. Take another look:
This is why you find that DNT is set when Tracking Protection is enabled. FF tells you so.
A (good) argument can be made that when the user opts into Tracking Protection (which he must do since it's disabled by default), she is opting into the option to disable tracking, hence into DNT. I don't think FF broke the spirit of DNT. Indeed I think it would be exceedingly confusing to ask the average user to separately:
|
That confusing dialog / set of options has hopefully been made clearer in Nightly:
@RoxKilly nailed it. The two options confused our users who thought they were protected from tracking when they enabled DNT but not TP. When it comes to the spirit of DNT, the spec says that "the signal sent must reflect the user's preference". If a user chooses to go into Private Browsing or enables TP, then we argue that they have expressed a preference against being tracked.
Firefox telemetry shows that 17% of Nightly 56 users have DNT enabled (it's lower in Beta). But that's severely undercounting the signal since it's sent by default whenever users use Private Browsing (because TP is enabled there) and we don't collect telemetry for Private Browsing. |
|
@fmarier That's a huge improvement! 👍 It would be beneficial to have a "Never" option for the "Send websites a Do Not Track signal..." option. Alternatively, it likely would make more sense (and improve the UX) if the radio buttons for "Send websites a Do Not Track signal..." simply paralleled those for the "Use Tracking Protection..." header:
|
The only option is to also disable TP. The reason is that the Disconnect list relies on the EFF's DNT policy. If a tracker complies with it (none of them do at the moment except for a test domain we control) then they get removed from the Disconnect list. This means that if you were to enable TP but disable DNT, you could be tracked by trackers who would otherwise comply with DNT (i.e. don't track you) had you sent them the DNT signal. |
|
Thanks for that info @fmarier. Good to know. But doesn't that also mean that mozilla will never enable TP (+ therefore DNT) by default in non-private windows because you require the user to Opt-In for DNT? |
So far we've always talked about TP being opt-in in normal mode, not opt-out like it is in Private Browsing.
TP is meant to block trackers, not all ads. If the web moved from behavioural ads to non-tracking ads, that would be a huge improvement from a privacy point of view. And there will always be uBlock Origin & friends for those who want to block all of the ads. |
You write "1610: ALL: disable the DNT HTTP header (this is essentially USELESS and raises entropy)"
However, setting user_pref("privacy.trackingprotection.enabled", true); causes a DNT header to be sent.
Tested with FF52 ESR against https://browserleaks.com/donottrack.
Proposal to set user_pref("privacy.trackingprotection.enabled", false); in line with what you wrote under 1610. False is also the default in FF52.
The text was updated successfully, but these errors were encountered: