I think it is perfectly reasonable to assume that users intend to not be tracked by the very large number of third parties they are involuntarily exposed to on the web.
Yahoo are resorting to this whole buzzword-laden meaningless rhetoric around ~user experience~ and ~value proposition~. That just reinforces the impression that the only reason anyone was prepared to go along with DNT was that they assumed that 99% of users weren't going to be in a position to express their ~user intent~ to not be tracked. Since, you know, most people have better things to do than to learn how to teach their computer about obvious preferences like "please don't spy on me".
Microsoft is simply making the benefits of the DNT scheme more accessible to its users. It's pretty telling that Yahoo is already backpedaling from respecting the users' intent, faced with the possibility that more than an insignificant fraction of users might actually be enabled to benefit from DNT by this decision.
(Edit: Personally I think rather than squabbling about DNT, browser vendors should be taking much more aggressive, technical steps to make tracking users harder, instead of having a default configuration that stops just short of transmitting the user's SSN via request header. Disabling features like user agent and referer headers for and quickly discarding cookies from untrusted (by individual user "intent", not based on SSL certs or anything) hosts would be a start.)
The benefit of the DNT scheme was to kill the lie that most users don't care. If 99% of users take positive action to change a default and say "Don't track me", it's believable. If a browser vendor says this, it's not.
Bear in mind that Do Not Track has _zero_ technical merit; it's equivalent to the "evil bit" prank RFC. Any merit it has must be political.
The value in DNT was going to be that we could convince advertisers that normal users do, in fact, care, and do, in fact, not want to be tracked. IE's decision is squandering what DNT attempts to communicate, and squandering that value. And so when you see advertisers _and_ web server developers rejecting IE 10's DNT indicator, that doesn't mean that the advertisers or web server developers are bad people -- that just means that you lost the politics.
That puts Microsoft in a bind. Sensible defaults are important; if you can guess what users want most of the time, then you should just do that.
In their shoes I would have done some focus groups, spending an afternoon with people and really educating them on the details of tracking, and what the pros and cons are for them. If at the end of it most typical users would have turned it on, then this would have been the right default.
After all, if places like Yahoo don't like it, they could ask people to turn it off. If Yahoo's right, then presumably most people would turn DNT off, or make an exception for them. But I suspect Yahoo knows that people don't want to be tracked, and that a lot of their profit comes from keeping their users in the dark.
> Sensible defaults are important; if you can guess what users want most of the time, then you should just do that.
That is a good general rule. In the case of DNT, the header was formulated specifically with the intent that the default would be off, regardless of what you expect the user to want, so that turning it on communicates individual user intent. This is a reason to ignore the general rule in this specific case.
A good related example would be license agreements. Most users want to ignore them entirely. Focus groups would indicate skipping them. But if you make a click-through license agreement invisible, while that's a better UX, the agreement is now completely legally invalid. In order for the agreement to be valid, you need the user to have an opportunity to read it (even if focus groups indicate nobody does).
And while you expect 100% of your users to accept the agreement, the default needs to be "No, I do not accept".
> If Yahoo's right, then presumably most people would turn DNT off, or make an exception for them.
Nope, there are other reasons why one wouldn't turn it off: confusion, ignorance, laziness, etc. Everyone in tech support knows how hard it is to get users to perform simple tasks even with step-by-step guidance.
With Firefox, I use adblockplus, noscript and requestpolicy, along with some thing I forgot that wipes flash cookies and other persistent storage at the end of every session, and probably something else that I entirely forgot about.
But that does fuck all, apart from making me guess which third-party requests are instrumental to making a page I'm visiting for the first time work properly, until it's some sort of concerted effort at a default behavior for browsers so that websites are coerced to adapt to it to stay competitive. So it's up to those with browser marketshare.
Can't you also change your cookie settings to require you to accept any cookie that wants to be set? I think we'd see less cookie abuse these days if 10 years ago browsers defaulted to asking users to store cookies. You can also disable all third-party cookies, which can help minimize tracking also.
I'm pretty sure that Microsoft is doing this to hurt Google and hurting Google's ability to deliver a better ad experience. As well, it gets to paint itself as fighting for privacy, etc, so it's a double-win for them.
While it is reasonable to assume a user's intent, it is also reasonable to assume a content publisher's intent to monetize their content. An advertising-funded web is the reality of today, unless Microsoft is proposing a radical change in this model.
The concept of Do Not Track, despite the emotional appeal of the name, essentially seems to be a compromise between privacy and advertising, keeping the advertising-based model intact while also allowing the extremely privacy focused (minority set of) individuals to have things their way.
Turning DNT on by default is a hardline approach and violates the spirit of this compromise. Instead, there needs to be more effort to constructively work with content providers, privacy advocates and advertisers to come up with a more explicit protocol that satisfies everyone's interests.
Your theory appears to be that the minority of privacy-focused individuals are weird outliers in preference, but my impression is that they are weird outliers in knowledge.
When I talk with non-technical relatives about their internet use, privacy is a major issue for them.
They know, for example, that Facebook knows a lot about them, which scares them. They don't know how much ad providers track them, but if you tell them they're more scared. Facebook is at least a known entity that provides them some benefit. Shadowy private companies profiling them is a lot harder to get comfortable with.
I agree there is a problem with the lack of knowledge, but I wouldn't assume that it is all regarding "shadowy private companies". A number of public privacy scares like the concern of Gmail reading people's email seem to fall into the same category.
Again, there are good and bad players on all sides, but my point was simply that ignoring reality and making a complete swing to no monetization for content seems to assume all players on one side are bad. A more open standard that allows clear knowledge is probably a better direction for Microsoft to pursue.
> I think it is perfectly reasonable to assume that users intend to not be tracked by the very large number of third parties they are involuntarily exposed to on the web.
I don't. In my limited experience, most users don't care nor mind unless they can see the immediate downsides to that.
How is a cookie 'just short of transmitting the user's SSN'? Microsoft itself, for example, doesn't support DNT for all browsers in its advertising network Atlas.
> How is a cookie 'just short of transmitting the user's SSN'?
In that it's fairly straightforward to track a user across multiple sites and sessions with a cookie, almost as easy as if the browser was already sending a user-specific identification number along on its own.
I didn't want to present Microsoft as the good guys here either, they're playing their own game and I have no illusion that they really care about their users' privacy.
1) They can often be used to identify you, especially when combined with other HTTP headers or information scraped from the client via JS[0].
2) They are abused by web developers who wish to lock out web browsers that they do not support. This is generally considered to be against the spirit of the web, though is sometimes useful for optimising page load times (for example, not sending IE conditional comments to all browsers).
Thanks. I didn't realize that the combination of headers could produce such a specific target. Apparently my browser fingerprint appears to be unique among the 2,474,746 tested so far.