"Do Not Track" is a horrible idea

Many years later, I revisited this page. Do-not-track has been implemented, and surprise, surprise: it didn't work.

I've heard about the idea of a "do-not-track list" for Web privacy for a while now, online, in print, and in person.

Simply put, all of the "opt-out" ideas that I've heard have been horrible. In short, they rely at best on unenforceable behavior and at worst on something that is an inherent contradiction.

Donottrack.gov?

The first "solution" that I've heard proposed is something akin to the popular Do Not Call Registry. There's a fundamental problem with this. How on earth do you determine if a visitor to or user of your site is on the registry? Well... they'd have to present some sort of unique identifier that could be matched up to a central database and... hang on... isn't this starting to sound like what we want to avoid?

Trust the browser, trust the servers

Ok, so let's leave the idea of a "do not track registry" to die in a corner, and instead focus on something that would obviate the need for a unique fingerprint. Let's have the browser send a special header, perhaps something like X-Do-Not-Track that denotes the preference of the user. At first glance, this looks a bit better. We don't have to uniquely identify ourselves, and we're not dependent on a central source of information, ripe for the harvesting. We'll just configure the browser to send something saying that we don't want to be tracked, and sites will act accordingly.

That won't work. Here's why:

So at best, we'll have a system that's entirely opt-in on the advertiser side and will only be observed by the most noble companies (but not all of them, and not all the time). Anyone intent on data mining/tracking/etc. for nefarious purposes will continue to do so, same as before, and will happily ignore the header with absolutely no consequences, while overly optimistic or misinformed users will feel semi-anonymous.

What a waste.
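
The enforcement gap described above, as an added example that is not part of the original page: two hypothetical sites receive the same opt-out header and return identical responses, yet only one of them refrains from recording the visit. The `Site` class, the header value `1`, and the sample request are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Header name as proposed on this page; the value "1" is an assumption.
OPT_OUT_HEADER = "x-do-not-track"


@dataclass
class Response:
    status: int
    headers: dict
    body: str


@dataclass
class Site:
    """Hypothetical site; honors_dnt is a policy only the operator knows."""
    honors_dnt: bool
    profiles: dict = field(default_factory=dict)  # server-side, never sent

    def handle(self, client_ip, headers, path):
        # HTTP header names are case-insensitive, so normalize first.
        h = {k.lower(): v.strip() for k, v in headers.items()}
        opted_out = h.get(OPT_OUT_HEADER) == "1"
        if not (self.honors_dnt and opted_out):
            # Passive tracking: no cookie needed, nothing visible to the client.
            key = (client_ip, h.get("user-agent", ""))
            self.profiles.setdefault(key, []).append(path)
        return Response(200, {"Content-Type": "text/html"}, "<h1>Hello</h1>")


def compare_sites():
    """Send one constructed opt-out request to both sites and compare."""
    request = {"X-Do-Not-Track": "1", "User-Agent": "ExampleBrowser/1.0"}
    honest, indifferent = Site(honors_dnt=True), Site(honors_dnt=False)
    r1 = honest.handle("192.0.2.10", request, "/article")
    r2 = indifferent.handle("192.0.2.10", request, "/article")
    return {
        "responses_identical": r1 == r2,
        "honest_profiles": len(honest.profiles),
        "indifferent_profiles": len(indifferent.profiles),
    }


if __name__ == "__main__":
    print(compare_sites())
```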

The Solution

There is no real solution.

There is no one technology, law, or other magic bullet that will guarantee you privacy on the internet. Sorry.

Instead, you have to use a combination of technologies and tactics to enforce your own privacy policy. As for me? I use uMatrix, uBlock Origin, HTTPS Everywhere, Privacy Badger and a rather aggressively maintained hosts file to limit my trackability.

This works pretty well.

Postscript, much later

It didn't work. And nobody's invisible, not if they interact with their surrounding world. It's a question of finding a balance and making informed trades.

A header won't do that for you.