irenesteam

joined 1 month ago
[–] irenesteam@mander.xyz 2 points 22 hours ago* (last edited 22 hours ago)

Thank you for cross-posting my first post on Lemmy. Thank you to everyone who took the time to respond on the issue.

I am new to Lemmy and I am not really certain how cross-posting works. It seems you may not get notified about comments from the original post.

Please refer to the original post for some additional relevant details in the comments. https://mander.xyz/post/24524978

Items mentioned there: A list of 200+ websites which obey Do Not Track signals. Quoted legal documentation which makes a website's claim of obeying Do Not Track signals legally enforceable. Further discussion on fingerprinting. Additional information on Global Privacy Control.

[–] irenesteam@mander.xyz 2 points 23 hours ago

4 - Expanding the Laws

Bringing back Do Not Track is all about creating this opportunity. We seem to agree it would be better for Do Not Track to become legally stronger. I believe we will have the greatest chance that this will happen if Mozilla brings back Do Not Track. I believe it is also important to increase the user adoption percentage of enabling Do Not Track signals partially to increase legal pressure by providing legislators with a meaningful statistic.

Regarding this point: "Only when a consensus is being reached should Mozilla and browsers prepare to support the enforced feature." We already have legal consensus of website operators who serve California users being legally required to describe a stance on Do Not Track.

Note that the original posting describes how it was only after major web browsers offered the Do Not Track feature, a law was created requiring website operators to take a stance on Do Not Track. After a technology is implemented, we get laws to refine it. Laws are unlikely to begin with a detailed technical specification and so I ask you to change your expected order to the technology firms first putting an implementation in place and then laws coming afterward to refine the implementation.

I understand how the length of time for laws to get applied may be frustrating. We have already seen some progress on Do Not Track and the German legal case less than 2 years ago shows recent progress. But if we want to see further legal progress, we really need to bring back Do Not Track in Mozilla's user interface.

Please demonstrate your support for Do Not Track.

[–] irenesteam@mander.xyz 2 points 23 hours ago

First, I really appreciate you taking the time to share your thoughts and rationale. It is great to have informed debate. Let's try to address your points.

1 - Fingerprinting

As our first consideration, data shows that if you are concerned about fingerprinting, you should enable Do Not Track signals, as has already been explained, to blend in with the majority of others who can block fingerprinting JavaScript and who have enabled Do Not Track signals. Users who do not block fingerprinting JavaScript can be uniquely fingerprinted regardless of the Do Not Track preference and are encouraged to enable Do Not Track to benefit from the websites which obey it, such as some medical websites.

Regarding this point: "It still is however a data point often masked to follow the herd in order to minimize fingerprinting in territories where user privacy isn't enforced by law." I think your point better applies to Global Privacy Control, since it is Global Privacy Control which is being interpreted by some implementing companies as only applying to territories in which users live, while Do Not Track appears to be consistently described in privacy policies and listed in code snippets as applying to users worldwide, meaning that a user's territory is not relevant in the effectiveness or ineffectiveness of Do Not Track.

Data has not convinced you so let's take a logical approach to look at the situation a little differently, calling it our second consideration. When we consider the scenario of websites aggressively attempting to fingerprint us, there are two cases: when we cannot block JavaScript and when we can block JavaScript.

Case a) If we are unable to block a website's fingerprinting JavaScript, an HTTP header attribute value (such as Do Not Track) need no longer be a relevant concern. I encourage you to visit https://amiunique.org/fingerprint or other websites like it.

For example, under the JavaScript Attributes section, the Audio Data value gives me a Similarity Ratio of 0%. With only one JavaScript Attribute, it may be possible to uniquely identify me from my Audio Data if a website (or a set of websites with the same fingerprinting service provider) uses fingerprinting techniques.

There are a number of JavaScript Attributes which are difficult or time consuming for a user to modify, such as Audio Data, and a combination of these values can probably be used to create a unique fingerprint about a user.

What is important to understand in our discussion is that it may not make sense to have every measurable value contribute to a fingerprint analysis. If you resize your web browser's window and the Screen Width JavaScript Attribute changes, should you be assigned a new fingerprint and should the fingerprinting website blindly not recognize you as being the same user? We might conclude that it may not be effective for fingerprinting code to incorporate into the fingerprint a value which is easy for a user to change.

Case b) If we are able to block the fingerprinting JavaScript, there are fewer HTTP Header Attribute values compared to JavaScript Attribute values. Some of these HTTP Header Attribute values include: User Agent, Accept, Content Encoding, Content Language, Upgrade Insecure Requests, Do Not Track, and Global Privacy Control.

Suppose we found a website with naive fingerprinting code which relies on a Do Not Track value when generating a fingerprint. We can visit the website with a Do Not Track signal enabled. The next day, we can take off our sunglasses (disable Do Not Track signals), visit the same website, and the website will not be able to recognize us! The about:config method makes it very easy to switch to another window and toggle a button, which is similar effort to resizing a web browser window.

A question to ask ourselves is if we think a website fingerprinting technique would be that poorly coded. If we do not think this will be the case, then is it reasonable to say it is unlikely for Do Not Track signals to be consistently used in generating a fingerprint because it is easy for a user to toggle the preference?

A third consideration is how the benefit of fingerprinting for many website operators may be solely to serve targeted advertisements using JavaScript. Such a website operator may not want to waste time trying to fingerprint users based on HTTP attribute values since a user who disabled fingerprinting JavaScript probably also disabled advertisement JavaScript.

If you remain unconvinced about fingerprinting, please let me know and we can explore the fingerprinting topic further.

When it comes to a website which obeys Do Not Track signals, there are implementations which will prevent connections to analytics JavaScript, which is very likely to be the source of fingerprinting code. For websites which disable fingerprinting JavaScript because we have enabled Do Not Track signals, enabling the signals benefits us against fingerprinting!

In this scenario, it is important to note that Global Privacy Control will not save us because the analytics and fingerprinting JavaScript will not be blocked! With Global Privacy Control signals enabled but with Do Not Track signals disabled, the same website and its third party analytics will fingerprint us!

2 - Law

I will repeat some points from the original posting and also add additional information.

By law, any website which plans to serve customers living in California must declare a public position regarding Do Not Track signals. Multiple tools exist to generate privacy policies and it has become standard to include this declaration in privacy policies for websites even for regional websites which may never get a visitor from California. This fact allows us to have a very quick way to consistently evaluate a website's practices. If you are a person who does not like reading privacy policies (maybe many people feel this way), please take a moment to understand how incredibly powerful a role this standard of requiring websites to declare a Do Not Track stance can perform in allowing you to evaluate a website's expected practices with just a web search.

By law, companies operating in Germany are required to obey Do Not Track signals. It is expected other European businesses will have to do the same in the future but maybe only if we bring back Do Not Track and keep it around long enough for corresponding legal cases to solidify the law.

https://wideangle.co/blog/do-not-track-gdpr-opt-out "And in fact, Article 21 (5) of the GDPR states that a person “may exercise his or her right to object by automated means using technical specifications”. Doesn’t this include DNT signals?"

"According to Hense, this part of the law was “basically invented” or “lobbied into” the GDPR “to help DNT signals become a standard.”"

You also raised an important point about writing fake information in a privacy policy. Privacy policies represent one of the main sources of commitments a website legally needs to follow in its relationship with you. Many companies are unlikely to lie because companies can and do get sued when a privacy policy does not match with the truth.

https://inspiredelearning.com/blog/a-brief-history-of-the-gdpr/ "Ireland’s DPA fined WhatsApp €225 million for not being transparent about how they use their users’ data in their privacy policy."

California law explicitly requires truthful statements for Do Not Track declarations.

https://www.loeb.com/en/insights/publications/2013/10/california-enacts-law-requiring-do-not-track-dis__ "The bill was signed into law Sept. 27, 2013 and applies to any operator of commercial websites or online services that collects personally identifiable information about a California resident, whether the operator is physically based in California or not."

https://www.foster.com/duff-on-hospitality-law/california-adds-do-not-track-disclosure-requirement-to-the-california-online-privacy-protection-act "Operators are in violation of CalOPPA if they knowingly and willfully, or negligently and materially fail to comply with either the law or the operator’s own privacy policy."

https://termageddon.com/do-not-track-caloppa/ "Operators should be cautious to follow the promises they make in their Privacy Policy. If an operator claims to respect these signals but really ignores the requests, they are violating CalOPPA. Further, the FTC considers misrepresentations in a Privacy Policy to be a deceptive practice, so an operator could face an FTC investigation for misleading consumers."

3 - Listed Websites

Because lemmy.world seems to use mostly English, I performed the web searches in English. I believe most of the links are for websites in the US.

This list is not exhaustive. I ran out of space in the Lemmy comment and stopped collecting websites. The list is intended to demonstrate it is more than "just 1 popular website in Germany" which decided to obey Do Not Track signals.

Some of these websites are regional, such as a medical office or restaurant. It is nice to know you can get life basics such as medical treatment and food without targeted advertisements.

Regarding this point: "There is just about zero reason I think nicely asking website admins to monitor and add support for DNT." Maybe your dental office has a website. It seems reasonable to ask your dental office to make changes to the website to obey Do Not Track signals. There is a supported real life business and this business wants to please its real life customers. Many analytics tools make it very easy. The code snippets linked in b) also make it easy for other analytics tools. You may give 300 families local to where you live a nicer experience and you might make your dental office gain more business from customer appreciation, which is likely to exceed any potential monetary compensation from targeted advertisements.
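The Case b) reasoning in the comment above, worked through as an added example (not part of the original comment and not code from any fingerprinting service): a fingerprint key built only from request headers, compared across two visits that differ in nothing but the Do Not Track header. The header profiles, the six-entry population and all function names are constructed for this illustration, so the set sizes show the method, not measured figures.

```javascript
// Added example. Keys are the real request-header names behind the
// "HTTP Header Attributes" the comment lists; every value is constructed.
const STABLE_ATTRS = ["user-agent", "accept", "accept-encoding", "accept-language"];
const NAIVE_ATTRS = [...STABLE_ATTRS, "dnt"]; // the "naive" set also uses DNT

const UA_A = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0";
const UA_B = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0";

// Build one constructed header profile.
function profile(userAgent, language, dntEnabled) {
  const headers = {
    "user-agent": userAgent,
    accept: "text/html,*/*;q=0.8",
    "accept-encoding": "gzip, br",
    "accept-language": language,
  };
  if (dntEnabled) headers.dnt = "1"; // the header is absent when the preference is off
  return headers;
}

// Constructed population of visitors who block fingerprinting JavaScript.
const POPULATION = [
  profile(UA_A, "en-US", true),
  profile(UA_A, "en-US", true),
  profile(UA_A, "en-US", true),
  profile(UA_A, "en-US", false),
  profile(UA_B, "en-US", true),
  profile(UA_B, "de-DE", false),
];

// Canonical key over the chosen attributes; a missing header is a value too.
function fingerprintKey(headers, attrs) {
  return attrs.map((a) => `${a}=${headers[a] ?? "<absent>"}`).join("\n");
}

// Would a site using this attribute set treat the two visits as one visitor?
function sameVisitor(visitA, visitB, attrs) {
  return fingerprintKey(visitA, attrs) === fingerprintKey(visitB, attrs);
}

// Number of profiles in the population that share the visit's key.
function anonymitySetSize(population, visit, attrs) {
  const key = fingerprintKey(visit, attrs);
  return population.filter((p) => fingerprintKey(p, attrs) === key).length;
}

// Share of the population with the same value for one attribute
// (the per-attribute ratio a site like amiunique.org reports).
function similarityRatio(population, attr, value) {
  const same = population.filter((p) => (p[attr] ?? "<absent>") === value).length;
  return same / population.length;
}

// Day 1: DNT enabled. Day 2: same browser, DNT toggled off.
function compareVisits() {
  const day1 = profile(UA_A, "en-US", true);
  const day2 = profile(UA_A, "en-US", false);
  return {
    naiveRelinks: sameVisitor(day1, day2, NAIVE_ATTRS),
    stableRelinks: sameVisitor(day1, day2, STABLE_ATTRS),
    naiveSetDay1: anonymitySetSize(POPULATION, day1, NAIVE_ATTRS),
    naiveSetDay2: anonymitySetSize(POPULATION, day2, NAIVE_ATTRS),
    stableSet: anonymitySetSize(POPULATION, day1, STABLE_ATTRS),
    dntOnRatio: similarityRatio(POPULATION, "dnt", "1"),
  };
}

console.log(compareVisits());
```
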

[–] irenesteam@mander.xyz 1 points 23 hours ago

My understanding of some points:

For California residents, perhaps only when you browse a website from an IP address in California, a website which obeys Global Privacy Control signals can opt you out of sharing and selling your data after it is collected but it will not opt you out of data being collected by the website and the website's third party analytics services. Colorado and Connecticut residents also have some legal protection using Global Privacy Control but the legislation is different and a website may react differently. The video was made in California and details about other locations were not fully discussed. Some states such as Virginia have corresponding legislation but do not appear to enforce the use of Global Privacy Control by website operators. Florida appears to primarily target big tech. Utah, Texas, Montana, Tennessee, Oregon, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Rhode Island have also enacted some form of privacy legislation with different degrees of applicability.

Global Privacy Control will apparently not apply to users in regions without corresponding regulation, at least for the example website in the video. In contrast, Do Not Track appears to apply to users everywhere when a website claims to obey Do Not Track signals. The act of claiming to obey Do Not Track signals makes that claim legally binding.

Global Privacy Control allows for third party analytics tools to still collect data about you. In the process of collecting data about you, a website may use a Global Privacy Control signal as a reason to ask you to disable Global Privacy Control protection for this website. Do Not Track does not appear to have this drawback, at least for Do Not Track implementations which follow the code snippets in b) which prevent third party analytics connections.

"Technical identifiers" is a very scary term and if you see it, it can mean many terrible things. According to the video, "technical identifiers" can include: your IP address, your cookie IDs, browser local storage identifiers, mobile device identifiers such as the Android advertising ID or the Apple identifier for advertising platforms, operating system based identifiers such as those offered on smart or connected TVs or media streaming devices, partner supplied technical identifiers, encrypted or one-way cryptographic hashes of personal information such as email addresses and phone numbers, account identifiers, derivatives or escalated versions of these identifiers, operating system or browser versions, cohort audience, and more. "In other words, everything. Trying to find some way to track you, hook onto you, see where you went, what you're thinking, what you like, what you're doing. We want it all."

"There is no US federal law requiring companies to respect GPC. Also the GDPR interpretation of GPC sadly seems a little weak."

"There are still too many regions that have no privacy regulations and the various regulations that do exist need to be harmonized with one another on what GPC really means. For example does the request apply only to further data collection or should it apply to data already collected? Does it apply to the user or just the device that set the GPC flag?"

In summary:

Global Privacy Control is not a replacement for Do Not Track. Do Not Track may offer stronger consumer protection. Global Privacy Control may be implemented by many US websites which choose not to obey Do Not Track, offering arguably weak protection in place of no protection. Do Not Track has the potential to provide strong protection for European websites and for any website which volunteers to obey Do Not Track signals. Some US state laws recognize a universal opt-out mechanism, which can include Do Not Track or Global Privacy Control. The two settings deserve to coexist.

[–] irenesteam@mander.xyz 8 points 2 days ago

More than 200 websites which obey Do Not Track signals

https://www.actorsite.com/privacy-policy
https://builder.io/docs/privacy
https://www.ckcancercenter.com/privacy-policy.html
https://elesplace.org/privacy-policy
https://www.royalresortscaribbean.com/pdf/PrivacyPolicy.pdf
https://www.americaphonebook.com/privacypolicy.htm
https://www.itup.org/privacy-policy/
https://www.milligan.edu/privacy/
https://www.bmigeorgia.org/privacy-notice
https://www.lamisinstitute.com/privacy-policy
https://www.pizanoschicago.com/privacy-policy/
https://www.docsites.com/privacy/
https://dogtrainerhawaii.com/privacy-policy/
https://www.kidznotes.org/privacy-policy/
https://harrissmile.com/privacy-policy/
https://www.researchandme.com/legal/privacy
https://thesauceologygroup.com/
https://drurybodyshop.com/privacy-policy/
https://www.istemai.com/istem_privacy_policy.html
https://veregy.com/privacy-policy/
https://childrensparadise.com/privacy-policy/
https://manzelexpress.com/privacy
https://cs.newton-conover.org/o/cs/page/privacy-policy
https://drtraceywilliams.com/privacy-policy/
https://www.landmarkathens.com/privacy-policy/
https://www.irvineparkrailroad.com/privacy-policy/
https://www.paritygo.com/privacy-policy/
https://www.faitfellowship.org/privacy-policy/
https://middlecoffdentalgroup.com/privacy-policy/
https://www.gocadmium.com/privacy-policy
https://www.tr3dent.com/privacy/
https://www.chrishartlaw.com/privacy-policy/
https://www.srbx.org/privacy-policy.html
https://seoshope.com/privacy-policy/
https://www.ilcao.org/downloads/omjprivacypolicy.html
https://www.guru99.com/privacy-policy
https://www.ennovationlifesciences.com/index.php/privacy-policy/
https://www.wheelership.com/privacypolicy
https://www.rillusion.com/privacy.html
https://risesouffle.com/privacy-policy
https://www.g2inc.com/privacy-policy/
https://werelivingwell.com/privacy-policy-2/
https://mru.edu/privacy-policy
https://premium.infornweb.com/privacy-policy/
https://www.townmoneysaver.com/PrivacyPolicy
https://terrycmisfeldt.com/privacy-policy/
https://www.lacucinareno.com/privacy-policy.html
https://www.stylewe.com/information/privacy-policy
https://www.choixmalins.com/privacy-policy/
https://auroraflighttraining.com/privacy-policy/
https://www.franchisefastlane.com/privacy
https://www.hospiceandcommunitycare.org/hospice-care/website-privacy-policy/
https://philadelphiaeaglesdentist.com/privacy-policy/
https://www.rosesdaughters.com/privacy-policy/
https://aomorispring.com/privacy
https://projects.cangguproperti.com/privacy-policy
https://www.bostoncollegiate.org/privacy-policy/
https://www.medtrition.com/privacy-policy/
https://www.advtrain.com/privacy-policy/
https://counta.com/privacy-policy/
https://trackmaker.com/main/en/privacy-policy
https://www.cadl.org/contact-help/policy-site-map/privacy-policy
https://www.centralarkansasfamilyclinic.com/privacy
http://www.himalichacha.com/privacy-policy.html
https://muniss.net/legal/
https://pointstravels.com/privacy-policy/
https://moriumius.jp/en/policy/
https://noracora.com/information/privacy-policy
https://www.cspwal.com/privacy-policy
https://www.ccsblaw.com/privacy-policy/
https://srifas.com/privacy-policy/
https://www.roberthainesco.com/privacy-policy/
https://www.dashhound.com/privacy-policy/
https://www.marseilleshotel.com/privacy-policy/
https://vanessaduplessie.com/privacy-policy/
https://jasonlowensteinmd.com/privacy-policy/
https://www.dellrapidsdental.com/privacy-policy
https://mypaperhub.com/privacy.php
https://www.elijahnotes.com/privacy-policy/
https://www.eliscoffee.com/privacy-policy/
https://www.mdscheduler.net/app/PrivacyPolicy.aspx
https://www.rockhilleyecenter.com/privacy-policy/
https://lvg.virginia.edu/policies-procedures/privacy-policy
https://www.catalystkids.org/privacy-policy/
https://www.jumbledbrain.com/privacy-policy/
https://jenniferperkins.com/privacy-and-cookie-policy/
https://www.optionsforlearning.org/pdf/Policy-_35-Website-Privacy-Policy-FINAL-10-23-2018.pdf
https://takingroot.com/privacy-policy/
https://www.intergroom.com/privacy-policy
https://www.scenicsuds.com/privacy-policy
https://www.weknowgrass.org/privacy
https://barnessolar.com/terms/
https://weolive.com/privacy/
https://bataviafamilydental.com/privacy-policy/
https://orilliadentistry.com/privacy-policy/
https://grymesschool.org/privacy-policy/
https://www.kenrashsoutdoorfurniture.com/privacy-policy
https://montrosedentalgroup.com/privacy-policy/
https://www.morganchasecatering.com/privacy-policy
https://www.allpridefitness.com/privacy-policy
https://www.lassendas.com/privacy/
https://mezzotechnologies.com/privacy-policy/
https://harbor360hotel.com/privacy-policy/
https://www.paintedgrapenc.com/privacy-policy.html
https://advancementresources.org/privacy-policy/
https://www.p-b.com/privacy-policy/
https://anydate.com/privacy-policy-terms-of-use/
https://keepfloridabeautiful.org/privacy-policy/
https://herosports.com/privacy-policy/
https://www.aacn.org/privacy-policy
https://www.augustint.com/us/support-338.html
https://www.inetis.com/privacy-policy.html
https://www.anesthesiascheduler.com/app/PrivacyPolicy.aspx
https://revivesmile.com/privacy-policy/
https://mtbakerlodging.com/privacy-policy/
https://myplazadental.com/privacy-policy/
https://www.tampalanguagecenter.com/terms
https://parkridgesmiles.com/privacy-policy/
https://agilevirtualpt.com/privacy-policy/
https://www.columbiaconventioncenter.com/privacy-policy
https://www.innatwillowgrove.com/privacy-policy
https://aylmerfamilydental.com/privacy-policy/
https://www.axiad.com/privacy-policy
https://womancarepc.com/privacy-policy/
https://familydentalphx.com/privacy-policy/
https://www.yourvalleysmile.com/privacy-policy.html
https://workwelldentalmanagement.com/privacy-policy/
https://prokolusa.com/privacy-policy/
https://www.awra.org/AWRA/Members/Privacy.aspx
https://wsbr.org/privacy-policy/
https://www.brusselsbistro.com/privacy-policy
https://www.naics.com/privacypolicy/
https://compassionandchoices.org/privacy-policy/
https://www.oakleafclinics.com/privacy_policy.pdf
https://www.bluestonepim.com/privacy-policy
https://hartfordfamilydentistry.com/privacy-policy/
https://eldredgelumber.com/privacy-policy/
https://www.parrapediatrics.com/privacy-policy-2/
https://edgewaterdentistchicago.com/privacy-policy/
https://www.privacy.haleon.com/en-us/general/general-full-text/
https://lesshousemorehome.co/privacy-policy/
https://www.sambuno.com/sambuno-privacy-policy/
https://rzsoftware.com/cookie-policy/
https://bingoplayers.com/privacy-policy
https://rebeccahite.com/privacy-policy/
https://kecny.com/privacy-policy/
https://paulcassimus.com/privacy-policy
https://www.penndelbowling.com/privacy
https://www.learningfornature.org/en/privacy-policy/
https://www.caviarandbananas.com/assets/pdfs/cb_privacy_policy.pdf
https://hamptonresearch.com/privacy-policy-25.html
https://www.jamesbatesllp.com/privacy-policy/
https://www.healthcare.gov/privacy/
https://purexp.com/privacy-policy/
https://help.pinterest.com/en/topics/privacy-safety-and-legal
https://www.nwgroom.com/privacy-policy
https://www.lightdirections.com/privacy-policy
https://www.vinivia.com/legal/cookies
https://birdbuffer.com/privacy-policy-2/
https://ettsdds.com/privacy-policy/
https://www.arenaenergy.com/privacy-policy/
https://doctorwestmoreland.com/privacy-policy/
https://hwhmt.com/privacy-policy
https://excelrehabsports.com/resources/privacy-policy/
https://www.familyfirstathome.com/privacy-policy
https://ofcourseme.com/privacy-policy-2/
https://atlanticbrainandspine.com/privacy-policy/
https://fifth-avenue-dental.com/privacy-policy/
https://www.sowela.edu/privacy/
https://itaberco.com/privacy-policy/
https://midcitypeds.com/privacy-policy/
https://www.6minded.com/privacy-policy
https://waynebelisle.com/privacy-policy/
https://kopernik-foundation.org/privacy-policy/
https://majormarine.com/privacy-policy/
https://holteybrownnewsom.com/privacy-policy/
https://blackbeards.com/privacy-policy/
https://pslstrive.org/privacypolicy
http://champaceramics.com/Privacy
https://www.sugaravenue.com/privacy-policy/
https://www.quetext.com/privacy-policy
https://winnipegperiodontist.com/privacy-policy/
https://brardentistry.com/privacy-policy/
https://www.lindseya.com/privacy-policy-and-disclaimer/
https://www.daytonabahamahouse.com/privacy-policy
http://www.techbeatph.com/wproot/about-us/privacy-policy/
https://citiesalive.org/citiesalive-privacy-policy
https://milfordfamilydentalma.com/privacy-policy/
https://www.equian.com/privacy-policy/
https://hallhall.com/privacy-policy/
http://beatingbeats.com/privacy-policy
https://cityventures.com/privacy-policy/
https://www.businessmapping.com/privacy.php
https://entcenterutah.com/privacy-policy/
https://metrorichmondzoo.com/privacy-policy/
https://w4.shangri-la-frontier.com/privacy-policy/
https://www.poteaudental.com/privacy-policy.html
https://eastlake.church/privacy-policy
https://www.sellooil.com/privacy-policy/
https://www.wlf.louisiana.gov/page/privacy-policy-wma-app
https://www.getstreamline.com/privacy-policy
https://www.rolair.com/privacy
https://www.arcadiapublishing.com/pages/privacy
https://sddentalspecialists.com/privacy-policy/
http://jpisaacsauthor.com/privacy-policy/
https://www.aspirephysicalrecovery.com/privacy-policy/
https://elearning.costar.com/privacy-policy
https://lospoblanos.com/privacy-policy
https://luigis-citypizza.com/privacy/
https://bcgl-law.com/privacy-policy/
https://graypants.com/privacy-policy/
https://www.ledistrict.com/privacy
https://luggagehero.com/terms-conditions/privacy-policy/
https://clearlinkpartners.com/privacy/
https://www.mems25.org/home/MEMS2025_PrivacyPolicy.pdf
https://www.turntableindy.com/privacy
https://www.gritman.org/privacy-policy/
https://carmifamilydental.com/privacy-policy/
https://olympuseyemd.com/privacy-policy/
https://ossonetwork.com/privacy-policy
https://www.nwaproclad.com/privacy
https://fairlawnwest.org/privacy-policy/

 

https://blog.mozilla.org/en/mozilla/advertisers-and-publishers-adopt-and-implement-do-not-track/ Mozilla introduced the Do Not Track feature in January 2011 and other major web browsers soon did the same. With the Do Not Track preference enabled, when a user attempts to connect to a website, a Do Not Track signal is sent as a part of the header which is sent during the connection attempt. A website which obeys Do Not Track requests is able to act on the user's choice before loading a webpage.

A website which obeys a Do Not Track signal value of "true" can use this setting positively in multiple ways.

a) https://lemmy.world/post/22974927 More than 15 analytics tools can be conveniently configured by a website operator to obey Do Not Track signals.

b) https://filippovicentini.com/notes/2019-04-22/ https://medium.com/@fixitblog/solved-how-to-make-google-analytics-respond-to-quot-do-not-track-quot-7f9785385371 Multiple websites explain how a website operator can obey Do Not Track signals, such as when an analytics tool does not have that option. These methods can be used to prevent connections to third party tracking services.

c) At least one "cookies consent" tool obeys a Do Not Track signal by silently disabling tracking cookies without the need for user interaction with potentially annoying cookie popups.

https://www.cookieyes.com/blog/respecting-browser-do-not-track-setting-cookieyes/ "If you install CookieYes banners on your website, it will respect the active DNT of the users’ browsers and avoid placing any tracking cookies"

d) Do Not Track signals have also been legally defended as a compatible mechanism of the General Data Privacy Regulation (GDPR) for a user to indicate a preference to not be tracked, in a court case in Germany. Do Not Track signals are expected to legally apply to other countries and other scenarios involving GDPR, but court cases would likely have to happen first.

https://wideangle.co/blog/do-not-track-gdpr-opt-out "A recent German court case against LinkedIn suggest that websites that track their users should recognise DNT signals or risk violating the General Data Protection Regulation (GDPR)."

"'The court stated the obvious and even quoted a bunch of legal commentaries on it,' Hense said. 'They all agreed with DNT being a valid signal.'"

In the German court case, Microsoft's LinkedIn could attempt to overturn this verdict on appeal if first Mozilla permanently removes the Do Not Track setting from Firefox's user interface and if Chromium then, in turn, removes the Do Not Track setting with partial reasoning being because Mozilla, the original champion of the setting, also removed it. Microsoft could then ask to have the verdict dismissed on appeal because a majority of web browsers might no longer have a Do Not Track setting in the user interfaces, and such an appeal result could be a terrible blow to privacy, as well as a blow to the possibility of conveniently obtaining private web browsing on potentially many more websites in the future.

There have been some arguments raised which call for the removal of the Do Not Track setting. Let's explore these arguments and see if they are strong enough to justify removing the Do Not Track setting.

These arguments include:

1 - Global Privacy Control (GPC) is legally supported in some jurisdictions and thus can replace Do Not Track.

2 - Global Privacy Control can replace Do Not Track in terms of functionality.

3 - Hardly anyone enables the Do Not Track setting and thus a user may stick out in terms of fingerprinting.

https://connect.mozilla.org/t5/ideas/keep-the-quot-do-not-track-quot-option/idi-p/81951 "even with our past education campaigns around DNT... users did not care to enable it."

4 - Hardly any of the websites which a user visits obey Do Not Track signals.

https://connect.mozilla.org/t5/ideas/keep-the-quot-do-not-track-quot-option/idi-p/81951 "it no longer made sense to offer a signal that is consistently ignored by the vast majority of site operators while also being a potential fingerprinting vector itself due to how unique it is because of its low adoption."

5 - It gives users a false sense of security.

Counter-arguments include:

1 - Global Privacy Control is legally enforceable in some states in a country. Do Not Track is legally enforceable in a country and is expected to be legally enforceable in most European countries if corresponding legal cases get presented.

https://wideangle.co/blog/do-not-track-gdpr-opt-out "For now, the judgment only applies to companies operating in Germany. However, the relevant parts of the GDPR are the same in every other country that has implemented the law."

It seems reasonable for both settings to exist in the user interface since each setting is supported by law.

2 - Global Privacy Control is akin to Do Not Track's weaker sibling and thus is not a valid replacement for Do Not Track. Suppose we discuss the scenario where a website obeys both Global Privacy Control signals and Do Not Track signals.

For Do Not Track, a website operator can either enable a setting in multiple analytics tools or can follow multiple websites which list a code snippet to check for Do Not Track signals. With most of these implementations, tracking data will not be sent to a third party analytics service.

For Global Privacy Control, the approach is to still send the tracking data to the third party analytics service!

https://www.techpowerup.com/329753/firefox-ditches-do-not-track-feature-in-version-135-in-favor-of-global-privacy-control "one criticism of the new reliance on Global Privacy Control is that GPC doesn't block Google Analytics tracking requests"

When Do Not Track signals are obeyed, privacy policies appear to indicate that this feature applies to the general Internet population. At least one company with users around the world has decided to interpret Global Privacy Control as only needing to apply to users in some jurisdictions.

https://www.atlassian.com/legal/privacy-policy "our websites do respond to the Global Privacy Control (“GPC”) to opt-out of “sales” of personal information and targeted advertising in certain locales."

3 - The Do Not Track setting is used by a significant proportion of users, with more than 20% of users reported as using it. Now is not the time to abandon it. A visit to https://amiunique.org/fingerprint shows more than 22% of users in the last 7 days, 15 days, and 30 days have enabled a "Do Not Track" HTTP header attribute value. Similar figures were reported in 2019. https://archive.today/zzcwE "A Forrester research report found 25% of people using the Do Not Track setting, and a national survey we conducted found 23%."

If JavaScript is enabled, fingerprinting can be extremely accurate with just JavaScript alone, without examining HTTP header attribute values, meaning that Do Not Track might only be considered for fingerprinting for users who have a solution for selectively blocking JavaScript, such as a web browser addon.

https://backlinko.com/ad-blockers-users "Sep. 02, 2024" "31.5% of internet users worldwide report using an ad blocker."

https://explodingtopics.com/blog/ad-block-users "June 25, 2024" "DataReportal found that approximately 1 in 3 (32.5%) internet users use ad blockers."

It might be reasonable to say at least 75% of users who enabled "Do Not Track" are also users who know what an addon is and would install an addon such as uBlock Origin, Privacy Badger, NoScript, AdGuard, etc., which can be used to selectively block JavaScript. Given this assumption, 75% of the 22% of users using "Do Not Track" signals is 16.5% of all users. 16.5% represents more than half of the reported 32.5% of users using an addon to block JavaScript. Given this assumption, to blend in with the majority of the users who use an addon to block JavaScript, we should be enabling "Do Not Track" signals!

4 - Maybe we could consider intentionally searching for and visiting more websites which obey Do Not Track signals. Websites which obey Do Not Track signals indicate they are a part of the Good Guys. Having this way of differentiating websites is a good thing. We can use a web search or even an AI web search to search for "name-of-website Do Not Track privacy policy" to quickly find some of the Good Guys. A legal requirement has caused a large proportion of websites to indicate in a privacy policy whether they choose to obey or not obey Do Not Track signals.

https://www.freeprivacypolicy.com/blog/privacy-policy-do-not-track-dnt/ "As of January 1, 2014, changes to the California Online Privacy Protection Act (CalOPPA) required the owners of websites, web apps, mobile apps, and desktop apps to include a Do Not Track disclosure in their Privacy Policy agreements."

"In order to comply with CalOPPA's DNT requirements, website owners must make sure they: State how they respond to the DNT signals they receive from user's web browsers"

"Even if a website owner or operator isn't based in California, it still must include a DNT disclosure in the Privacy Policy. This is because the website or app may be attracting visitors who live in California."

This law was created after Do Not Track signals were introduced into major web browsers. The continued existence of the Do Not Track setting in the user interfaces of web browsers means the law will still have a reason to exist and privacy policies will continue to be required to display this information, allowing us to quickly identify some of the Good Guys and even more of the Bad Guys.

If we are stuck using a Bad Guy website, the very existence of the ability to easily configure obeying Do Not Track signals in more than 15 analytics products means it is possible to contact a website operator and ask the website operator to enable the setting. For anyone who says it won't work, I ask you, have you tried?

If there are a lot of bad apples in a market, should we make it even harder to find the good apples, or should we feel happy that a tool exists (Do Not Track) which makes it easier to distinguish some of the bad apples from some of the rare good apples (by using a search engine to look at a very specific section common to most privacy policies)? The same argument can be used for any market where it is difficult to find something you think is good, including shopping for good clothing or finding a suitable marriage partner.

Why is it okay to say we should remove the Do Not Track feature because many websites do not obey it and because it could be used for fingerprinting, but exactly the same statements can be made about Global Privacy Control, while it is supposedly okay to use the Global Privacy Control setting?

5 - In Mozilla Firefox, immediately next to the Do Not Track setting is a link that has an explanation which does not seem to give a false sense of security.

https://archive.today/evyo1 "Honoring this setting is voluntary — individual websites are not required to respect it."

Mozilla has made multiple revisions to the wording of the Do Not Track feature and if someone feels there is a better way to formulate the text of the option, Mozilla allows anyone to make suggestions.

If we want to talk about a false sense of security, when we see Global Privacy Control's Firefox option's text of "Tell web sites not to sell or share my data" should we expect a website which obeys Global Privacy Control signals to share our data with a third party like Google? We might not expect as much, but our data will apparently be shared with that third party when that third party's analytics service is used by a website operator.

What can we do?

A] Enable Do Not Track signals in our web browsers and teach our family members how to do the same.

The following website obeys Do Not Track signals and gives instructions for many types of web browsers on how to enable Do Not Track signals.

https://www.surreycc.gov.uk/website/cookies/do-not-track "How to enable the 'Do Not Track' browser setting"

For Firefox users, the Do Not Track option can be toggled in about:config. In the top address bar, type in the text about:config and go to the about:config webpage. When asked to Proceed with Caution, choose to Accept the Risk and Continue. In the "Search preference name" text field we can enter a value of "donottrack" and then look at the value (true or false) of the privacy.donottrackheader.enable preference. If the value is false, we can use the toggle button to set the value to true. Our change will be applied immediately and we can close the about:config webpage tab at our convenience. This approach still works in Firefox 135 and also works in older Firefox versions.

B] Use one or more methods of selectively blocking Bad Guy JavaScript. Probabilistic tracking using a Do Not Track signal is likely to apply only to users who block JavaScript deterministic tracking. Do a good deed for the world and teach your family members how to use such an addon.

https://ublockorigin.com/ https://privacybadger.org/ https://noscript.net/ https://adguard.com/

C] If you have a Mozilla account or you do not mind creating one, you are invited to log in and "give kudos" at the following link.

https://connect.mozilla.org/t5/ideas/keep-the-quot-do-not-track-quot-option/idi-p/81951

D] Contact the website operators of websites which you use a lot and ask them to enable the Do Not Track feature in their analytics tools and send them the links in b) at the start of this posting. If you get a response, consider sharing that response with the community.
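The check described in counter-argument 2 above (detect the signal, then send nothing to the third-party analytics service), as an added example that is not part of the original post or of any analytics product. The function names, the policy object and the analytics.example URL are assumptions, and treating Global Privacy Control the same as Do Not Track is this example's choice.

```javascript
// Added example. All function and option names here are hypothetical.

// Client side: `nav` and `win` stand in for the browser's navigator and window,
// so the same logic can be exercised outside a browser.
function clientSignals(nav = {}, win = {}) {
  // navigator.doNotTrack is "1" when enabled; some older browsers reported
  // "yes" or exposed the value as window.doNotTrack / navigator.msDoNotTrack.
  const dnt = [nav.doNotTrack, win.doNotTrack, nav.msDoNotTrack]
    .some((v) => v === "1" || v === "yes");
  // navigator.globalPrivacyControl is a boolean where it is implemented.
  const gpc = nav.globalPrivacyControl === true;
  return { dnt, gpc };
}

// Server side: the same preferences arrive as "DNT: 1" and "Sec-GPC: 1".
// Header names are case-insensitive, so normalise before the lookup.
function headerSignals(headers = {}) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  return { dnt: h["dnt"] === "1", gpc: h["sec-gpc"] === "1" };
}

// Site policy. Treating GPC exactly like DNT is this example's choice.
function analyticsAllowed(signals, policy = { honorDnt: true, honorGpc: true }) {
  if (policy.honorDnt && signals.dnt) return false;
  if (policy.honorGpc && signals.gpc) return false;
  return true;
}

// Inject the third-party script only when allowed. With no <script> tag there
// is no request, so nothing reaches the analytics service for this visitor.
function loadAnalyticsIfAllowed(doc, src, signals, policy) {
  if (!analyticsAllowed(signals, policy)) return false;
  const tag = doc.createElement("script");
  tag.src = src;
  tag.async = true;
  doc.head.appendChild(tag);
  return true;
}

// Constructed stand-in for `document`, used to show the effect offline.
function fakeDocument() {
  const added = [];
  return { added, createElement: () => ({}), head: { appendChild: (el) => added.push(el) } };
}

const doc = fakeDocument();
const visitor = clientSignals({ doNotTrack: "1" }); // constructed visitor
loadAnalyticsIfAllowed(doc, "https://analytics.example/tag.js", visitor);
console.log("script tags injected:", doc.added.length);
```

In a browser the calls become `clientSignals(navigator, window)` and `loadAnalyticsIfAllowed(document, ...)`; on a server, `headerSignals` can gate whether the analytics snippet is rendered into the page at all.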

[–] irenesteam@mander.xyz 2 points 2 days ago (1 children)

You could certainly put in some time to review various search engines against a set of criteria. Since we are in the Privacy forum, I would think you could consider looking at privacy aspects.

For example, the following website does some simple evaluation by listing their criteria. But their list of reviewed search engines is far from complete. https://privacy-checkup.info/en/recommendations/search-engines One nice touch is they listed when a search engine is hosted on Big Tech services, meaning that Big Tech will still be watching what you do.

A good website to see what servers are being used by a website can be found at the following link, giving you a useful criterion to start with. https://hosting-checker.net/

You could also use a tool to see if third party JavaScript connections get made when visiting a website, which might indicate additional tracking is being done. One possible way is to install https://ublockorigin.com/ and use the "I am an Advanced user" option. Listing these third party JavaScript connections could be your second criterion.

If you are willing to put in the time, I think it would be a useful and unique contribution to the Internet to evaluate a lot of search engines for their privacy aspects.

[–] irenesteam@mander.xyz 1 points 2 days ago

Can you elaborate on what software or solution would allow someone to host an encrypted email server? Would outgoing messages be encrypted or just encrypted at rest? What about if you also had your family member on the same setup and you wrote to each other, would it be encrypted?

[–] irenesteam@mander.xyz 2 points 3 days ago (3 children)

https://seirdy.one/posts/2021/03/10/search-engines-with-own-indexes/

That link mentions every search engine which is already on your list plus a whole lot more search engines. That link's list is regularly maintained. It may be one of the most comprehensive lists which you will be able to find.

[–] irenesteam@mander.xyz 2 points 4 weeks ago

Maybe Mozilla should try harder to also recruit Startpage. More options for users and more money for Mozilla.

It is also noteworthy that Ecosia has been hosted on Amazon and Cloudflare. Any intentional reference due to the trees being planted in the Amazon Rainforest? https://hosting-checker.net/websites/www.ecosia.org

Meanwhile Startpage appears to be hosted at Surfboard Holding BV in the Netherlands. https://hosting-checker.net/websites/www.startpage.com

For privacy you will want to make sure you feel comfortable also putting your trust in these other companies. https://www.ghostery.com/whotracksme/tracking-reach

Amazon: Rank #2

Cloudflare: Rank #3

Surfboard Holding BV: Not in the top 100 trackers listed

[–] irenesteam@mander.xyz 3 points 4 weeks ago

I would like to raise two somewhat related reasons for keeping Do Not Track which I have not yet seen discussed.

Reason 1: The analytics industry has made it easy for webmasters to make an explicit choice.

More than 15 analytics tools support the ability to obey Do Not Track signals as a setting for webmasters. Instead of leaving it up to webmasters to code a solution, the analytics industry has stepped up and has made it easy for a webmaster to make an explicit choice. A webmaster can migrate from one analytics tool to another tool while still being able to easily apply the same choice.

Reason 2: A significant number of websites have added text in their privacy policies indicating an explicit choice regarding Do Not Track signals.

Privacy policies are difficult to read and interpret. There are not many standards for privacy policies, making them typically very hard to compare against each other.

If we put our creative minds to the task, we might see that Do Not Track offers us a solution by providing a reasonably consistent way to QUICKLY EVALUATE a company's explicitly chosen practice by looking at only a small portion of a privacy policy.

We can either spend the time to open up a privacy policy and search for the Do Not Track section or we can perform a web search with the website's name and the "Do Not Track" text.

It is not important whether we actually set the Do Not Track setting in our web browser! What is important is that the setting actually exists in our web browser as a potential choice. By keeping that setting available as a choice for users, some webmasters may continue to feel compelled to describe the explicit choice made for their websites, and we gain the ability to quickly understand the INTENTIONS of a given website. Do Not Track grants us the ability to be able to SAVE TIME by having a common way to evaluate multiple websites.

Here is a list of analytics services which offer a setting to enable or disable the obeying of Do Not Track signals.

https://experienceleague.adobe.com/en/docs/marketo/using/product-docs/web-personalization/getting-started/setting-web-personalization-to-do-not-track "In Web Personalization and Predictive Content, a marketer can set a toggle to indicate whether to support or ignore the browser's Do Not Track (DNT) setting." "When the toggle is set to On, Web Personalization will honor and support the browser's Do Not Track (DNT) setting, and will not track any web activity or run any campaigns or content recommendations on your website."

https://saschaeggi.medium.com/setup-matomo-analytics-with-drupal-and-respect-do-not-track-header-gdpr-compliant-d382b12e2740 "Matomo already provides you a setting to respect users with a 'Do Not Track' (DNT) header set."

https://docs.simpleanalytics.com/dnt "By default the data will not include visitors with the Do Not Track enabled. To also record DNT visitors you can add data-collect-dnt='true' to the script tag" "If you don't add the data-collect-dnt attribute we will not record visits from users who have DNT enabled."

https://developer.bitmovin.com/playback/docs/do-not-track-cookie-handling-in-analytics "By default Bitmovin Analytics will honor this user preference and ignore all incoming requests that have the DNT header set to 1."

https://www.hotjar.com/policies/do-not-track/ "Before collecting your data, Hotjar always checks to see if you have enabled the 'Do Not Track' setting in your browser."

https://wp-statistics.com/resources/do-not-track/ "The DNT-respecting functionality is active by default, aligning with our privacy-first philosophy."

https://help.mouseflow.com/en/articles/4325367-the-privacy-settings "Honor Do-Not-Track" "This setting allows you to honor the Do-Not-Track (DNT) signal. When enabled, Mouseflow will listen for the signal and if it is found, prevent the user session from being recorded."

https://jetpack.com/support/jetpack-stats/jetpack-stats-honor-do-not-track-dnt/ "As a site owner, you can force the Jetpack Stats feature to honor any visitors with DNT enabled and not track their activity"

https://wideangle.co/documentation/data-do-not-track-handling "Wide Angle Analytics proudly handles the Do Not Track irrespective of broader adoption. Doing so allows your visitors to indicate their Opt-Out of the tracking process."

https://docs.metrical.xyz/privacy/what-we-track "Metrical will honour the Do not Track setting and we don't send the visit when we find the do not track flag enabled."

https://umami.is/docs/v1/tracker-configuration "You can configure Umami to respect the visitor's Do Not Track setting."

https://wpcrux.com/blog/how-to-make-google-analytics-respond-to-do-not "To make Google Analytics respond to 'do not track,' you can enable the 'Respect Do Not Track' option in the settings of your Google Analytics account."

https://documentation.freshpaint.io/integrations/destinations/apps/mixpanel/mixpanel-reference "Ignore DNT" setting "When enabled, Mixpanel will track all events, regardless of if the browser has 'Do Not Track' enabled."

https://websmithiananalytics.ca/help/dnt "Yes, we honor the Do Not Track (DNT) setting from browsers that support it."

https://github.com/milesmcc/shynet "By default, Shynet will not collect any data from users who specify DNT."

https://baseanalytics.io/do-not-track-dnt/ "We do honor the Do Not Track (DNT) setting from browsers which support this."

[–] irenesteam@mander.xyz 1 points 1 month ago

The offline photos idea would be a wise choice until the child has grown up and can make the decision but let us assume your wife will not accept that approach.

The Proton Drive idea also sounds reasonable since you already use that service. You should password protect the shared link but you will want another communication path than email to share the password to your shared folder. Use different folders with limited expiration dates (3 months?) for different sets of photos. Be sure to write to relatives that they are not to share the photos. We get emails asking us not to share things, be it links to photos or sensitive topics such as health. If someone breaks the rule, you may have to "ground" that person by cutting off their access to folder sharing for a period of time. You must communicate the "grounding" to others but that person might still go behind your back and get the link and password from a sympathetic someone else.

Have you thought about using a Fediverse instance for family and friends? There is a fantastic blog post on this subject. https://runyourown.social/ You would end up running a fork like Hometown that allows you to keep a portion of your community not federated where family and friends can share pictures with each other so that only users with accounts (plus your web server staff) can access your photos. https://github.com/hometown-fork/hometown You would be helping out many family members and friends instead of only helping your child. You would get more family and friends to support you because they would also be invested in making your Hometown server work for them. Find a relatively safe web server to host your data. https://www.eucloud.tech/en/eu-providers/vps-hosting

[–] irenesteam@mander.xyz 10 points 1 month ago (1 children)

... and you are so unique as to be virtually unemployable. Many jobs these days want you to be siloed and do not want to pay for extra skills. Replaced by a fresh grad who does only one thing but does it well.
