Do Not Track

Privacy Browser 1.10 will include an implementation of the DNT (Do Not Track) header. Because the implementation is not perfect, I felt it deserved a separate post.

DNT Is Useless

Although I believe the intentions of those who developed DNT were good, it does not provide any real additional privacy to users. This is because web servers get to choose whether they want to voluntarily comply with the DNT request, and almost none of them do. The only organizations that do comply with DNT are those that already respected users’ privacy and weren’t going to do anything inappropriate with user data anyway.

Imperfect Implementation

DNT suffers from all the difficulties of implementation imposed by Android’s WebView that were described in the post about the “X-Requested-With” header. Specifically, the DNT header is only sent with the initial URL request, and not with resource requests.

Browser Fingerprinting

In addition to the initial-request-only quirk, WebView also converts all header field names to lowercase letters. The spec for DNT is that the header should be “DNT:1”, which is how most browsers send it. Android’s WebView converts that to “dnt:1”. Web servers recognize this as a valid DNT header because header field names are technically case insensitive, but because only browsers that use WebView, like Lightning, send the DNT header in this form, it is one additional piece of information that web servers can use to fingerprint the browser.
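As an added illustration (not code from Privacy Browser), here is how a server that wants to honor DNT should read the header, case-insensitively, and the single extra bit of casing information the post says WebView exposes. The two raw requests are constructed; a server that normalizes field names before logging never records that bit.

```python
# Constructed raw requests: one as most desktop browsers send DNT,
# one as Android's WebView sends it (field names lowercased).
DESKTOP_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "DNT: 1\r\n"
    "User-Agent: ConstructedDesktopUA/1.0\r\n"
    "\r\n"
)
WEBVIEW_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "host: example.com\r\n"
    "dnt: 1\r\n"
    "user-agent: ConstructedWebViewUA/1.0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Parse the header block of a raw HTTP/1.1 request.

    Keys are lowercased field names (RFC 7230 says names are case-insensitive),
    values are (name_as_sent, stripped_value) so the original casing is visible.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line, ignore
        headers[name.strip().lower()] = (name.strip(), value.strip())
    return headers


def dnt_requested(headers):
    """True when the client sent "DNT: 1" in any casing of the field name."""
    entry = headers.get("dnt")
    return entry is not None and entry[1] == "1"


def dnt_name_casing(headers):
    """How the client spelled the field name: 'canonical', 'lowercase', 'other', or None.

    Only a server that keeps raw casing (rather than normalizing) can see this,
    which is exactly the extra fingerprinting bit the post describes.
    """
    entry = headers.get("dnt")
    if entry is None:
        return None
    sent = entry[0]
    return "canonical" if sent == "DNT" else "lowercase" if sent == "dnt" else "other"
```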

Enabled By Default

Despite everything described above, I have decided that Privacy Browser 1.10 will ship with DNT enabled by default. This is because many privacy-conscious users expect DNT, even though all it amounts to is privacy theater. If DNT were disabled by default I would spend half my development time responding to concerns from users. And the browser fingerprinting problem, though real, is so far down the list of possible ways to fingerprint the browser that I would be surprised if web servers bothered with it until we get to the point that we have tightened down all the easier mechanisms.

For those who don’t want it, DNT is easy to disable in the settings.

Update: With the release of Privacy Browser 1.14, DNT has been disabled by default.
