Do Not Track – Stoutner

Privacy Browser 1.10 will include an implementation of the DNT (Do Not Track) header. Because the implementation is not perfect, I felt it deserved a separate post.

DNT Is Useless

Although I believe the intentions of those who developed DNT were good, it does not provide any real additional privacy to users. This is because web servers get to choose if they want to voluntarily comply with the DNT request, and almost none of them do. The only organizations that do comply with DNT were those that already respected the users’ privacy and weren’t going to do anything inappropriate with user data anyway.

Imperfect Implementation

DNT suffers from all the difficulties of implementation imposed by Android’s WebView that were described in the post about the “X-Requested-With” header. Specifically, the DNT header is only sent with the initial URL request, and not with resource requests.

Browser Fingerprinting

In addition to the initial request only quirk, WebView also converts all header fields to lowercase letters. The spec for DNT is that the header should be “DNT:1”, which is how most browsers send it. Android’s WebView converts that to “dnt:1”. Web servers recognize this as a valid DNT header because header fields are technically case insensitive, but because only browsers that use WebView, like Lightning, send the DNT header in this form, it is one additional piece of information that web servers can use to fingerprint the browser.

Enabled By Default

Despite everything described above, I have decided that Privacy Browser 1.10 will ship with DNT enabled by default. This is because many privacy conscious users expect DNT, even though all it amounts to is privacy theater. If DNT were disabled by default I would spend half my development time responding to concerns from users. And the browser fingerprinting problem, though real, is so far down the list of possible ways to fingerprint the browser that I would be surprised if web servers bothered with it until we get to the point that we have tightened down all the easier mechanisms.

For those who don’t want it, DNT is easy to disable in the settings.

Update: With the release of Privacy Browser 1.14, DNT has been disabled by default.

3 responses to “Do Not Track”

Privacy Browser 1.10 – Stoutner says:

September 19, 2016 at 8:45 PM

[…] release also contains a Do Not Track option described in detail in an earlier post, user agents for iOS and OS X, two additional search engines, and updated German translations […]
Privacy Browser 1.14 – Stoutner says:

January 4, 2017 at 4:02 PM

[…] Do Not Track is now disabled by default for new installations. I have written before about how Do Not Track is privacy theater. The setting for current installations will not change and it is easy for users to enable DNT if […]
Privacy Browser 2.8 – Stoutner says:

February 23, 2018 at 12:32 PM

[…] third-parties that promise to honor Do Not Track. I have written before about how I believe Do Not Track is privacy theater. Instead of automatically unblocking websites that promise not to track users, I would rather that […]