pyllyukko / user.js

user.js -- Firefox configuration hardening
MIT License

DNT HTTP header #11

Closed 0xBRM closed 9 years ago

0xBRM commented 9 years ago

> Enables Firefox's built-in tracking protection

This is actually counterproductive. Websites are not forced to honour the browser's request to not be tracked and thus, you are more likely to be tracked across the web for displaying "suspicious behaviour." The superior approach is to not include anything in the HTTP header.

pyllyukko commented 9 years ago

The DNT and tracking protection are two different subjects.

You are absolutely right that it's up to the website to decide whether to respect DNT or not. As with all security, these kinds of controls cannot be implemented client-side.

Even though I also think that this doesn't help at all, I somehow naively would like to believe that somewhere out there is this one site that actually respects this :) Probably there isn't.

And I think the "suspicious behaviour" aspect is already lost altogether, by all these tweaks. I'm pretty sure there are a whole bunch of other red flags for those who care to notice.

If you have any references to some studies about the effects of DNT, please link them here.

I'll leave the DNT enabled for now, but I think I'll leave this issue open also in hopes of more discussion, as this is a good topic and a matter of debate. Thanks for the input!

0xBRM commented 9 years ago

Ah yes, I understand that, and quoted the wrong thing. I am aware of Mozilla's Polaris project that uses Disconnect's list to block certain scripts, cookies, and whatever else (though, admittedly, I would much rather use uBlock, and Policeman in default-deny mode, or just one of them if I had to pick between Disconnect and a single extension).

I do agree that hardening your browser may set off a few red flags, but nothing quite as flamboyant as admitting to not wanting to be tracked across domains. Not being a low-hanging fruit is certainly a very good thing, but you're actively indicating you'd rather not be tracked which, in their mind, directly translates to "he's got something to hide." You may find a site that honours the header, but then again, such a site would be probably owned by someone with a strong moral compass, someone you could potentially trust with your browsing habits, which is why I believe no DNT header is the way to go.

There are no studies on DNT that I know of, though we could in theory try to measure its effects to a degree. I suppose I will look into it and report back with results! Lots of users would benefit from this. I shall draft the methodology tomorrow, or on Monday.

nodiscc commented 9 years ago

Enabling DNT presumably makes browser fingerprinting easier. See https://amiunique.org/. I think the pref should be left unset.

pyllyukko commented 9 years ago

> Enabling DNT presumably makes browser fingerprinting easier. See https://amiunique.org/. I think the pref should be left unset.

I don't think identifiability itself is enough to justify the removal of this setting. There are so many settings in this project that make us quite unique anyway. There's no way of blending in at this point I'm afraid.

Also I think that DNT is slowly starting to be a setting for average users. What I mean is, that it's available in most of the GUIs and not hidden in the depths of about:config. And I'm not talking only about Firefox. For example, in iOS Safari's Privacy & Security settings group there are three settings and DNT is one of them. In Firefox it's the first setting in the Privacy tab. In my Jolla's browser settings Privacy section, it is first out of six settings, etc.

0xBRM commented 9 years ago

> What I mean is, that it's available in most of the GUIs

What is the default setting for most of them?

pyllyukko commented 9 years ago

> > What I mean is, that it's available in most of the GUIs
>
> What is the default setting for most of them?

Probably off. Not entirely sure though.

pyllyukko commented 9 years ago

I'll still be using it :) But as it's so simple for the users to control it by themselves (even from the GUI), I think we can leave it commented out.

pyllyukko commented 9 years ago

This is interesting. This must be the first service I see that at least claims to (somewhat) respect DNT: https://support.twitter.com/articles/20169453-twitter-supports-do-not-track

tryoxiss commented 7 months ago

Standard IANAL

Sorry for necro, but a German (Berlin regional) court semi-recently ruled that the DNT signal is legally relevant, pursuant to GDPR. More cases would be needed, but other European countries are moving towards a similar stance.

It is unclear what legally relevant means, but it likely means it's akin to something like cookie consent. I think it may be worth revisiting its default value if things keep going the way they are.

EDIT: After a bit of digging, the Sec-GPC: 1 header appears to be a successor in many ways, and is supposedly also legally binding in many jurisdictions, most notably California where companies have been fined for not respecting it.
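
What a site that does honour these signals has to do on the receiving side, as an added example that is not part of the thread or of the user.js project: the browser only sends `DNT` / `Sec-GPC`, and the decision is made by server code like the sketch below. `getHeader`, `trackingPreference` and the sample requests are hypothetical names and constructed data.

```javascript
'use strict';

// Case-insensitive header lookup over a plain object (the shape Node's
// req.headers has). Returns the trimmed value, or null when absent.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) {
      const first = Array.isArray(value) ? value[0] : value;
      return String(first).trim();
    }
  }
  return null;
}

// Interpret the two opt-out signals discussed in the thread.
function trackingPreference(headers) {
  const dntRaw = getHeader(headers, 'DNT');
  const gpcRaw = getHeader(headers, 'Sec-GPC');
  // DNT is tri-state: "1" = do not track, "0" = tracking allowed,
  // header absent (or any other value) = no preference expressed.
  const dnt = dntRaw === '1' ? 'opt-out' : dntRaw === '0' ? 'opt-in' : 'unset';
  // Sec-GPC has a single meaningful value, "1".
  const gpc = gpcRaw === '1';
  return { dnt, gpc, optedOut: gpc || dnt === 'opt-out' };
}

// Constructed sample requests: default browser, DNT enabled, GPC enabled.
const SAMPLE_REQUESTS = [
  { 'user-agent': 'ExampleBrowser/1.0' },
  { 'user-agent': 'ExampleBrowser/1.0', 'DNT': '1' },
  { 'user-agent': 'ExampleBrowser/1.0', 'sec-gpc': '1' },
];

for (const headers of SAMPLE_REQUESTS) {
  const pref = trackingPreference(headers);
  // A site honouring the signal would skip analytics and third-party
  // tags whenever optedOut is true.
  console.log(JSON.stringify(pref));
}
```

The second and third sample requests differ from the first by a header any server can read, which is the fingerprinting concern raised earlier in the thread.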