
February 19, 2011 | By Peter Eckersley

What Does the "Track" in "Do Not Track" Mean?

There is a lot of discussion about Do Not Track at the moment. The FTC has announced support for the idea; Mozilla has added a Do Not Track header option into Firefox betas, and Congresswoman Jackie Speier has introduced a Do Not Track bill. Other proposed privacy legislation, such as Rep. Bobby Rush's bill, could also achieve similar objectives. And yesterday, EFF submitted comments urging the Federal Trade Commission to defend online privacy by supporting the header-based Do Not Track feature.

Do Not Track is important because it creates a policy mechanism to augment the privacy enhancing technologies that we currently have. There is an arms race between practical privacy tools and ubiquitous online tracking, and we fear that the trackers have powerful techniques that will almost always allow them to win the arms race against ordinary people.

Some other anti-tracking technologies have also been discussed a lot recently, including Microsoft's IE 9 Tracking Protection Lists, and AdBlock Plus with EasyPrivacy. These are great tools, and very much complementary to the Do Not Track header proposal. We'll be posting about them at greater length soon.

Do Not Track is a technically simple proposal: add a header1 to the messages that browsers and other HTTP clients send when they fetch web pages. The header simply requests that webservers not track the user's behavior. It could be turned on if the user enters "private browsing mode", or if they have enabled a separate configuration setting.

There is more flexibility on the policy side of Do Not Track: "what is tracking?" "what should websites do to avoid tracking users who set the DNT header?" "would any websites be required to comply with the header?"

There is a spectrum of good answers to each of these questions. This post will try to set out what we think some of the good answers are.

What is Tracking?

Tracking is a very simple, general concept. A good definition would be:

Tracking is the retention of information that can be used to connect records of a person's actions or reading habits across space, cyberspace, or time.

Despite this simple answer, we believe that there are some kinds of web tracking which — while they are still tracking — may not need to be categorically prohibited when the DNT header is set. A reasonable set of exceptions might be:

  1. Tracking that is limited to a single "1st party"1 website (either by the website itself or by an analytics provider subject to suitable contractual and technical protections)
  2. Tracking that is necessary to prevent fraud or respond to security incidents, provided such data is minimized, only kept for as long as necessary, and not used for other purposes.
  3. Tracking of users who have agreed to a clear and non-confusing “opt back in”
  4. Tracking that is necessary to complete an online transaction that the user has engaged in.

The existence of such excepted kinds of tracking does not, of course, mean that websites should not consider respecting DNT where possible in these cases too. For instance, we hope that many 1st party domains will choose to adopt limited logging and retention practices for users who enable DNT. There are other definitions of tracking that have been proposed. For instance, CDT proposed a slightly different draft definition, and our approach is largely in agreement with theirs.2
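One way a server could combine the DNT header with the four exceptions listed above when deciding what to retain, as an added example that is not part of the original post. The header value `DNT: 1` is what browsers implementing the proposal send; the context keys, field names and the choice of which fields count as linkable are assumptions made for illustration.

```python
# Added example. Field names and context keys are hypothetical.
# Fields that could connect this request to the same person's other actions.
LINKING_FIELDS = ("cookie_id", "client_ip", "user_agent", "referer")

def dnt_set(headers):
    """True if the request carries 'DNT: 1' (header names are case-insensitive)."""
    return any(k.lower() == "dnt" and v.strip() == "1" for k, v in headers.items())

def applicable_exception(ctx):
    """Return which of the post's four exceptions applies, or None."""
    if ctx.get("opted_back_in"):
        return "opt_back_in"
    if ctx.get("purpose") == "fraud_or_security":
        return "fraud_or_security"   # minimization and retention limits not modeled here
    if ctx.get("purpose") == "transaction":
        return "transaction"
    if ctx.get("first_party"):
        return "first_party"
    return None

def record_to_retain(headers, event, ctx):
    """Return (record, reason). With DNT set and no exception, drop every
    linkable field so the stored record cannot be joined to other records."""
    if not dnt_set(headers):
        return dict(event), "dnt_not_set"
    reason = applicable_exception(ctx)
    if reason is not None:
        return dict(event), reason
    minimal = {k: v for k, v in event.items() if k not in LINKING_FIELDS}
    return minimal, "dnt_honored"

# Constructed sample: a 3rd party beacon request from a browser with DNT enabled.
SAMPLE_HEADERS = {"Host": "tracker.example", "dnt": "1",
                  "Referer": "https://news.example/story"}
SAMPLE_EVENT = {"path": "/pixel.gif", "status": 200, "cookie_id": "abc123",
                "client_ip": "192.0.2.10", "user_agent": "ExampleBrowser/1.0",
                "referer": "https://news.example/story"}

if __name__ == "__main__":
    for ctx in ({"first_party": False}, {"first_party": True}, {"opted_back_in": True}):
        print(ctx, record_to_retain(SAMPLE_HEADERS, SAMPLE_EVENT, ctx))
```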

What should websites do in response to the DNT header? Should they be required to comply?

For most websites, and especially 1st party websites, DNT may make more sense as a voluntary convention, like ROBOTS.TXT, rather than a mandatory rule. However, there is a subset of websites where there is a stronger case for requiring compliance with DNT. These are the websites that (1) act as 3rd party tracking domains, invisibly monitoring people's reading habits as they browse the web; and (2) monitor a large number of users' browsing. There are several approaches to incentivizing compliance by large 3rd parties — some commentators have called for pressure in the marketplace via technical means ("if a large 3rd party appears not to be complying with DNT, add it to privacy blacklists"); the Rush bill incentivizes compliance with DNT-style opt outs through a "safe harbor" mechanism, while the Speier bill is more direct. We believe that legislation granting narrow authority to the FTC to set opt-out standards could be constructive, provided it focuses on the task of incentivizing compliance with consumers' preferences and avoids mandating particular technical methods of compliance.

Will a header always be the best mechanism for DNT?

Not necessarily. Over time, we will have new platforms and protocols to which DNT should apply, and perhaps more granular controls for users to express their preferences. Whatever path we follow for getting DNT deployed by browsers and respected by servers, we should be planning to have opt-out standards that evolve and support innovation.

  • 1. Standard terminology is that the website you can see in your browser's address bar is the "1st party" and other domains in the hypertext page are "3rd parties". It would have made more sense to say that you are the 1st party; the website you're looking at is the 2nd party, and embedded domains are 3rd parties.
  • 2. We think it makes slightly more sense to draw the line at the "retention" of tracking data, rather than "collection and correlation", because when trying to enforce DNT it's hard to tell the difference between data that is retained and correlated and data that is retained and not correlated.