Respecting the DNT header shouldn't be a factor

When reviewing Privacy Policies, there are three possible reactions to DNT headers.

  • Some services, like privacy-friendly analytics such as Piwik/Matomo, do respect those signals (which is covered by this case)
  • Other services ignore DNT headers and track anyway, which is linked to this case
  • Non-CCPA compliant services may not inform users on tracking behaviour when receiving a DNT header. If this happens, we can’t automatically assign one case or another, so either we directly ask the service (as PrivatePrawn did) or no point is created.

As long as these three situations exist, I believe it is important to mark as a bad point services that don’t make the effort to respect the user’s will.

2 Likes

Why is the DNT header special and not for example the Global Privacy Control header or P3P?

The latter is a similarly failed proposal that has no bearing on the modern internet. The former is in the process of being created.

Somewhat humorously, what about failing to set the RFC 3514 bit?

CCPA has no relevance to the DNT header.

https://edit.tosdr.org/cases/233 should have a weight of zero and be ignored (as DNT is a failed proposal).

It is important that the grade assigned via the extension be useful and informative - else it will be ignored. Including the DNT header makes it less useful and less informative.

3 Likes

Fair enough 👍

Do you all agree on turning Case 233 to neutral?

2 Likes

I’d say rename it to “GPC headers”

1 Like

GPC and DNT are not quite the same.

GPC handles what you would allow me to do with your data (do-not-sell-or-share).

In the development community I’m in, we don’t really handle the Sec-GPC header, because we would never handle user data in this matter anyway (or you could say we always treat Sec-GPC to be 1)

The technical test if GPC is handled is if /.well-known/gpc.json returns a JSON where gpc is set to TRUE. However this is optional and absence does not indicate that GPC is ignored (since for GDPR-compliant sites GPC should be a given anyway).

DNT handles which technology I can use to gather data from you.

In the development community I’m in, we use DNT as an additional wish of the user to accept a suboptimal user experience (videos not auto-playing, additional clicks to explicitly send data to external services) for improved data control.

There is a similar technical test with /.well-known/dnt-policy.txt for sites which wish to actively indicate that they comply.

My opinion

  • Taking care of the DNT header is a positive indicator that the site actively wants to empower users to decide between the best/intended experience and on-site data collection and third-party data dissemination (IP addresses, browsing behaviour, f.e. when embedding a video from a third party)
    • However there is no defined standard what should be part of the DNT-treatment.
  • Not taking care of the DNT header is neutral. As previous posters mentioned the proposal failed to reach a wider development audience.
  • Taking care of the GPC header is also a positive, but only indicates what we expect all sites to do anyway: Not sharing or selling our data with third parties without consent.
    • The problem: “Collecting” is still allowed and “Sharing” is ill-defined and hotly debated in data security circles. Is it sharing data to Google if you embed a YouTube Video? Arguably yes (I ask your browser to expose your IP-address to fetch the video), but on the other hand you also share that data to your hoster’s internet service provider and any router in between.
  • Thus not taking care of the GPC header is neutral too (because f.e. for EU-sites the GDPR enforces this behaviour anyway).
2 Likes
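
The `/.well-known/gpc.json` test described in the post above, as an added example that is not part of the original thread. It interprets a response as a three-way result so that a missing or malformed resource is never read as "GPC is ignored"; the function name, result labels and sample responses are constructed for illustration, and treating `"gpc": false` as an explicit statement follows the GPC proposal's support resource.

```javascript
// Added example: interpret the response to GET /.well-known/gpc.json.
// Nothing is fetched; the inputs below are constructed samples.
function classifyGpcResource(status, body) {
  // The resource is optional, so a missing file is not a statement.
  if (status !== 200) return 'unknown';
  let doc;
  try {
    doc = JSON.parse(body);
  } catch (e) {
    return 'unknown'; // e.g. an HTML landing page served with status 200
  }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    return 'unknown';
  }
  // Only a JSON boolean counts; the string "true" or the number 1 does not.
  if (doc.gpc === true) return 'declares-support';
  if (doc.gpc === false) return 'declares-no-support';
  return 'unknown';
}

// Constructed sample responses (hypothetical sites).
const constructedResponses = [
  { site: 'a.example', status: 200, body: '{"gpc": true, "lastUpdate": "2021-12-01"}' },
  { site: 'b.example', status: 404, body: 'Not Found' },
  { site: 'c.example', status: 200, body: '<html>Welcome</html>' },
  { site: 'd.example', status: 200, body: '{"gpc": "true"}' },
  { site: 'e.example', status: 200, body: '{"gpc": false}' },
];
for (const r of constructedResponses) {
  console.log(r.site, classifyGpcResource(r.status, r.body));
}
```

Only `declares-support` is evidence for a "respects GPC" point; `unknown` leaves the question open, as the post says.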

A possible solution would be to change the case to “This service allows you to limit preprocessing of your data through automated means like DnT or GPC headers.”

Also maybe a separate case for services that only make that work when law requires it, like under the CCPA.

I strongly disagree with this proposal. The DNT header saw no wide adoption because companies saw no direct consequences for their actions. With TOSDR being one of the very few mediums that users actually use, it would be extremely counter-productive to remove the negative score of the DNT header point.

Sites that make the effort to respect their users deserve to be rewarded, and the sites that don’t deserve to be shamed.

The DNT header has been defined for many years now and is well known in the tech world. Therefore we must assume that companies who have chosen not to respect their users’ right to privacy must have done so out of malice and greed.

To try and use mass-adoption as an excuse is nonsensical. Companies don’t need others to do the same in order to respect their users.

You should also consider that DnT is deemed “end of life”. Yes, services should be rewarded for having it, but punishing a service for not spending expensive work hours on a mostly dead feature is a waste, especially considering that newer standards that are even designed with CCPA and GDPR in mind, like GPC, exist.

1 Like

DnT is deemed “end of life”.

By whom?

newer standards, that even are designed with CCPA and GDPR in mind like GPC exist.

Could you name some of those new standards? I’m keen on keeping DNT because so far it’s the only one that’s been integrated into browsers.

It might make sense to remove DNT once such new standards get to the user’s browsers, but until then it’ll do us no good to remove this case point.

GPC is available in browsers.

And it’s set to end of life by the standard body that created it.

Also, about browsers: Safari removed DnT because it’s EoL.

2 Likes

AFAIK it’s only in Brave, DDG browser (???) and Firefox dev builds, not any “mainstream” browsers like Google Chrome, Safari, Microsoft Edge.

I use FF stable and I had to download Privacy Badger to get support for it.

2 Likes

And it’s set to end of life by the standard body that created it.

Sorry, I wasn’t aware of that. Then, with the objective of making the extension’s output more useful, I agree that case 233 should be made neutral.

As for GPC, it sounds like it could be a great addition in the near future. But we’ll have to wait and see if that gets the legal backing it needs.

2 Likes

Just as an additional perspective from a developer.
Handling both DNT and GPC is the same effort as only handling GPC.

In JavaScript it’s just…

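```javascript
// Hypothetical wrapper name; the original snippet showed only the function body.
function runPrivacyInvasiveFeature() {
    if (window.navigator.doNotTrack === '1' || window.navigator.globalPrivacyControl) {
        return;    // User requires additional privacy, end this function now
    }
    // Rest of the function doing something privacy invasive.
}
```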

…that handled both DNT and GPC… so not hours of work.
The code to handle the same in JavaEE / PHP is similarly short.


However, as mentioned in my post above:
DNT is about being tracked at all / GPC is about what the provider can do with the tracking-data.

GPC is a compromise: Yes you can track all you want, but “don’t sell or share”.
For sites operating in the EU, GPC is basically given, because the GDPR has similar rules. GPC is only relevant where you have to actively opt out of data-brokering (like in the US), whereas with GDPR you have to actively opt in.


There is still a place for privacy-loving people for DNT (at least via browser extensions), so a bonus for pages respecting it, but society settled on a compromise, so no penalty if you don’t treat DNT.
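
The same decision made on the server from the `DNT` and `Sec-GPC` request headers, keeping the distinction drawn in the post above (DNT switches tracking technology off, GPC only restricts selling or sharing). This is an added example, not code from the thread; the function names and the three feature flags are hypothetical, and `headers` is assumed to carry lower-case names as Node's `http` module delivers them.

```javascript
// Added example; function names and feature flags are hypothetical.
// Assumes lower-case header names, as Node's http module delivers them.
function privacySignals(headers) {
  const value = (name) => String(headers[name] ?? '').trim();
  return {
    // Only the exact value "1" is a request; "0" or a missing header is not.
    doNotTrack: value('dnt') === '1',
    doNotSellOrShare: value('sec-gpc') === '1',
  };
}

function planForRequest(headers) {
  const s = privacySignals(headers);
  return {
    // DNT: no tracking technology, third-party embeds become click-to-load.
    runAnalytics: !s.doNotTrack,
    autoloadThirdPartyEmbeds: !s.doNotTrack,
    // GPC: collection may continue, selling or sharing may not.
    shareWithPartners: !s.doNotTrack && !s.doNotSellOrShare,
  };
}

// Constructed sample requests.
const sampleRequests = [
  { label: 'no signal', headers: {} },
  { label: 'DNT only', headers: { dnt: '1' } },
  { label: 'GPC only', headers: { 'sec-gpc': '1' } },
  { label: 'DNT: 0 with GPC', headers: { dnt: '0', 'sec-gpc': ' 1 ' } },
];
for (const r of sampleRequests) {
  console.log(r.label, planForRequest(r.headers));
}
```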

UPDATE, December 2021: Global Privacy Control is now available in the general release version of Firefox (Firefox 95). People interested in turning it on can follow the steps outlined below.

Quoting from Firefox forums.

Finalizing:

Case 233 will be neutralized,
and 2 more cases for GPC should be established, with the not respected one being negative
and the respected one being positive.

Any objections or notes?

1 Like

Yea, I think we should just create one case for all automated opt outs/preference indications (Respecting the DNT header shouldn't be a factor - #9 by shadowwwind).
There is really no need to create a case for every single one.

There are two different groups of mechanisms, which I wouldn’t combine to one case:

  • Mechanisms which are good (or neutral) to respect and negative to ignore
    • GPC (track what you want, but don’t share or sell your collection)
  • Nice-to-have mechanisms which are good to respect and neutral to ignore
    • DNT (disable tracking technology, warn me before sending me over to third-parties)

Both cases should be about the technology/implementation, not the legal requirements of the operator’s country, because that’s already covered by Case 241: The court of law governing the terms is in a jurisdiction that is friendlier to user privacy protection.


EDIT: When thinking about how to decide which mechanism is which case I changed my mind and agree with Moritz Beneke.

One case “positive when respected” and “neutral when ignored”.

Reason: My own argument about Case 241. Where respecting GPC is legally required not respecting it is a reason to sue the company, but internationally adhering to automated opt-in/opt-out solutions is only a nice-to-have feature.

2 Likes

I’ve gone ahead and done this as nobody seems to have any opinions against it.

4 Likes

Everyone in favour of

Neutral case for services that do not support any automated opt-out
Positive case for services that offer some automated opt-out

2 Likes

sure, go ahead with the change

1 Like