But you don't have a right to say what runs on my computer, or make it tell you what I'm doing. This is where our perceived rights collide.

>> once you've made that choice you are within my domain, under my roof, living by my rules.

No, my computer, my browser, my roof, my rules.

>> People get way too offended by analytics tracking when it's there for their benefit.

No, people get offended when you try to turn their computer into a device that spies on them. And we get more offended that this sort of stuff happens without most people even being aware its going on. They may or may not object to it, but right now they don't even know.

And it's so lovely of you to have made the decision for me that it's to my benefit, so I don't have to worry about pesky things like privacy concerns, or having control over my own computing.

>> Do Not Track is snake oil for the conscientious objector.

This is about the only thing we agree on. It's pointless and it was never going to achieve anything.

His website.

Seriously, people should be warned that they are tracked, the purpose for which they are tracked and what exactly is tracked. Google Search for example is giving warnings lately, that you have to manually dismiss (probably because of EU laws) and I view that as being progress.

On the other hand demanding of publishers to not track you while you're on their property is unreasonable. Of course, you can complain about it, you can stop using such services or websites and so on. Voting with your wallet (or eyeballs) still works, even on the web.

I also view the "Do Not Track" header as a good thing, because it's an automated way for publishers to respect your wishes, should they choose to do that. But customers must also understand that this header represents a kind request, nothing else and we shouldn't make it something else, as that's a slippery slope.

Running in my browser.

>> On the other hand demanding of publishers to not track you while you're on their property is unreasonable.

I'm not on their property. I'm fairly happy for them to record what they can see at their end in terms of what pages I go to, but I find it very unreasonable to demand that I run whatever code the website operator asks me to run, to turn my computer into a machine that reports anything/everything about my site interaction to anyone the site owner feels like, and all on the basis of an implied social contract of some form.

The only thing I find reasonable is for users to be warned that they are tracked, precisely for enabling them to move to alternatives that better respect their wishes.

His website is running in your browser by your choice, not his ;-)

>> His website is running in your browser by your choice, not his ;-)

Excellent, now how do I know ahead of time, or without digging through the source, which sites are going to try and run this stuff?

--edit-- Also, and here's the rub - again I just requested some data from his server, and it provided it to me. I made no promise to render or run it in the way he wants. If he has requirements about that sort of thing then maybe he needs to specify them.

Ideally, the browser would start by making an OPTIONS request in which the server would reply with something like "yes, I'll track this user in spite of their preferences" (even with a link to their privacy policy) and then the browser could block the view with a warning, just like how Chrome and Firefox are giving warnings for insecure connections, giving users the option to add exceptions or to go somewhere else.

This would be fair to both users and publishers.

As I implied in my other comment, this is a false dichotomy; by using browser extensions, I can and do control my browsing experience to benefit from sites that track while preventing them from tracking.

The very concept that I should subject myself to the whims of web sites is completely counter to the history and culture of the net.

Usually when someone says as simple as that, it clearly is not that simple.

I use Ad-Block Plus and Ghostery for all my web browsing, and have both Ad-Block Plus set to block _all_ ads and Ghostery set to block _all_ tracking scripts.

These extensions do not make 'polite requests'; they directly control the browsing experience to my benefit.

I (and my extensions) control my browsing experience, not you.

(You can argue that this is unfair, but in the long run I believe the outcome will be a better business model for sites to make money.)

> I believe the outcome will be a better business model for sites to make money

Sites will make less money without use of cookies, images, and support of encoding sessions into URIs. You ARE welcome to use the web without these things, but it is going to mean you are not a customer of many entities, because your kind are vanishingly small in number.

You might be interested in the Firefox section of http://crunchbang.org/forums/viewtopic.php?id=24722, if your serious about your privacy and security.

Secondly, in my ordinary web browsing, I'm not trying to avoid all tracking whatsoever - I'm much more interested in blocking the 99.9% low-hanging fruit of commercial 3rd-party tracking. If I really was paranoid / needed to prevent tracking completely, I'd use a much more sophisticated setup.

Given that context, the fact that some people may be trying to embed image web bugs on a bunch of pages isn't nearly as important or interesting; AFAIK most commercial 3rd-party trackers are javascript-based these days. Same applies for straight cookies - blocking the 3rd-party javascript usually prevents these begin set in the first place.

> since you seem to want the web to return to byzantine times? > without use of cookies, images, and support of encoding sessions into URIs

I'm not advocating for that at all - there is a continuum between only viewing raw HTML and running every bit of 3rd-party javascript someone decided to throw into the page.

My comment was bascially arguing that there _is_ a continuum, and that it is possible to block the vast majority of 3rd-party trackers, _without_ having to turn of JS completely, do anything really paranoid.

My whole comment, essentially, was about _avoiding_ turning off JS etc., and still maintaining a level of control over my browsing experience. I actually develop web applications for a living, so it would be a bit silly of me to say that we shouldn't have sessions support!

> > I believe the outcome will be a better business model for sites to make money

What I was referring to here, is that if ads and 3rd-party tracking are blocked, then sites will have to create new revenue streams to operate with - and if that means paying directly for good content, then I look forward to supporting that business model.

I think your annoyance is misplaced. I develop rails apps for a living, so I am aware of the importance of js, sessions etc. - I'm merely stating that I can have my cake (blocking 3rd-party trackers) and eat it (still use the next) too.

http://searchenginewatch.com/article/2280451/Google-Paying-t...

See https://adblockplus.org/en/acceptable-ads#optout (I have opted out).

I am annoyed that they accept money to whitelist ads and am also annoyed that they allow whitelisting like this at all; however there is a considerable distance between having opt-out whitelisting, and what you're implying.

At a fine-grained level, different aspects of that experience can be said to occur specifically on client or server. Each of those aspects can be constrained or manipulated by the respective property owner.

When it comes to preferences of the visitor for certain server actions (or inactions), one can only make a request. This isn't a grand moral point, or a technical one, but one of basic property rights and personal freedom. And such a request is what the DNT header signifies.

Likewise, when the server has preferences for certain user agent actions (such as running JavaScript or storing cookies) again it can only request that this occur since the user agent can typically disable JavaScript or cookies. This is what certain HTML metadata elements and the Set-Cookie header signify.

If visitors are unhappy with the behavior of a server, they can avoid it. In aggregate, such avoidance can become a significant market force. At the same time, a website that does no analytics for DNT visitors and has a high ratio of DNT visitors may also become less competitive and valuable over time. Both can feedback into respective preference consideration. This is ultimately the meager value of DNT. It (combined with adequate education) provides extra context data that can motivate through market forces an adjustment to web browsing norms.

Along the lines of "adequate education", the option in Firefox should read "Tell websites to restrict their tracking of me. __(Learn more.)__"

Practically, how would you know in advance if a server will respect your DNT preference without first visiting the site? Well, in real life, how do you know whether someone who invites you over for dinner won't serve you poison? One way is through trusted third-parties, but the market hasn't yet demanded such a service (and may never).

Absolutely. But the OP seemed to be saying that it was his right as the server owner to make me run his tracking scripts on my end.

If I have the wrong end of the stick then great, I'll shut up, but he seemed to be saying that clients don't get to go to his site and then reject his use of analytics by (for instance) refusing to load the scripts. I find that attitude quite objectionable.

I think it's his right not to provide site content for people who refuse to run his scripts, that seems perfectly reasonable, it's his site and his copyright material. I'd be perfectly happy for my initial request to have a header that says "By the way, I don't run analytics, social network widgets or graphical advertising". Then everyone is informed and everyone has a choice.

Yeah, it's perfectly fair and reasonable to have that attitude.

Practically speaking, something like the Collusion extension/add-on or Disconnect extension/add-on allow you to forcefully constrain a wide range of "tracking" activities preferred/requested by the server.

I think of websites like private properties. You are given conditional access on the assumption that you can behave (T&C / AUP), otherwise it's like trespassing. So, I don't think that people should expect excessive rights of freedom that they might have on their own property or even in public. It's a balancing act.

If we want to attach terms and conditions to it (i.e. to use this site you must accept analytics/tracking/advertising) then lets make a framework to automate this stuff. I'm perfectly happy for my browser to say, up-front, that it won't be displaying graphical ads and it won't be running any known trackers or analytic suites, it won't be providing you any location data, nor will it be loading any social media buttons or widgets. You can then decide if you want to give me your data. That would be fine.

But I'm not buying into some idea of an implied social contract to let website owners do what the hell they want with my device.

This has already been done years ago, and failed: http://en.wikipedia.org/wiki/P3P

I'm going to keep an eye on you as I see fit whilst you are in my shop. Surely you can see that as fair?

You are an agent entering my property. This is what your computer does when you access my site.

I can extend this further. You have your wallet, you make a purchase, I have a till I record the purchase and even give you a receipt of the purchase, so that you can come back and we can both agree that you've been here before. So you come on to my site and you click on a download, I record the event through Google Tag Manager, which shoots it across to Google Analytics, and I even give you a cookie, useful for both of us. Next time you come to the site perhaps that cookie will mean I hide the download button from you, or it shows another related download to you.

Feel free to rip up the receipt, or delete the cookie, you're messing with the accepted way of doing things and harming yourself as well as me, but please go ahead you're free to. But please try to understand that not everyone is out to get you, I'm not trying to 'spy' on you, I couldn't care less about you as an individual. I'm trying to optimise for the whole, for my business, for my clients. I have no evil agenda, and if I did you wouldn't be able to stop me because evil finds a way.

The social contract exists, it is established, and it is incredibly close to how physical suppliers of products and services work. You live your life allowing businesses to track your movements within their physical domains, so why have a double standard for virtual domains?

Don't pretend for a moment that because my 'shop' is rendering at your physical location that you aren't in fact virtually visiting me. You want something from my 'shop'? I want to know how you interact with my 'shop' It's really as simple as that.

Your logic damages good, honest people, instead of cutting to the actual problems. Things like Do Not Track and whining about tracking being invasive is simply attacking the symptom and not the root cause. It's like demanding a ban on horses because the cowboys harassing your town all ride them. It does bugger all but damage everyone else whilst the cowboys/evil people just ignore your ban or find another way. Please see logic.

No, no it does not. I'm not in your shop. I'm in my house. I requested some data from you, your server provided it. I'm under no obligation to do anything with that data at all, let alone allow you to execute arbitrary code on my computer because you feel like it's your right to.

It's closer to mail order, both in fact and in statute (remote selling regulations etc). You know I've ordered the catalog, you don't get to know it lay open at page 23 for half an hour or that I spent 15 minutes staring at the underwear models.

>> You want something from my 'shop'? I want to know how you interact with my 'shop' It's really as simple as that.

Cool, turns out I don't want it that badly that I'll allow my machine to tell you everything about what I'm doing, so if purchasing from your shop is conditional on you getting to run this code, do us both a favour and block my access.

>> Your logic damages good, honest people, instead of cutting to the actual problems. Things like Do Not Track and whining about tracking being invasive is simply attacking the symptom and not the root cause. It's like demanding a ban on horses because the cowboys harassing your town all ride them. It does bugger all but damage everyone else whilst the cowboys/evil people just ignore your ban or find another way. Please see logic.

You make the sweeping assumption here that it's ok to collect as much data as you like for purposes you think are good.

I disagree.

--edit-- let me make this very clear: I don't care in the slightest why you want to collect analytics data, I'm not interested in taking part and I won't allow my computer to leak information constantly.

And if that was what we were talking about then maybe, just maybe you'd have a point. But we're talking about active analytics scripts here.

Unless something about my behavior stands out to you I can make a reasonable assumption that 1) you are not going to watch me the entire time and 2) the only record you are going to keep of my visit is the transaction receipt, and perhaps a note that one more person came into your shop today. Every web server platform I am familiar with already logs access requests, which I don't think anyone is arguing against and you are free to monitor and analyze as you wish.

If you must monitor individual visitor's behavior it seems most stores have already worked that one out too, for example membership programs. A new analogy may read

> I'm going to give you the option of signing up for a membership program. If you sign up I will offer you services tailored to your habits whilst you are in my shop.

Even if you require membership for your services the terms of the relationship (e.g. you will be tracked) are, usually, available prior to the socially-questionable activity (e.g. tracking).

But for your analytic package the analogy would be more like

> I'm going to install live cameras throughout the shop to record you whilst you are in my shop. I'm going to review the recordings, or send them to a third party, so I may identify you and analyze your behavior at my own discretion.

Even if a shop has a camera the only social contract I am aware of is that the tape may be reviewed in the event of criminal or suspicious behavior.

You currently already have this option. You can control all this. That you've setup your browser to, by default, automatically grant JavaScript the right to run or accept cookies from third parties or numerous other things is on you.

That's it has become fairly standard practice is a result of the masses wanting it that way.

2. I am aware of my options, thanks. But you'll find the other parties arguing that I don't or shouldn't have the right to exercise them.

This is a terrible idea, as it will just devolve into the same type of faux-consent as click-through agreements and whatnot. Then there will be some legal concept that you've agreed to render web pages a certain way, and you'll have created the world you don't want.

If computers are to empower individuals, they must be owned by individuals and function as individuals' agents - not simply as local terminals running opaque code dictated by someone else (either through the technical means of DRM, or in this example legal means). Machine boundaries are trust boundaries, and network protocols mediate between them. Protocols enforce how processes communicate, but only make recommendations for how they should act. Relying on anything else is madness and should be considered a bug.

DNT is good for us. We don't want to track someone who explicitly does not want to be tracked (boo, Microsoft IE team!)

In the end, Microsoft made the decision to force it into a yes/no, rather than leaving it at "NoPreference". I can fully see the argument that Microsoft is not following the spirit of the standard in doing so.

You already have control over this. That doesn't contradict someones right to track how people use the site.

> No, my computer, my browser, my roof, my rules.

And again, you already have control over this. However, if you give data to a remote server, they have the right to use that data. You are, in fact, giving them that data.

> No, people get offended when you try to turn their computer into a device that spies on them. And we get more offended that this sort of stuff happens without most people even being aware its going on.

That's a result of people wanting defaults, and most people change those defaults to be the least annoying as possible, regardless of security/privacy implications, even if it's explained to them.

> And it's so lovely of you to have made the decision for me that it's to my benefit, so I don't have to worry about pesky things like privacy concerns, or having control over my own computing.

But you do. You can prevent cookies from being put on your computer. You can prevent 3rd party cookies. You do have this control.

What do you not have control over that you feel you should have control over? You keep talking about control as if you don't have it?

>> And again, you already have control over this. However, if you give data to a remote server, they have the right to use that data. You are, in fact, giving them that data.

I think we may be talking at cross-purposes. The post I replied to says that they have a right to run tracking scripts and I don't have the right to reject them. This is what I disagree with.

Track that my IP address has requested page A, then B, then D, F, Q and P in rapid succession? Knock yourself out. I have no problem with this. If I want to obfuscate it I'll use Tor or a proxy. But he doesn't get to force me to run his scripts.

>> most people change those defaults to be the least annoying as possible, regardless of security/privacy implications, even if it's explained to them.

Indeed, but at least then they are informed and its their choice to make. At the moment this isn't really the case.

>> What do you not have control over that you feel you should have control over? You keep talking about control as if you don't have it?

I know I have these powers and I exercise them. I'm only arguing against people who seek to take them away.

Yep, I saw that. Maybe it's just my interpretation. I thought of that as saying "I have the right to have scripts that track you." Not "I have the right to require that you run those scripts." So, they can provide the scripts, you can just choose to not have them run.

That's where I am coming from, and I don't get that anyone is trying to take that part away from you. That's all =)

Unfortunately the OP has just popped up again to say exactly that.

Anyways, I'm preaching to the choir.

> But you don't have a right to say what runs on my computer, or make it tell you what I'm doing. This is where our perceived rights collide.

Exactly! But you also don't have the right to tell him not to send tracking info either. You do, however, have the right not to execute it. For instance NoScript, Ghostery,and AdBlock+ will prevent the requests for this content from being made and executed.

> No, my computer, my browser, my roof, my rules.

I think OP meant that once you make a request to his server, his server is free to do what it wants with that request. I agree with this line of thought because most if not all others are silly.

> No, people get offended when you try to turn their computer into a device that spies on them. And we get more offended that this sort of stuff happens without most people even being aware its going on. They may or may not object to it, but right now they don't even know.

Again, you have the ability to not let your computer send these types of requests for special analytics packages &c. You can't possibly believe that his storing access logs is wrong.

> This is about the only thing we agree on. It's pointless and it was never going to achieve anything.

Hear! Hear!

I don't think they did mean that -

"But you've politely requested that I don't track you. For starters this should only ever be a polite request, not a forced rejection of any tracking scripts. I have a right to track how people use my site."

"People get way too offended by analytics tracking when it's there for their benefit."

It looks to me like they're saying that if you go to their site you have to run their scripts regardless of your own wishes, and that you're 'under his roof' and will therefore do what he says.

>> You can't possibly believe that his storing access logs is wrong.

No, I don't, that would indeed be silly! I believe that it's rude to try to demand people run your code, and if you do demand it then we need to find a way for me to tell him up front that I'm not going to, so he can decide if he still wants to send me the page data.

And though there are many analytics products that rely on running javascript on the client, almost all have fallbacks to 0px images--all that is needed is to comb through the logs occasionally.

"For starters this should only ever be a polite request, not a forced rejection of any tracking scripts. I have a right to track how people use my site."

"People get way too offended by analytics tracking when it's there for their benefit."

And the followup by the same OP -

"I'm going to keep an eye on you as I see fit whilst you are in my shop. Surely you can see that as fair?

You are an agent entering my property. This is what your computer does when you access my site."

It seems clear to me that they feel entitled to have their scripts run on my computer. I have no issue with them checking their logs to see what I requested and when. Scripts, cookies, 0px images, each of these are mine to block as I see fit because I own the client, not them.

You're right about both parties' rights. However, dealing with the "Most Trusted Internet Company in Privacy" [1], I expect them to do better than to insist each their rights to the letter. With regard to this discussion, as a novice user, I'd expect Mozilla /not to track me/. No ifs, no buts -- Do Not Track ought to skip all third-party tracking and remove any of my identifying data from their logs as soon as reasonably possible.

[1] http://blog.mozilla.org/theden/2013/02/06/mozilla-is-most-tr...

  "once you've made that choice you are within my domain"

If I'm visiting a site that talks about rocketry and I'm suddenly being served ads for fishing lures and rods because 10 minutes prior, I was searching for fishing reels, it feels creepy. And it's entirely your opinion that feeling creepy about being served ads for something I'm not currently looking at is wanting "to go back to the dark ages".

Take it in another way. If I'm visiting a flea market on Saturday morning and going by some stalls that sell home made cookies and such, I'm fine getting a flyer for pastries, donuts and cakes. I'm not fine getting a flyer for an 18 pack of socks at the cookie stall because Friday night after work, I went shopping for boxers at a completely different place.

Since many advertisers seem to have the Zuckerberg mindset when it comes to privacy and the mere notion of wanting to remain "un-caterered to" no matter how helpful and in my benefit you think it is, we're forced to take measures into our own hands.

BTW... Mozilla.org not respecting Do Not Track is exactly what I expected since they've decided that my request is needless considering what they produce.

Strong disagree. Whether a user finds benefit from tracking is the opinion of the user, not the opinion of the site doing the tracking.

It's very arrogant for a site to say "I'm doing this to you for your benefit", especially if it's not made clear what this is. If you find yourself having to tell someone that what you are doing is for their benefit, without explaining exactly what you are doing and why, you can safely assume it's not genuinely for their benefit.

I can agree that malicious tracking cannot be prevented - but this does not mean that benign sites are implicitly permitted to maliciously track people. That is totally unethical.

I'm not on your server. My browser isn't on your site. It sent a request to your server to send me a copy of some content. Your server sent that content. It's all on my computer.

This, in my opinion, is why Do Not Track is silly: You, nor your server, have any right to the expectation that I'll send tracking information (that your site provided in, say, a cookie) with every request. Meaning that the browser makers should be providing users options in this space- the power lies entirely with the browser makers and their users. Of course, completely omitting cookies and other tracking details leaves you, the site owner, making assumptions about user behavior on your site from a limited number of details like IP address and perhaps user agent strings. The ever popular cookie was the answer to maintaining session data across requests, and Double Click made famous the idea of tracking users across many sites (by embedding their assets [a blank pixel, a JavaScript, etc] and giving the user a doubleclick.net cookie.) Double Click's concept was, in the minds of most Internet users, a perversion of the purpose of cookies.

lol no you don't. You're choosing to respond to HTTP requests to your site, you put it out in public. I'll make whatever requests I want to your site and do whatever I want with what you give me, which may include rendering some or all parts of a "web page" as I see fit. If I give you some data in turn, sure, do what you want with it.

Do Not Track is silly because it's based on trust. I don't trust you to not track me even if I ask you not to. The only privacy is when I choose not to send you data (and I shouldn't, and browsers are horrible in this regard, they have failed their users).

While I agree with the rest of your comment, isn't it possible that analytics is just snake oil for webmasters? The third party services like GA collect a staggering amount of real-time aggregate data in return for sharing a sliver of it with webmasters in the form of pretty graphs. I'm not saying this information isn't useful, but can webmasters reconcile the results against their own logs? Can they submit sanitized logs for analysis instead of including code in web pages, so they can proactively protect user privacy while sharing only the minimum data necessary for their needs? In any case, analytics services aren't motivated purely by altruism and their business model plausibly extends beyond purely providing a service to webmasters.