Do Not Track and the GDPR

Author(s) and publish date

By:

Mike O'Neill

Published:

11 June 2018

The Tracking Protection Working Group (TPWG) has been engaged with issues of online data protection, privacy and tracking since 2011. Its Tracking Protection Expression draft recommendation (TPE), substantially completed in 2013, first became a Candidate Recommendation (CR) in August 2015.The main feature of the TPE, the DNT request header, is now implemented by all the major browsers via a general preference setting, with the JavaScript API for registering a site-specific preference implemented by browser extensions, as well as Microsoft's Internet Explorer and Edge browsers.

The DNT header indicates settings that a user has made within their browser, either directly or mediated by script on a page, to indicate their preference of agreeing or declining to be tracked. Once a "general preference" is configured, browsers add the DNT header to all HTTP requests, including requests to be sent to embedded sub-resources. The header value can either start with "1", meaning "Do Not Track", or "0" signifying "this user has agreed to tracking for the purposes explained". There is a defined JavaScript API letting a browsing context change the DNT setting for its own domain origin, or for the domain origin of its embedded sub-resources – so called "site-specific" consent.

GDPR & ePrivacy

The General Data Protection Regulation (EU) 2016/679, which has just come into force, is important for web privacy because it clarifies what makes for valid user consent in more detail than the Data Protection Directive that preceded it. The existing ePrivacy Directive (introduced in 2002, amended 2009) requires prior user consent for access to storage in browsers, other than for a restricted set of exempted purposes, and now for consent to be valid it must meet its description in the GDPR. Consent must not only be freely given, specific, informed and unambiguous, it must be indicated by the user's affirmative act – it is no longer enough to display "implied consent" notices, pre-selected checkboxes, or cookie walls, and it must be as easy for users to withdraw consent as to give it.

The GDPR also introduces much larger fines, making data and privacy protection a board level topic.

There is also a new ePrivacy Regulation (ePR) in the works, aimed at replacing the ePrivacy Directive. Although the European Parliament completed its deliberations last year, and voted through its own draft text, the European Council has dragged its feet somewhat. Even so, the important trilogue discussions between the European Parliament, Council and Commission, aimed at finalising the text, are expected to start soon. DNT

DNT

DNT is a highly efficient way to convey user consent to web servers because the header is always present in every request. A JavaScript global property also allows a browsing context, say for an iframe tag or a first-party page, to immediately determine the current setting. Although HTTP cookies can of course also encode a consent signal, there is no way to selectively include them in sub-resource requests, as cookies once stored will always be sent to their respective domain origins (i.e. to access third-party resources on any first-party site), and moreover there is no simple or efficient API a browsing context can use to set cookies for its embedded sub-resource domains.

The TPE also defines a JSON resource, called the Tracking Status Resource (TSR), to be made available by domains that implement DNT, located at a well-known path (/.well-known/dnt/). This resource enables domains to declare their identity, policy for tracking, and other important items, important so that browsers can show users the servers being enlisted to supply content for a page, to support the now legally required transparency. European data protection and privacy law requires that users be able to determine who they may be tracked by, for what purpose, and give their informed and specific consent if they freely choose to.

The Tracking Protection Working Group was chartered in 2017 to demonstrate the viability of TPE to address the requirements for managing cookie and tracking consent that satisfies the requirements of EU privacy legislation". This resulted in a new CR for the TPE in October 2017 which included improvements for the Javascript API and other elements.

Later further changes in the draft were put forward to meet the requirements for the European Parliament's agreed text for the EU's ePrivacy Regulation, and to allow for the communications of agreed purposes requested by the AdTech or "industry side" group members. The API was extended so that a site-specific signal was available to indicate the required right-to-object for permitted "web audience measurement"(A8.1d in the European Parliament's ePR text), i.e. to send a DNT:1 header to certain domains even if the general preference had not been set, and to define an extension to the header so that a purpose descriptor could be sent when consent had been given, i.e. an extension to the DNT:0 header. A new "purposes" property for the TSR was defined whereby a server can indicate, via a dynamically created web page, the purposes the user has agreed to by decoding the new extension field in the incoming DNT header.

Implementation

Now that the GDPR is in force, and the ePrivacy regulation final text hopefully soon to be agreed, the fact that a CR exists for efficient signalling of user consent may encourage browser providers to implement or update their DNT implementations.

If they do, DNT would offer a much better signalling method for user consent than techniques based on HTTP cookies. Third-party cookies as presently constituted cannot convey site-specific consent¹, and it is unlikely that users, once they have been made aware of their right to give their prior consent, will agree if their only option is to be tracked across the entire web. Although the IAB EU's recently introduced Consent and Transparency Framework (CTF) allows for consent to be recorded in first-party cookies, and so site-specifically, there is no mechanism to persist it within a sub-resource context without using a third-party cookie (or other domain specific storage), which is then incapable of recording the site-specific context. Without persistence the efficiency of indicating consent to third-parties becomes a problem.

In DNT the browser absolutely determines which domain receives the consent signal, within the parameters of the Same Origin Policy and, while it does not need the elaborate encoding of party identity, with its attendant fingerprinting risks, underlying the CTF's "daisybit" identifier, this can still be incorporated in a consent-based protocol where the "daisybit" is only sent to the parties the user has agreed to. This could give the online advertising industry, the publishers that rely on it, and web users a win-win outcome – good for data protection, privacy and commerce.

Extensions

The architecture of the DNT protocols has been designed to be extensible, and there have been discussions in the TPWG about additions that could help publishers and advertisers improve efficiency by extending the protocols for consent-contingent targeting and privacy-oriented audience measurement. If representatives from publishing and advertising wish to engage with that, the TPE is a great base to build on. We have had a charter extension till September but if new members with a commitment to engage were to appear, we should be able to extend it further.

Mike O'Neill is an Invited Expert in the Tracking Protection WG

Related RSS feed

Subscribe to our blog feed

Comments (15)

Matthew S. Shea - 13 June 2018 at 01:54:30 UTC

I am for the concept of allowing all users who browse the web more control over their data. And I do not agree with how anyone, company or even government have been able to easily manipulate the general public by underlining an enormous amount of fine print that must be agreed upon if choosing to utilize such services being provided.

Even though a user is fully responsible upon the data that is being shared a percise lime must be drawn when it pertains to any user's privacy.

First of all, I as an American am not associated with the E.U. in any way shape or form. And yet as much as I'm doing my research pertaing to the G.D.P.R. I can find anywhere that states that I have the right to have a company based within the E.U. to delete my data!? And if they don't, how would I know? And if I do know how does my Government protect us from anyone outside of the U.S. collecting as much data as they can from us Americans and could possibly planning a digital attack that not many Americans are costly comprehensive to how today's technology works to begin with. And this topic alone can be discussed in more detail.

Furthermore, I'm also concerned about a new form of a blockade being implemented in today's market. With the unbelievable amount of deception when it pertains to any form of an E-Commerce business within the U.S.

As of right now this entire ordeal with online privacy, data collecting etc. seems to hurt the American people on a much more economical broad scale, rather than ensuring a level playing field for users world wide.

I hope I am mistaken about how I'm viewing this and am only trying to encourage all people to utilize the internet as a powerful resource. I thank you for your time.

Matthew S. Shea
- Mike O'Neill - 13 June 2018 at 17:11:56 UTC
  
  Hi Matthew,
  
  DNT was started in as a response to concerns expressed in the US as well as elsewhere. The W3C activity took off after a Witehouse meeting where Pres. Obamacalled on the online industry to come up with a way for people to express their agreement (or not) to being tracked. He said legislation would follow if a mechanism did not emerge,but this did not in the end happen (the DNT signal did become available on browsers but web sites on the whole ignored it).
  
  The EU has responded to tracking with more law based approaches, namely ePrivacy, but again this has been mainly ignored by companies, perhaps because the sanctions available to regulators were inadequate given the expense of prosecution, and the law did not reach US entities.
  The GDPR has changed the environment on this so now there will be a change in tracking behaviour in Europe. US based web servers where they target European residents will also have to comply.with ePrivacy and the GDPR..
  
  DNT is simply a signal designed to convey user consent for tracking, and will help protect privacy whatever the legal jurisdiction.
James Pulley - 13 June 2018 at 13:46:42 UTC

As a Performance Engineer, the DNT provisions and the recommendations from rfc6302 are going to have broad impacts on my work. It will become more difficult to catch poor performance issues.

Today, I can pull information inside of logs, or tools such as Dynatrace, AppD, Newrelic, down to the session level and watch (sometimes with PII data attached) how the system under examination is performing, allowing me to catch performance issues quicker. Security professionals also have the same need for detailed access to catch security issues.

The recommendation for purging logs quickly is also going to complicate issues regarding catching long term performance and security issues as well as trend analysis. This will make the building of load profiles more difficult if no system contains objective truth because of missing data from DNT provisions.

I can see companies making direct decisions if the GDPR fines are low, to simply be in a non-compliant state as long as there is access to the European market. This would allow current performance and security analysis practices to continue. If the fines are large or the threat of cutoff from the market is made, then be prepared to simply throw hardware at your performance issues and be prepared for many more uncaught data breaches.
Mike O'Neill - 13 June 2018 at 17:33:20 UTC

Hi James,

The TPE (DNT technical document) does not deal with log data per se and I have not been involved with RFC6302, but there are data protection principles, which in Europe at least have legal force, that have a bearing on how long activity logs should be kept.

Where logs contain personal data, which now can mean IP addresses, cookie UIDs and the like, they must be processed for a limited purpose and must not be kept for longer than necessary.

There is no reason that concerns about security and data breaches need to conflict with these basic principals.
Sean Parnell - 20 June 2018 at 05:29:51 UTC

How does the California Privacy Act compare with GDPR, and what do you think the probability is of its passing considering that some very large US companies are allegedly trying to kill it?
- Mike O'Neill - 24 June 2018 at 10:20:24 UTC
  
  Hi Sean,
  
  I have not looked into it, but I hope it does pass. Anything that improves privacy rights is a step in the right direction, and hopefully improves the chances for Federal laws such as the Do Not Track Online Act or similar.
Andrew - 22 June 2018 at 21:36:04 UTC

As an EU citizen, and simply as a reader, I feel hemmed by the overwhelming, neverending and present on every web page, questions if I wish to be tracked.
Instead of a real "privacy by default", which could only mean a real opt-in: a law-enforced assumption that nobody wants to be tracked, unless they create accounts, log in and ask to be remembered, we are being forced to answer the same question hundreds or thousands of times a week or month, which brings the memories of totalitary government's security service officers asking people a question as many times as needed to be answered "the only proper way".

In my opinion, any sane person should expect organizations like w3c to settle and the software industry to follow a standard way to allow the user of a browser application to define his consent or objection to gathering and processing of specific categories of data and aims for which they may be processed according to the law - only once and already on the browser application level, like the already available DNT.
The DNT itself, however, from the perspective of a human being who does not wish to be attacked with endless requests to agree to be tracked, is plainly useless if the website operators/administrators are not enforced by the law to honor it. Frankly speaking, the fact that DNT is built in the browsers, is probably merely an excuse so that software vendors, including open source, can tall the users "look, we have done so much to protect your privacy", at the same time accepting money from internet giants of online marketing...

I am awaiting proper plugins to automate saying no to all those privacy hunters...
- Mike O'Neill - 23 June 2018 at 10:06:13 UTC
  
  Hi Andrew, you hit the nail on the head.
  Yes, the web needs a universally recognised consent signal and it might as well be DNT.
  Trouble is we are stuck in a loop:
  1) Servers take no notice because there is no legal requirement being enforced.
  2) Regulators will not enforce it because it is not a full Recommendation.
  3) The W3C resists pushing it to a full Recommendation because browser companies have not properly implemented the site-specific API.
  3) The browsers will not implement the API because they say servers do not respect the signal, and have not expressed a need for the API.
  4) Goto 1.
  
  We now have an explosion of ineffective "smokescreen" consent tools or "just click accept" cookie walls, responding to the letter of the GDPR/ePrivacy legal requirements, but which just further reduce people's trust in the web, and the ability of law to protect their fundamental rights.
  
  It would be great if some significant party broke out of the loop, but nevertheless the work will continue.
  
  As an aside, there is a free plugin (ours) that implements the API and stops tracking when no consent has been given (i.e when DNT is not 0),
  see https://baycloud.com/bouncerDownload. If DNT was widely recognised there would be many more.
- Chris Cook - 23 June 2018 at 12:08:20 UTC
  
  I proposed market-specific domains and market-specific user agreements (in the context of global oil markets) maybe 17 years ago.
  
  http://wiki.p2pfoundation.net/Market_3.0
  
  This has been updated (using slightly different legal forms & instruments) to a current proposal fo a global market in natural gas within a market-specific 'Dot Gas' domain and an associative 'club' interactive user agreement/Club Rules'.
  
  The beauty of such a Club/Association is that it is both public (open) AND private (closed): it is closed because only club members can use DotGas but open because anyone who meets the club standards and club rules may be a member. Regulatory teeth derive from the fact that natiral gas trades would be registered on a shared market transaction repository.
  
  The key is the legal design of the domain protocol which I have termed 'Nondominium', where no stakeholder group has dominant rights over another.
  
  This model - where the Internet is a commons owned by all and by none - is universally extensible
- Chris Cook - 23 June 2018 at 12:10:21 UTC
  
  Note that there is no need for a blockchain: bilateral authentication/encryption and unique time-sequenced registration numbering is all that is necessary.
- John Doe - 30 August 2018 at 22:13:08 UTC
  
  Chrome is a product of Google and Google doesn't respect the DNT. The DNT should be respected under current GDPR ruling because
  1) A user explict sets the cookie
  2) A website is informed by the user his choice and shouldn't be asking extra consent.
  
  I see no reason why the DNT isn't part of the legal framework that's the GDPR. The GDPR is an abstract framework while the DNT is a concrete implementation.
  
  And especially in the case of Google/Chrome the points you made make no sense at all...
- Mike O'Neill - 31 August 2018 at 04:43:18 UTC
  
  The GDPR (and the ePrivacy Directive) do refer indirectly to DNT, as they both say that a user's agreement or not to personal data processing or access to terminal storage can be indicated by "browser settings or "automated means". Referring to DNT as a "concrete implementation" is a job for the regulators - i.e. the Supervisory Authorities, and hopefully they will do that. In my opinion there is already a legal justification for demanding that servers respect DNT as an opt-in (DNT:0) or an opt-out (DNT:1), but less clear that browsers would have to also take account of it.
  
  The European Parliament's draft of the new ePrivacy Regulation does have such a requirement on "software providers", but at this time the legislative process for it is still in limbo.
  
  Which of my points "make no sense"?
John Doe - 19 July 2018 at 15:02:05 UTC

DNT should be on by default in all browsers, otherwise it's useless, as it helps fingerprinting users and, therefore, tracking them around the web.
- Mike O'Neill - 19 July 2018 at 15:25:22 UTC
  
  I agree, in fact in Europe the ePrivacy Directive effectively means DNT unset (i.e. the header is not there) has to has to indicate no tracking. There is a situation where a specific DNT:1 header could be assumed to be an indication of the right-to-object called for in Article 21 of the GDPR, but this only makes sense when either the "legitimate interest" or "public interest" basis is claimed, and these do not replace the requirement for consent (under ePrivacy) anyway.
HP Laptop Troubleshooting - 3 December 2018 at 12:13:12 UTC

I haven't proper ideas about this GDPR and privacy policy. After reading your article I get useful information.