Threat Level: green Handler on Duty: Tom Webb

SANS ISC: The "Do Not Track" header - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
The "Do Not Track" header

A recent proposal, supported by many current web browsers, suggests the addition of a "Do Not Track" (DNT) header to HTTP requests [1]. If a browser sends this header with a value of "1", it indicates that the user would not like to be "tracked" by third party advertisers. The server may include a DNT header of its own in responses to indicate that it does comply with the do-not-track proposal.

The proposal focuses on third party advertisements. It does suggest retention periods for first parties (2 weeks for all logs, up to 6 months for security relevant logs) to remain some compatibility with compliance standards that require specific logging schemes and retention times.

The biggest problem with this standard, aside from user awareness, is the fact that this is all voluntary. There is no technical means to enforce that  a web site treats your data in accordance with the DNT header. Some legal protections are in the works, but as usual, they will probably only apply to legitimate advertisers who are likely going to comply. DNT will only matter if enough advertisers sign up to respect it. It is kind of like the "robots.txt" file, and could even be abused for user tracking as it will make browsers even more "unique" to allow them to be identified without the use of cookies or other tracking mechanisms. [3]

If you are concerned about tracking by third party sites, you need to not load content from third party sites, in particular ads and additional trackers (like cookies). Various ad blockers will help with this. Of course at the same time, you are violating the implicit contract that keeps many sites afloat: For letting you watch my content for free, my advertisers will track you. 

At the same time, users overwhelmingly don't appear to care much about privacy.  The "Do Not Track" header is usually not enabled by default. I don't think many users know about it, or how to enable it. The URL listed below has instructions on how to enable it, and will tell you if it is enabled in your browser. On the ISC website, the number of users with DNT enabled went from about 3.4% to 5.1%, which shows that while DNT adoption in our more technical readership is picking up, it is still rather low.

As far as this website is concerned: We do continuously try to refine our site to "leak less" of our visitors information. For example, we recently switched to a privacy enhanced social sharing toolbar. Our site is also using https for most parts. Aside from the obvious encryption advantage, this will prevent referrer headers from being included if you are clicking on a not-https link on our site.

Our biggest issue right now is the use of Google Analytics, and Google Ads in a couple spots, but I am reviewing these, and am looking for a replacement for Google analytics. Over time, I hope to have less and less third party content on the site that could be used to track visitors wether or not the have the "Do Not Track" feature enabled. 

[1] http://donottrack.us/
[2] http://tools.ietf.org/id/draft-mayer-do-not-track-00.txt
[3] https://panopticlick.eff.org/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS Munich July 2019

Johannes

3532 Posts
ISC Handler
"As a little experiment, " Argh! Don't keep me in suspense, what's the experiment? ;-)
John

88 Posts
Twitter has announced that they respect the DNT header.
https://support.twitter.com/articles/20169453
John
1 Posts
sorry about the "experiment". That was a typo.
Johannes

3532 Posts
ISC Handler
- http://www.incapsula.com/the-incapsula-blog/item/225-what-google-doesnt-show-you-31-of-website-traffic-can-harm-your-business
"... 31% of your website visitors are likely to be damaging intruders. Google Analytics doesn’t show you 51% of your site’s traffic including hackers, spammers & other non-human stalkers. Most website owners don’t know that a startling 31% of any site’s traffic can harm its business. And although most website owners rely on Google analytics to track who’s visiting their site, Google simply doesn’t show you 51% of your site’s traffic including some seriously shady non-human visitors including hackers, scrapers, spammers and spies of all sorts who are easily thwarted, but only if they’re seen and blocked...
> http://www.incapsula.com/images/blog-images/stalking_%20Pie.jpeg
As website owners work hard to attract good human traffic, it’s just as important to see and block the bad guys & bots that can hack your site, steal your customer’s data, share your proprietary business information, and a whole lot more. It’s time to see who’s visiting your site, and make sure the good guys get through fast while the bad guys are kept out...
> http://www.incapsula.com/images/blog-images/stalking%20table.jpeg
.
Jack

160 Posts
>> There is no technical means to enface use of the DNT header.

When I fill-in the fields on a personal cheque, I "enface" it, unless I deliberately "deface" it.

I do wish that banks would "enforce" that the signature(s) on the cheque match the on-file sample signatures.

I probably will never use "deforce" in any of my communications. :-)
Anonymous

Sign Up for Free or Log In to start participating in the conversation!