[Info] DNT Doesn’t Work – Suggestions For Browser Security

Do Not Track (DNT) is a user-set browser flag sent along with every HTTP request, with the intent of notifying the server that the user does not wish to be tracked for any purpose. Despite its virtuous intentions and support in every major browser, it has been generally regarded as ineffective, or at worst a near-complete failure. A condensed summary:

  • DNT was introduced in 2009 and legislated in 2011, allowing consumers to opt out of online tracking mechanisms and mass data collection. This is done through a manual option the user must set in their web browser’s settings.
  • This requires companies to voluntarily abide by the user’s request not to track them. You can predict what happens next.
  • Companies who make their bread and butter on user tracking and trading that information with other companies still cry foul, including advertising companies, big-data companies and social networks like Facebook. Technically, honouring it is trivial to implement.
  • Abiding by DNT is entirely up to the company/server on a voluntary basis. Many advertisers have publicly stated their intention to treat it as merely a ‘suggestion’. Take-up is poor at best.
  • Just when DNT was flailing and dying, Microsoft, true to its bumbling fashion, put the nail in the coffin by enabling DNT by default in IE10. This defeats the entire purpose of DNT (the flag no longer represents a deliberate user choice), and allows web servers to cry foul and ignore DNT flags.
  • Mass confusion ensues, and as companies such as Yahoo drop out of honouring DNT, they point to their in-built settings and lengthy Terms & Conditions as a response.
  • In the meantime, more nefarious sites have always ignored DNT, and use browser fingerprinting and third-party cookies to sell your activity to third-party ad companies anyway.
  • Long story short: you cannot trust companies on faith to look after your best interests. DNT is equivalent to throwing a cup of water at a house fire. A more concrete solution is required, see below.
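As an added example (not code from the original post) of why honouring DNT is technically trivial for a server, and why nothing in the protocol enforces it: a minimal request handler that reads the `DNT` header and either skips the tracking cookie and analytics beacon or, when told to ignore the flag, tracks anyway. The request headers, cookie name and beacon URL are constructed sample values.

```python
"""Server-side handling of the Do Not Track (DNT) request header.

Added example, not code from the original post. The requests below are
constructed sample input, not captured traffic.
"""
from http.cookies import SimpleCookie

# Constructed sample requests as a browser would send them.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0", "DNT": "1"},
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"},
    {"User-Agent": "Mozilla/5.0 (Windows NT 6.2) Chrome/30.0", "DNT": "0"},
]


def dnt_requested(headers: dict) -> bool:
    """True when the client sent 'DNT: 1'. Header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def build_response(headers: dict, honour_dnt: bool = True) -> dict:
    """Return a minimal response description for one request.

    A server that honours DNT simply omits the tracking cookie and the
    third-party beacon when DNT: 1 is present. A server that ignores it
    (honour_dnt=False) tracks regardless; the header is only a request.
    """
    response = {"status": 200, "headers": {}, "beacons": []}
    if honour_dnt and dnt_requested(headers):
        # Acknowledge the preference with the Tk response header from the
        # W3C Tracking Preference Expression draft ('N' = not tracking).
        response["headers"]["Tk"] = "N"
        return response
    cookie = SimpleCookie()
    cookie["uid"] = "constructed-example-id"          # constructed value
    cookie["uid"]["max-age"] = 60 * 60 * 24 * 365     # one-year tracking id
    response["headers"]["Set-Cookie"] = cookie.output(header="").strip()
    response["beacons"].append("https://analytics.example/collect")  # placeholder URL
    return response


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.get("DNT", "<absent>"), "->", build_response(req))
        print("  ignored:", build_response(req, honour_dnt=False))
```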

[Image: Disconnect tracker visualisation for a single page]

These are the sites that are tracking you invisibly, when you visit ONE site. Many sites are worse.

Below are the suggestions I have found useful, after many years of use, for limiting how you are tracked (there are many ways it happens). They are not mutually exclusive; if you want to be sure, do all of the below:

  • Don’t use Chrome. It has a bunch of phone-home features and is tied to your Google account, in the name of convenience, and advertising is Google’s bread and butter. It also forwards 404s, search suggestions and, soon, voice searches, and it’s loaded with DRM and closed-source components. If you absolutely must, then at least use Chromium and install only the closed-source components you need manually (i.e. Flash).
  • Turn off certificate revocation checking (in any browser); it’s of limited use anyway. Exercise common sense.
  • If you don’t wish to be tracked, make sure you don’t allow sites to set cookies (or, at most, only temporary or per-session cookies) in your browser. Add-on suggestions: BetterPrivacy, Cookie Monster, Self-Destructing Cookies.
  • Use off-the-shelf tracking blockers like Ghostery or Disconnect.
  • Use an adblocker with appropriate filter lists. If you trust a website and/or want to support their content, whitelist them. Suggestions: Adblock Edge, with Fanboy’s filter lists. This also works on Firefox for Android. I’ll have an article up on securing Android soon.
  • Optionally, if you don’t want the large memory overhead of running an adblocker, block with a hosts file, but note that element-specific blocking will be unavailable. Suggestion: SWC Hosts File. This also works on Android devices (with root).
  • Log out of websites when you leave, and clear the cookies or set them to expire automatically. Social websites like Facebook are notorious for tracking your movements through ‘Like’ buttons littered across the majority of websites, data which is conveniently available for advertisers to buy on FBX.
  • Disable JavaScript from non-relevant sites. I find that on average most mainstream sites load dozens of third-party analytics and tracking scripts, even IF you have adblockers installed. Note that this is reserved for more advanced users, as fiddling is required to get many JS-reliant sites to work (which begs the question: why do they need it?). Suggestion: NoScript, the one and only. It also blocks XSS, click-jacking, Flash/plugins and many others. Bonus: many sites will load MUCH quicker.
  • Even with all of the above, you can still be tracked via browser fingerprinting, which identifies the unique attributes of your browser (such as version, OS, plugins, screen resolution, etc.) and matches them up across sites. You can test how much websites can see about you (even WITH all of the above protections) with the EFF’s Panopticlick site. Random User Agent can help by spoofing. For IP-based tracking, you can also look at Tor or VPNs as an alternative.
