Privacy: Do Not Track – Expressing a tracking privacy preference is harder than you think



I’ve been reading through the actual Do Not Track spec (link). Section 4 is quite interesting, specifically as it relates to “the user hasn’t set a preference”. Here’s the current wording:


When enabled, a tracking preference is expressed as either:

  • 1… This user prefers not to be tracked on the target site.
  • 0… This user prefers to allow tracking on the target site.

If a tracking preference is not enabled, then no preference is expressed by this protocol. This means that no expression is sent for each of the following cases:

The user agent does not implement this protocol; or
The user agent does implement the protocol but the user has not yet enabled a preference.

In the absence of regulatory, legal, or other requirements, servers may interpret the lack of an expressed tracking preference as they find most appropriate for the given user, particularly when considered in light of the user’s privacy expectations and cultural circumstances. Likewise, servers might make use of other preference information outside the scope of this protocol, such as site-specific user preferences or third-party registration services, to inform or adjust their behavior when no explicit preference is expressed via this protocol.


Here’s where things get interesting. How do I set a preference of “0”?

I just tested this with the latest version of Firefox which supports the protocol. So I turned on “Do Not Track” and sure enough I can see the HTTP_DNT=”1″ header field showing up at our Web site. So then I turned it off (unchecked the box) and checked the incoming headers. Guess what? There’s no HTTP_DNT=”0″. The browser supports the protocol so there should be a way to send that header.

So lets look to the spec to see the answer. I’ve unchecked the box so then i’m indicating that no preference is expressed (this is NOT the same as a 0). This means that no expression is sent for the following cases:

  • The browser doesn’t support the protocol (this is for older browsers) but in my case it does
  • The browser does implement the protocol (it does) but I haven’t “enabled” the preference yet

So how do you know which of the above two cases it is? Well the usual answer is “JavaScript” as in, write some code that I can send to the device to determine if the browser supports what I need. And here comes the next problem – what if the browser user has turned off use JavaScript (quite a few do), what if the browser doesn’t support the necessary calls to determine if it can or it can’t support the protocol (Mobile browsers come to mind)?

A stunning amount of code and bandwidth will have to be written and used, to determine something that should be there in the first place. The browser does support it and it’s currently unchecked, which means that the browser sends HTTP_DNT=”0″. In the absence of either a 1 or a 0 you only have one case left. The browser doesn’t support the protocol.



  • For browsers that do support the protocol there are two conditions
    • The box is unchecked – the browser sends HTTP_DNT=”0″ – I want to be tracked
    • The box is checked – the browser sends HTTP_DNT=”1″ – I don’t want to be tracked
  • For browsers that do not support the protocol there’s only one condition
    • There’s no header to look for

So which of the browsers that currently support the DNT header (Firefox, Safari, MSIE) are sending HTTP_DNT=”0″? None of them. So how do I express a tracking preference of 0?

Currently you can’t.

Posted in: #Choice, #mobile, Privacy

Email Subscription