[Done] Supporting X-Do-Not-Track header

Various discussions related to Adblock Plus development
Wladimir Palant

[Done] Supporting X-Do-Not-Track header

Post by Wladimir Palant »

There is a proposal suggesting that the browser sends a special HTTP header (X-Do-Not-Track) when the user wishes to opt out of web tracking. While it is hard to imagine that the industry will decide to respect user's wishes voluntarily, FTC is considering to endorse this approach which is an entirely different game. Microsoft announced that Internet Explorer 9.0 will support this approach (among other things) - and that's something that Adblock Plus could easily add as well.

First of all: this is not a replacement for EasyPrivacy&Co. but rather an addition. It is unavoidable that EasyPrivacy will fail to block a tracking server occasionally, having X-Do-Not-Track header in these cases would be nice (at least once the industry starts respecting it). IMHO this feature is not something that the user needs to switch on explicitly - by adding EasyPrivacy or a similar list the user already indicated that he wants his privacy to be protected. Consequently, X-Do-Not-Track header should be sent automatically if such a list is present.

I think that this is best achieved using a special filter. We can even allow specifying exceptions for particular sites where this header shouldn't be sent - in case somebody gets the idea of blocking users sending out this header (which is unfortunately something to be considered as long as Adblock Plus stays the only major product supporting this feature). A new filter option should be the easiest solution:

Code: Select all

*$image,~image,donottrack
The "image,~image" part is required for backwards compatibility - that way the filter won't block anything in older Adblock Plus versions (unknown options are ignored). donottrack will be a non-default option defining requests where X-Do-Not-Track header should be sent - usually all of them of course. However, we might need domain exceptions later:

Code: Select all

*$image,~image,donottrack,domain=~example.com
Or even exception rules:

Code: Select all

@@|example.com^$image,~image,donottrack
Note: Half an hour required for implementation and testing, pretty trivial thing. All the necessary infrastructure already exists in Adblock Plus code.

Comments? Suggestions? Objections?
Michael
Posts: 1361
Joined: Sat Dec 19, 2009 12:29 pm

Re: Supporting X-Do-Not-Track header

Post by Michael »

Instead of necessity for an inefficient filter in all privacy lists to support the command, I would request that a comment causes the X-Do-Not-Track header to be sent, with the ability to add domain exceptions in the filter form @@||example.com^$image,~image,donottrack.
Wladimir Palant

Re: Supporting X-Do-Not-Track header

Post by Wladimir Palant »

I considered a comment as an option but I'm not really happy with this solution, considering both consistency and implementation. If performance is really a concern I can change the address tested for "donottrack" checks so that this filter will always match:

Code: Select all

^donottrack^$image,~image,donottrack
"donottrack" will be added at the end of the address to allow finding this filter more efficiently.
Michael
Posts: 1361
Joined: Sat Dec 19, 2009 12:29 pm

Re: Supporting X-Do-Not-Track header

Post by Michael »

The filter form ^donottrack^$image,~image,donottrack will make the rule non-standard in that, previously, the string had to match an item being loaded, whereas it is now used as an indicator of purpose. *$image,~image,donottrack is probably more advisable to avoid confusion and ensure that filters that appear alike act alike.

However, I have to admit that I'm still not convinced that support for the do not track header should be added to Adblock Plus. I first have my doubts about the header itself, including the respect that tracking companies will have for the preference and the fact that this header presumably needs to be communicated to the servers, the logs of which could then be analysed.

My other concern is whether the functionality really belongs in Adblock Plus. Unlike other technologies, which have been added specifically for the removal of adverts, this would be for the considerably less popular use of removing tracking. Furthermore, the fact that it sends, rather than blocks, content also make it a bit of an oddity. Would the filter, for example, appear in the blockable items window to indicate that it is active on the page?
Wladimir Palant

Re: Supporting X-Do-Not-Track header

Post by Wladimir Palant »

This has been implemented now: https://hg.adblockplus.org/adblockplus/rev/df7d895ac3c2
The "normal" filter should be used:

Code: Select all

*$image,~image,donottrack
It won't be marked as slow and in fact it isn't (the keyword "donottrack" is used automatically if no other keyword is found). $domain and $third-party options cannot be used however, they won't work. It turned out that getting this info is impossible at least for background images - so this better doesn't work at all rather than working unreliably.

Michael, I understand your concerns. However, X-Do-Not-Track is an interesting idea, it is finally a realistic option to opt out of tracking (a few hundred opt out cookies aren't). Also while ad networks won't be inclined to observe it - if conformance gets regulatory (looks like it will) they might have no choice. Either way, it doesn't harm if we try. It's not like we are giving up on blocking, this is only for the sites we miss.

And - yes, we are sending out something here. But there isn't really any information connected to this header.
Panther

Re: [Done] Supporting X-Do-Not-Track header

Post by Panther »

Sounds like a way to detect "sensitive users", this header is totally useless, privacy should be allready in the design!
erd

Re: [Done] Supporting X-Do-Not-Track header

Post by erd »

Will the user be able to turn this header off? Isn't ABP supposed to not establish a connection should an element be blocked? What does this funny header help then? It is utterly useless in my opinion because before a big majority starts using it you will be standing out like the previous poster mentioned. After it gets popular and like NoScript decided for its users to send this header by default as well, the effect should be going to zero at some point because then "everyone" will be stating that they want to "opt out".

Please think about forcing this header on your users by mass changing your filters and instead giving a global option to control this (experimental) behavior.
Wladimir Palant

Re: [Done] Supporting X-Do-Not-Track header

Post by Wladimir Palant »

Yes, the user will be able to switch this filter off - just like any other filter. It will also be affected by exception rules, this will allow turning it off for some servers only.

It isn't about the requests that are blocked, rather about the requests that are *not* blocked. For example, when you are searching Google some data on you will be stored and Adblock Plus cannot do anything about it (other than locking you out of Google entirely). This header tells Google that you want your privacy to be respected. It won't do much right now, not many sites will respect the header voluntarily. But things might change if FTC makes respecting this header mandatory.
User avatar
fanboy
Posts: 3446
Joined: Sun Jun 17, 2007 4:45 am
Contact:

Re: [Done] Supporting X-Do-Not-Track header

Post by fanboy »

so which trackers voluntary support this so far? Would it best to wait till its supported by industry?
Wladimir Palant

Re: [Done] Supporting X-Do-Not-Track header

Post by Wladimir Palant »

Probably none. For us this feature is highly experimental of course. On the other hand, it is very simple to implement and it won't cause any harm either - we can also drop support just as fast as it was added. So why not? The industry will certainly not move if there are no solutions actually sending out that header.
Michael
Posts: 1361
Joined: Sat Dec 19, 2009 12:29 pm

Re: [Done] Supporting X-Do-Not-Track header

Post by Michael »

The suggested filter apparently blocks all items in AdBlock for Safari. Can anyone confirm this and optionally provide an alternative that will not cause this issue to occur?

Edit: I've just found the relevant bug report for AdBlock for Chrome. It looks like subscription authors will need to inform AdBlock for Chrome / Safari users to update as soon as the fix is released...
Nom nom nom

Re: [Done] Supporting X-Do-Not-Track header

Post by Nom nom nom »

Hi!

I noticed that no-track headers aren't sent with every request. (see this header viewer page)
It seems intended and I was wondering when ABP sends them and when it does not. My understanding is that ABP only sends these headers for elements loaded in a page (both 1st and 3rd party), and not for the page request itself. Is that so? And is it better this way? (why?)

Thanks :)
Wladimir Palant

Re: [Done] Supporting X-Do-Not-Track header

Post by Wladimir Palant »

Adblock Plus sends them for all requests. For me this page lists X-Do-Not-Track header when I am subscribed to the EasyPrivacy filter subscription (you might need to update it, the filter only has been added a few days ago).
Nom nom nom

Re: [Done] Supporting X-Do-Not-Track header

Post by Nom nom nom »

I just checked again, and still no header. Maybe you have NoScript 2.0.9.x installed? The headers show up when noscript.doNotTrack.enabled is set to true, but vanish when it's set to false...
Without NoScript and with EasyPrivacy's *$image,~image,donottrack activated, the headers don't appear on the page I linked to. At least for me :O
Wladimir Palant

Re: [Done] Supporting X-Do-Not-Track header

Post by Wladimir Palant »

Which Adblock Plus version do you have installed? It will only work with the latest development build.
Locked