Mozilla has released Firefox version 4, featuring a new look and feel (Chrome, anyone?), and new privacy and security features. The feature with the most potential — and the most buzz — is “Do Not Track,” which “lets you tell websites you don’t want your browsing behavior tracked.”
This is an important step towards giving Web users more control over how their digital steps are being monitored and recorded. The Future of Privacy Forum has been tracking the history of this feature for some time, and we had a conference call with Mozilla, Microsoft, and Google a few weeks ago to learn about their various (and varying) methods for allowing users to prevent tracking.
Here’s how Firefox’s Do Not Track feature works:
For more background, please see Chris Soghoian’s detailed history of the inception of the opt-out header concept, as well as the DoNotTrack.Us website for full details on the broader project supporting these initiatives.
Note, however, a critical limitation (currently) to the Do Not Track method: it requires third-party advertisers to recognize and properly react to the DNT header sent to them from your browser, and there’s no requirement that they must. As Firefox notes: “Honoring this setting is voluntary — individual websites are not required to respect it.” While implementing the header should be easy for advertisers, no advertising network or other tracking service has yet announced plans to honor the Do Not Track header. The FTC might require something similar, and we can hope that public pressure might lead ad networks to voluntarily adopt Do Not Track, but for now, this is merely the expression of a user’s privacy preference that falls on deaf ears.
Despite this limitation, it still is very important and meaningful that Firefox has implemented Do Not Track for its millions of users.
The problem is, unfortunately, they made it very hard to turn Do Not Track on.
Today I installed Firefox 4 and went to the preferences panel to see for myself how Do Not Track has been implemented. Logically, I went to the Privacy tab first:
Here, all I see is a default setting of “Remember history”, noting that “Firefox will remember your browsing, download, form and search history, and keep cookies from Web sites you visit.” This default is discomforting. Looking at the menu of options, I see I can select “Use custom settings for history”:
Here, at least, I control whether Firefox stores my browsing history, or accepts third party cookies, etc. But, Do Not Track is nowhere to be found on the Privacy settings control panel.
Next, I try the Security tab, since Do Not Track is pitched as a security feature by Mozilla. Again, no settings for Do Not Track are provided:
Finally, I click on the ubiquitous “Advanced” settings tab. Bingo! Look closely, and you’ll see a setting for “Tell web sites I do not want to be tracked” among the list of browsing settings. And, of course, the default setting is to not have Do Not Track activated:
This design choice is very troublesome. Do Not Track is a major development in potentially providing Web users more privacy, security and control over their online activities. Mozilla brags about “leading the Web towards a universal standard Do Not Track feature,” and its own (draft) Privacy & Data Operating Principles talks about providing “real choices,” “sensible settings,” and “user control.” Yet, the setting to turn on Do Not Track is buried in the Advanced preferences tab, and listed alongside such mundane options for smooth scrolling and spell check.
Mozilla, you can do better than this.
MichaelZimmer.org 
Nice summary of the Do Not Track header and its current limitations. These restrictions are why I’m using Abine’s Do Not Track Plus, http://www.abine.com/dnt/, because it combines the DNT header of Firefox with the Tracking Protection Lists of Internet Explorer. It’s sort of double the protection than you’d get with either one alone. The best outcome would be a simple, uniform Do Not Track that’s automatically enabled, not disabled by default.