Do_not_track - Hacker News

Posted by RubyGuy 22 hours ago

420 points | 128 commentspage 5

kstrauser 20 hours ago|

I’m morally opposed to the notion of optimizing the opt-out mechanism. I want a standardized opt-in mechanism, like:

  export ALLOW_TRACKING=telemetry,crash_dumps

and the absence of such a setting means “fuck off, don’t spy on me”. It’s not my responsibility to turn off apps wanting to track me. It’s their responsibility to get me to authorize their specific flavor of tracking.

cj 19 hours ago|

> It’s their responsibility to get me to authorize their specific flavor of tracking.

And they do by burying it in the user agreement you probably agreed to.

Like it or not, it is your responsibility. I agree it shouldn’t be, but let’s be realistic.

msla 19 hours ago||

Then it's my responsibility to feed them fake data.

They didn't opt out of my data, after all.

internetguy 13 hours ago||

https://xkcd.com/927/

varispeed 20 hours ago||

Default opt-in tracking should be illegal and enforced with such fines and prison sentences, that companies wouldn't even dare to have anything remotely capable of tracking in the runtime.

Unfortunately big corporations can always find away to make regulators see no problem.

pseudalopex 14 hours ago|

> Default opt-in

This is called opt out.

varispeed 3 hours ago||

Yeah, I always mix it up. Thank you!

walrus01 16 hours ago||

I'm sure this will be about as effective as putting yourself on the do not call list for domestic phone telemarketers, which has absolutely no effect whatsoever on overseas scam call centers.

charcircuit 17 hours ago||

This does not make sense to support. Businesses that have proper privacy controls and security do not want to be lumped together with random shady apps and want users to explicitly opt out. Another issue with this header is that users could set it and then accidentally opt out of other sharing that they don't realize since this header is being set somewhere random. Standardizing on a per app basis way to revoke consent, along with showing privacy polices and measures the apps have put in place for guarding security would be a more sensible alternative that could gain traction.

pseudalopex 14 hours ago|

Gathering information without real consent is shady.

stavros 20 hours ago||

Honest question, what's the problem with crash dumps that include no personal info? They just help make the software less buggy. I also don't see an issue with anonymized usage patterns (this feature was used X times this month, this one Y times, etc).

Can someone expound on what they see as a problem?

JoshTriplett 20 hours ago||

> Honest question, what's the problem with crash dumps that include no personal info?

In addition to the other response: crash dumps are difficult to anonymize, both because useful crash dumps include something like a minidump (or some other small alternative to a core file), and because even without that, any random information from a backtrace may be sensitive (e.g. a URL).

There's nothing wrong with saving a crash dump and giving the user control of whether to submit a bug report.

stavros 19 hours ago||

I'm more thinking Python crashes, where you just get the lines that executed, and ~zero identifiable data.

47282847 8 hours ago|||

Anyone on the path potentially learns something about your system and your software use.

Your IP during connection exposes your rough location.

Crash logs rarely are completely anonymized so both together can additionally serve as a way to re-identify the user.

The only way to properly transmit telemetry data would be Tor. And no, even then I don’t want my tools to report back my use. It’s simply not required, and data minimization is part of my set of ethics, and I’m happy that EU/GDPR sees it the same way. Not all data that you think is worth something to you is morally right to collect. You send data somewhere, even just to check for updates - ask me first. I do not want my hammer to report back how many nails I hammered in. I don’t want my software to reach out to the world without my consent.

sneak 4 hours ago|||

They expose to the developer that someone was using their software behind that IP address at that time. It also can frequently include private information. The events that occur on my computer are mine and do not belong to the developer of the software.

circadian 20 hours ago||

I would suggest that the default to enrolling people in supplying such information is the issue. In a world driven by surveillance capitalism, even "anonymous" data can be used for much broader purposes (think, for example, of when and where people are using tools geographically and at what times: you can start to track the behaviour of people in this way).

Users should never be opted in through usage alone of free or paid-for tooling to supply information that isn't part of the function of the tool. Where that is required for a service or product, you should opt-in explicitly, not implicitly.

stavros 20 hours ago||

That's fair, thanks.

tonymet 20 hours ago||

He’s better off vibecoding an include.sh that sets all the known do not track env vars for you.

sneak 4 hours ago||

Hi. I’m the one who made consoledonottrack.com (now expired and squatted) and originally specified and promoted this.

https://web.archive.org/web/20200613155957/https://consoledo...

I abandoned the project. Opting out of telemetry tells developers that opting us in automatically without consent is OK. It’s not.

Spyware is spyware even if it has an off switch.

Patch it out. Fork it. Don’t use spyware. Name and shame developers that accept pay checks to build spyware for corporations. Make it an economically bad choice to accept such jobs by poisoning the google results for the names of people who do this. Make them ashamed.

The one thing you DON’T want to do is validate their unethical model by opting out when you never opted in.

nixpulvis 19 hours ago||

Am I the only one who also finds it comical that rejecting cookies requires a cookie.

shevy-java 9 hours ago|

I personally do not use this. The reason is quite simple: I do not want to give out ANY information to external sites. Meaning, they could want to group me into "wants to be tracked" and "does not want to be tracked". I expect a general content blocker, which ublock origin is, to protect me from any malicious external actor, including horrible UI, such as nowadays google search has. I mean, just make a regular google search and then ask yourself why google places so many ads. Yes, ALL links to videos on youtube are also google ads - they self-promote themselves here.

We kind of need ublock origin on the operating system level - even more so as the new laws mandate age sniffing of everyone, tied to usage and access to the www (see the concomitant fight against VPN; that is the long road here, the "but but but the children!" is the lie, the cake, the carrot on the stick).

Ultimately one could ask "but the do not track thing is harmless" - the issue still is that I don't agree that my browser should betray me. Naturally since Google controls most browsers, can we trust Google? But, even aside from Google, can we trust other browsers? We need more diversity here again, but also more quality on every level. I consider the do_not_track as actually a you_will_be_marked and thus tracked.

More comments...