Comment by maccard

4 hours ago

The problem with this is that DNT header is used by such a tiny minority of people that it’s basically a walking unique identifier for all of the side channels. Arguably it’s as identifying as the cookie you’re asking them not to store in the first place.

This is such a tired HN cliche response and it comes up as a negative whenever people mention things that actually improve users' privacy, even ad blockers.

It honestly boils down to this:

If some website is breaking GDPR regulations, sure, you might get somehow fingerprinted. (EDIT: Because, surprise, fingerprinting also requires consent under GDPR!)

But for websites actually following the law, DNT is effective at best, ignored at worst. Because fingerprinting is also PII.

Sure: saying "people might fingerprint you" is technically correct. But virtually everything else in your browser, from the size in pixels of your browser tab to your IP address can be used for fingerprinting by malicious actors.

So yeah, if you have to use TOR (which actually has actual anti-fingerprinting measures), go ahead and remove the DNT bit. If you don't need TOR, get an ad-blocker ASAP so it at least protects you from AdWare and Tracking stuff that might fingerprint you.

  • > This is such a tired HN cliche response and it comes up as a negative whenever people mention things that actually improve users' privacy, even ad blockers.

    We’re talking about regulation here. Some things (like ad blockers) are a unanimous win for privacy but have nothing to do with regulation.

    > If some website is breaking GDPR regulations, sure, you might get somehow fingerprinted.

    The ePrivacy Directive (cookie law) has nothing to do with GDPR. The directive only deals with cookies, and informed consent for the cookies. If the goal is to improve privacy it’s a failure because it doesn’t touch any of the other numerous ways that tracking happens. If it’s to improve how websites handle cookies then it’s succeeded there I guess, but to what end?

    GDPR on the other hand is a better attempt. It’s not perfect but it actually gets to the heart of it. GDPR changed behaviours, the cookie law slapped a banner in front of half the western world and continued as things were.

    • Most of this reply has nothing to do with mine.

      Your post that I replied to was about fingerprinting caused by DNT.

      This has nothing to do with ePrivacy. Websites don't get to "follow one regulation but not another", so if you fingerprint someone and create an ID that can identify someone, that's PII. If you don't get consent, you're breaking GDPR, period, regardless of following ePrivacy or not.

      Once again: the DNT header is only an issue for fingerprinting and side-channels on websites that DON'T follow GDPR.

      I mentioned ad blocking because anti-ad-blocking posts here also mention the same concern about "ad blocking helping fingerprinting".

I believe Firefox ships it enabled. So, it's already evident from my browser of choice.

Like security, it's a matter of tradeoff and reducing the surface area.