Closed Bug 858839 Opened 11 years ago Closed 11 years ago

Do Not Track is not respected on Mozilla Websites

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: evold, Unassigned)

References

Details

When I go to http://getfirefox.com/ I end up at http://www.mozilla.org/en-US/firefox/fx/?from=getfirefox which does not respect my Do Not Track preference..

IMO Google Analaytics should not even be part of the page if I request not to be tracked, but it appears as the the Do Not Track setting is not respected at all..
You misunderstand the point of DNT. See the discussion in bug 731314.
Assignee: mitchell → nobody
Status: NEW → RESOLVED
Closed: 11 years ago
Component: Miscellaneous → Analytics
Product: mozilla.org → www.mozilla.org
Resolution: --- → INVALID
gee I wonder how I made that mistake, I thought Do not track meant do not track...
This was also discussed and recently resolved in this bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14

tl;dr: We now have an option to opt-out of Google doing anything with the data that Google Analytics collections on Mozilla websites. GA tracking is anonymous and at the aggregate level and we use it to improve the experience of our websites.
(In reply to Chris More [:cmore] from comment #3)
> This was also discussed and recently resolved in this bug:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14
> 
> tl;dr: We now have an option to opt-out of Google doing anything with the
> data that Google Analytics collections on Mozilla websites. GA tracking is
> anonymous and at the aggregate level and we use it to improve the experience
> of our websites.

That's fine a dandy, but I'm pretty sure that users will not understand this nuisance, if a user is requesting to not be tracked I don't think they'll care how well intentioned or anonymous the tracking is.  It is still tracking.
s/nuisance/nuance
(In reply to Reed Loden [:reed] from comment #1)
> You misunderstand the point of DNT. See the discussion in bug 731314.

Reed do you work for Mozilla?
(In reply to Reed Loden [:reed] from comment #1)
> You misunderstand the point of DNT. See the discussion in bug 731314.

and do you work on mozilla.org?
(In reply to Chris More [:cmore] from comment #3)
> This was also discussed and recently resolved in this bug:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14
> 
> tl;dr: We now have an option to opt-out of Google doing anything with the
> data that Google Analytics collections on Mozilla websites. GA tracking is
> anonymous and at the aggregate level and we use it to improve the experience
> of our websites.

Chris who makes the decision to use GA on mozilla.org? whom should I be speaking to?
(In reply to Erik Vold [:erikvold] [:ztatic] from comment #6)
> Reed do you work for Mozilla?

No, not for a number of years. I'm still a very active contributor in the community, though.

(In reply to Erik Vold [:erikvold] [:ztatic] from comment #7)
> and do you work on mozilla.org?

Yes. I used to be the technical module owner, though I think I'm just a module peer nowadays. :)
(In reply to Reed Loden [:reed] from comment #9)
> (In reply to Erik Vold [:erikvold] [:ztatic] from comment #6)
> > Reed do you work for Mozilla?
> 
> No, not for a number of years. I'm still a very active contributor in the
> community, though.
> 
> (In reply to Erik Vold [:erikvold] [:ztatic] from comment #7)
> > and do you work on mozilla.org?
> 
> Yes. I used to be the technical module owner, though I think I'm just a
> module peer nowadays. :)

Ah alright I was wondering why I didn't see you in the phonebook.  I think I need to talk to the person that makes the decision to include GA on mozilla.org, do you know who that is?
(In reply to Erik Vold [:erikvold] [:ztatic] from comment #10)
> Ah alright I was wondering why I didn't see you in the phonebook.  I think I
> need to talk to the person that makes the decision to include GA on
> mozilla.org, do you know who that is?

There's a list of people in bug 793287, comment #0 that may help you...
Alight let's see what Chris says..
Flags: needinfo?(chrismore.bugzilla)
Mozilla.org is owned from a technical perspective from me and my Web Productions group: https://wiki.mozilla.org/Webdev/Web_Production

Mozilla.org is owned from a product perspective from Jen Bertsch, but as you imagine almost everyone is a stakeholder with the website.

I implemented GA on Mozilla.org and 40+ other websites at Mozilla.

Also, here is some DNT copy/paste text:

--

"Third-party analytics, provided third parties use first - party cookies and agree to only disclose data to first parties. Analytics are essential to the operation of many online businesses. Privacy interests with respect to the analytics provider are de minimis since the analytics provider is, by agreement, just outsourced first-party analytics Enforcement impact will be modest owing to the significant concentration of the analytics market."

"A few simple steps would significantly mitigate the privacy concerns raised by outsourced analytics. First, an analytics service should technologically limit user identifiers to each customer website. Tracking cookies, for example, should be restricted to a unique domain name for each customer. This limitation increases the difficulty of tracking a user across sites, while leaving unaffected the ability to observe a user on a particular site. Second, an analytics service should separately store and handle the data from each customer website using technical and business protections. Last, an analytics service should be contractually prohibited from using the data it collects."

--

Google Analytics uses first party cookies, the data is in silos per domain, and Mozilla has opted out of Google using the data for any other purpose. This was a year-long discussion with legal, privacy, governance, and many parties at Mozilla.
Flags: needinfo?(chrismore.bugzilla)
"owned" is a bit grey on mozilla.org, because it is the face of Mozilla and gets the most traffic of any other Mozilla website. Many teams have input on mozilla.org and my team technically created the platform and does releases on a daily basis.
Also, websites privacy policy:

http://www.mozilla.org/en-US/privacy-policy.html (search for web analytics)
(In reply to Chris More [:cmore] from comment #13)
> Mozilla.org is owned from a technical perspective from me and my Web
> Productions group: https://wiki.mozilla.org/Webdev/Web_Production
> 
> Mozilla.org is owned from a product perspective from Jen Bertsch, but as you
> imagine almost everyone is a stakeholder with the website.
> 
> I implemented GA on Mozilla.org and 40+ other websites at Mozilla.
> 
> Also, here is some DNT copy/paste text:
> 
> --
> 
> "Third-party analytics, provided third parties use first - party cookies and
> agree to only disclose data to first parties. Analytics are essential to the
> operation of many online businesses. Privacy interests with respect to the
> analytics provider are de minimis since the analytics provider is, by
> agreement, just outsourced first-party analytics Enforcement impact will be
> modest owing to the significant concentration of the analytics market."
> 
> "A few simple steps would significantly mitigate the privacy concerns raised
> by outsourced analytics. First, an analytics service should technologically
> limit user identifiers to each customer website. Tracking cookies, for
> example, should be restricted to a unique domain name for each customer.
> This limitation increases the difficulty of tracking a user across sites,
> while leaving unaffected the ability to observe a user on a particular site.
> Second, an analytics service should separately store and handle the data
> from each customer website using technical and business protections. Last,
> an analytics service should be contractually prohibited from using the data
> it collects."
> 
> --
> 
> Google Analytics uses first party cookies, the data is in silos per domain,
> and Mozilla has opted out of Google using the data for any other purpose.
> This was a year-long discussion with legal, privacy, governance, and many
> parties at Mozilla.

I'm afraid my point is completely missed or ignored.  All of the above is a bunch of legalese mumbo jumbo that normal human beings don't care about, at all.  I'm not concerned that we don't have a legal right to track people, I am concerned about the signals we send to our community and Mozilla's reputation.  I don't think that we can hold the practices of Google, Microsoft, or anyone else as our gold standard.

Here is my point as clear as I can make it right now:

In the Firefox preferences window I have a setting checked that says 'Tell websites that I do not want to be tracked' and mozilla.org is ignoring that.

This setting doesn't say anything about 3rd party cookies or 1st party cookies, or any of what is being used as a counter argument to my request.

I think it is clear that google analytics is being used to track visitors on mozilla.org, sure the data belongs to Mozilla, so Mozilla is tracking users on mozilla.org regardless of a Firefox user's request to not be tracked...

Does anyone here think we are not tracking users on mozilla.org?

Does anyone here think this will not hurt our reputation?

Firefox has many add-ons, some of which are being developed here at Mozilla, like Collusion, which help make it obvious to users which sites are tracking them, and all of these add-ons consider GA as software that is tracking users.

Can we please be the company that sets the gold standard of respect and privacy?
Hi Erik-

I'll set up some time for us to talk about your concerns this week.

Thanks,
Jen
Hey Erik: Good points and let's discuss.

Alex: Can you help here?

We use Web Analytics on www.mozilla.org and other Mozilla websites to improve the user experience and to test new features before rolling out to larger audiences. Since switching over from Webtrends to Google Analytics, we have found numerous issues with mozilla.org that were previously unknown. Web Analytics is critical going forward to help the websites team understand what works and what doesn't work for the betterment of the user experience. For example, a recent A/B test on the main Firefox download page revealed an unknown issue with IE8 that prevented users from downloading Firefox. The fix improved IE8 downloads by over 20%.

We've implemented GA separately on over 40+ websites at Mozilla and we understood that DNT, as currently defined, is not a direct concern because:

* Data is separated by website -- no cross website analytics
* 1st party cookies are used
* Metrics do not contain any PII
* 3rd party service have opted out of any additional use of the data -- The legal agreement with Google that resulted in a new feature for the entire world.

Any guidance would be appreciated.

Thanks
Flags: needinfo?(afowler)
(In reply to Erik Vold [:erikvold] [:ztatic] from comment #0)
> When I go to http://getfirefox.com/ I end up at
> http://www.mozilla.org/en-US/firefox/fx/?from=getfirefox which does not
> respect my Do Not Track preference..

Just as a side note unrelated to DNT since you mentioned getfirefox.com. getfirefox.com is similar to mozilla.com -- they are vanity URLs that 301 redirect to mozilla.org/firefox. mozilla.org/firefox is another redirect that determines if you are running one of the latest versions of Firefox or a non-Firefox/older Firefox version. If you are running a latest version of Firefox, you get redirect to /firefox/fx/, if you are running a non-Firefox or older Firefox, you get redirected to /firefox/new/. /firefox/new/ has the highest SEO for search terms like Firefox and thus most of the optimizations are on /firefox/new/. All of the /firefox content will be going through a major overhaul in Q2/Q3 2013.
Alex Fowler: Can we get your input here?
First, this is a great conversation. We haven't spent enough time digging into how we are going to interpret DNT on any of our sites, so thanks for kick-starting that effort.

There are a number of complexities to consider, because in a sense both Chris and Erik are correct. While the W3C chose to focus on cross site tracking by third parties, we know from surveys we've conducted of our users that they expect DNT to cover any party engaged in online tracking. The current formulation of the DNT setting in Firefox is ambiguous, so, without additional information, our users believe "no tracking" means "no tracking" if they turn it on.

In terms of GA, we have opted for an enterprise version where we are accountable for that data collection and have greater/direct control over subsequent uses of data related to our reports. This was critical in our decision to move to GA last year; a topic we discussed openly with the community at the time on our Governance list.* I think we can fully stand behind the due diligence we put into our decision to use GA versus previous analytics providers. Also, I don't believe we've compromised our visitors' privacy nor lowered our standards for privacy.

So, where does this leave us? For now, I'd suggest we continue to discuss how we want to begin to implement support DNT on our sites, looking for the obvious places where third party practices or service providers may be surprising to users. I think it would worth evaluating an implementation of GA where users with DNT are not included (e.g., what would that mean and how would it change our reports?). Perhaps there are other ways we can create more transparency, choice and control outside of DNT for this data.

*See https://groups.google.com/forum/?hl=en&fromgroups=#!search/mozilla$20governance$20google$20analytics/mozilla.governance/9IQvIubDOXU/0tWVVlrUJOQJ
Flags: needinfo?(afowler)
(In reply to Alex Fowler from comment #21)
> First, this is a great conversation. We haven't spent enough time digging
> into how we are going to interpret DNT on any of our sites, so thanks for
> kick-starting that effort.
> 
> There are a number of complexities to consider, because in a sense both
> Chris and Erik are correct. While the W3C chose to focus on cross site
> tracking by third parties, we know from surveys we've conducted of our users
> that they expect DNT to cover any party engaged in online tracking. The
> current formulation of the DNT setting in Firefox is ambiguous, so, without
> additional information, our users believe "no tracking" means "no tracking"
> if they turn it on.
> 
> In terms of GA, we have opted for an enterprise version where we are
> accountable for that data collection and have greater/direct control over
> subsequent uses of data related to our reports. This was critical in our
> decision to move to GA last year; a topic we discussed openly with the
> community at the time on our Governance list.* I think we can fully stand
> behind the due diligence we put into our decision to use GA versus previous
> analytics providers. Also, I don't believe we've compromised our visitors'
> privacy nor lowered our standards for privacy.
> 
> So, where does this leave us? For now, I'd suggest we continue to discuss
> how we want to begin to implement support DNT on our sites, looking for the
> obvious places where third party practices or service providers may be
> surprising to users. I think it would worth evaluating an implementation of
> GA where users with DNT are not included (e.g., what would that mean and how
> would it change our reports?). Perhaps there are other ways we can create
> more transparency, choice and control outside of DNT for this data.
> 
> *See
> https://groups.google.com/forum/?hl=en&fromgroups=#!search/
> mozilla$20governance$20google$20analytics/mozilla.governance/9IQvIubDOXU/
> 0tWVVlrUJOQJ

So it looks like you suggest having a discussion about this, but there has been none..

Where should this discussion take place in a manner where a decision can actually be made and people don't just waste time talking?

Erik
Flags: needinfo?(afowler)
As I see it, there are three sore spots on which Erik has laid his finger:

1) DNT as a Firefox feature is obviously broken, because as Alex notes, it does not do what users expect it to. Erik even argues it does nothing whatsoever and is therefore an anti-feature. Certainly it is a fair point.

2) Should Mozilla do third party tracking (when receiving DNT headers) on its own sites if that third party makes some assurances about it may do with the data? As a user, I am completely unpursuaded that third-party tracking is somehow not third party tracking if the third party promises not to do anything appalling with the data. Mozilla has no way to verify whether such promises are kept, but even if they were: Google is still a third party!

3) Should Mozilla, on its own websites, actually do what users expect from DNT, which is to do no tracking at all? This notion seems to fit rather well with Mozilla's stated mission to improve web users' privacy protection.

In my view, tracking only serves one purpose: to gather information about a visitor, or in other words, to reduce that person's privacy. I do not believe people who say that reducing my privacy is necessary to improve their website. You can do that just as well without recording my IP address.
DNT does exactly what it's designed to do; sends a message to websites that the user does not want to be tracked. The reason that it's implemented in the way it is, is because there are no technical measures we can take (which don't break the web) to achieve as big an effect as DNT potentially can. Saying "it's broken" because it's not magic pixie dust is unfair.

Exactly what "do not track" means in a particular context, though, could fill a book and will vary from user expectation to user expectation. Mozilla is trying to achieve consensus on this point across the industry. For me, I think there are some things it clearly means, some things it clearly doesn't, and some things on which opinions will vary.

What does respecting the DNT header mean?

It means:
- Don't track me, or let anyone else track me, across sites owned by different owners.
- Don't build a profile on me as a person based on my browsing behaviour.
- You can't outsource your analytics unless the provider also agrees not to do any of the above.

It doesn't mean:
- Don't use cookies at all
- Don't do any analytics on how visitors use your site
- You can't ever outsource your analytics

Opinions vary:
- Don't let anyone track me across sites owned by the same owner.
- Don't build an anonymous profile on me based on my browsing behaviour.

> In my view, tracking only serves one purpose: to gather information about a visitor, or in > other words, to reduce that person's privacy.

Even for e.g. ad companies, reducing a person's privacy is not a purpose, or goal. It's a side effect of what they want to do (in that case, show contextual ads).

Gerv
(In reply to Gervase Markham [:gerv] from comment #25)
> Saying "it's broken" because it's not magic pixie dust is unfair.

Fair enough.

> What does respecting the DNT header mean?
> 
> It means:
> - Don't track me, or let anyone else track me, across sites owned by
> different owners.

Just because Tycoon Inc. owns the 50 largest sites which happen to constitute the bulk of my web browsing, that doesn't mean that Tycoon should be exempt from my request not to be tracked, and still claim to respect my request. I will note that the Firefox preferences state "tell sites I do not want to be tracked", not "tell sites I do not want to be tracked, except by very large companies who own lots of websites", or even "tell sites I do not want to be tracked, except if I repeatedly visit the same website".
(In reply to Gervase Markham [:gerv] from comment #25)
> It doesn't mean:
> - Don't use cookies at all
> - Don't do any analytics on how visitors use your site
> - You can't ever outsource your analytics

On reflection, I think I disagree here - not as an absolute matter of principle, but in order to make it *evident to DNT:1 visitors* that you are complying with their request, it seems appropriate not to do these things.
The claim that GA or equivalent is needed to improve the web site is a red herring. Even when respecting do not track, GA can still be used on the vast majority of browsers that have not turned on DNT. That would be fully sufficient, for example, to notice and correct the IE8 download problem that was mentioned. 

The request here is to turn of GA for users who have explicitly requested not to be tracked, not to turn off analytics for all users.
(In reply to Zack Weinberg (:zwol) from comment #27)
> (In reply to Gervase Markham [:gerv] from comment #25)
> > It doesn't mean:
> > - Don't use cookies at all
> > - Don't do any analytics on how visitors use your site
> > - You can't ever outsource your analytics
> 
> On reflection, I think I disagree here - not as an absolute matter of
> principle, but in order to make it *evident to DNT:1 visitors* that you are
> complying with their request, it seems appropriate not to do these things.


If you're saying that the users request is "don't track me", full stop (ie, they misunderstand the real implications of DNT), and that it's important to meet that expectation regardless of correctness, why are you drawing the line at cookies and analytics? Shouldn't IP addresses be stripped from log files. HTTPS would need to be a requirement. Even first-party user account log in is nearly always a trackable action (or leads to trackable action); should it be disabled for DNT:1 users?

Another issue is clearly the aspects of communication outside the control of the requested website. Having DNT enabled will not prevent Comcast data capture, or an IP address from ending up in a Cisco router log file somewhere. If the attempt here is to say to the user "if you have this turned on, YOU WILL NOT BE TRACKED", without needing to give context, technical explanations, or caveats, how can that be done with so much being uncontrollable?

If the goal is being able to say "well, WE complied with their request", even if in actuality tracking is still happening as part of a DNT:1 request, what is the benefit? The real definition of DNT is being ignored, and the feel-good definition of "you get what you ask for" is not happening either.
Several of us Mozillians had a good chat on IRC about this this morning and I ended up reading the IEFT proposed standard. (as a side note, it made front page first link of HN)

I think the problem here is this:

We present this feature to the user as: "Tell sites that I do not want to be tracked" 

That's a pretty bold statement without exceptions...unless you read the standard.

Section 9.2 (http://tools.ietf.org/id/draft-mayer-do-not-track-00.txt) defines tracking as pretty much everything, and 9.3 provides exceptions to tracking.

We utilize one of those exceptions in order to use GA on mozilla.org and our other various sites. At no point in time was the average end user informed there were exceptions. This provides the illusion that we're lying to our end user. We allowed them to opt out of tracking, and then tracked them. This gives us a bad rap, and I think why some of the 29 comments in this post are so passionate. :)

A proposal would be to change the wording to "Tell sites that I do not want to be tracked*", and have a footnote or a section in the "Learn More" link that discusses exceptions (without having to read the entirety of the standard). Without exposing our users to the exceptions, we look like liars (even though we're not).
(In reply to Brandon Johnson [:cyborgshadow] from comment #30)
> Several of us Mozillians had a good chat on IRC about this this morning and
> I ended up reading the IEFT proposed standard. (as a side note, it made
> front page first link of HN)
> 
> I think the problem here is this:
> 
> We present this feature to the user as: "Tell sites that I do not want to be
> tracked" 
> 
> That's a pretty bold statement without exceptions...unless you read the
> standard.
> 
> Section 9.2 (http://tools.ietf.org/id/draft-mayer-do-not-track-00.txt)
> defines tracking as pretty much everything, and 9.3 provides exceptions to
> tracking.
> 
> We utilize one of those exceptions in order to use GA on mozilla.org and our
> other various sites. At no point in time was the average end user informed
> there were exceptions. This provides the illusion that we're lying to our
> end user. We allowed them to opt out of tracking, and then tracked them.
> This gives us a bad rap, and I think why some of the 29 comments in this
> post are so passionate. :)
> 
> A proposal would be to change the wording to "Tell sites that I do not want
> to be tracked*", and have a footnote or a section in the "Learn More" link
> that discusses exceptions (without having to read the entirety of the
> standard). Without exposing our users to the exceptions, we look like liars
> (even though we're not).

Just popping in here.
I really think this is a two legged problem.
The first one is the DNT feature in FF, you responded to that. Agreed.
But the second one is that mozilla.org isn't respecting the WISH not to be tracked. As mentioned before, you really dont NEED the tracking. And you can still use it for a large userbase who have DNT disabled. It might not be shared with 3rd parties, nor be personal, but it IS tracking.
I agree with Erik. I think we should disable GA for users with DNT enabled. I don't believe it will negatively impact our aggregate data and I think it's more in the spirit of DNT and the Mozilla mission as a whole.
(In reply to Paul McLanahan [:pmac] from comment #33)
> I agree with Erik. I think we should disable GA for users with DNT enabled.
> I don't believe it will negatively impact our aggregate data and I think
> it's more in the spirit of DNT and the Mozilla mission as a whole.

I'm not in the Metrics team and I think we'd need to ask them, but I think it would have a negative impact.

One big problem we have with opt-in telemetry and similar initiatives is skew - the people who opt-in are not a cross-section of the population. You have a similar problem with DNT in reverse - the people who opt out are not a cross-section, and so your remaining population is skewed.

It should be possible to run a good website, well and effectively, in a privacy-respecting way, even if _every_ user uses DNT: 1. If that's not possible because DNT stops you doing some of the things you need to do to achieve it, then there's something wrong with the definition of "track".

Gerv
> One big problem we have with opt-in telemetry and similar initiatives is
> skew - the people who opt-in are not a cross-section of the population. You
> have a similar problem with DNT in reverse - the people who opt out are not
> a cross-section, and so your remaining population is skewed.
> 
> It should be possible to run a good website, well and effectively, in a
> privacy-respecting way, even if _every_ user uses DNT: 1. If that's not
> possible because DNT stops you doing some of the things you need to do to
> achieve it, then there's something wrong with the definition of "track".
> 
> Gerv

I agree completely, and that's why my proposal was not to remove the tracking (we understand we need non-identifying data about site visits, and DNT doesn't block that even for first party tracking) but to shed light on the fact that "hey, there's exceptions." Because the message we broadcast overall is very direct and doesn't sound like it has an exceptions. This changes the user perspective on what happens when they see us track something from "They lied. They're tracking me and I opted out of tracking." to "Oh, they must be using one of the exceptions they pointed out."

The small bit of additional information would change the end user perspective from a negative view to a neutral one, which is always better.
(In reply to Gervase Markham [:gerv] from comment #34)
>
> It should be possible to run a good website, well and effectively, in a
> privacy-respecting way, even if _every_ user uses DNT: 1. If that's not
> possible because DNT stops you doing some of the things you need to do to
> achieve it, then there's something wrong with the definition of "track".

I disbelieve that it is impossible to "run a good website" even if every user uses DNT:1 *and* DNT:1 is interpreted in an utterly absolutist manner -- no analytics, no IP logs, no nothin'.

Or, actually, with my ethicist hat on: If you *think* you need some form of tracking data in order to "run a good website", then you should reconsider both whether there are other means to the ends that seem to require tracking data, and whether the ends themselves are truly necessary.

That said, most of the exceptions in §9.3 of draft-mayer-do-not-track-00.txt seem /prima facie/ reasonable (I would strike points 2 and 4). I would support a more nuanced presentation of the client-side feature + user education as to "what DNT actually means", as suggested by Brandon.
(In reply to Gervase Markham [:gerv] from comment #34)
> It should be possible to run a good website, well and effectively, in a
> privacy-respecting way, even if _every_ user uses DNT: 1. If that's not
> possible because DNT stops you doing some of the things you need to do to
> achieve it, then there's something wrong with the definition of "track".

This is a strawman because that will never happen. If people don't want to be tracked, then they also don't want their actions to affect how the site is developed. I like that it's their decision. Most people won't opt-out and we'll work with what we have because it's all we can do. If everyone did enable DNT then DNT would cease to be useful and would go away.
And if we do respect privacy and DNT (which we do) and do care about collecting that last bit of data from people who've enabled it, then we'd run our data collection and analytics in-house and moot the point. The bit that's catching us up is the 3rd party. We're allowed to do what we want with aggregate data about our own traffic, but sharing that with a 3rd party is what I'd expect DNT to prevent, even if that's not what the spec technically says, and even if there's a more nuanced explanation in the settings.
So maybe the text in the UI jut needs to be changed to be more accurate. Instead of "Do Not Track", something along the lines of "Request No Tracking Across Sites" or "Request No Cross-Site Tracking". This clarifies that it isn't the browser stopping tracking, it is the browser asking the sites not to, which they may or may not implement. It also clarifies that what is being requested not to happen is using the same identifier across sites and between different parties.
(In reply to Brandon Johnson [:cyborgshadow] from comment #30)
> Several of us Mozillians had a good chat on IRC about this this morning and
> I ended up reading the IEFT proposed standard. (as a side note, it made
> front page first link of HN)

DNT won't be standardized in the IETF.  That's an old draft (note the expiration date "Expires: September 8, 2011").  The W3C is the body who has been discussing it for the last two years:
http://www.w3.org/2011/tracking-protection/
http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html

Can I encourage all to take this to dev-privacy, governance or a discussion forum like these?  A resolved bug is not the best place to debate semantics of a not-yet-standardized feature.
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #40)
> (In reply to Brandon Johnson [:cyborgshadow] from comment #30)
> > Several of us Mozillians had a good chat on IRC about this this morning and
> > I ended up reading the IEFT proposed standard. (as a side note, it made
> > front page first link of HN)
> 
> DNT won't be standardized in the IETF.  That's an old draft (note the
> expiration date "Expires: September 8, 2011").  The W3C is the body who has
> been discussing it for the last two years:
> http://www.w3.org/2011/tracking-protection/
> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html
> 
> Can I encourage all to take this to dev-privacy, governance or a discussion
> forum like these?  A resolved bug is not the best place to debate semantics
> of a not-yet-standardized feature.

+1 to Sid's comment.

This is not solely a www.mozilla.org concern. There are 100+ Mozilla project websites with GA enabled that helps product owners/managers understand how to provide an improved user experience and to make sure we are not "shooting in the dark" with revisions to interfaces. The data is aggregated anonymous trends, uses first-party cookies, and we have opted out on the GA side that Google or no other 3rd party can use this data. This is a great conversation and I agree that it should be moved to dev-privacy/governance because the decision should be comprehensive of all Mozilla web properties and not just www.mozilla.org.
Lots of discussion at https://news.ycombinator.com/item?id=6132718.
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #40)
> (In reply to Brandon Johnson [:cyborgshadow] from comment #30)
> > Several of us Mozillians had a good chat on IRC about this this morning and
> > I ended up reading the IEFT proposed standard. (as a side note, it made
> > front page first link of HN)
> 
> DNT won't be standardized in the IETF.  That's an old draft (note the
> expiration date "Expires: September 8, 2011").  The W3C is the body who has
> been discussing it for the last two years:
> http://www.w3.org/2011/tracking-protection/
> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html
> 
> Can I encourage all to take this to dev-privacy, governance or a discussion
> forum like these?  A resolved bug is not the best place to debate semantics
> of a not-yet-standardized feature.

Defining DNT is a separate issue from the issue of how Mozilla respects privacy.
Sure, but please take it to a public forum instead of this closed bug.  Or better yet, help the W3C define DNT (http://www.w3.org/2011/tracking-protection/) since we've been working on it there for a couple of years.
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #44)
> Sure, but please take it to a public forum instead of this closed bug.  Or
> better yet, help the W3C define DNT
> (http://www.w3.org/2011/tracking-protection/) since we've been working on it
> there for a couple of years.

I have a feeling that will be a huge waste of time, but I shall try.
Flags: needinfo?(afowler)
Component: Analytics → Other
Product: www.mozilla.org → Websites
Summary: Do Not Track is not respected on mozilla.org → Do Not Track is not respected on Mozilla Websites
See Also: → 1136169
You need to log in before you can comment on or make changes to this bug.