Do Not Track: seems overly aggressive


#1

Piwik v1.8 now respects the Do Not Track header.

When Do Not Track is enabled, it seems very aggressive. When I first read about the feature, I assumed it would not track personal information. For example it might not give them a cookie, and might track fewer of the details such as HTTP referrer. But now I think it excludes their visits entirely. They are just … invisible. My overall metrics, such as total pageviews, will exclude such users. That seems like overall.

This behavior does jive with the recommendation from donottrack.us, in particular Do Not Track - Universal Web Tracking Opt-out. The recommended Apache configuration will not record ANYTHING for visitors with the DNT header.

Both seem overly aggressive with respect to the IETF recommendation.

In other words, the IETF is saying these changes affect third-party tracking services not first-party tracking services. They are not saying we can’t “count” their visit, or keep security logs. They are saying we should not track data which is linked to a particular person.


(mahdi1234) #2

I agree DNT is very aggressive, I’ve also noticed that browser extensions such as NoScript send DNT even for whitelisted domains (in particular for DNT this has to be enabled very low hidden in about:config for each domain manually :/) so I decided to disable DNT as I was missing quite a lot of data.

Also since you need to first enable the plugin in the piwik and then disable DNT in the settings --> this is quite confusing and I’m not surprised so many users are complaining in the forums about having less/missing visits. One would expect with inactive plugin DNT would be ignored not the opposite.


#3

re: you need to first enable the plugin in the piwik and then disable DNT in the settings --> this is quite confusing

Umm, I don’t think this is true. In v1.8.2 and presumably all of v1.8.x, the ‘enabled’ state of the Do Not Track plug-in is controlled by the selection under “Support Do Not Track preference” in the Privacy tab. So, you can enable or disable Do Not Track through two means: the Privacy tab or by enabling / disabling the plug-in. The toggle on the Privacy tab is just a bit more front-and-center. What it does is enable/disable the plug-in.

re: One would expect with inactive plugin DNT would be ignored not the opposite
When the Do Not Track plug-in is enabled, Piwik will respect the DNT header in the browser. This makes sense to me.


(mahdi1234) #4

I agree that it behaves like that once plugin has been at least once activated, however when I upgraded from 1.7.1 to 1.8 plugin has been disabled in the plugin list while I still wasn’t able to track any visits with NoScript enabled, going deeper into issue I figured out that I had to first enable plugin and then disable (either under privacy or plugin itself), to make it work. Now it behaves correctly, could be related to my specific upgrade case, who knows, anyway I guess it’s good to share my experience.


(Matthieu Aubry) #5

mahdi1234 thanks for your report, it might indeed help other users; I’ll suggest that to other users.

Regarding the “over-aggressive DNT”, this is potentially true: in the future we might enable by default a “degraded” tracking for DNT (i.e. anonymized IP, no referrer or similar), but like everything it takes time to implement :wink:
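
The "degraded" tracking idea from the post above, sketched as an added example; it is not part of the thread and not Piwik code. The policy names, the record fields and the /24 and /48 masks are assumptions made for illustration, and the sample addresses are constructed.

```python
import ipaddress

# Hypothetical policy names, chosen for this example only.
DROP, DEGRADED, IGNORE = "drop", "degraded", "ignore"


def anonymize_ip(addr):
    """Mask the host part of an address: keep /24 for IPv4, /48 for IPv6."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def build_visit_record(headers, remote_addr, url, visitor_id, policy=DEGRADED):
    """Return the record to store for one pageview, or None if nothing is stored."""
    # HTTP header names are case-insensitive, so normalise them first.
    h = {name.lower(): value for name, value in headers.items()}
    full = {
        "url": url,
        "ip": remote_addr,
        "referrer": h.get("referer"),
        "visitor_id": visitor_id,
    }
    # Only the exact value "1" is an opt-out; "0" or a missing header is not.
    opted_out = h.get("dnt", "").strip() == "1"
    if policy == IGNORE or not opted_out:
        return full
    if policy == DROP:
        # The behaviour discussed in this thread: the visit is invisible,
        # so totals such as pageviews undercount.
        return None
    # DEGRADED: the pageview still counts, but nothing ties it to a person:
    # no visitor id (so no cookie is needed), no referrer, masked IP.
    return {
        "url": url,
        "ip": anonymize_ip(remote_addr),
        "referrer": None,
        "visitor_id": None,
    }
```
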


#6

What I learned when looking at mahdi1234’s question is that Do Not Track is implemented as a plug-in. So, I’m guessing someone could create a similar plugin with slightly different behavior. And, I’m guessing that behavior won’t get lost during an automatic update. That is pretty sweet really: I’ve been reluctant to look into the PHP code for this, because I don’t want to customize the code in a manner which will prevent easily updating to the latest version. But the plug-in system appears to address this.

Related question: how stable is the plug-in API? For example if someone were to implement a less-aggressive Do Not Track plug-in, how likely is it that this plug-in will need to be updated when Piwik is updated?


#7

We have a prior thread about this issue. Basically, the do not track feature in piwik is not a correct implementation of the browser flag for do not track. That flag refers to third party cookies. Piwik cookies are first party and are completely acceptable under the rules for do not track. I am hoping the next release will remove this “feature” or at least turn it off by default. It is incorrect.


#8

Do you know how to fix this?
Since I updated to 1.8, I have noticed piwik is not tracking firefox visits if they have do not track enabled.
I have not checked in IE and Chrome yet.


(vipsoft) #9

The Piwik implementation is as complete as possible wrt the draft spec.

The software doesn’t know if it is being used as a first or third party tracker. It errs on the side of privacy.

The software also doesn’t implement “/well-known/dnt” because that’s a server-wide declaration, and Piwik can’t vouch for other web apps.