by jmillikin 4925 days ago
Sending servers a "Do-Not-Track" header is like putting a "please don't look at my house!" sign on your porch. It's a request to forbid a fairly harmless behavior (cross-site cookies) which is potentially a prelude to malicious behavior (robbing your house / mapping a visitor's browser to a person).

There's also the problem of how vague the spec is. For example, it states "A first party is a functional entity with which the user reasonably expects to exchange data", and then says that DNT should block non-first-parties from storing data about the user. So should YouTube be forbidden from logging in the user based on their Google cookie? After all, most users don't know that they're the same company, and wouldn't expect visiting YouTube to use information from Google. Same applies to any other "big company / acquisition" pair, such as Facebook/Instagram.

It would be much better to forbid the malicious behavior itself, such as by writing privacy laws that require companies to obtain explicit consent before distributing data collected from or about users. That would have stopped events like "I visited some random website and they knew my address!"


> Sending servers a "Do-Not-Track" header is like putting a "please don't look at my house!" sign on your porch

If we must make an analogy, it might be more like, "please don't sell photos of my house without my approval." But even that isn't a good analogy because houses aren't people visiting websites.

There are many uses of cross-site cookies that do not involve selling users' personal data. The most obvious one is customized ads (as used by Google et al), but shared logins and hosted commenting systems are also common.

Arguably customized ads is still selling user's personal data, but the other examples are valid, yeah.

> Arguably customized ads is still selling user's personal data

I think this is not true, and that it's an important distinction to make.

Selling a user's data means that a site has taken information the user gave them, and sent that data to a third party in some non-anonymous format. It's an unconscionable breach of trust. When there's some service that tells any site a user visits what that visitor's home address is, that's horrifying. It's like having a friend who forwards your private Facebook posts to 4chan.

In contrast, when a service uses personal data to change what ads are shown, the data is never sent to a third party. If you tell Google my address so map search gives local results, then they might use that to filter out ads for stores in a different state, but they won't tell those stores where you live.

I definitely see the difference. However, even in the second case, the user's data is being used to make a profit; the company collecting the data and showing the ads is making the ads more valuable - i.e. making more money off of them - with the user's data.

Again, I totally agree that selling the data to a third party is much worse.