DevHeads.net

Review Request: GUI configuration for the 'Do Not Track' feature...

Review request for kdelibs.

Summary
The attach patch adds GUI configuration for the 'Do Not Track' feature that has just been implemented in kio_http[1]. Support for the Do Not Track functionality exists in almost all of the recent versions of the major browsers. The draft spec for this feature can be found at <a href="http://www.ietf.org/id/draft-mayer-do-not-track-00.txt" title="http://www.ietf.org/id/draft-mayer-do-not-track-00.txt">http://www.ietf.org/id/draft-mayer-do-not-track-00.txt</a>.

[1] <a href="http://commits.kde.org/kdelibs/6c0da96a5735ca3517350791bf7b49f558837553" title="http://commits.kde.org/kdelibs/6c0da96a5735ca3517350791bf7b49f558837553">http://commits.kde.org/kdelibs/6c0da96a5735ca3517350791bf7b49f558837553</a>

Anyhow, the patch also includes cleanup of the code in htmlopts.cpp. Any objections, insights, suggestions are all welcome before I commit this.

Diffs
konqueror/settings/konqhtml/htmlopts.h b0faf0d
konqueror/settings/konqhtml/htmlopts.cpp 1ca17cb

Diff: <a href="http://git.reviewboard.kde.org/r/101124/diff" title="http://git.reviewboard.kde.org/r/101124/diff">http://git.reviewboard.kde.org/r/101124/diff</a>

Testing

Thanks,

Dawit

Comments

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By Dawit A at 04/14/2011 - 13:08

(Updated April 14, 2011, 5:08 p.m.)

Review request for kdelibs.

Changes
Based on Maksim's feedback, updated comment in the code to correctly reflect what the code is actually doing.

Summary
The attach patch adds GUI configuration for the 'Do Not Track' feature that has just been implemented in kio_http[1]. Support for the Do Not Track functionality exists in almost all of the recent versions of the major browsers. The draft spec for this feature can be found at <a href="http://www.ietf.org/id/draft-mayer-do-not-track-00.txt" title="http://www.ietf.org/id/draft-mayer-do-not-track-00.txt">http://www.ietf.org/id/draft-mayer-do-not-track-00.txt</a>.

[1] <a href="http://commits.kde.org/kdelibs/6c0da96a5735ca3517350791bf7b49f558837553" title="http://commits.kde.org/kdelibs/6c0da96a5735ca3517350791bf7b49f558837553">http://commits.kde.org/kdelibs/6c0da96a5735ca3517350791bf7b49f558837553</a>

Anyhow, the patch also includes cleanup of the code in htmlopts.cpp. Any objections, insights, suggestions are all welcome before I commit this.

Diffs (updated)
konqueror/settings/konqhtml/htmlopts.h b0faf0d
konqueror/settings/konqhtml/htmlopts.cpp 1ca17cb

Diff: <a href="http://git.reviewboard.kde.org/r/101124/diff" title="http://git.reviewboard.kde.org/r/101124/diff">http://git.reviewboard.kde.org/r/101124/diff</a>

Testing

Thanks,

Dawit

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By Dawit A at 04/16/2011 - 00:41

(Updated April 16, 2011, 4:41 a.m.)

Review request for kdelibs.

Changes
Changed the label of the DNT option as shown in the attached screenshot.

Summary
The attach patch adds GUI configuration for the 'Do Not Track' feature that has just been implemented in kio_http[1]. Support for the Do Not Track functionality exists in almost all of the recent versions of the major browsers. The draft spec for this feature can be found at <a href="http://www.ietf.org/id/draft-mayer-do-not-track-00.txt" title="http://www.ietf.org/id/draft-mayer-do-not-track-00.txt">http://www.ietf.org/id/draft-mayer-do-not-track-00.txt</a>.

[1] <a href="http://commits.kde.org/kdelibs/6c0da96a5735ca3517350791bf7b49f558837553" title="http://commits.kde.org/kdelibs/6c0da96a5735ca3517350791bf7b49f558837553">http://commits.kde.org/kdelibs/6c0da96a5735ca3517350791bf7b49f558837553</a>

Anyhow, the patch also includes cleanup of the code in htmlopts.cpp. Any objections, insights, suggestions are all welcome before I commit this.

Diffs (updated)
konqueror/settings/konqhtml/htmlopts.h b0faf0d
konqueror/settings/konqhtml/htmlopts.cpp 1ca17cb

Diff: <a href="http://git.reviewboard.kde.org/r/101124/diff" title="http://git.reviewboard.kde.org/r/101124/diff">http://git.reviewboard.kde.org/r/101124/diff</a>

Testing

Screenshots
Screenshot
<a href="http://git.reviewboard.kde.org/r/101124/s/128/" title="http://git.reviewboard.kde.org/r/101124/s/128/">http://git.reviewboard.kde.org/r/101124/s/128/</a>

Thanks,

Dawit

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By Dawit A at 04/17/2011 - 12:22

(Updated April 17, 2011, 4:22 p.m.)

Review request for kdelibs.

Changes
- Changed the implementation such that:
* DNT:0 is never ever sent to the server since no header supposedly implies OPT-IN
by default according to the spec listed in the description section.
* By default the DNT:1 header to OPT-OUT is not sent. The user would have to explicitly
enable this functionality just like in Firefox 4.
- Updated label to make it clear that we are only sending a header. See new screenshot.

Summary
The attach patch adds GUI configuration for the 'Do Not Track' feature that has just been implemented in kio_http[1]. Support for the Do Not Track functionality exists in almost all of the recent versions of the major browsers. The draft spec for this feature can be found at <a href="http://www.ietf.org/id/draft-mayer-do-not-track-00.txt" title="http://www.ietf.org/id/draft-mayer-do-not-track-00.txt">http://www.ietf.org/id/draft-mayer-do-not-track-00.txt</a>.

[1] <a href="http://commits.kde.org/kdelibs/6c0da96a5735ca3517350791bf7b49f558837553" title="http://commits.kde.org/kdelibs/6c0da96a5735ca3517350791bf7b49f558837553">http://commits.kde.org/kdelibs/6c0da96a5735ca3517350791bf7b49f558837553</a>

Anyhow, the patch also includes cleanup of the code in htmlopts.cpp. Any objections, insights, suggestions are all welcome before I commit this.

Diffs (updated)
konqueror/settings/konqhtml/htmlopts.h b0faf0d
konqueror/settings/konqhtml/htmlopts.cpp 1ca17cb

Diff: <a href="http://git.reviewboard.kde.org/r/101124/diff" title="http://git.reviewboard.kde.org/r/101124/diff">http://git.reviewboard.kde.org/r/101124/diff</a>

Testing

Screenshots (updated)
screenshot
<a href="http://git.reviewboard.kde.org/r/101124/s/130/" title="http://git.reviewboard.kde.org/r/101124/s/130/">http://git.reviewboard.kde.org/r/101124/s/130/</a>

Thanks,

Dawit

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By Commit Hook at 04/18/2011 - 23:53

This review has been submitted with commit 5daad5fc120c00a69f312bd7f868c3460ef78a5b by Dawit Alemayehu.

- Commit

On April 17, 2011, 4:22 p.m., Dawit Alemayehu wrote:

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By Maksim Orlovich at 04/14/2011 - 18:26

Ah, I misread the default. But still, I don't think we want to send
DNT:0 if the user unchecks the checkbox, given how the label is worded
-- IMHO we wouldn't want to send the header at all.

On 4/14/11, Dawit Alemayehu < ... at kde dot org> wrote:

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By Dawit A at 04/15/2011 - 09:24

On Thu, Apr 14, 2011 at 6:26 PM, Maksim Orlovich < ... at cornell dot edu> wrote:
That makes no sense especially since not sending the header is
currently equivalent to DNT: 1. The configuration option is there to
allow the user to opt-in if they so choose. Otherwise, it makes no
sense to have the configuration option in the first place. Anyhow, I
copied the wording verbatim from Firefox 4.0 configuration dialog and
as such can be changed to whatever we want. Perhaps I should have
labeled it like most other KDE option:

[ ] Allow websites I visit to track my browsing habits

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By Oswald Buddenhagen at 04/15/2011 - 09:56

On Fri, Apr 15, 2011 at 09:24:47AM -0400, Dawit Alemayehu wrote:
(*) not that konqueror would be in any way significant, but whatever...

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By Ingo =?iso-8859... at 04/15/2011 - 15:00

On Friday 15 April 2011, Oswald Buddenhagen wrote:
Ossi is right. NO-EXPRESSED-PREFERENCE (header is missing) is equivalent
to OPT-IN (DNT: 0) as in both cases "a server MAY perform THIRD-PARTY
TRACKING".

Sorry, but this argumentation is ridiculous. Bad data miners will ignore
the standard no matter what.

You do realize that people do not read dialogs? Most users will have no
clue what the dialog is talking about and just click Yes. OTOH, we, the
developers, know exactly what it means. Therefore, we are not just
entitled to but we are obliged to use the sensible default (OPT-OUT)
without asking the user questions he does not understand.

Regards,
Ingo

Re: Review Request: GUI configuration for the 'Do Not Track'?fea

By Oswald Buddenhagen at 04/16/2011 - 11:54

On Fri, Apr 15, 2011 at 09:00:11PM +0200, Ingo Klöcker wrote:
fwiw, the firefox 4 default is opt-in. and for some reason the setting
isn't even under "privacy", but under "advanced".

Re: Review Request: GUI configuration for the 'Do Not Track'?fea

By Dawit A at 04/16/2011 - 15:52

On Sat, Apr 16, 2011 at 11:54 AM, Oswald Buddenhagen < ... at kde dot org> wrote:
Though I agree with the premise, you argument is not entirely correct
and using it as a justification for why the opt-out should not be
default is completely wrong.

First, the idea that DNT affects most sites lively hood is something
that has already been dispelled. For most sites, there is no reason to
track your browsing habits to provide reasonable advertising on their
pages. For example, if you were to visit a wine related page, then it
is reasonable for you to expect to see wine related ads on that page.
The idea of specifically targeting ads based on more specific
information is mostly the domain of sites that collect vast amount
about you and what you do online, e.g. google/facebook. There a lot
more information about this and related subject at
<a href="http://donottrack.us" title="http://donottrack.us">http://donottrack.us</a>.

Second, even if we completely accept your premise, then why exactly
would it hurt the user for us to include the OPT-OUT header by default
? The sites that want to ignore that header will ignore it anyhow
regardless. So what exactly is lost by simply sending the header by
default ? Not sending it however means that you get no protection even
at those sites that have already implemeted support for this feature.
If you think that is a complete hogwash and no site will do this
willingly, then may I suggest you read
<a href="http://firstpersoncookie.wordpress.com/2011/03/30/industry-adoption-of-dnt-underway/" title="http://firstpersoncookie.wordpress.com/2011/03/30/industry-adoption-of-dnt-underway/">http://firstpersoncookie.wordpress.com/2011/03/30/industry-adoption-of-d...</a>.

Well that seems like the perfect argument why the OPT-OUT should be
the default. It is a well established fact that most users could not
be bothered to think about security or privacy issues until they get
bitten by it. Hence, the more reason why software should strive more
to do right by them as much as possible.

They will change it soon enough. For the life of me, I cannot imagine
of a single person that would voluntarily opt-in to be tracked online.
They have to be completely ignorant about the matter or threatened
with lack of access to capitulate on this issue.

Regards,
Dawit A.

Re: Review Request: GUI configuration for the 'Do Not Track'?fea

By Oswald Buddenhagen at 04/17/2011 - 05:43

On Sat, Apr 16, 2011 at 03:52:39PM -0400, Dawit Alemayehu wrote:
if you think that this is a matter worth pursuing, engage politically,
or help others to do so.

Re: Review Request: GUI configuration for the 'Do Not Track'?fea

By Dawit A at 04/17/2011 - 11:38

On Sun, Apr 17, 2011 at 5:43 AM, Oswald Buddenhagen < ... at kde dot org> wrote:
I have no desire to engage in politics, but even if I was I would
personally want to bring a concrete proposal to the table before
asking governments to intervene. The fact that the DNT proposal is on
the table, amongst others, makes it easier to advocate for such
protection, specially when it is an honor system like DNT.

Anyhow, for the sake of ending this discussion, I will relent and
change the configuration to how it currently is set in Firefox 4 for
now. By default, it will not be set and no DNT header will be sent.
That is we will never send the "DNT:0" OPT-IN header at all since no
header means automatic OPT-IN according to the spec listed. It could
always be turned on by default in the future.

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By Dawit A at 04/15/2011 - 20:00

2011/4/15 Ingo Klöcker < ... at kde dot org>:
Hmm... I indeed got that wrong. According to the draft spec secion
8.3, no header present is an OPT-IN. However, since we always send
"DNT:1" or OPT-OUT by default, this should not be an issue. A user can
then uncheck the box to OPT-IN (DNT:0) if they so desire. And since
not sending the header is the same as "DNT:0", then there is no reason
why we should not explicitly include it in the header sent to the
server.

Regards,
Dawit A.

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By =?utf-8?Q?Thoma... at 04/15/2011 - 15:26

Am 15.04.2011, 21:00 Uhr, schrieb Ingo Klöcker < ... at kde dot org>:

I wonder whether DNT makes any sense at all (or is just a giant fake) and
it wouldn't be better to tell ppl. how to add sth like

127.0.0.1 <a href="http://www.google-analytics.com" title="www.google-analytics.com">www.google-analytics.com</a> google-analytics.com
quantserve.com edge.quantserve.com flash.quantserve.com
pixel.quantserve.com secure.quantserve.com

to /etc/hosts (does anybody know who ships the _unam, __csv & __switchTo5x
cookies?)

Otherwise i guess a cookie filter by cookie name would be faaar more
powerful than DNT or the domain based cookie.

Cheers,
Thomas

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By Dawit A at 04/15/2011 - 19:53

On Fri, Apr 15, 2011 at 3:26 PM, Thomas Lübking
<thomas. ... at gmail dot com> wrote:
That is like playing a chicken and mouse game. There are so many ways
to circumvent what you are doing above it is not even funny. Moreover,
nothing stops these sites from refusing to show you a site, if they
cannot set certain cookie that can be used for tracking. Yes, asking
the fox to guard the hen house is not much better, but at least it
would work more effectively than the arms race approach you stated
above.

And what prevents people from changing the cookie values to a point
where they are completely indistinguishable from any "benign" cookie,
if there is such a thing. IOW, at least the DNT feature, as absurd as
it sounds, is a much better solution than the very same approach you
advocate here. Look at the anti-virus business as an example. It is a
constant arms race.

Anyhow, if adding this feature means just few sites will leave you
along because they honor the header name, then personally I think it
is worth the minuscule effort it requires to implement it.

Regards,
Dawit A.

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By =?utf-8?Q?Thoma... at 04/17/2011 - 04:05

I didn't mean or say: "don't add the DNT header" (http is bloated anyway)
and i don't even oppose making it opt-out (the setting, ie. opt-in
tracking)
My general feeling is just that this is just some salvation promise and
Ossi's objection to not make it opt-out since otherwise the DNT won't work
anymore somehow stresses the "works unless used" character. Yes, checked
your "DNT gets adopted" link, but we'll see mid-term impact. DNT just
seems like a "please don't conquer us" shield ;-)

And yes - to fight tracking is a raise of arms - the other option is to
surrender.

If ultimately a service makes tracking prerequisite of it's usage it
becomes some kind of entrance price.
If i desperately want this service i'll pay the price - otherwise the
service may as in any other case just kiss my shiny ass ;-P

Cheers,
Thomas

PS: __unam is from sharethis.com

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By Dawit A at 04/15/2011 - 14:57

On Fri, Apr 15, 2011 at 9:56 AM, Oswald Buddenhagen < ... at kde dot org> wrote:
ahhh... huh ?

Please note that this feature by design is entirely voluntary from the
sites prespective. They are under no obligation to honor the header in
the first place. What we are doing here is by default we send a header
"DNT:1" to tell sites that honor the specification not to track. The
user does not have to do anything! If on the other hand the user does
not mind being tracked, then they can uncheck, or if we change the
label of the checkbox, check the option to send "DNT:0".

That is exactly what firefox does. I do not know what is so confusing
about this. I would be the last person to turn on privacy invading
functionality by default!

Regards,

Dawit A.

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By Maksim Orlovich at 04/14/2011 - 12:42

Very cool. But re: original change. Are you sure we want to be sending
the opt-in header by default? (Also, does KProtocolManager copy
kioslaverc into the metadata or something, or will that need a
separate change?). Can't really review this right now, but one thing
that I noticed:
// Read the configuration from konquerorrc
might be clearer to add "with khtmlrc as fallback" to the comment.

On 4/14/11, Dawit Alemayehu < ... at kde dot org> wrote:

Re: Review Request: GUI configuration for the 'Do Not Track' fea

By Dawit A at 04/14/2011 - 13:03

On Thu, Apr 14, 2011 at 12:42 PM, Maksim Orlovich < ... at cornell dot edu> wrote:
No. We are sending the opt-out header by default. The "DNT: 1" which
will be sent, when the "DoNotTrack" is set to "true" (the default),
tells websites which support this functionality not to track you.

(Also, does KProtocolManager copy
No additional change is required. KIO::Scheduler automatically reads
the settings in kioslaverc, in addition to kio_<protocol>rc and makes
it available to each ioslave in form of a meta-data. See the config()
functions in slavebase.cpp and

True, done...