Latest NoScript (2.0.9) supports the Do Not Track tracking opt-out proposal, joining AdBlock Plus in this experiment.

From now on, a web browser with NoScript installed warns every HTTP server it contacts that its user does not want to be tracked, i.e. that his data must not be collected for profiling and persistent identification purposes. I believe this is a safe assumption about the feelings of most if not all NoScript users.

As stupid as it may sound (why would parties who are interested in tracking you comply?), a means to clearly express your will not to be tracked is going to be useful, especially when backed by law or industry self-regulation, as explained here. Therefore it seems in the interest of NoScript users and privacy-concerned netizens in general to participate in this effort.

In its current release, NoScript allows the “Do Not Track” feature to be disabled or tweaked by opening about:config and editing the noscript.doNotTrack.* preferences:

  • noscript.doNotTrack.enabled (self-explanatory)
  • noscript.doNotTrack.exceptions, space-separated URL patterns of destinations which are not sent the “Do Not Track” message
  • noscript.doNotTrack.forced, space-separated URL patterns of destinations which are sent the “Do Not Track” message even if they match exceptions

A GUI for these options, and possibly finer-grained controls (e.g. to allow some or all of the third-party trackers on certain websites only), will be added in future releases.

Update

The header name has been changed in DNT, but the preferences to control it remain the same.
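As an added example (not code from the post or from NoScript itself), the decision rule the three preferences encode, together with the check a server honouring the proposal would make on the DNT header. The glob-style syntax for the URL patterns and the sample preference values are assumptions of this example; the post only says the patterns are space-separated.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed preference values, keyed by the about:config names the post lists.
# NoScript's real pattern syntax is not described here; globs are an assumption.
PREFS = {
    "noscript.doNotTrack.enabled": True,
    "noscript.doNotTrack.exceptions": "*://*.example.org/* http://intranet.example/*",
    "noscript.doNotTrack.forced": "*://ads.example.org/*",
}

# The post's update: the header was renamed from X-Do-Not-Track to DNT.
HEADER_NAME = "DNT"
LEGACY_HEADER_NAME = "X-Do-Not-Track"
HEADER_VALUE = "1"  # "1" = the user asks not to be tracked


def _matches_any(url, patterns):
    """True if the URL matches at least one of the space-separated patterns."""
    return any(fnmatchcase(url, p) for p in patterns.split())


def should_send_dnt(url, prefs=PREFS):
    """Precedence documented in the post: disabled wins over everything,
    then 'forced' wins over 'exceptions', then exceptions suppress the header."""
    if not prefs["noscript.doNotTrack.enabled"]:
        return False
    if _matches_any(url, prefs["noscript.doNotTrack.forced"]):
        return True
    return not _matches_any(url, prefs["noscript.doNotTrack.exceptions"])


def request_headers(url, prefs=PREFS):
    """Build the request headers the browser would send to this destination."""
    headers = {"Host": urlsplit(url).netloc}
    if should_send_dnt(url, prefs):
        headers[HEADER_NAME] = HEADER_VALUE
    return headers


def server_tracking_allowed(headers):
    """Server side of the proposal: profiling is off for a request carrying
    DNT: 1 (or the legacy X-Do-Not-Track: 1). Header names are case-insensitive."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    for name in (HEADER_NAME, LEGACY_HEADER_NAME):
        if lowered.get(name.lower()) == HEADER_VALUE:
            return False
    return True


if __name__ == "__main__":
    for dest in ("http://tracker.example.com/pixel.gif",   # plain third party: header sent
                 "https://www.example.org/",               # matches an exception: suppressed
                 "https://ads.example.org/track"):         # exception AND forced: forced wins
        hdrs = request_headers(dest)
        print(dest, "->", hdrs, "| server may track:", server_tracking_allowed(hdrs))
```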

44 Responses to “X-Do-Not-Track support in NoScript”

  1. #1 WildcatRay says:

    Is it possible to have/use the do-not-track feature with having NoScript set to allow all scripts or is it independent of the other aspects of the add-on?

    Would it be possible to have an add-on that only provides the do-not-track feature? Perhaps there is one already available?

  2. #2 Giorgio says:

    @WildcatRay

    Is it possible to have/use the do-not-track feature with having NoScript set to allow all scripts or is it independent of the other aspects of the add-on?

    Yes to both. Most NoScript features, including this one, work even if you allow scripts globally.

    Would it be possible to have an add-on that only provides the do-not-track feature? Perhaps there is one already available?

    Again, yes.

  3. #3 jingle says:

    Why have you removed JAR blocking?

  4. #4 Basti says:

    Do Not Track (us) doesn’t list your addon, although the other addon is listed.

    Great job. (I haven’t tried the new version yet)

    Hope the JAR blocking isn’t gone.

  5. #5 Giorgio says:

    @jingle:
    JAR document blocking as an anti-XSS countermeasure is gone because recent Firefox versions (all those currently supported by NoScript) have built-in protection against this exploitation scenario, obsoleting this feature.

    Same destiny for embedding opacization, which is superseded by ClearClick as an anti-Clickjacking mitigation.

    These, together with the emulated TLD service which was only needed in Fx < 2.0, have been removed in the context of an ongoing effort to clean up the code base and reduce the bloat, as a preparation to the painful but unavoidable architectural earthquake of Electrolysis compatibility.

  6. #6 Cae says:

    Just to feedback that in Iceweasel (Debian), there are NO "noscript.doNotTrack." options in the about:config.

    So in this case, what is the default?
    and what should the users do/set?

    Screenshot as evidence :)
    http://img80.imageshack.us/img80/6082/snapshot10o.png

  7. #7 Giorgio says:

    @Cae:

    Is that NoScript 2.0.9.2?
    Most likely it’s 2.0.8.1. Could you add your “About NoScript” window to your evidence screenshot? :)

  8. #8 jingle says:

    "JAR document blocking as an anti-XSS countermeasure is gone because recent Firefox versions (all those currently supported by NoScript) have built-in protection against this exploitation scenario, obsoleting this feature."

    Does Firefox protect against script and CSS cross-site inclusions in JAR?

  9. #9 Giorgio says:

    @jingle:

    Does Firefox protect against script and CSS cross-site inclusions in JAR?

    No, Firefox does not, but NoScript still does (even though it doesn’t notify anymore, but just logs to the console).
    It’s the inclusionTypeChecking feature, which blocks cross-site script and CSS files unless they’re served with the correct MIME type: if they’re extracted from a JAR URI they’ve got application/java-archive or application/octet-stream instead of text/javascript or text/css.
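An added example, not NoScript's own code, modelling the check described in the comment above: a cross-site script or stylesheet load is refused unless its Content-Type is a script or CSS type, and the host of a jar: URL is taken from the inner URL it wraps. The accepted type sets, the hostname-based notion of "cross-site" and the sample loads are assumptions of this example.

```python
from urllib.parse import urlsplit

# Accepted MIME types per inclusion kind. The comment only names text/javascript
# and text/css; the extra script types are an assumption of this example.
ALLOWED_TYPES = {
    "script": {"text/javascript", "application/javascript", "application/x-javascript"},
    "css": {"text/css"},
}


def media_type(content_type):
    """'Text/CSS; charset=utf-8' -> 'text/css' (parameters dropped, case folded)."""
    return content_type.split(";", 1)[0].strip().lower()


def site_of(url):
    """Host a resource really comes from. A jar: URL has the shape
    jar:<inner-url>!/<entry>, so the archive's own host is the relevant one."""
    while url.lower().startswith("jar:"):
        url = url[4:].split("!/", 1)[0]
    return (urlsplit(url).hostname or "").lower()


def inclusion_allowed(document_url, resource_url, content_type, kind):
    """Same-site loads are left alone; a cross-site load of the given kind
    ('script' or 'css') must carry a matching MIME type or it is blocked.
    Cross-site is approximated as 'different hostname' (assumption)."""
    if site_of(document_url) == site_of(resource_url):
        return True
    return media_type(content_type) in ALLOWED_TYPES[kind]


if __name__ == "__main__":
    page = "http://victim.example/page.html"  # constructed document URL
    loads = [  # constructed (resource, Content-Type, kind) triples
        ("jar:http://evil.example/a.jar!/x.js", "application/java-archive", "script"),
        ("jar:http://evil.example/a.jar!/s.css", "application/octet-stream", "css"),
        ("https://cdn.example/lib.js", "text/javascript; charset=UTF-8", "script"),
        ("jar:http://victim.example/a.jar!/x.js", "application/java-archive", "script"),
    ]
    for res, ctype, kind in loads:
        verdict = "allowed" if inclusion_allowed(page, res, ctype, kind) else "BLOCKED"
        print(f"{kind:6} {res} ({ctype}) -> {verdict}")
```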

  10. #10 Cae says:

    Ahh …..

    seems to be getting old, it is 2.0.8.1

    Tried 2.0.9 and it’s there.

  11. #11 WildcatRay says:

    Thanks, Giorgio.

  12. #12 Anonymous Coward says:

    Shouldn’t this be opt-in?

  13. #13 Giorgio says:

    @Anonymous Coward:
    If it was opt-in nobody would discover it.
    On the other hand, as I wrote in the article, NoScript users can safely be assumed to be the “opt-in” type when it comes to tracking (like they are for scripting), therefore this seems a sensible default.

  14. #14 mrbobbyd says:

    I just installed TrackerBlock before I updated NoScript. Do I still need TrackerBlock installed?

  15. #15 Ronin says:

    "especially when backed by law"

    I’m very doubtful that something which people are mass-opted-into, without any overt action, or even knowledge, on their part, would carry any weight at all, legally.

    Plus, you know what they say about assumptions making an ass out of u and me ("this is a safe assumption about the feelings of most if not all NoScript users").

    Overall I think it would be wiser and more ethical to provide an opt-in mechanism, rather than just automatically opting people in. I find it strange that an attempt to give people greater freedom from control, in a sense, would be done in such a controlling fashion. I don’t appreciate it when _anyone_ does that.

    That said, after reading up on the issue, I would be one of those who _would_ opt in. So I suppose that’s further evidence that you don’t need to automatically opt everyone in; plenty of people would opt-in as long as they knew about the issue and about the ability to opt out of it.

    The justification that "if it was opt-in nobody would discover it" is beside the point. If that’s true, you’ve chosen to opt the same people in and they will never discover _that_. You’re not excused for opting people in without their knowledge, just because it would be difficult to inform people and get their consent first.

  16. #16 Alan says:

    Not cool. This isn’t even noted on the NoScript homepage (other than in the changelog, and that will soon be displaced). Disabled.

    This is outside NoScript’s core function. It’s better as a separate addon like TACO.

    Plus the standard is fugly; it should be a flag on "tracking cookies" instead. No need to endorse it through early adoption.

  17. #17 Jeffrey Thompson says:

    Thank you Giorgio and all the other volunteers who have helped make NoScript great.

  18. #18 One Happy Customer says:

    I am really happy opt-out is the default. Thank you!

  19. #19 Digidave says:

    If I wanted to be tracked, I wouldn’t be using NoScript. I don’t always have time to read the release notes so I rely on NoScript acting in my best interests without intervention on my part. Many thanks for a great utility!

  20. #20 Emini says:

    Thank you, to everyone who has contributed to NoScript.

    For those that want to voluntarily have their actions tracked, please do the rest of us a favor, and grow up. If you have a problem with the way things are done around here, take your pseudo-intellectual ethical hippy BS, and find some other software to install. The number of people who welcome this, or just plain don’t care, outnumber you 1000 to 1.

  21. #21 rsteer says:

    @ Anonymous Coward and Ronin — The programmer always has to choose a default … it’s not like there can be "no" default for any feature. So those who set the default have not only the opportunity, but to some degree a responsibility, to pick the most beneficial default for their users. (See "Nudge", by Thaler and Sunstein.)

    I may be an ass too, but I think Giorgio is making the correct assumption about NoScript users, and he’s also making the "correct" default choice based on the whole philosophy behind NoScript and AdBlock (NoScript’s partner in this experiment).

    The legal impact argument about opt-in vs. opt-out is specious — NoScript users being "opted-in of opting-out" doesn’t make their numbers any weaker — you can bet that advocates of tracking will argue that there are millions of browsers that haven’t opted out of being tracked (because their browsers and websites default to opt-in) as evidence that most people don’t care.

  22. #22 Paulo Cezar says:

    I’ll second Digidave (#19): I trust NoScript to always act in my best interest. And this new NoTrack feature is great. Even as an experiment, it’s great. It gives us a voice. Making it opt-out was the correct way.
    Great work as always. Thank you very much.

  23. #23 Alan says:

    Just noticed the Adblock link. They seem to be taking a much more sensible approach - DontTrack is enabled iff you’ve enabled the "EasyPrivacy" list.

    Emini: I’m not saying that I want to be tracked willy-nilly. Like you, I want to be able to tell exactly what my computer is doing. From that specific POV, NoScript has put a foot in the wrong direction here. It’s analogous to the much worse situation with the TACO opt-out addon, where an "upgrade" replaced it with an entire control center that I didn’t want - that didn’t even work on my computer because it didn’t support an 800×480 screen, without warning.

    Just look at the NoScript page on the Mozilla site -

    "Often used with…

    * Download Statusbar
    * DownThemAll!
    * FlashGot
    * Flashblock
    * Greasemonkey"

    notice the absence of TACO, ghostery, or even Adblock?

    And given the continued lack of notice in the addon’s description, I don’t see that this would "express [my] will of not being tracked". It expresses Giorgio Maone’s will that tracking should be disabled unless the user opts in.

  24. #24 David Kedron says:

    Hmm… pretty interesting issue/debate we’re seeing here. I’m going to have to ultimately side with the "I trust NoScript to act in my best interest" group.

    The whole thing is quite minor IMO - so we’re being opted in by default for useless functionality for an experiment, big whoop, I can tell you I’m not going to let it keep me up at night.

  25. #25 Rebecca says:

    Since this isn’t currently supported by law or industry self-regulation, how much more trackable (via something like browser fingerprinting) does enabling this make someone’s web browser?

  26. #26 Giorgio says:

    @Ronin:

    I’m very doubtful that something which people are mass-opted-into, without any overt action, or even knowledge, on their part, would carry any weight at all, legally.

    If you are going to defend your privacy in a court, who could challenge your statement that you installed NoScript not to be tracked?

    @Alan:
    I updated the add-on long description on AMO, FWIW.

    @Rebecca:

    how much more trackable (via something like browser fingerprinting) does enabling this make someone’s web browser?

    Not much, if you consider that using NoScript (i.e. disabling JavaScript & plugins) reduces the fingerprinting surface more than anything else (if your User Agent string is generic enough, like in Firefox 4): the new headers will just tell the fingerprinter that you use NoScript (or Adblock Plus + EasyList), like 99% of other people who browse with JavaScript & plugins disabled.

  27. #27 wkc says:

    Thank you for all the work you do to help keep our activities on the net private and safe. You are one of the last Wild Wild West heroes. I appreciate the no-track feature … it’s easier and faster than trying to opt out by using the downloaded opt out database. Thanks again. You’re right also about overall population of noscript users as well.

  28. #28 yellowbelly says:

    I think having a big flashing light on your browser fingerprint that says you don’t want to be tracked looks suspicious more than anything, and will make you stand out. Do not want.

  29. #29 Giorgio says:

    @yellowbelly:
    Having JavaScript disabled is equally suspicious: you’re either a “paranoid” NoScript user or a bot/leecher.
    From now on it also means that you don’t want to be tracked (something which was reasonably implied before as well).
    I can’t see any relevant difference.

  30. #30 Alan says:

    Giorgio #26: thanks! The snipurl in the description seems broken though (I think because it includes the trailing ‘.’).

    I guess I’d be more sympathetic if this actually did anything at the moment - à la Mozilla’s work on filtering known tracking cookies. This, I can only parse as a political gesture & am not convinced that it carries much signal. Perhaps the noise will be useful to someone… Anyway, thanks again for at least talking about this.

  31. #31 Giorgio says:

    @Alan:
    Fixed, thanks (it may take some time to show up, though, since AMO is heavily cached).

    Yes, at this moment it’s mostly a political stance, but I’m more optimistic than you on the long term outcome.

  32. #32 Curious says:

    NoScript itself drastically decreases Firefox’s fingerprint by disabling JavaScript and plugins.

    But this new feature does increase the fingerprint size a bit compared to previous NoScript versions, especially since it’s a very recent feature. This leads me to 3 questions…

    - What percent of NS users have v2.0.9 and up, and how fast does it grow?

    - How widespread is NoScript detection (without JavaScript) across the web?

    - What’s the difference between Adblock Plus’ X-Do-Not-Track support and NoScript’s? I noticed that with ABP, HTTP headers as shown at www.ericgiguere.com/tools/http-header-viewer.html lack the "Do not track" flags. I’m guessing that ABP only sends these headers for page elements and not the page itself? And so, would I be right if I said that NoScript’s implementation is complete while ABP’s is not? (in which case the ABP filter can be disabled)

  33. #33 Giorgio says:

    @Curious:

    - What percent of NS users have v2.0.9 and up, and how fast does it grow?

    About 80% right now, and fast growing (usually 95% are updated in 2 weeks at most, but holiday season slowed things down a bit).

    - How widespread is NoScript detection (without JavaScript) across the web?

    No idea.

    What’s the difference between Adblock Plus’ X-Do-Not-Track support and NoScript’s?

    Looks like Adblock Plus’ is an option activated by some subscriptions, e.g. EasyPrivacy.

  34. #34 Curious says:

    Interesting, thanks for the statistics :)

    I’ll have to determine for sure what’s best, fingerprint wise, between having NoScript block JS and plugins and NOT sending no-track headers, and the same config that does send the headers.

    It all depends on how many Firefox users who disable JS and plugins do it using NoScript… You say 99%, I’m not sure but it’s still plausible. I wish there were statistics ;)

  35. #35 Robert says:

    Like #19, I personally prefer NoScript’s current design philosophy of auto-enabling new safety and privacy features. As long as I know what just got turned on, I can make any decisions about turning it off if I need to.

    If NoScript was mainly trying to be a security blanket for people who cannot understand what it does, things might be different… but it’s not.

    I think that both the tracker-cookie approach and the header approach are needed, since many tracker methods do not rely on cookies.

    Another advantage of the header (which affects locations like the university where I work) is that it enables optionally-anonymizing proxies to recognize when the client browser needs to actually allow tracking. There are environments where we are required to anonymize by default, but this breaks certain websites. Previously, any solution required teaching the users how to switch between two different proxies. We haven’t yet begun using the header for this, but it looks promising.

  36. #36 Ken says:

    Interesting new feature. I prefer not being tracked, and I found the NoScript page announcing the new version sufficient warning that a new feature was added. It appears to me to support the basic function of NoScript - i.e. I am less susceptible to inappropriate behavior by websites I don’t trust and haven’t investigated yet, but if I want to disable that protection for a website I trust and want deeper interaction with, that option is available, temporarily or permanently.

    Even more interesting, in a train-wreck, bloody-heads-next-to-a-freeway-accident way, are the bizarre projections of political motivation people in the comments project on others with different preferences than themselves ("script disabled = paranoid", "‘hippies’ want to be tracked", etc.). They make for interesting sociology papers.

  37. #37 Michael says:

    I see NoScript primarily as a security tool. I don’t want others to execute any code they’d like on my computer. As such, things that happen or are stored on the server side have nothing to do with security on my machine. Adding HTTP request headers is not what I think a security tool should do.

    And actually, even for those who do not want to be tracked, this "feature" does the opposite:
    1. No website supports this, so users are still tracked. There is _no_ gain at all.
    2. The more users are sending this, the less likely it will ever be implemented on server side. Advertisers want to make revenue. Would Google honour robots.txt if Apache and IIS installed it by default, denying everything? So better only activate for those who really care for not being tracked (as soon as someone implements it server-side).
    3. As said before, it adds to the fingerprint of every NoScript user, making it _easier_ to track them.
    4. It identifies me as a NoScript (or ABP) user. Websites can choose not to send any content to me. Instead, they can show a message telling me that I must uninstall NoScript/ABP to visit the site. This happened to me a few years ago using WebWasher, one of the first ad filters. It added its name to the UserAgent.
    Testing for JavaScript execution is much more difficult. Especially because I can block the ad server and allow the content server. Since search bots also do not execute JavaScript(*), this is not an option for most websites anyway.

    (*)Prefbar allows you to change the UserAgent

    A few strong arguments to disable the "feature" by default.

  38. #38 AnonymousCoward says:

    @Michael, and others in favour of default disabling:

    It’s been noted fairly widely already that tracking has concrete potential for individual fingerprinting. Aggregation of even simple behavioural patterns would be plenty for those in the thriving fraud business to sharpen their already acutely successful tools. Any kind of tracking increases insecurity.
    This alone, for anybody who identifies NoScript as primarily a security tool, is a good reason to have this header turned on - if only yet as a vote for some kind of pressure for servers to honour it. Even if only a few popular sites honour it, it would interrupt tracking possibly enough to make fingerprinting less effective. At least it would slow down the development of individual fingerprinting, which I feel sure is the target of data miners everywhere. This addition of headers is only first baby steps in a pressure movement to cap behavioural tracking before it takes off.

    Addressing your second point, *Michael*, there are those in the Mozilla security group who disagree with you, and say that advertisers don’t anticipate more than about 7 percent of the online advertising market will be this specific third-party behavioural kind (among the many other kinds already very much in use) by 2014. So that at the most, the use of this header will cap, not kill the development. Advertisers will move around obstacles, not lose money. That’s how they operate.
    As much as we NoScript users fondly imagine ourselves to be the vanguard of careful Fx users, it won’t even make much difference to that 7 percent development whether there even exists a do not track header in an add-on because according to AMO’s figures for 2009 (I haven’t seen their 2010 report yet) there are around half a billion (500 million) Fx daily users, and to be kindest to the very popular ABP, at most around 15 million daily users of ABP. There are even fewer of us fabulous NS visionaries :-)
    About 3 percent at most combined of all Fx users. So what’s 3 percent of 7 percent going to do to dissuade advertisers from keeping on exploring the possibilities of third-party behaviourals? It’s no hole in their revenue to continue exploring its potential if only a smear of users signal they don’t want it.

    Your third point is only of value for fingerprinting if tracking by default becomes a web standard. What I trust is already happening is that browser development is already moving strongly against it and that all browsers will have default no-track. Giorgio and Wladimir’s initial concept shows the wider web community what should be the standard if blanket tracking is to be deprecated by the whole community.

    And any web site that has conditional access? NoScript users aren’t passive. If they know what a server blocks, and still want to use a site, they know what to toggle, surely. And the experience of ABP users with sites that started out conditionally blocking ABP users was that overwhelmingly the sites backed down at protest. Very few sites run this kind of conditional access these days. Why should it be different in the future?

    For those who would like a little more insight into tracking than our small NS perspective, Arvind Narayanan has a good overview in his blog
    http://33bits.org/2010/09/20/do-not-track-explained/

  39. #39 Danny Moules says:

    "If you are going to defend your privacy in a court, who could challenge your statement that you installed NoScript not to be tracked?"

    Easy. "Although the header was included by a piece of software which, you admit yourself, added the feature in an automatic update without your intervention - you have not at any point taken any explicit action to identify yourself as part of this scheme. I submit that your actions MUST supersede any action taken indirectly by your computer system to whose behaviour you are not legally beholden."

    The law cares about positive actions - not bits sent over headers. In much the same way that if a web site makes you erase all your files (because you weren’t using NoScript), you are not held legally responsible. ‘The computer did it for me/him/her’ is not considered a valid argument.

    The legal basis of DNT is reliant not on the header (which is simply an identifier of intent) but the actual act of opting-in to DNT itself. I suspect simply having an update silently pushed onto your machine would not stand up in court and would form the basis of any defense/prosecution against DNT.

    I would instead suggest that if the user is using NoScript/DNT functionality for the first time, they are asked simply if they want to opt-in in a two second process. Strikes me as much more legally sound. At the very least, it should be nestled in the software’s contract of use, creating some kind of binding agreement that you accept and recognise you have chosen to opt-in to DNT in a legal sense.

    The issue is that DNT is legally dilute if you do not opt-in. DNT is a legal mechanism applied to the user, not a blocking technology you can just ‘flick on’ to prevent another technology from triggering.

    (Disclaimer: Not a lawyer)

  40. #40 Danny Moules says:

    Interestingly, I think AdBlock’s method has more legal clout (and hence is more useful) because you have taken positive action to subscribe to a feed (subscriptions) to whom you have actively chosen to pass responsibility for such decisions. Still, I don’t believe it’s nearly as powerful - legally speaking (and that’s what DNT is about) - as taking two seconds to click an opt-in checkbox.

  41. #41 Giorgio says:

    @Danny Moules:
    But since NoScript supporting the DNT header is widely publicized, and the extension is advertised and recognized as a security and privacy tool, which obstructs tracking in more than one way, it’s up to you to demonstrate that I did not install and/or keep NoScript installed with the intent (among others) of stating my Do Not Track will by means of the DNT header, while I just need to declare so and, more in general, that I use NoScript to preserve my privacy and make trackers’ life hard like advertised.

  42. #42 Danny Moules says:

    It’s not a question of simply having some vague intent, it’s about having a strong enough statement of intent you can form a binding contract. Binding contracts are hard enough to form as it is without diluting them.

    I think it’s worth re-stating that: Creating a binding contract with something as flimsy as a near-anonymous header is very difficult in the first place. If you, as an end-user, don’t even bother to actually action it and then ’sort of’ delegate that responsibility to a third-party (but not even in writing or through a T+C or something legal)… then it’s tough to see how a court is going to be able to make any use of it.

    The kind of vagueness automatic opt-in by a third-party creates is exactly the kind of thing that doesn’t lead to binding contracts. It only takes one of the many possible vague elements to be rejected to create a lasting precedent that could kill DNT for good.

    DNT is going to be tough enough to make work in a court of law (not necessarily just in the US, as well). This seems like a big hurdle it doesn’t need.

  43. #43 Victor says:

    GIORGIO, a suggestion for you. I support that the option by default is to activate the do not track support for most of noscript users. Why?

    1. It is not possible not to set an option by default.
    Even if you let people choose actively, that is an option you choose, between choosing actively or not.
    2. As a not tech-savvy user, I do not want to face dozens of choices I do not even understand.
    3. SUGGESTION. Perhaps the best choice is to inform new users that noscript comes preset to the highest level of security and privacy but "you could later change these settings as you get familiarized with it and decide to change them".
    4. the do not track me would become a great tool for policy regulations!

  44. #44 Giorgio says:

    @Victor:

    Thank you. Presets are coming before this summer, when the very experimental NoScript Anywhere and “classic” NoScript will be merged.
