As part of our week of exciting announcements for Mobile World Congress, Mozilla is demonstrating the world’s first implementation of Do Not Track for a mobile Web OS. We’re also presenting a mock-up of the new 3-state setting for Do Not Track, as envisioned by the W3C.
Imagining how privacy and security can be core requirements in designing a mobile platform from the ground up, our support for Do Not Track in Boot to Gecko highlights the importance of Do Not Track on mobile, as well as desktop, devices.
Why this matters
As more and more Internet users access the Web from mobile devices, a growing gap exists in users’ ability to communicate a preference not to be tracked across all the ways in which they use the Web. Gartner Research predicts that by next year more people will be accessing the Internet on their mobile devices than those who will with their desktop computers.
Mozilla was the first major browser to provide its users with Do Not Track on desktop and mobile. Firefox for Android provides users with the ability to send the DNT header to websites visited via the browser, as well as to any third parties, just like they can send the header via desktop Firefox. As of February 26th, 18% of users of Firefox for Android had turned on DNT.
However, even if all the other native browsers on mobile followed our lead, there’d still be a gap where apps installed in mobile devices that include services from third parties, like advertisers and analytics, wouldn’t see the DNT header. To ensure that these parties also see users’ preferences not to be tracked, there needs to be a way to set the privacy preference at the OS level so apps can look for it.
How it works
Do Not Track can be enabled by accessing the preferences panel from a device running on Boot to Gecko. Just like in Firefox and Firefox for Android, the user scrolls to Do Not Track and turns the setting on (see illustration above). From that point forward, the device broadcasts the “DNT:1” header. Any Web sites visited by the user and all apps running on the device can see the header, including any third party services running on those sites or apps.
Take for example the case of one leading mobile advertising company, Jumptap, which announced last week that it supports Do Not Track. For Book to Gecko users with DNT enabled either visiting a Web site via their mobile browser or running an app both with ads being supplied by Jumptap, the company shows the user untargeted ads and updates the user in its systems as opted-out. Presumably, this would also be the case for companies like BlueCava that use device fingerprints to identify devices across sites and apps. BlueCava was one of the first to implement support for Do Not Track.
Our implementation in Boot to Gecko is intended to demo how the privacy feature can work with apps and encourage others to try similar implementations. As we saw with desktop with IE, Safari and soon Chrome and Opera, we hope other mobile OS providers will join our efforts on Do Not Track for mobile. We plan to begin working with app developers, too, to provide support for the privacy header. We’ll begin by focusing efforts on contributors to Mozilla’s Marketplace, which we announced would open for app submissions soon. We’ll also look to develop best practices with other app platform operators, which recently agreed to a request from California’s Attorney General to do more on privacy.
Through our work with the W3C Tracking Protection Group we’ve also started working on a three-state Do Not Track setting. Today, Do Not Track is either “off” or “on.” This doesn’t satisfy all the use cases on the Web nor fit well with laws in Europe. The three-state setting for Do Not Track will consist of “no preference,” “do not track,” and “allow tracking.” Details for how these preferences will be presented to a user are still being worked out, and we hope these will present some good opportunities to work with other browsers and the advertising industry to finalize the UI for Do Not Track.
I’ll be discussing our thoughts on Do Not Track for mobile and other privacy and security considerations as a speaker on Thursday’s “Mobile and Privacy: Are they Mutually Exclusive” at Mobile World Congress. If you’re in Barcelona, please join us.