"Do not track" in its present (non-)state is a farce. It should be implemented at the browser level.
My ideas on DNT:
If a user specifies "do not track" in their browser-global or site-specific settings then ALL requests to third party domains should simply be blocked.
This could be backed up by a site-provided manifest (potentially containing a comment for each ones justification, or a flag to say if its required or optional) to 'whitelist' 3rd party domains that they require it. There should be a browser feature to view this whitelist and 'uncheck' any sites you disagree with.
In fact, IMHO, thats the way modern browsers should work anyway - it would certainly solve a huge number of other issues (XSS, etc).
> ALL requests to third party domains should simply be blocked.
It's too late to do that. There's lots of websites relying on 3rd party CDNs for non-tracking purposes (CloudFront, Google-hosted jQuery, etc.)
Filtering on domain name alone won't prevent traffic from going through 3rd parties — tracking companies can ask websites to set up DNS CNAME for them or they'll use top-level HTTP redirects (like google.com uses to track SERP clicks).
And "my mom" isn't going to be able to vet list of domains. She'll call me and ask me to "fix" the computer so that "Log in with Facebook" works and there are no scary technical questions.
Yeah, DNT is kind of silly. It's like someone read the evil bit RFC (http://www.ietf.org/rfc/rfc3514.txt), thought it was a good idea, and implemented it at the level of HTTP.
I'd like to expand on this idea, by suggesting that in the case of sites being 'whitelisted' in the site-manifest, that they should only have access to an alternate cookie type, such that they are only accessible via that domain.
i.e. instead of them having access to cookies stored under their own domain (e.g. cookies stored under thirdparty.net) they have access to cookies stored under the scope of the domain of the website in the browser address bar (e.g. cookies stored under thirdparty.net@targetdomain.com).
This would allow the use of third party services, but specifically restrict their usage to the target domain.
My ideas on DNT:
If a user specifies "do not track" in their browser-global or site-specific settings then ALL requests to third party domains should simply be blocked.
This could be backed up by a site-provided manifest (potentially containing a comment for each ones justification, or a flag to say if its required or optional) to 'whitelist' 3rd party domains that they require it. There should be a browser feature to view this whitelist and 'uncheck' any sites you disagree with.
In fact, IMHO, thats the way modern browsers should work anyway - it would certainly solve a huge number of other issues (XSS, etc).