Re "What's wrong with DNT?"
There's nothing wrong with DNT but its not enough on its own.
Firstly, recognising and obeying DNT is not a legal requirement -- so to a spyware company intending to steal your personal data, its about the equivalent of putting a sign on your front door "please do not burgle here".
There's never going to be a total international acceptance of any privacy legislation, even if the more enlightened countries can be persuaded to adopt some. And those countries that are most likely to adopt any privacy legislation will write it with the primary intention of allowing companies to *invade* privacy rather than to ensure it. Just like they already did with the "you can spam" act.
So when DNT becomes widespread, will the worst sites unnecessarily redirect you to a "you have DNT so you can't come in" page -- just like some of them already do if you try to visit with javascript disabled?
Next, DNT is either on or off. OK, that's a start -- but that's a bit like saying everybody must choose whether or not to have sex. If they choose NO, then they can have sex with nobody whatsoever. If they choose yes, they must be willing have sex with everybody else who wants it. I'm guessing, but most people could not comfortably choose either of those two options.
Equally, there's a difference between tracking for the efficient operation of the site and tracking to obtain saleable data. I don't mind if a site knows I've visited the site before or even what pages I've seen there, but it absolutely should *not* be possible for some other site to know that I've been there, or to any other site for that matter.
Clearly, there's an argument for something in between. At the very least, a middle ground version of DNT that says "OK, but keep it totally confidential" when visiting the first party site, but gives an "absolutely not" when accessing third party sites whose content has been embedded in the page.
My feeling though is that an enhanced DNT isn't going to work -- if only because the worst of the data thieves would simply ignore it. So it is more important to work on technical standards that would require the browser not to deliver information in a form that allows third party tracking.
For example -- I visit abc.com and it uses some API from google. If google requests my cookie, then it should get one, but it should not be the same cookie that it gets when I visit google direct, so it should not be able to track me through any google log in. Then if I subsequently visit def.com and that also uses some API from google, google should get yet another cookie that prevents it knowing that I've visited abc.com. So, separate cookies for each third party site depending on where it is being visited from.
That's a bit simplistic and there are other spyware problems (eg Etag) that need to be similarly defeated. If there is no better way, then separately cache google's images for every site you visit it from.
Whatever is needed, the solution which would work best is the one which is controlled within the browser. It simply doesn't give trackable data to the third party site -- and it would be best for most people if that is what happened by default unless they choose to allow otherwise.
Maybe there's a part to be played by my ISP, which could be required to falsify my IP address in packets passed to third party sites. Or maybe all traffic, if there's no easy way to identify third party traffic.
But ... and here's where the W3C as a standards body could sensibly step in to the picture ... the standards should stipulate that users and their browsers are entitled to inhibit tracking and should require all sites to continue to work with proper third party anonymity (as well as with flash, javascript and similar all disabled in situations where there is no absolute functional need for them).
