I do not think users will be very happy when they discover that they are globally trackable when IPv6 is enabled.
The RFC solves the problem of being trackable within a site, when the big problem is being trackable between sites.
Unfortunately it is the only mechanism available at the moment, and until something better comes along I think it should be enabled by default.
If you want to disable anything but EUI-64 addresses, could you not filter on the local bit? And redirect people to something explaining your rules.
Even if it is off by default on every operating system, some users are invariably going to enable it, and you need to deal with them anyway.
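An added example, not part of the original post: one way to apply the "filter on the local bit" idea is to classify an address's interface identifier by its universal/local bit and by the `ff:fe` marker that a MAC-derived (modified EUI-64) identifier carries. The function names, the policy in `allowed`, and the sample addresses (documentation prefix 2001:db8::/32) are constructed for illustration.

```python
import ipaddress

def interface_id(addr: str) -> bytes:
    """Return the low 64 bits (interface identifier) of an IPv6 address."""
    return ipaddress.IPv6Address(addr).packed[8:]

def classify_iid(addr: str) -> str:
    """Classify the interface identifier of addr.

    In modified EUI-64 the universal/local bit (0x02 of the first IID byte)
    is 1 for identifiers derived from a globally unique MAC and 0 for
    locally assigned ones, which includes randomized privacy identifiers.
    Expanding a 48-bit MAC also inserts ff:fe as IID bytes 3 and 4.
    """
    iid = interface_id(addr)
    universal = bool(iid[0] & 0x02)
    has_fffe = iid[3:5] == b"\xff\xfe"
    if universal and has_fffe:
        return "eui64-universal"   # looks derived from a burned-in MAC
    if has_fffe:
        return "eui64-local"       # MAC-shaped, locally administered MAC
    if universal:
        return "universal-other"   # universal bit set, not MAC-shaped
    return "local"                 # local bit: privacy/random/manual IID

def allowed(addr: str) -> bool:
    """Hypothetical site policy: accept only MAC-derived EUI-64 addresses."""
    return classify_iid(addr) == "eui64-universal"

# Constructed sample addresses.
SAMPLES = [
    "2001:db8::211:22ff:fe33:4455",   # from MAC 00:11:22:33:44:55
    "2001:db8::11:22ff:fe33:4455",    # from locally administered 02:11:22:33:44:55
    "2001:db8::a8c1:5d3e:9f20:7b44",  # randomized identifier, local bit
]

if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a:34} {classify_iid(a):16} allowed={allowed(a)}")
```

A host can configure any interface identifier it likes, so this check enforces a policy on well-behaved hosts rather than proving an address was derived from hardware.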