Microsoft, Apache Square Off Over Privacy Settings

Apache, the most common server on the web, is giving Microsoft’s Internet Explorer 10 a privacy smackdown. A newly submitted patch tells Apache to ignore IE 10’s controversial Do Not Track (DNT) settings.

The Do Not Track header is a proposed web standard for browsers to tell servers that the user does not want to be tracked by advertisers. When IE 10 is officially released, DNT will be supported by all the major web browsers (except Google Chrome), but only Microsoft has elected to turn on DNT by default. That means that all IE 10 users will be telling advertisers to back off, which some argue is not what DNT was intended to do.

The changes to Apache mean the server will ignore any DNT header sent if it’s sent by IE 10. That means IE users won’t be able to stop advertisers from tracking them around the web.
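To make the header semantics concrete, here is a small added example (not Apache’s code and not Fielding’s patch) of the decision a server makes when it receives a request. It models the DNT values defined by the Tracking Preference Expression draft ("1" means the user asks not to be tracked, "0" means the user consents, absent means no preference expressed) and the behaviour the article attributes to the patch: a DNT header is dropped when the User-Agent looks like IE 10. The User-Agent pattern, the header names and the sample requests are constructed assumptions for the illustration.

```python
"""Server-side handling of the DNT request header (added illustration).

Not Apache's code and not the patch discussed in the article: the IE 10
User-Agent pattern and the sample requests below are constructed here.
"""
import re
from typing import Dict, Optional

# Assumption: IE 10 identifies itself with "MSIE 10.0;" in its User-Agent.
# User-Agent is client-controlled, so this only sorts browser populations;
# it says nothing about whether an individual request is honest.
IE10_UA_PATTERN = re.compile(r"MSIE 10\.0;")


def parse_dnt(value: Optional[str]) -> Optional[bool]:
    """Map a raw DNT header value to the user's expressed preference.

    "1" -> True  (user asks not to be tracked)
    "0" -> False (user consents to tracking)
    absent or anything else -> None (no valid preference expressed)
    """
    if value is None:
        return None
    v = value.strip()
    if v == "1":
        return True
    if v == "0":
        return False
    return None


def effective_dnt(headers: Dict[str, str], distrust_ie10: bool = True) -> Optional[bool]:
    """Return the preference a server should act on for one request.

    With distrust_ie10=True the DNT header is ignored when the User-Agent
    matches IE 10 (the policy the article describes); with False every
    well-formed DNT header is honored regardless of browser.
    """
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    user_agent = lower.get("user-agent", "")
    if distrust_ie10 and IE10_UA_PATTERN.search(user_agent):
        return None  # treated exactly like a request that never sent DNT
    return parse_dnt(lower.get("dnt"))


# Constructed sample requests: one IE 10 client and one Firefox client,
# both sending DNT: 1, plus a client that sends no DNT at all.
SAMPLE_REQUESTS = {
    "ie10": {
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
        "DNT": "1",
    },
    "firefox": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0",
        "DNT": "1",
    },
    "no_header": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0",
    },
}


def decisions(distrust_ie10: bool = True) -> Dict[str, Optional[bool]]:
    """Evaluate every sample request under the given policy."""
    return {name: effective_dnt(h, distrust_ie10) for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for policy in (True, False):
        print(f"distrust_ie10={policy}: {decisions(policy)}")
```

Run it and the two policies differ only for the IE 10 request: under the distrust policy that request is indistinguishable from one that never sent the header, which is exactly the effect the article describes. In Apache itself the same policy is expressed declaratively with mod_setenvif and mod_headers (a BrowserMatch rule that sets an environment variable, then RequestHeader unset DNT conditioned on it), rather than in application code.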

The changes to the Apache web server were written by Adobe’s Roy Fielding, one of the authors of the Do Not Track standard. Here’s Fielding’s reasoning for the patch:

The only reason DNT exists is to express a non-default option. That’s all it does. It does not protect anyone’s privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.

Microsoft deliberately violates the standard. They made a big deal about announcing that very fact. Microsoft are members of the Tracking Protection working group and are fully informed of these facts. They are fully capable of requesting a change to the standard, but have chosen not to do so. The decision to set DNT by default in IE10 has nothing to do with the user’s privacy. Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one. You can figure out why they want that. If you have a problem with it, choose a better browser.

It sounds like a conspiracy theory, but then Microsoft’s track record on the web means conspiracy theories have a ring of truth to them. The comments on GitHub point out any number of counter conspiracy theories as well — that Apache is doing this to protect advertisers, that DNT itself will only be supported as long as it’s off by default, and so on.

The only thing that really matters is this: Is Microsoft violating the DNT spec by turning it on by default?

Here’s what the spec says: “The goal of this protocol is to allow a user to express their personal preference regarding tracking … key to that notion of expression is that it must reflect the user’s preference, not the preference of some institutional or network-imposed mechanism outside the user’s control.”

That sounds like making “on” the default setting would be a no-no, since the user would not be making a choice to turn it on. But the spec continues:

We do not specify how that preference is enabled: each implementation is responsible for determining the user experience by which this preference is enabled.

For example, a user might select a check-box in their user agent’s configuration, install a plug-in or extension that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., “Privacy settings: high”) (emphasis mine).

ComputerWorld has a screenshot of what the Internet Explorer 10 setup dialogs show regarding DNT. The user has two choices: Express settings and Customize. Choosing the Express option clearly states that it turns on the DNT header and would appear to comply with the wording of the current spec.

Mozilla has argued in the past that it doesn’t. Fielding obviously feels likewise.

Our take is that the whole thing is smoke and mirrors; DNT itself is highly flawed and who supports it and how is a moot point.

Asking advertisers not to set tracking cookies is like asking Cookie Monster not to eat them. It might work for a while, but it’s not a sound long-term strategy. In fact, relying on anyone else to protect your privacy is, at this stage of the web, not a sound strategy. If you really want to stop advertisers from tracking you, you’re going to have to do it yourself using add-ons like Ghostery or Do Not Track Plus. See our earlier post Secure Your Browser: Add-Ons to Stop Web Tracking for more details on how to stop tracking without worrying about DNT.