File Under: Browsers, privacy

Yahoo, Microsoft Tiff Highlights the Epic Failure of ‘Do Not Track’

People who walked in snow also bought jackets, would you like a value proposition jacket? Image: rabiem22/Flickr.

Microsoft continues to take a beating for its decision to enable the Do Not Track privacy setting by default in the company’s brand-new Internet Explorer 10.

IE 10 has only been on the web for a few days (see Webmonkey’s IE 10 review), but Yahoo has already released a statement saying that the company will ignore the Do Not Track header when broadcast by IE 10 users. Yahoo is not the first to take exception to Microsoft’s decision to turn Do Not Track on by default — the Apache web server may ignore IE 10′s DNT header as well — but it’s the biggest site so far to square off against Microsoft.

This most recent squabble comes despite the fact that Microsoft and Yahoo are partners and that Yahoo has previously said it would support Do Not Track.

The Do Not Track header is a proposed web standard for browsers to tell servers that the user does not want to be tracked by advertisers. DNT is supported by all the major web browsers, but only Microsoft has elected to make DNT part of the browser’s default setup. That means that all IE 10 users will be telling advertisers to back off, which some argue is not what DNT was intended to do.

The problem for Yahoo is that it risks ignoring not just a coming web standard, but the wishes of those users who would have opted in to Do Not Track even if it were off by default. Brad Smith, Microsoft’s VP of Legal & Corporate Affairs, recently said that turning on Do Not Track “reflects what our customers want: 75 percent of the consumers we surveyed in the U.S. and Europe said they wanted DNT on by default.”

On the first count Yahoo’s jargon-laden policy announcement seems to be saying that the company believes Microsoft is violating the W3C draft of Do Not Track. “Recently, Microsoft unilaterally decided to turn on DNT in Internet Explorer 10 by default, rather than at users’ direction,” says the Yahoo Policy blog. “In our view, this degrades the experience for the majority of users and makes it hard to deliver on our value proposition to them.”

The latter statement seems to be a blanket argument against DNT existing at all — a common argument from companies that make the majority of their money from advertising — rather than anything specific about IE 10, especially given that Microsoft appears to be conforming to the current draft of the spec. I contacted Yahoo asking for clarification about the company’s position on web standards support, but the company did not respond before this story was published. [Update: Yahoo's Sara Gorman tells Webmonkey that "Yahoo does not consider the current Microsoft Internet Explorer 10 or Windows 8 install flows to represent explicit user consent with respect to Do Not Track."]

Yahoo’s complaint, along with similar complaints from Apache and others comes down to this: Is Microsoft violating the DNT spec by turning it on by default?

Here’s what the spec says: “The goal of this protocol is to allow a user to express their personal preference regarding tracking … key to that notion of expression is that it must reflect the user’s preference, not the preference of some institutional or network-imposed mechanism outside the user’s control.”

That certainly sounds like it backs up Yahoo’s decision, and puts Microsoft in the wrong. But the spec continues:

We do not specify how that preference is enabled: each implementation is responsible for determining the user experience by which this preference is enabled.

For example, a user might select a check-box in their user agent’s configuration, install a plug-in or extension that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., Privacy settings: high) (emphasis mine).

For Internet Explorer 10 Microsoft’s setup dialog offers the user two choices: Express settings and Customize. Choosing the Express option clearly states that it turns on the DNT header and would appear to comply with the wording of the current spec since it gives users a choice.

The cynical might be tempted to say Yahoo and other ad companies are nervous that DNT is actually going to catch on and may well hurt their bottom line, but to be fair Yahoo isn’t alone in saying that Microsoft is violating the proposed spec. Mozilla, which originally created Do Not Track, has argued in the past that Microsoft is abusing DNT with IE 10.

In the end it might not matter. The DNT specification has become a joke. It has seriously been proposed that one of the “Permitted Uses for Third Parties and Service Providers” be “marketing.” So one of the permitted uses for Do Not Track might be to allow advertisers to track you.

If that’s not crazy enough for you consider that most online ad companies are not planning to interpret the “Do Not Track” header to mean “stop collecting data.” Instead most advertisers plan stop showing you targeted ads, but continue to collect data and track what you’re doing on the web.

If that sounds insane, well, it is. But the reality is you are being tracked and you will continue to be tracked unless you do something about it.

If you’d like to be in charge of which data is collected about you and you’d like to actually stop advertisers from tracking you, you’re going to have to do it yourself using add-ons like Ghostery or Do Not Track Plus. See our earlier post, Secure Your Browser: Add-Ons to Stop Web Tracking, for more details on how to stop tracking without worrying about who supports or doesn’t support a still unfinished, potentially heavily compromised web standards proposal.