Archive for the ‘privacy’ Category

File Under: Browsers, privacy

Yahoo, Microsoft Tiff Highlights the Epic Failure of ‘Do Not Track’

People who walked in snow also bought jackets, would you like a value proposition jacket? Image: rabiem22/Flickr.

Microsoft continues to take a beating for its decision to enable the Do Not Track privacy setting by default in the company’s brand-new Internet Explorer 10.

IE 10 has only been on the web for a few days (see Webmonkey’s IE 10 review), but Yahoo has already released a statement saying that the company will ignore the Do Not Track header when broadcast by IE 10 users. Yahoo is not the first to take exception to Microsoft’s decision to turn Do Not Track on by default — the Apache web server may ignore IE 10’s DNT header as well — but it’s the biggest site so far to square off against Microsoft.

This most recent squabble comes despite the fact that Microsoft and Yahoo are partners and that Yahoo has previously said it would support Do Not Track.

The Do Not Track header is a proposed web standard for browsers to tell servers that the user does not want to be tracked by advertisers. DNT is supported by all the major web browsers, but only Microsoft has elected to make DNT part of the browser’s default setup. That means that all IE 10 users will be telling advertisers to back off, which some argue is not what DNT was intended to do.

The problem for Yahoo is that it risks ignoring not just a coming web standard, but the wishes of those users who would have opted in to Do Not Track even if it were off by default. Brad Smith, Microsoft’s VP of Legal & Corporate Affairs, recently said that turning on Do Not Track “reflects what our customers want: 75 percent of the consumers we surveyed in the U.S. and Europe said they wanted DNT on by default.”

On the first count Yahoo’s jargon-laden policy announcement seems to be saying that the company believes Microsoft is violating the W3C draft of Do Not Track. “Recently, Microsoft unilaterally decided to turn on DNT in Internet Explorer 10 by default, rather than at users’ direction,” says the Yahoo Policy blog. “In our view, this degrades the experience for the majority of users and makes it hard to deliver on our value proposition to them.”

The latter statement seems to be a blanket argument against DNT existing at all — a common argument from companies that make the majority of their money from advertising — rather than anything specific about IE 10, especially given that Microsoft appears to be conforming to the current draft of the spec. I contacted Yahoo asking for clarification about the company’s position on web standards support, but the company did not respond before this story was published. [Update: Yahoo’s Sara Gorman tells Webmonkey that “Yahoo does not consider the current Microsoft Internet Explorer 10 or Windows 8 install flows to represent explicit user consent with respect to Do Not Track.”]

Yahoo’s complaint, along with similar complaints from Apache and others, comes down to this: Is Microsoft violating the DNT spec by turning it on by default?

Here’s what the spec says: “The goal of this protocol is to allow a user to express their personal preference regarding tracking … key to that notion of expression is that it must reflect the user’s preference, not the preference of some institutional or network-imposed mechanism outside the user’s control.”

That certainly sounds like it backs up Yahoo’s decision, and puts Microsoft in the wrong. But the spec continues:

We do not specify how that preference is enabled: each implementation is responsible for determining the user experience by which this preference is enabled.

For example, a user might select a check-box in their user agent’s configuration, install a plug-in or extension that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., Privacy settings: high) (emphasis mine).

For Internet Explorer 10 Microsoft’s setup dialog offers the user two choices: Express settings and Customize. Choosing the Express option clearly states that it turns on the DNT header and would appear to comply with the wording of the current spec since it gives users a choice.

The cynical might be tempted to say Yahoo and other ad companies are nervous that DNT is actually going to catch on and may well hurt their bottom line, but to be fair Yahoo isn’t alone in saying that Microsoft is violating the proposed spec. Mozilla, which originally created Do Not Track, has argued in the past that Microsoft is abusing DNT with IE 10.

In the end it might not matter. The DNT specification has become a joke. It has seriously been proposed that one of the “Permitted Uses for Third Parties and Service Providers” be “marketing.” So one of the permitted uses for Do Not Track might be to allow advertisers to track you.

If that’s not crazy enough for you, consider that most online ad companies are not planning to interpret the “Do Not Track” header to mean “stop collecting data.” Instead most advertisers plan to stop showing you targeted ads, but continue to collect data and track what you’re doing on the web.

If that sounds insane, well, it is. But the reality is you are being tracked and you will continue to be tracked unless you do something about it.

If you’d like to be in charge of which data is collected about you and you’d like to actually stop advertisers from tracking you, you’re going to have to do it yourself using add-ons like Ghostery or Do Not Track Plus. See our earlier post, Secure Your Browser: Add-Ons to Stop Web Tracking, for more details on how to stop tracking without worrying about who supports or doesn’t support a still unfinished, potentially heavily compromised web standards proposal.

File Under: Browsers, privacy

Google Chrome Finally Jumps on the ‘Do Not Track’ Bandwagon

The most recent developer release of Google’s Chrome web browser adds support for the proposed Do Not Track (DNT) header, which allows users to tell advertisers to stop tracking their movements around the web.

If you’d like to test Do Not Track in Chrome you’ll need to download the “canary” channel release. The DNT header will likely be available in the stable version of Chrome some time around the end of 2012.

Unlike Microsoft, which recently caused a web standards hoopla by announcing it would enable Do Not Track by default in Internet Explorer 10, Google is leaving Chrome’s version off by default. To turn on Chrome’s new DNT feature yourself head to Settings >> Show advanced settings >> Privacy and check the Do Not Track option.

The Do Not Track feature, which will soon be available in every web browser, allows users to broadcast a simple message to advertisers — roughly, don’t track me. Advertisers honoring the header won’t set tracking cookies in your browser, nor will they show any ads targeted at you.

Chrome is the last major browser to add support for Do Not Track, which began life in Mozilla’s Firefox before moving to the W3C where it’s in the process of becoming a web standard.

Some have speculated that Google was dragging its feet with Do Not Track because it may hurt the company’s bottom line — Google’s well-targeted ads are made possible by tracking what you do online. The changelog message that introduces DNT is terse, but a Google spokesperson tells AllThingsD that the company is honoring “an agreement on DNT that the industry reached with the White House early this year.”

File Under: privacy, Web Standards

Microsoft, Apache Square Off Over Privacy Settings

Apache, the most common server on the web, is giving Microsoft’s Internet Explorer 10 a privacy smackdown. A newly submitted patch tells Apache to ignore IE 10’s controversial Do Not Track (DNT) settings.

The Do Not Track header is a proposed web standard for browsers to tell servers that the user does not want to be tracked by advertisers. When IE 10 is officially released, DNT will be supported by all the major web browsers (except Google Chrome), but only Microsoft has elected to turn on DNT by default. That means that all IE 10 users will be telling advertisers to back off, which some argue is not what DNT was intended to do.

The changes to Apache mean the server will ignore any DNT header sent if it’s sent by IE 10. That means IE users won’t be able to stop advertisers from tracking them around the web.
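
The behaviour described above, modelled as an added example (not the Apache patch itself, and not code from the article): a site that honours DNT, with and without a rule that discards the header from IE 10. The `MSIE 10.0;` User-Agent match, the function names and the sample requests are assumptions constructed for illustration.

```python
# Added example: models the two server policies discussed in the article.
# Header dicts below are constructed sample requests, not captured traffic.

IE10_MARKER = "MSIE 10.0;"  # assumed User-Agent substring identifying IE 10


def dnt_requested(headers):
    """Return True when the request carries the header 'DNT: 1'."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    normalised = {k.lower(): v.strip() for k, v in headers.items()}
    return normalised.get("dnt") == "1"


def strip_dnt_from_ie10(headers):
    """Return a copy of headers with DNT removed when the client is IE 10."""
    ua = next((v for k, v in headers.items() if k.lower() == "user-agent"), "")
    if IE10_MARKER not in ua:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "dnt"}


def may_set_tracking_cookie(headers, ignore_ie10=False):
    """Decide whether a DNT-honouring site would set a tracking cookie."""
    if ignore_ie10:
        headers = strip_dnt_from_ie10(headers)
    return not dnt_requested(headers)


# Constructed requests. The two IE 10 requests are identical on the wire:
# nothing in them says whether DNT came from Express settings or from a
# user who switched it on deliberately.
FIREFOX_OPT_IN = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0", "DNT": "1"}
IE10_EXPRESS = {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)", "DNT": "1"}
IE10_EXPLICIT = dict(IE10_EXPRESS)
NO_DNT = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Chrome/22.0"}

if __name__ == "__main__":
    samples = [("firefox", FIREFOX_OPT_IN), ("ie10-express", IE10_EXPRESS),
               ("ie10-explicit", IE10_EXPLICIT), ("no-dnt", NO_DNT)]
    for name, req in samples:
        print(name, may_set_tracking_cookie(req),
              may_set_tracking_cookie(req, ignore_ie10=True))
```

With the IE 10 rule enabled, both IE 10 requests become trackable, including the one from a user who chose DNT on purpose, while the Firefox opt-in is still honoured.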

The changes to the Apache web server were written by Adobe’s Roy Fielding, one of the authors of the Do Not Track standard. Here’s Fielding’s reasoning for the patch:

The only reason DNT exists is to express a non-default option. That’s all it does. It does not protect anyone’s privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.

Microsoft deliberately violates the standard. They made a big deal about announcing that very fact. Microsoft are members of the Tracking Protection working group and are fully informed of these facts. They are fully capable of requesting a change to the standard, but have chosen not to do so. The decision to set DNT by default in IE10 has nothing to do with the user’s privacy. Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one. You can figure out why they want that. If you have a problem with it, choose a better browser.

It sounds like a conspiracy theory, but then Microsoft’s track record on the web means conspiracy theories have a ring of truth to them. The comments on GitHub point out any number of counter conspiracy theories as well — that Apache is doing this to protect advertisers, that DNT itself will only be supported as long as it’s off by default, and so on.

The only thing that really matters is this: Is Microsoft violating the DNT spec by turning it on by default?

Here’s what the spec says: “The goal of this protocol is to allow a user to express their personal preference regarding tracking … key to that notion of expression is that it must reflect the user’s preference, not the preference of some institutional or network-imposed mechanism outside the user’s control.”

That sounds like making “on” the default setting would be a no-no, since the user would not be making a choice to turn it on. But the spec continues:

We do not specify how that preference is enabled: each implementation is responsible for determining the user experience by which this preference is enabled.

For example, a user might select a check-box in their user agent’s configuration, install a plug-in or extension that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., “Privacy settings: high”) (emphasis mine).

ComputerWorld has a screenshot of what the Internet Explorer 10 setup dialogs show regarding DNT. The user has two choices: Express settings and Customize. Choosing the Express option clearly states that it turns on the DNT header and would appear to comply with the wording of the current spec.

Mozilla has argued in the past that it doesn’t. Fielding obviously feels likewise.

Our take is that the whole thing is smoke and mirrors; DNT itself is highly flawed and who supports it and how is a moot point.

Asking advertisers not to set tracking cookies is like asking Cookie Monster not to eat them. It might work for a while, but it’s not a sound long-term strategy. In fact relying on anyone else to protect your privacy is, at this stage of the web, not a sound strategy. If you really want to stop advertisers from tracking you, you’re going to have to do it yourself using add-ons like Ghostery or Do Not Track Plus. See our earlier post, Secure Your Browser: Add-Ons to Stop Web Tracking, for more details on how to stop tracking without worrying about DNT.

File Under: privacy, Web Basics

Twitter Improves Privacy Options, Now Supports ‘Do Not Track’

Twitter has jumped on the “Do Not Track” privacy bandwagon.

The company recently confirmed that it supports the Do Not Track header, a user privacy tool originally created by Mozilla that is in the process of becoming a web standard. That means if you visit Twitter in any web browser that supports the Do Not Track header, you can opt out of the cookies Twitter uses to gather personal information, as well as any cookies set by third-party advertisers.

Behavioral tracking, as such practices are often called, is common on the web. Advertisers use cookies to track your clicks, watching which sites you visit, what you buy and even, in the case of mobile browsers, where you go. Often the sites tracking you are not just the sites you’ve actually visited, but third-party sites running ads on those pages.

And it’s not just advertisers tracking your movements; social networks like Facebook and Twitter also follow you around the web. You may not realize it, but Twitter has been tracking your every move for some time. The company doesn’t make a secret of it either. In a blog post announcing Twitter’s new “tailored suggestions system” Twitter’s Othman Laraki writes, “we receive visit information when sites have integrated Twitter buttons or widgets.”

To be clear, not only is Twitter able to set cookies any time you visit its own domain, whenever you visit a website (like this one) with a “Tweet This” or similar button Twitter can see you there as well. This practice is hardly unique to Twitter; Facebook, Google+ and others are doing the same thing.

Most of the time the information gathered is used to create a better experience for users. In the case of Twitter’s new “tailored suggestions” feature the information is used to build a profile of what you like and then Twitter makes suggestions based on that profile. You can read about exactly what Twitter does with your info and how long it keeps it in the company’s privacy policy.

The problem with such tracking is that it’s necessary for features we want, like smart, targeted suggestions — new users to follow, music you’ll likely enjoy, books you might want to read and so on — but it can also be used for decidedly less friendly purposes. As the downsides to such tracking become more well known, a growing number of people are opting out of the tracking. The Mozilla Privacy blog reports that “current adoption rates of Do Not Track are 8.6 percent for desktop users of Firefox and 19 percent for Firefox Mobile users.”

To take advantage of Twitter’s new Do Not Track feature you’ll need to be using a web browser that supports the header. Currently that means Firefox, Opera 12+, Internet Explorer 9+ or Safari 5.1+. Chrome has pledged to add support for Do Not Track, but doesn’t just yet. For more information on protecting your online privacy, including tools like Ghostery, which go even further, blocking all tracking cookies, see our earlier post, Secure Your Browser: Add-Ons to Stop Web Tracking.

File Under: privacy, Web Basics

Yahoo Plans Support for ‘Do Not Track’ Web Privacy Tool

Yahoo has announced it will soon support the Do Not Track privacy header across its sprawling network of websites. Supporting Do Not Track means you will soon be able to easily tell Yahoo to stop tracking your movements around the web.

Behavioral advertising, as such tracking is known, is a common practice on the web. Advertisers use cookies to track your clicks, watching which sites you visit, what you buy and even, in the case of mobile browsers, where you go. Often the sites tracking you are not just the sites you’ve actually visited, but third-party sites running ads on those pages.

Much like the Do Not Call registry, the Do Not Track system offers a way to opt out of this third-party web tracking.

The Do Not Track header began life at Mozilla, but has since moved to the W3C where it was converted into a web standard by the Tracking Protection Working Group.

The Do Not Track header now works in every major desktop browser except Google Chrome, though none of them turn it on by default. Still, for privacy-concerned users savvy enough to enable Do Not Track, the header offers a quick and easy way to tell advertisers that you don’t want to be followed while you browse the web.

Numerous online advertising groups already respect the Do Not Track header and refrain from tracking users that enable it. Today’s announcement means that, starting this summer, you can add Yahoo to the list of companies that will stop tracking you if you’ve enabled Do Not Track in your web browser.

Of course, there are still many advertisers and websites that don’t yet support Do Not Track. If you’re concerned about your online privacy and don’t want to rely on the goodwill of advertisers, there are other, more aggressive steps you can take to limit how you’re tracked on the web. See our earlier post on browser add-ons that help stop web tracking for more details.