The co-founder of the Apache HTTP Server Project is under fire for a patch that instructs the world’s most popular Web server to ignore the Do Not Track privacy setting enabled by default in Internet Explorer 10.

Do Not Track is a specification under consideration by the W3C and under development by its Tracking Protection Working Group; it defines a header sent with each browser request that permits or denies tracking by online ad networks. Roy T. Fielding, whose day job is principal scientist with Adobe, submitted the patch last week that instructs Apache to ignore DNT on IE 10, which will ship with Microsoft Windows 8. Apache is the world’s most widely deployed Web server (59.4% market share, according to Netcraft). The DNT spec’s intent is to put a privacy-related choice in the user’s hand; Fielding argues that DNT on by default is counter to the spec and represents a machine’s choice versus a user’s.

“The only reason DNT exists is to express a non-default option. That’s all it does,” Fielding wrote on Github. “It does not protect anyone’s privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.”

The issue has become divisive because Fielding’s patch would also affect users who purposefully chose to enable DNT, for example during a custom setup, and would ignore their settings as well.

Microsoft, however, counters that the user is presented a choice to shut DNT off during the Windows 8 Express Settings setup, which is the recommended course of action for users. During setup, users are also presented with a Customize option where DNT can be shut off. Microsoft chief privacy officer Brendon Lynch wrote a blog post a month ago explaining how users would discover DNT and said users would get a prominent notice that DNT is on during the Express setup.

“By providing a simple experience that allows customers to set their preferences, we’ve sought to balance ease of use with choice and control,” Lynch wrote. “The recommended Express Settings are designed to expedite and streamline the overall set-up process, and, if selected, generally improve a customer’s privacy, security, and overall experience on the device.”

Proponents say the user implicitly makes a choice to enable DNT by using IE10. Fielding said Microsoft, a member of the Tracking Protection Working Group, deliberately violates the standard and that machine-generated preferences should be ignored.

“The decision to set DNT by default in IE10 has nothing to do with the user’s privacy. Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one,” Fielding wrote. “You can figure out why they want that. If you have a problem with it, choose a better browser.”

Mozilla’s Firefox browser defaults to no user choice while Google Chrome does not support DNT; there is a Google extension that will support the feature.

“DNT allows for a conversation between the person sitting behind the keyboard and the site that they want to visit. If DNT is on by default, it’s not a conversation. For DNT to be effective, it must actually represent the user’s voice,” wrote Alex Fowler, privacy and public policy lead for Mozilla. “We introduced DNT to do just that: to give users a voice and let them tell sites that they don’t want to be tracked. We did this before knowing exactly how sites and advertisers would respond, and we still believe this is the most effective way for DNT to work.”

Comments (13)

  1. Anonymous
    1

    I thought we would have some a hole sites that would ignore the IE10 DNT. I had the choice during installation and set DNT on. I also use the free DNT+ from Abine.com which nukes a lot of this advertising crap anyway. Coincidentally, because it stops a lot of ads from actually downloading, it gives you faster browsing.

  2. Anonymous
    2

      Like I’ve said many times before, you can’t let the fox guard the henhouse.  Just another reason I use DNT+ from Abine.com….

  3. Cesar Figueiredo
    3

    I also use DNT+ and I don’t want to be prevented from being able to avoid being tracked. It is everybody’s right. If it becomes a standard default, it will be even better (safer) for the users. I don’t think anyone likes being tracked. Of course, many people are worried about their incomes as ad broadcasters, for such an activity supports their free software. It is understandable, but, as privacy is priceless, I also think it’s better to pay something for having privacy than browsing while strangers are following all your steps as shadows. 

  4. Anonymous
    4

    Well, you can also leave it on and make a list of all the ads and make sure you never patronize those places.

  5. Anonymous
    6

    Explorer’s default setting does not deny choice; it is simply a recognition of the power of default settings, which advertisers understand well (and have used to their advantage).  To call it a “false signal” is disingenuous. 

  6. Koios
    7

    If anyone believes that someone with serious(tm) money on the line would follow an optional field header in a browser if they didn’t /have/ to: I have a bridge I want to sell you.

  7. EJ
    9

    Hey Roy T. Fielding,

    So you’re telling me that for every web session initiated by a user, there’s a human on the other side of the Apache web server, who is setting a switch to tell the web server to track each individual web session that comes along?  Your logic tells me it can’t be done automatically or by a machine or application, because as you say, it doesn’t count unless these track and don’t-track decisions were made “by a real human being”.  That logic should be applicable to both sides, not just the consumer’s.

    This might just resolve the unemployment rate, as all you website owners are going to have to put a body deciding to track each session that’s requested from your Apache web server.

  8. Mairead
    11

    Firefox does not default to “no user choice”, it defaults to “nothing chosen yet”.

    Bad wording on the writer’s part.

  9. Anonymous
    12

    Apache is open source.  What stops companies from mod-ing it and taking out the privacy protections anyhow?  We cannot trust others to protect our privacy.  It is clear that sellouts are everywhere.  We each need to install active client components to protect our privacy.  And to audit them to ensure their operation:  Put wireshark on your line.  Your browser is already probably feeding all your browsing to google under the rubric of “safe-browsing”.  You need to get educated and check these things yourself.

    And screw Apache.  I’m deeply unimpressed by the greed-heads on the team.
