The co-founder of the Apache HTTP Server Project is under fire for a patch that instructs the world’s most popular Web server to ignore the Do Not Track privacy setting enabled by default in Internet Explorer 10.
Do Not Track is a specification under consideration by the W3C and under development by its Tracking Protection Working Group; it defines a header sent with each browser request that permits or denies tracking by online ad networks. Roy T. Fielding, whose day job is principal scientist with Adobe, last week submitted the patch that instructs Apache to ignore DNT on IE 10, which will ship with Microsoft Windows 8. Apache is the world’s most widely deployed Web server (59.4% market share, according to Netcraft). The DNT spec’s intent is to put a privacy-related choice in the user’s hands; Fielding argues that DNT on by default is counter to the spec and represents a machine’s choice rather than a user’s.
“The only reason DNT exists is to express a non-default option. That’s all it does,” Fielding wrote on GitHub. “It does not protect anyone’s privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.”
The issue has become divisive because Fielding’s patch would also affect users who purposely chose to enable DNT, during a custom setup for example, and so would ignore those settings as well.
Microsoft, however, counters that the user is presented with a choice to shut DNT off during the Windows 8 Express Settings setup, the setup path recommended for users. During setup, users are also presented with a Customize option where DNT can be shut off. Microsoft chief privacy officer Brendon Lynch wrote a blog post a month ago explaining how users would discover DNT and said users would get a prominent notice that DNT is on during the Express setup.
“By providing a simple experience that allows customers to set their preferences, we’ve sought to balance ease of use with choice and control,” Lynch wrote. “The recommended Express Settings are designed to expedite and streamline the overall set-up process, and, if selected, generally improve a customer’s privacy, security, and overall experience on the device.”
Proponents say the user implicitly makes a choice to enable DNT by using IE 10. Fielding said Microsoft, a member of the Tracking Protection Working Group, deliberately violates the standard and that machine-generated preferences should be ignored.
“The decision to set DNT by default in IE10 has nothing to do with the user’s privacy. Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one,” Fielding wrote. “You can figure out why they want that. If you have a problem with it, choose a better browser.”
Mozilla’s Firefox browser defaults to no user choice, while Google Chrome does not support DNT, although there is a Google extension that will support the feature.
“DNT allows for a conversation between the person sitting behind the keyboard and the site that they want to visit. If DNT is on by default, it’s not a conversation. For DNT to be effective, it must actually represent the user’s voice,” wrote Alex Fowler, privacy and public policy lead for Mozilla. “We introduced DNT to do just that: to give users a voice and let them tell sites that they don’t want to be tracked. We did this before knowing exactly how sites and advertisers would respond, and we still believe this is the most effective way for DNT to work.”