Apache Blocks IE 10 Do Not Track Privacy Setting

The co-founder of the Apache HTTP Server Project is under fire for a patch that instructs the world’s most popular Web server to ignore the Do Not Track privacy setting enabled by default in Internet Explorer 10.

Do Not Track is a specification under consideration by the W3C and under development by its Tracking Protection Working Group; it defines a header sent with each browser request that permits or denies tracking by online ad networks. Roy T. Fielding, whose day job is principal scientist with Adobe, submitted the patch last week that instructs Apache to ignore DNT on IE 10, which will ship with Microsoft Windows 8. Apache is the world’s most widely deployed Web server (59.4% market share, according to Netcraft). The DNT spec’s intent is to put a privacy-related choice in the user’s hand; Fielding argues that DNT on by default is counter to the spec and represents a machine’s choice versus a user’s.

“The only reason DNT exists is to express a non-default option. That’s all it does,” Fielding wrote on Github. “It does not protect anyone’s privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.”

The issue has become divisive because Fielding’s patch also would impact users who purposefully chose to enable DNT during a custom setup, for example, thus ignoring those settings.

Microsoft, however, counters that the user is presented a choice to shut DNT off during the Windows 8 Express Settings setup, which is the recommended course of action for users. During setup, users are also presented with a Customize option where DNT can be shut off. Microsoft chief privacy officer Brendon Lynch wrote a blog post a month ago explaining how users would discover DNT and said users would get a prominent notice that DNT is on during the Express setup.

“By providing a simple experience that allows customers to set their preferences, we’ve sought to balance ease of use with choice and control,” Lynch wrote. “The recommended Express Settings are designed to expedite and streamline the overall set-up process, and, if selected, generally improve a customer’s privacy, security, and overall experience on the device.”

Proponents say the user implicitly makes a choice to enable DNT by using IE10. Fielding said Microsoft, a member of the Tracking Protection Working Group, deliberately violates the standard and that machine-generated preferences should be ignored.

“The decision to set DNT by default in IE10 has nothing to do with the user’s privacy. Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one,” Fielding wrote. “You can figure out why they want that. If you have a problem with it, choose a better browser.”

Mozilla’s Firefox browser defaults to no user choice while Google Chrome does not support DNT; there is a Google extension that will support the feature.

“DNT allows for a conversation between the person sitting behind the keyboard and the site that they want to visit. If DNT is on by default, it’s not a conversation. For DNT to be effective, it must actually represent the user’s voice,” wrote Alex Fowler, privacy and public policy lead for Mozilla. “We introduced DNT to do just that: to give users a voice and let them tell sites that they don’t want to be tracked. We did this before knowing exactly how sites and advertisers would respond, and we still believe this is the most effective way for DNT to work.”


  • Anonymous on

    I thought we would have some a hole sites that would ignore the IE10 DNT. I had the choice during installation and set DNT on. I also use the free DNT+ from Abine.com which nukes a lot of this advertising crap anyway. Coincidentally, because it stops a lot of ads from actually downloading, it gives you faster browsing.

  • Anonymous on

    Like I've said many times before, you can't let the fox guard the henhouse. Just another reason I use DNT+ from Abine.com....

  • Cesar Figueiredo on

    I also use DNT+ and I don't want to be prevented from being able to avoid being tracked. It is everybody's right. If it becomes a standard default, it will be even better (safer) for the users. I don't think anyone likes being tracked. Of course, many people are worried about their incomes as ad broadcasters, for such an activity supports their free software. It is understandable, but, as privacy is priceless, I also think it's better to pay something for having privacy than browsing while strangers are following all your steps as shadows. 

  • Anonymous on

    Well, you can also leave it on and make a list of all the ads and make sure you never patronize those places.

  • Anonymous on

    Some posters here seem to be confused about DNT v. ad blocking, which are not one and the same.

  • Anonymous on

    Explorer's default setting does not deny choice; it is simply a recognition of the power of default settings, which advertisers understand well (and have used to their advantage).  To call it a "false signal" is disingenuous. 

  • Koios on

    If anyone believes that someone with serious(tm) money on the line would follow an optional field header in a browser if they didn't /have/ to: I have a bridge I want to sell you.

  • Sandro kensan on

    If you have a problem with it, choose a better browser.


  • EJ on

    Hey Roy T. Fielding,

    So you're telling me that for every web session initiated by a user, there's a human on the other side of the Apache web server, who is setting a switch to tell the web server to track each individual web session that comes along?  Your logic tells me it can't be done automatically or by a machine or application, because as you say, it doesn't count unless these track and don't-track decisions were made "by a real human being".  That logic should be applicable to both sides, not just the consumer's.

    This might just resolve the unemployment rate, as all you website owners are going to have to put a body deciding to track each session that's requested from your Apache web server.

  • 0xRiddle on

    What kind of power user still uses IE anyway ???

  • Mairead on

    Firefox does not default to "no user choice", it defaults to "nothing chosen yet".

    Bad wording on the writer's part.

  • Anonymous on

    Apache is open source.  What stops companies from mod-ing it and taking out the privacy protections anyhow?  We cannot trust others to protect our privacy.  It is clear that sellouts are everywhere.  We each need to install active client components to protect our privacy.  And to audit them to ensure their operation:  Put wireshark on your line.  Your browser is already probably feeding all your browsing to google under the rubric of "safe-browsing".  You need to get educated and check these things yourself.

    And screw Apache.  I'm deeply unimpressed by the greed-heads on the team.
