The Apache Foundation oversees the world’s most popular web server – Apache serves more than 50% of all the world’s websites.
So a proposal from Apache to actively ignore a key privacy feature (‘Do Not Track’) of Microsoft’s new IE10 browser could be a serious blow to IE10 privacy.
Do Not Track (DNT) is a proposed web standard that allows you to let a website know you would like to opt-out of third-party tracking for purposes including behavioral advertising.
It does not block ads but may change the type of ads you see – instead of behavioral ads (targeted to your interests, based on the websites you visit and search terms used) you may see generic ads (not targeted, could be for anything).
Personally I’m not a huge fan of DNT – if I’m going to see ads I’d rather see ones that are targeted e.g. if I’ve been viewing lots of sports websites I’d much prefer an ad for sport to an ad for cooking… Note that the DNT standard is not finalized yet and it is not obligatory for websites to honor it – even if you opt into the feature they can ignore it.
IE10 enables DNT by default. This appears to violate the proposed standard which states that “a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed”.
As IE10 Express installation settings turn on DNT by default, Microsoft may be failing to adhere to the standard – and Apache are miffed. Apache co-founder Roy Fielding has submitted a change request entitled “Apache does not tolerate deliberate abuse of open standards” in which Apache would ignore the DNT preference for all IE10 users.
Even if a user specifically enables DNT in IE10’s Customize installation settings, Apache web servers would ignore it and allow the website to track the user anyway.
Do Not Track in Other Browsers
Firefox supports the DNT feature but it is an optional setting (as it should be) – users have to specifically enable it. You can enable it via Firefox Options \ Privacy and select/tick ‘Tell websites I do not want to be tracked’.
Chrome itself does not currently have built-in DNT support. You can enable it by installing the Do Not Track extension here. Safari and IE9 (not IE8) support the DNT feature and, again, it is an optional setting which users have to specifically enable.
Tip: you can check if DNT is enabled in your browser by visiting the DNT test website here.
Political Games
Microsoft are mostly to blame for this impasse by appearing to purposely subvert the proposed open web standard – IE10 is the only browser to make DNT the default option for users, eliminating user choice.
In their defense, it could be argued that the default setting in IE10 is better for user privacy – most users would never find/bother with enabling DNT if it was only an option hidden away in the menus.
However, that defense is weak – if Microsoft want to change the behavior they should argue their case in the Tracking Protection Working Group (of which Microsoft are a member) which oversees the DNT standard, not go it alone and ignore it.
Apache are also partly to blame for looking to ignore all DNT options in IE10 – even if the user specifically enabled it. Theoretically this is not good for user privacy and there is no (easy) way for a user to know if a website uses Apache or not.
In practise, Apache’s stance is not as harsh as it looks because the proposed standard is not obligatory – all websites can choose to ignore it anyway.
The Future Of DNT
The DNT standard has been effectively neutered as website compliance is already optional and the setting is not supposed to be enabled by default.
The cynical would argue that the ad industry know that only a tiny minority of users will ever find and enable the DNT setting if it is buried in menu options – so they can honor its use and look good for doing so.
However, if the DNT setting were to become enabled by default – in multiple browsers – I’m pretty sure that most websites would opt to completely ignore it.
Why? Because so many websites depend on ads for their funding – and behavioral ads (via tracking) generate much higher revenue than generic ads (no tracking). It stands to reason that if website revenues plummet the sites would either close down or revert back to tracking users.
Conclusion
Personally I side with Apache on this one – Microsoft’s policy may be intended to enhance privacy but, for websites on Apache servers, it will have the opposite effect.
Even if Apache did nothing, Microsoft’s pushing of DNT as a default option only makes it more likely that the DNT standard will be abandoned and lead to ad-funded websites ignoring it on all browsers – just to stay in business.
[Via Sophos]
Thank you for replying to my comments Roy. We could bat disagreements to and fro with this, which while I am happy to do, I am sure you dont have the time.
I cant resist responding to a couple of things you said, however.
Regarding the analogy of being tracked irl, yes banks know our purchases but that allows us to contest irregularities or mistakes surrounding our purchase, it is in our interest for them to hold such information.
In the scenario I presented I would be equally disgruntled if my real world activities, behaviour, interests etc were monitored but tied to me by something other than my individual identity.
I confused the issue somewhat by mentioning Apache. Yes, I see your point that autochecking the option goes against the principle you mentioned which dictates a user must make a choice to protect their identity and this gives Apache some leeway to ignore.
Somewhere my point is that I tend to believe that privacy should be protected by default and that sites should encourage users transparently to concede privacy to greater or lesser extents on a site by site basis.
In a final analysis I would probably relinquish a great deal of the control over my privacy which I spend so much time trying to hold on to if I was honestly, clearly and simply told the implications of how tracking and information sharing is to be carried out.
I tend to feel the whole system is geared up to cheat and lie about their intentions. For instance, while I didnt even know that this ‘active choice to protect’ policy existed (who decided upon that incidently I wonder) it seems to me that websites ignore those ‘active choices’ anyway.
I disable all cookies except session cookies in FF. I assume this rules out all tracking cookies by definition. Yet I also have the Ghostery extension installed. This is CONSTANTLY preventing tracking cookies from running, and this includes reputable websites. Now I have written all this I realise I need to try Ghostery when ALL cookies have been blocked, including session cookies.
I have digressed into another issue here, albeit the closely-related question of “how do we know if our requests are being listened to about privacy and how to look out for signs they arent” so apologies for that.
What you concerns me now is when I tell my browser to implement a privacy measure, is it the browser preventing a breach of privacy by the wrbsite or the site respecting my wishes as explained to.it by my browser.
Hi TB, ‘tracking’ cookies can still be session cookies – explains why Ghostery is kept busy ;-)
The Standard rules are drawn up by the committee which includes MS, Google, tech and ad companies etc – if they were too strict I guess the ad companies would just pull out so the option has to be voluntary to keep them onboard.
From a consumer view I do agree with you on privacy but, with my webmaster hat on, I probably see behavioral ads as a price to be paid for a mostly ‘free’ lunch/internet – without them sites like ours would struggle to pay the bills and even large sites like online newspapers could fold or flee behind a paywall a la NY Times
I totally disagree with you here. If I go out in to the big wide world, I would be horrified to discover someone has been following me to disciver my habits. It w be outrageous, and I feel entirely the same about what I do online. It irks me and always has irked me to have to learb how to protect my privacy online. The DNT feature is a great idea. Your argument, and Apache’s stance, puts website revenue above privacy which is something I dont understand.
But websites do not have to honor DNT so enabling it by default in IE10 not only fails to comply with the standard but also provides an excuse for websites to ignore DNT totally, as Apache servers will do.
The ‘privacy’ of DNT is illusory as tracking does not identify you as an individual, unlike your analogy of someone following you – or when you use a credit/loyalty card in the shops. We don’t object to our bank knowing every transaction we ever make so, to me, it’s not of great concern that a website can determine that a particular IP address likes Sports sites and shows a sports ad to that IP?