Apache Web Servers To Ignore IE10 Privacy Preference?
A proposal from Apache to actively ignore a key privacy feature (‘Do Not Track’) of Microsoft’s new IE10 browser could be a serious blow to IE10 privacy.
Do Not Track (DNT) is a proposed web standard that allows you to let a website know you would like to opt-out of third-party tracking for purposes including behavioral advertising.
It does not block ads but may change the type of ads you see – instead of behavioral ads (targeted to your interests, based on the websites you visit and search terms used) you may see generic ads (not targeted, could be for anything).
Personally I’m not a huge fan of DNT – if I’m going to see ads I’d rather see ones that are targeted e.g. if I’ve been viewing lots of sports websites I’d much prefer an ad for sport to an ad for cooking… Note that the DNT standard is not finalized yet and it is not obligatory for websites to honor it – even if you opt into the feature they can ignore it.
IE10 enables DNT by default. This appears to violate the proposed standard which states that “a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed”.
As IE10 Express installation settings turn on DNT by default, Microsoft may be failing to adhere to the standard – and Apache are miffed. Apache co-founder Roy Fielding has submitted a change request entitled “Apache does not tolerate deliberate abuse of open standards” in which Apache would ignore the DNT preference for all IE10 users.
Even if a user specifically enables DNT in IE10’s Customize installation settings, Apache web servers would ignore it and allow the website to track the user anyway.
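The effect described above, modelled in Python as an added example (not code from the original post or from Apache): the server drops the DNT header whenever the User-Agent looks like IE10, so a deliberate opt-out and the Express default become indistinguishable to the site. The `MSIE 10.0;` match rule, the function names and the sample User-Agent strings are assumptions constructed for illustration.

```python
import re

# Assumption: IE10 is recognised by this User-Agent token; the page does not
# give the exact match rule used in the change request.
IE10_UA = re.compile(r"MSIE 10\.0;")


def strip_dnt_for_ie10(headers):
    """Model of the proposed server behaviour: drop DNT when the UA is IE10."""
    out = dict(headers)
    if IE10_UA.search(out.get("User-Agent", "")):
        out.pop("DNT", None)
    return out


def tracking_preference(headers):
    """What a site behind the server sees: 'opt-out', 'consent' or 'unset'."""
    value = headers.get("DNT")
    if value == "1":
        return "opt-out"
    if value == "0":
        return "consent"
    return "unset"  # no header, or a value the draft does not define


# Constructed sample requests (User-Agent strings shortened for readability).
IE10 = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0"
REQUESTS = {
    "IE10, Express default": {"User-Agent": IE10, "DNT": "1"},
    "IE10, user chose DNT": {"User-Agent": IE10, "DNT": "1"},
    "Firefox, user chose DNT": {"User-Agent": FIREFOX, "DNT": "1"},
    "Firefox, setting untouched": {"User-Agent": FIREFOX},
}


def compare(requests):
    """Return {label: (preference as sent, preference after the server rule)}."""
    return {
        label: (tracking_preference(h), tracking_preference(strip_dnt_for_ie10(h)))
        for label, h in requests.items()
    }


if __name__ == "__main__":
    for label, (sent, seen) in compare(REQUESTS).items():
        print(f"{label:28} sent={sent:8} seen by site={seen}")
```

Both IE10 rows send the same header and both end up as `unset`, while the Firefox opt-out passes through unchanged.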
Do Not Track in Other Browsers
Firefox supports the DNT feature but it is an optional setting (as it should be) – users have to specifically enable it. You can enable it via Firefox Options \ Privacy and select/tick ‘Tell websites I do not want to be tracked’.
Chrome itself does not currently have built-in DNT support. You can enable it by installing the Do Not Track extension here. Safari and IE9 (not IE8) support the DNT feature and, again, it is an optional setting which users have to specifically enable.
Tip: you can check if DNT is enabled in your browser by visiting the DNT test website here.
Microsoft are mostly to blame for this impasse by appearing to purposely subvert the proposed open web standard – IE10 is the only browser to make DNT the default option for users, eliminating user choice.
In their defense, it could be argued that the default setting in IE10 is better for user privacy – most users would never find/bother with enabling DNT if it was only an option hidden away in the menus.
However, that defense is weak – if Microsoft want to change the behavior they should argue their case in the Tracking Protection Working Group (of which Microsoft are a member) which oversees the DNT standard, not go it alone and ignore it.
Apache are also partly to blame for looking to ignore all DNT options in IE10 – even if the user specifically enabled it. Theoretically this is not good for user privacy and there is no (easy) way for a user to know if a website uses Apache or not.
In practice, Apache’s stance is not as harsh as it looks because the proposed standard is not obligatory – all websites can choose to ignore it anyway.
The Future Of DNT
The DNT standard has been effectively neutered as website compliance is already optional and the setting is not supposed to be enabled by default.
The cynical would argue that the ad industry know that only a tiny minority of users will ever find and enable the DNT setting if it is buried in menu options – so they can honor its use and look good for doing so.
However, if the DNT setting were to become enabled by default – in multiple browsers – I’m pretty sure that most websites would opt to completely ignore it.
Why? Because so many websites depend on ads for their funding – and behavioral ads (via tracking) generate much higher revenue than generic ads (no tracking). It stands to reason that if website revenues plummet the sites would either close down or revert to tracking users.
Personally I side with Apache on this one – Microsoft’s policy may be intended to enhance privacy but, for websites on Apache servers, it will have the opposite effect.
Even if Apache did nothing, Microsoft’s pushing of DNT as a default option only makes it more likely that the DNT standard will be abandoned and that ad-funded websites will ignore it on all browsers – just to stay in business.