EU regulators side with Microsoft in IE10's 'Do Not Track' controversy

They also want all browsers to prompt users to set their privacy choice

European regulators have urged an Internet standards-setting body to let Microsoft set users' preferences for the "Do Not Track" privacy feature in the upcoming Internet Explorer 10 (IE10).

But the European Commission also asked the World Wide Web Consortium (W3C) to require browser makers to present Do Not Track (DNT) options to users when they first install or run a browser, and allow them to change the default.

"The standard should foresee that at the install or first use of the browser the owner should be informed of the importance of their DNT choice, told of the default setting and prompted or allowed to change that setting," Robert Madelin, who heads the European Commission's Information Society and Media Directorate-General, said in a Thursday letter to the W3C.

Madelin's suggestion was the Commission's first public reaction to Microsoft's surprise announcement last month that IE10 will have DNT switched on by default.

On May 31, the same day that it released Windows 8 Release Preview, Microsoft's chief privacy officer said that IE10, the browser bundled with Windows 8 and its tablet offshoot Windows RT, would have DNT on by default because the company "believe[s] in people first."

The W3C, however, has opposed Microsoft's move.

In a draft of the standard published shortly after Microsoft's announcement, the W3C group working on DNT said users must express their preference, and that a browser maker could not do it for them.

That meant if Microsoft did not change its mind, or if the W3C did not back down, Microsoft would not be able to claim it supports the standard. Some in the W3C group, primarily online advertisers, wanted even harsher anti-Microsoft language in the standard that would let websites ignore IE10's DNT request because users had not been forced to make the choice themselves.

Mozilla, the maker of Firefox, has backed the idea that only users can turn on DNT.

Do Not Track is a browser feature that signals whether a user wants online advertisers and websites to track his or her movements. All five major browsers -- Chrome, Firefox, Internet Explorer, Opera and Safari -- can send a DNT signal.

Madelin said that IE10's on-by-default setting shouldn't be an issue.

"It is not the Commission's understanding that user agents' factory or default setting necessarily determine or distort owner choice," said Madelin. "The specification need not therefore seek to determine the factory setting and should not do so, because to intervene on this point could distort the market."

Some pundits have argued that Microsoft set DNT on by default as a way to separate IE10 from rivals, while others have speculated that the move was an attack against Google, which makes the bulk of its revenue from targeting ads that rely on user tracking.

Congress and the U.S. Federal Trade Commission (FTC) also waded in on IE10 and Do Not Track as the W3C met in Bellevue, Wash., last week to continue hammering out the standard.

Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas), the co-chairs of the House privacy caucus, sent a letter of their own to the W3C last Tuesday, pressing for a change in its stance on IE10.

"We believe that browsers which default to Do Not Track provide consumers with better control and choice with respect to their personal information," Markey and Barton said. "We call on W3C participants to make the protection of consumer privacy a priority and support Microsoft's announcement by endorsing a default Do Not Track setting."

One of the FTC's commissioners, however, disagreed with the congressmen.

"Microsoft's default DNT setting means Microsoft, not consumers, will be exercising choice as to what signal the browser will send," wrote J. Thomas Rosch in his letter to the W3C on Thursday.

The European Commission's idea that browsers should prompt users for their DNT choice has been considered by at least two browser makers, according to Jonathan Mayer, a researcher at Stanford's Center for Internet and Society (CIS). Mayer is one of two Stanford students who devised the HTTP header concept used by browsers to signal a user's DNT decision.

The W3C's DNT group has discussed the so-called "first-run" option, said Mayer in an interview earlier this month.

That solution is reminiscent of the deal the EU struck with Microsoft in 2009 that required the U.S. developer to show a browser ballot dialog box in Windows to offer Europeans multiple alternatives to IE.

Microsoft must include the ballot in Windows 8 when it launches this fall to give users in the EU a chance to download and install browsers other than IE10.

The European Commission's urging of a first-run DNT prompt could signal that it takes the privacy setting as seriously as browser competition, and that it may push aggressively for the choice dialog.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.