Privacy experts criticize moves to sidestep IE10's default Do Not Track settings

When it comes to consumers' rights to control their own browsers, everybody wants to sound like they're pro-choice. But with many millions of advertising dollars on the line, the definition of pro-choice tends to align with the financial interests of those doing the defining.

That probably goes a long way toward explaining why software giant Microsoft and web services including Adobe, the Apache Foundation and Yahoo are at odds regarding the Do Not Track (DNT) feature of Microsoft's Internet Explorer 10 (IE10), which comes with the release of Windows 8.

They all say consumers should have a say over the level of privacy they want, in the form of choice about whether or not they want their browsing activities tracked, which allows ad networks to display targeted advertising on websites they visit.

But so far, there haven't been any loud complaints from advertising advocates about a lack of choice in systems (including Apple's iOS 6) that have tracking enabled by default. It is when it is disabled by default -- as is the case with IE10 -- that "choice" becomes a very hot button.

Not only are Apache, the Internet's most widely used webserver application, and others complaining, some are deploying patches to override DNT signals from IE10.

Microsoft prominently presents the option for users to enable tracking during the Windows 8 setup. But that is not enough for Roy T. Fielding, principal scientist at Adobe and co-founder of the Apache HTTP Server Project.

Fielding submitted a patch that instructs Apache to ignore the DNT setting, arguing on GitHub that it amounts to a "false signal" because there is no way to tell if DNT is the choice of the consumer or Microsoft.

Microsoft's response has been to say that since consumers are offered the option to turn tracking on, a consumer who leaves that and other defaults as they are (off) is assenting to them.

Fielding countered in his post: "The only reason DNT exists is to express a non-default option. It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization."

He added that Microsoft is deliberately violating the standard set by the Tracking Protection Working Group of the W3C (World Wide Web Consortium) and "knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one."

Fielding is not alone. Yahoo issued a policy in a blog post last week, saying it would also ignore Microsoft's "unilateral" decision to have DNT on by default, because it "degrades the experience for the majority of users and makes it hard to deliver on our value proposition to them. It basically means that the DNT signal from IE10 doesn't express user intent."

Those arguments don't convince privacy experts. Lee Tien, a senior staff attorney for the Electronic Frontier Foundation, notes that contrary to Fielding's assertion about Microsoft violating the W3C standard, "there is no standard yet," since it is still under development.

And Tien said the argument against defaults "rings a bit hollow," noting that "browsers, apps, OSes -- all of them have lots of defaults."

Chester Wisniewski in Sophos' Naked Security blog this week criticized Yahoo's decision, saying Internet Explorer 10 users have expressed their preference to not be tracked. "The do-not-track setting is clearly and explicitly stated during installation and is a clear expression of the user's choice to not be tracked," he wrote.

Michael Cherry, lead analyst for operating systems at Directions on Microsoft, also finds the complaints from advertising advocates about "consumer choice" to be disingenuous. He noted that too often browsers make it complicated and difficult to opt out of tracking.

"I have to know that I have to find it (the tracking option) in the control panel of the browser. I have to find out what tab it's under. And then I have to worry that the web site is even going to honor it," he said.

Cherry said he believes another, larger issue is that most people do not understand the depth of tracking. "I'm stunned by how invasive some of this is," he said. "There is a lack of transparency as to how big a profile they have on me and how long they keep it."

Cherry said any one bit of information, such as where somebody lives, might not be terribly invasive. But when every move on the web is tracked, including visits to sites having to do with medical conditions or other personal information, that can be used for more than just targeted ads.

Mozilla said it tries to balance privacy concerns with personalization in its Firefox browser. Alex Fowler, leader of privacy and public policy at Mozilla, wrote in a blog post last May that "there are three different signals to consider in broadcasting the user's preferences for tracking." Those are, he wrote, to accept tracking, to reject it, or no choice.

He said the Firefox default is the "no choice" option, "so we're not sending any signals to servers."

But that means tracking is more likely than not. In response to questions about it, a Mozilla representative said in an email that if a user does not make a choice, "the browser and advertisers will continue to operate as usual," meaning that "the decision to track is made by the website being visited."

Both Cherry and Tien say there should not be a default -- that the consumer should be required to make a choice, and the choice ought to be simple and obvious.

Cherry said if those with a stake in tracking really care about choice, "Why not just have an icon like a shoe, visible at the top of the browser window, so you know where it is and it's readily changeable. If you choose DNT, then there's an X over the shoe."

"Put [the option] right in your face," Cherry said.
