Apache Foundation creates firestorm over user privacy choices [POLL]

Filed Under: Adobe, Featured, Internet Explorer, Microsoft, Privacy

Creative Commons photo of tracks in the snow courtesy of Pöllö

The Apache Foundation, which oversees httpd, the world's most popular web server, has decided to ignore an important privacy setting for users of Microsoft's upcoming Internet Explorer 10 browser.

This feature, known as Do Not Track (DNT), allows users to express their preference to not be tracked by online advertising networks through the use of a header the browser sends every time you visit a website.

Implementing something as politically charged as DNT was going to be an uphill battle to begin with. The advertising industry is fighting a very delicate battle to find a way to avoid government regulation, yet still be able to track most users to support their existing revenue models.

In fact, the senior privacy counsel for the largest online advertising company, Google, was quoted as saying:

"I don’t know what a do-not-track header is, I don’t know what it means."

I suppose that it is no surprise, then, that the only major browser without explicit support for DNT is Google's Chrome. Chrome users can install an extension if they wish to take advantage of the feature, though.

So back in May, Microsoft's announcement that it would enable the Do Not Track (DNT) header by default in Internet Explorer 10, which ships with Windows 8, placed the entire standard at risk before it was even agreed upon as a standard.

The controversy centers around this key point: The concept behind DNT, according to the Tracking Protection Working Group (TPWG), of which Microsoft is a member, is to represent a user's preference:

"Key to that notion of expression is that it MUST reflect the user's preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control. The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed."

It goes on to clarify exactly how it should be implemented:

"A user agent MUST offer users a minimum of two alternative choices for a Do Not Track preference: unset or DNT:1. A user agent MAY offer a third alternative choice: DNT:0.

If the user's choice is DNT:1 or DNT:0, the tracking preference is enabled; otherwise, the tracking preference is not enabled."

Arguably, this means a browser cannot force a choice on the user; rather, it must default to "unset." If the user later explicitly chooses whether or not to be tracked, this preference will then be transmitted to websites the user visits.

From the messages below, does it appear Microsoft is letting the user choose, or are they noncompliant with the TPWG proposed standards?

Windows 8 Express Settings for DNT

And if you choose Customize:

Windows 8 Customize privacy settings

Adding fuel to the fire, Adobe's Roy Fielding, a co-founder of the Apache HTTP Server Project, submitted a patch for httpd titled "Apache does not tolerate deliberate abuse of open standards," which instructs the Apache web server to ignore tracking preferences for users browsing with IE 10.

While this appears to be a stab at Microsoft for what Roy believes is a subversion of the intent of the agreed-upon standard, what it really does is put users at risk.

If I were using IE 10 and I explicitly chose the Do Not Track option, I would be extremely concerned if I discovered my preference was being ignored because of a political dispute.

Many social media users were pinning this decision on Adobe, so I contacted Wiebke Lips, Sr. Manager, Corporate Communications at Adobe. Lips responded in part:

"For your background, releasing this patch was a decision made by Apache, not Adobe. Roy Fielding wears multiple hats. His involvement on this patch relates to his work wearing his Apache hat."

She continued:

"In terms of the Tracking Protection Working Group and the DNT standard, Adobe believes that DNT should reflect a privacy choice by the consumer. Microsoft’s current settings eliminate that choice."

So it appears that Roy, Adobe, Apache and even Mozilla fault Microsoft in this dispute. Where do you stand on the issue?

And don't just cast your vote; tell us why you made your choice by leaving a comment below.

Thanks for sharing your point of view!



28 Responses to Apache Foundation creates firestorm over user privacy choices [POLL]

  1. Robby · 741 days ago

    I'd have voted "no one" but the logic in the explanation is wrong. Microsoft is wrong because they are, in fact, subverting the standard. Too many users will *not* read the list of things that are defaults (please note also that they *will* give out location and other personal info by default, how is that OK?). However, Apache is wrong to outright ignore the header. Neither of these is related to how advertisers behave. I finally voted that apache/adobe/mozilla are more right because ms is undermining the standard, and this is a way to push back.

  2. James · 741 days ago

    I tend to think shame on all of you. I think the revenue sharing setup has more to do with this than anything else but;

    Microsoft shame on you, please add an option in I.E. 10 settings that it will save site preferences and ask me when I visit a new site what I want to do? I appreciate you going with DNT out of the box. I have grown tired of default open... it is really default got you at this stage!!

    Google, Apache httpd, you are the big losers on this one. By applying your patch you have eliminated the user's choice, same as MS, and created a safety issue for users that believe they are not being tracked. Nice job!

    As always guys (All of you) thanks for dragging the whole industry through the deep end of the outhouse. It would be nice if both sides could think about user safety and choice and less about advertising revenue models. Create a safe place to work, play, and spend on the intertubes and watch what will happen!!

  3. Vampaerus · 741 days ago

    Assuming there is no override setting that web admins can use to change Apache's default behavior of ignoring the setting? If so, Apache is also screwing over its real customers in favor of forcing the political hubris. Regardless of Apache's opinion on the matter, I wouldn't want any site I admin to be found ignoring my users' wishes. If I have to switch to NGINX or something else to do so I will.

    • Chester Wisniewski · 741 days ago

      It is a simple default configuration change. The following lines were added to httpd.conf:

      <IfModule setenvif_module>
      BrowserMatch "MSIE 10.0;" bad_DNT
      </IfModule>
      <IfModule headers_module>
      RequestHeader unset DNT env=bad_DNT
      </IfModule>

      A website operator that wishes to use Apache AND respect DNT from IE 10 users can simply comment out the above lines.
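The draft's three-state preference quoted earlier in the article (unset, DNT:1, DNT:0) and the effect of the two httpd.conf stanzas above can be modelled together. This is an added example, not code from the article, from Apache httpd or from Microsoft; the request dictionaries and User-Agent strings are constructed samples.

```python
"""Model of how a DNT-honouring site sees the DNT header, with and without
the bad_DNT stanzas from the httpd patch discussed above.

Added example (not Apache's or the article's code). Requests are plain
dicts of header name -> value; the samples at the bottom are constructed.
"""
import re

UNSET = "unset"  # no DNT header, or a value the TPWG draft does not define


def parse_dnt(headers: dict) -> str:
    """Return 'unset', '1' or '0' per the TPWG draft quoted in the article.

    The draft only defines DNT:1 and DNT:0; a missing header or any other
    value means no preference was expressed. Field names are matched
    case-insensitively, as HTTP header names are.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            v = value.strip()
            return v if v in ("0", "1") else UNSET
    return UNSET


def preference_enabled(pref: str) -> bool:
    """'If the user's choice is DNT:1 or DNT:0, the tracking preference is
    enabled; otherwise, the tracking preference is not enabled.'"""
    return pref in ("0", "1")


def apply_bad_dnt_patch(headers: dict) -> dict:
    """Reproduce the two httpd.conf stanzas from the patch:

        BrowserMatch "MSIE 10.0;" bad_DNT
        RequestHeader unset DNT env=bad_DNT

    BrowserMatch is a regular-expression match against User-Agent, so the
    same pattern is used here. Returns a new dict; the input is untouched.
    """
    ua = next((v for k, v in headers.items() if k.lower() == "user-agent"), "")
    if re.search(r"MSIE 10.0;", ua):
        return {k: v for k, v in headers.items() if k.lower() != "dnt"}
    return dict(headers)


def tracking_allowed(headers: dict, patched: bool) -> bool:
    """Decision a DNT-honouring application makes: track unless DNT:1 arrives.

    `patched` selects whether the bad_DNT stanzas run in front of the app.
    """
    seen = apply_bad_dnt_patch(headers) if patched else headers
    return parse_dnt(seen) != "1"


# Constructed sample requests; the User-Agent strings are illustrative only.
IE10_DNT1 = {
    "User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
    "DNT": "1",
}
OTHER_DNT1 = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0", "DNT": "1"}
NO_DNT = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"}

if __name__ == "__main__":
    for label, req in (("IE10 DNT:1", IE10_DNT1), ("other DNT:1", OTHER_DNT1), ("no DNT", NO_DNT)):
        print(f"{label:12} unpatched tracks={tracking_allowed(req, False)!s:5} "
              f"patched tracks={tracking_allowed(req, True)}")
```

The IE10 row is the case the article objects to: an explicit DNT:1 reaches the server but the application never sees it, so the site behaves exactly as if no preference had been sent.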

  4. Steve Powers · 741 days ago

    Robby, whether or not Microsoft is subverting the standard is irrelevant - it is still a user choice in that they choose to use IE. Apache/Adobe is not only wrong, but stupidly so.

    To put it in simpler terms, how would you feel if you went to a restaurant and ordered your steak "blue", but when it arrived it was "well done" because the management had decided that serving it blue was bad for their image? - This is basically what Apache/Adobe are doing (and it doesn't matter what hat Roy Fielding is wearing - it's just weasel words by a severely embarrassed PR manager)

  5. John · 741 days ago

    I think it's a great idea, however Microsoft shouldn't put it as default on their express settings but rather a totally separate setting altogether, so whichever the user chooses (express or customize), they will still be prompted to either turn DNT on or off. That way users would only have to read one set of instructions, which most of them would have to read since they have to choose between either leaving it on or off. Although, even if it was left on by default, there's not a whole lot of users who use IE anymore anyways.

  6. Guy Pace · 741 days ago

    I agree with Powers.

    From what I see, Microsoft is offering the user an opportunity to make a choice. So, I don't see Fielding's issue. However, consider that we are talking about the average user looking at the install and operation of IE 10 (or whatever browser they may be using). The option must be provided to the user in plain language. This text:

    "A user agent MUST offer users a minimum of two alternative choices for a Do Not Track preference: unset or DNT:1. A user agent MAY offer a third alternative choice: DNT:0.

    If the user's choice is DNT:1 or DNT:0, the tracking preference is enabled; otherwise, the tracking preference is not enabled."

    Would make absolutely no sense and only confuse the average user. It looks very much like some of the language in some voter resolutions, the ones that require a "yes" vote to vote no, or a "no" vote to vote yes. Microsoft's option makes a clear statement to the user.

    Keep in mind users are the same folks who will continue to click on links in email and reply to phish, even after our continued effort to teach them it is bad. You have to make it easy and clear.

    It is in the advertiser's interest for the user to be confused and misconfigure the browser. It is in our interest to ensure users can make reasonable choices based on clear information.

  7. markstockley · 741 days ago

    I'd say the standard is wrong. The entire world is effectively DNT:0 at the moment since a vendor will behave the same way if they get no DNT information or an explicit DNT:0. So the standard isn't championing user preferences at all, it's championing the preference of Big Advertising - it assumes that de-facto everyone is opting in to being tracked.

  8. @JaytonGarnett · 741 days ago

    They're all at fault in some way or according to some reasoning, though I believe Microsoft have made the correct choice in the interests of everyday non-technical users, people like my mother who call me about her computing woes.

    The others are getting in a huff because Microsoft "broke" away from the standard - before it was finalized. I think the DNT Standard of having the setting defaulted to "unset" is the actual error; browsers should enable it by default to protect their users or ask them on first run. Get over it Apache, you bully.

  9. Dantiumpro · 741 days ago

    Apache should consider this: if just one user sets DNT:1 by a mechanism other than Express settings, or as Steve Powers suggests they have chosen IE for its default settings, they have wilfully ignored that user's preference.

    If Apache regard web standards as inviolable they should look to their own implementation first. I agree with the Sophos 'Dislike' t-shirt that says "Privacy by default" and if there is doubt as to whether that was my choice or the browser vendor, less harm can arise from assuming it was mine.

  10. Jim J · 741 days ago

    The irony of nakedsecurity to pen statements concerning tracking.

    DNT blocks 12 tracking attempts each time I visit. Twice as many as most other sites.

  11. Robert Witham · 741 days ago

    Who is wrong or right is a complicated question - as evidenced by earlier comments. That being said, here is my perspective.

    Microsoft is probably wrong to ignore the standard (but when don't they ignore the standard), though I believe they are right to act in the best interest of their users. The message does clearly say how the DNT setting will be configured.

    Adobe/Apache are perhaps technically correct in their assertion that Microsoft is not following the standard, and they are perhaps understandably annoyed. Nonetheless, their response is petty and puts their own agenda ahead of their users. This also makes them wrong.

    Advertisers, and the weak politicians who cater to their special interests, are the most wrong of all. This, by the way, is how I voted in the survey. Ultimately, I don't trust them to respect the setting anyway so the entire issue is probably moot.

    • Mike · 733 days ago

      Privacy is wholly subjective, hence there is no 'best interest' of any user with respect to privacy. Some people, myself included, actually value functionality (including advertising material that is relevant to my interests) over privacy to an extent. That's not to say I think that DNT should be turned off by default any more than you think it should be on.

      The point of the standard is to make sure that it is the USER who is deciding, i.e. there is no 'default' privacy stance. Since it is impossible to determine whether the user made the choice in IE, the tag is not standards compliant and should be ignored, just as any other non-standards-compliant behaviour should be. This action by Apache doesn't degrade privacy over what was in place before the standard was implemented. If Microsoft choose to implement the standard correctly, they can expect their users to reap the benefits of the DNT header. If they don't, then their users miss out until they do.

      It's interesting that the most ardent advocates of privacy-at-all-costs (Sophos, Bruce Schneier et al) also seem to take the opposite political bias when it comes to (national) security. While the two are related in specific circumstances (often in a mutually exclusive cause-and-effect type of dialogue), I find far more similarities between the two arguments in terms of approaching an inherently subjective opinion based on personal values, using objective language, as if there is only one correct stance to be taken on privacy, much as there is only one correct stance to be taken on national security. At best, it reduces the fundamental importance of the individual's values in vain hope of making a passing counterpoint to a long running debate.

      Whether I support strong privacy or not is irrelevant. It's that it is an individual choice that's important. Which is why I don't support a 'default' setting.

  12. Juergen · 741 days ago

    IE comes installed as the default browser in Windows - so there is a huge chance that people not clued in on privacy and security risks will use IE in default mode as their only web browser.

    Microsoft has an obligation to ALL of its customers to protect them against online threats. Anybody who actually takes an informed decision can then still disable DNT if they want to, but the default on ANY system should be FAILSAFE, not FAIL-UNSAFE.

  13. kevinkiley · 740 days ago

    There is no 'open standard' for 'Do Not Track'.

    The Tracking Protection Working Group (TPWG) at the W3C is simply a 'work in progress' and they haven't even reached the required 'Last Call' phase yet, or the other 'phases' that must come after that in order for the work to reach the 'Published Recommendation' status.

    Their original one-year length charter has already EXPIRED and they have been forced to renew it at least once already... and the new projected timelines don't have them reaching the 'Published Recommendation' status until April of 2013.

    So there is no way for any software maker to be accused of being 'non-compliant' with anything, at this point.

    The DNT 'Working Drafts' are still changing almost on a daily basis.

    There isn't anything to be 'non-compliant' WITH.

    Not yet, anyway.

    I would suppose Microsoft's lawyers would have a field day with this one fact alone. Windows 8 and IE10 are already 'out there', and if they can prove they are being 'damaged' by other software makers for supposedly not adhering to some imagined 'standard' that doesn't even officially exist yet... I wouldn't want to be on the receiving end of THAT lawsuit.

    • Ellie K · 740 days ago

      Good point, Kevin! The Adobe representative's comment was confusing to me, regarding the existence of a current Do Not Track standard. Also, the comment attributed to Roy Fielding of Adobe and Apache DID imply that the standard was established, given his submission about Apache "not tolerating deliberate abuse of open standards", with specific reference to Microsoft Explorer 10.

      However, @chester of Naked Security, who wrote the article, clearly knows that this is still a proposed standard! He is right. In light of that, I'm less certain about the importance of his question, at this point in time:
      "Does it appear Microsoft is letting the user choose, or are they noncompliant with the TPWG proposed standards?" How can Microsoft be non-compliant with a proposed standard? Especially one that is still not clearly formulated, that is:

      Required choices: Unset OR DNT:1
      Optional choice: DNT:0
      IF (DNT:0 OR DNT:1) THEN (tracking preference enabled = TRUE)
      ELSE (tracking preference enabled = FALSE)

      That is confusing. Also, an Unset tracking preference must be either TRACK or DO NOT TRACK. What is the alternative?

  14. Ellie K · 740 days ago

    The comment by Google Senior Privacy counsel Keith Enright was not recent. The date of the cited Wall Street Journal article is 14 May 2011. It isn't an article, rather, it is the Digits blog, and the quotation lacks context. Also, Keith Enright started working for Google in late March 2011, just a few weeks earlier.

    I remain puzzled about Mr. Enright's comment to WSJ Digits though. It DOES seem odd, regardless of any of the items I just mentioned, given that Keith Enright has security-related certifications and prior experience at other organizations, in the area of user privacy and compliance, see http://www.pli.edu/Content/Faculty/Keith_Enright/...

  15. Gary · 740 days ago

    For anyone that doesn't want to be tracked by advertisers I have one word for you people...

    AdBlock.

    Job Done.

  16. Marc · 740 days ago

    I think there is no wrong or right here, yet the basic intelligent informed human decision should still be honored: users want to avoid harm; as such, the standard should assume 'default on'.

    At the time the standard itself is bullocks, standard off is no user choice nor the outcome that one can assume from statistics and applying 'non greed driven' thinking at all. It's a freaking default defined by the ad companies and might be one of the reasons they more sooner than later will be hit by heavy legislation due to ignoring privacy basics in many countries, still sailing in 'happy digital grayland'.

  17. William A. Wheatley · 740 days ago

    The first company that provides a browser that not only expresses my *preference* that sites I visit not track me, but that actively blocks them from tracking me, gets my vote. When I go shopping at Macy's I don't want their store detective following me down the street to Toys R Us and then to Bloomingdale's to see what I look at.

  18. Gary Blackwell · 740 days ago

    Seems to me that the trackers would rather have DNT off by default and take advantage of user ignorance. Microsoft on the other hand, can't rightfully have it on by default either.

    I think if companies want to track people they shouldn't be working from the shadows. I think there should be some education involved. If people understood how those cookies on their computers were being looked at they might freak. Many people consider looking at anything on their computer as an intrusion on privacy. I think there should be another approach.

    In the spirit of transparency these cookies should be explained. People should know exactly how cookies work, how they are managed, and what the potential risks and benefits involved in tracking are. Companies could use this as an opportunity to offer incentives on tracking and give both the people and the corporations a choice in a very sensitive area of privacy.

  19. Doodle · 740 days ago

    As several have already stated, how can you be in violation of something proposed but not yet approved? Basically you can't. However, if you are on the committee that is proposing the standard, well.... then it is a little different when you are already going against the proposed standard. It leads me to believe that maybe the MS representative/s were against the initial (or current) proposition of having it off by default (the no user choice means no DNT).
    So where do I stand? To me, it just seems like common sense that DNT be on by default. I'm going to go out on a limb and bet that; if users were given a clear choice initially, and understood what having DNT on or off (assuming all sites adhered to it) meant, then an overwhelming majority would opt to have DNT on. If it either has to be on or off (no choice is still off), then shouldn't it be set to what the majority would select?
    Don't beat me up because I am making an assumption that most would want it on. Ask around, 20 or 30 people, and see what the majority say. I bet (another assumption) unless you work in a marketing group/company, the majority want it on.
    If the proposed standard goes through with it off by default, then the majority has lost in favor of those pushing the agenda. If MS voices their disagreement over the standard during this phase, by action or word, should they not be allowed to? If the majority agrees, shouldn't the proposed standard be changed?

  20. Nigel · 740 days ago

    I have to go with Microsoft on this one. I mean, jeez...for years Microsoft has been deservedly bashed for exposing users to all sorts of mischief via poorly conceived software products, and now that they're creating a default in favor of user privacy, they're getting ripped for it?

    Come on, Apache...pull your head out of your bottom throat. Sheesh...

  21. 21st Century · 740 days ago

    People still use IE?

  22. Walter Breen · 739 days ago

    If the computer industry refuses to recognize a DNT header, no matter how it is set, Congress will eventually step in and mandate that browsers, websites, and others recognize it. The resulting legislation setting statutory standards for technical matters will not only drive industry nuts, but it will open the door to more legislative fiddling. Any legislation here is guaranteed to screw over industry by opening a door that no one wants opened. Users will be hurt too.

  23. Freida Gray · 738 days ago

    When Microsoft first came out with DNT as the default in IE10 they did give users the option to turn DNT off.
    Because advertisers knew that most users choose the default settings to avoid a lot of work setting up their browser, they came up with what they saw as a way to get DNT turned off by default. That way they could continue to follow users around the web to show their ads on each site visited.
    Microsoft came up with a way that they thought would allow them to seem to "comply" with what the advertisers wanted while still keeping their default settings intact.
    Apache/Adobe/Mozilla decided to ignore IE10's default tracking settings. This opens the door for all sites to ignore the tracking settings on all browsers including Mozilla's Firefox & Seamonkey browsers. In the long run as things stand now, everybody loses. Users lose because their privacy settings get ignored, advertisers lose because their ads get ignored, & Apache/Adobe/Mozilla lose because users will do their best to switch to whatever web alternative they have to avoid dealing with those companies.

  24. John · 738 days ago

    "Microsoft’s current settings eliminate that choice."

    How can she say that when the user can choose to turn it on? I would prefer DNT by default.

  25. pat · 738 days ago

    "For your background, releasing this patch was a decision made by Apache, not Adobe. Roy Fielding wears multiple hats. His involvement on this patch relates to his work wearing his Apache hat."

    Seems to me the hat switching is not working very well.

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.