The Apache Foundation, which oversees httpd, the world’s most popular web server, has decided to ignore an important privacy setting for users of Microsoft’s upcoming Internet Explorer 10 browser.
This feature, known as Do Not Track (DNT), allows users to express their preference to not be tracked by online advertising networks through the use of a header the browser sends every time you visit a website.
Implementing something as politically charged as DNT was going to be an uphill battle to begin with. The advertising industry is fighting a very delicate battle to find a way to avoid government regulation, yet still be able to track most users to support their existing revenue models.
In fact the senior privacy counsel for the largest online advertising company, Google, was quoted as saying:
"I don’t know what a do-not-track header is, I don’t know what it means."
I suppose that it is no surprise, then, that the only major browser without explicit support for DNT is Google’s Chrome. Chrome users can install an extension if they wish to take advantage of the feature, though.
So back in May, Microsoft’s announcement that it would enable the Do Not Track (DNT) header by default in Internet Explorer 10, which ships with Windows 8, placed the entire standard at risk before it was even agreed upon as a standard.
The controversy centers around this key point: The concept behind DNT, according to the Tracking Protection Working Group (TPWG), of which Microsoft is a member, is to represent a user’s preference:
"Key to that notion of expression is that it MUST reflect the user's preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control. The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed."
It goes on to clarify exactly how it should be implemented:
"A user agent MUST offer users a minimum of two alternative choices for a Do Not Track preference: unset or DNT:1. A user agent MAY offer a third alternative choice: DNT:0.
If the user's choice is DNT:1 or DNT:0, the tracking preference is enabled; otherwise, the tracking preference is not enabled."
Arguably this means a browser cannot force a user to make a choice, rather it must default to "unset." If the user later explicitly chooses whether or not to be tracked, this preference will then be transmitted to websites the user visits.
From the messages below, does it appear Microsoft is letting the user choose, or are they noncompliant with the TPWG proposed standards?
And if you choose Customize:
Adding fuel to the fire, Adobe's Roy Fielding, a co-founder of the Apache HTTP Server Project, submitted a patch for httpd titled "Apache does not tolerate deliberate abuse of open standards," which instructs the Apache web server to ignore tracking preferences for users browsing with IE 10.
While this appears to be a stab at Microsoft for what Roy believes is a subversion of the intent of the agreed-upon standard, what it really does is put users at risk.
If I were using IE 10 and I explicitly chose the Do Not Track option, I would be extremely concerned if I discovered my preference was being ignored because of a political dispute.
Many social media users were pinning this decision on Adobe, so I contacted Wiebke Lips, Sr. Manager, Corporate Communications at Adobe. Lips responded in part:
"For your background, releasing this patch was a decision made by Apache, not Adobe. Roy Fielding wears multiple hats. His involvement on this patch relates to his work wearing his Apache hat."
"In terms of the Tracking Protection Working Group and the DNT standard, Adobe believes that DNT should reflect a privacy choice by the consumer. Microsoft’s current settings eliminate that choice."
And don't just make your vote - tell us why you made your choice by leaving a comment below.
Thanks for sharing your point of view!
Creative Commons photo of tracks in the snow courtesy of Pöllö.