Apache Hammers Microsoft Over Do Not Track


121 replies to this topic

#1 t_r_nelson

t_r_nelson

    Neowinian Senior

  • 2,111 posts
  • Joined: 01-September 05
  • Location: Minneapolis, US

Posted 12 September 2012 - 15:43

Apache has issued a web server that aims to correct a standard violation by Microsoft. The violation, however, may not be, depending on your point of view, as bad as you think. In detail the patch is described as follows:

"Apache does not tolerate deliberate abuse of open standards." The open standards Apache is referring to are the agreed do not track (DNT) settings in a web browser, which should be turned off by default. Microsoft went the other way and decided it may be beneficial to its users to actually turn the tracking protection on by default and, in effect, violate the standard. Apache reacted by issuing an update, which overrides a web server's configuration file so that it ignores Internet Explorer 10's DNT settings.

While this may be a violation, the case is not quite so clear and Apache is currently hit by criticism for turning itself into the browser police. A standard violation in this specific case may not be such a bad idea anyway. More than any other browser maker, Microsoft is dealing with a user base that is not very interested in fine-tuning browser settings and if do-not track is, in fact, a technology that is offered to users as a way to protect their privacy, some may even argue that Microsoft should be applauded for this move.

Adobe's Roy Fielding, cofounder of the Apache HTTP Server Project, wrote the following in a thread post:

The only reason DNT exists is to express a non-default option. That's all it does. It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization. Microsoft deliberately violates the standard. They made a big deal about announcing that very fact. Microsoft are members of the Tracking Protection working group and are fully informed of these facts. They are fully capable of requesting a change to the standard, but have chosen not to do so. The decision to set DNT by default in IE10 has nothing to do with the user's privacy. Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one. You can figure out why they want that. If you have a problem with it, choose a better browser.

While Fielding has reason to chastise Microsoft for the way the feature was announced and implemented, we also realize that Microsoft has a very strong interest in user tracking to cater to its advertising customers. So it is even an unusual move and certainly raises the question whether the standard or Microsoft is wrong.

Source

I think it's the smart move but what are your opinions of MS breaking open standards for the security of the users?


#2 Haggis

Haggis

    Neowinian Senior

  • 2,466 posts
  • Joined: 13-June 07
  • Location: Near Stirling, Scotland
  • OS: Debian 7
  • Phone: Samsung Galaxy S3 LTE (i9305)

Posted 12 September 2012 - 15:47

Surely Apache overriding a browser's security setting is more of a bad thing?

#3 Harrison H.

Harrison H.

    Neowinian

  • 580 posts
  • Joined: 21-August 04
  • Location: Florida
  • OS: Windows 8.1
  • Phone: Nokia Lumia 1520

Posted 12 September 2012 - 15:50

I don't think Microsoft is in the right if they are breaking the standard, but I also don't think they are wrong because if they are, I think the standard is wrong. I do like what they are doing though. If you want personalization of ads, turn the tracking off. Are there even that many websites that follow the standard to begin with?

#4 Vice

Vice

    Bye!

  • 15,877 posts
  • Joined: 03-September 04

Posted 12 September 2012 - 15:51

I'm with Apache on this. If the browser's default behavior is do not track then web services will simply ignore the flag entirely. It has to be a choice that the users make instead of a default if it has any hope of working.

This should force Microsoft to change their stance but we all know it won't; they are too stubborn.

#5 Haggis

Haggis

    Neowinian Senior

  • 2,466 posts
  • Joined: 13-June 07
  • Location: Near Stirling, Scotland
  • OS: Debian 7
  • Phone: Samsung Galaxy S3 LTE (i9305)

Posted 12 September 2012 - 15:52

I thought IE gave you the option to enable or disable protection when you installed it?

#6 TPreston

TPreston

    Neowinian Senior

  • 2,554 posts
  • Joined: 18-July 12
  • Location: Ireland
  • OS: Windows 8.1 Enterprise & Server 2012R2/08R2 Datacenter
  • Phone: Nokia Lumia 1520

Posted 12 September 2012 - 15:57

I don't trust the advertisers to begin with or the organizations that make money selling your browsing habits and no browser plugin will change that. Block them all.

#7 Harrison H.

Harrison H.

    Neowinian

  • 580 posts
  • Joined: 21-August 04
  • Location: Florida
  • OS: Windows 8.1
  • Phone: Nokia Lumia 1520

Posted 12 September 2012 - 16:01

I thought IE gave you the option to enable or disable protection when you installed it?

This is a new feature in IE10 which so far is only available on Windows 8. During the installation of Windows 8, if you choose to use the express settings option, it will default to turning DNT on. If you click customize, you are presented with a choice to keep it on or turn it off.

#8 BajiRav

BajiRav

    Neowinian Senior

  • 10,582 posts
  • Joined: 15-July 04
  • Location: Xbox, where am I?
  • OS: Windows 8.1, Windows 8
  • Phone: Lumia 920

Posted 12 September 2012 - 16:02

Source

I think it's the smart move but what are your opinions of MS breaking open standards for the security of the users?

How is MS breaking the standard when
1. users are clearly told that DNT will be turned on
2. the standard is not even a standard yet

I'm with Apache on this. If the browser's default behavior is do not track then web services will simply ignore the flag entirely. It has to be a choice that the users make instead of a default if it has any hope of working.

This should force Microsoft to change their stance but we all know it won't; they are too stubborn.

IE10's default behavior fits the "standard" as it stands today.

#9 ichi

ichi

    Akihabara Style

  • 4,941 posts
  • Joined: 20-December 04

Posted 12 September 2012 - 16:03

I don't think Microsoft is in the right if they are breaking the standard, but I also don't think they are wrong because if they are, I think the standard is wrong. I do like what they are doing though. If you want personalization of ads, turn the tracking off. Are there even that many websites that follow the standard to begin with?


Both MS and the standard are wrong, but the problem is that the whole reason this standard came to be is because ad companies (MS being one of them) wouldn't accept to honor the DNT flag if it was enabled by default. Basically they wouldn't accept it if there was any chance of a wide majority of users browsing the web with that flag enabled.

DNT is a joke, but violating it just guarantees that it'll also become completely useless.

IMO Apache should have done nothing about IE and let it blow later on Microsoft's face when IE users found out that they were still being tracked and there was nothing they could do about it other than using a different browser.

#10 zhangm

zhangm

    Just bitter.

  • 9,871 posts
  • Joined: 21-August 02

Posted 12 September 2012 - 16:08

I have to agree with MS here; block that *hit.

The standard was written in the spirit of allowing advertisement companies to exploit the general ignorance of the masses: Do Not Track being turned off as a default setting allows the end user no more of an informed decision than having it on by default. Since both options are essentially the same (the browser maker makes the decision for the user), the default off option merely slides the balance in favor of ad companies.

They are also companies - they'd never let honoring a default setting get in the way of profits anyway.

#11 Max Norris

Max Norris

    Neowinian Senior

  • 4,476 posts
  • Joined: 20-February 11
  • OS: Windows, BSD & Arch, Occasionally OSX
  • Phone: HTC One (Home) Lumia 1020 (Work)

Posted 12 September 2012 - 16:10

Regardless of if you think DNT is good or bad, Apache has no business overriding a user's settings. The server has no way of telling if the user toggled it on themselves or if it was done automatically. Apache's changes to the conf file overrides this setting on everyone using IE10 unless the server admin removes the offending entries. Basically if it sees you're using IE10, it overrides it.. want it on? Too f'ing bad. Mixing politics in with software is just bad.. just sets a bad precedent for the next time the ASF takes issue with something. If the advertising lawyers have an issue with DNT they can go after Microsoft, or they can just have their server just ignore it anyway which a bunch probably will be doing regardless.. was pretty weak before, Apache pretty much just neutered it into oblivion.
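
For server administrators who want to locate the kind of entries post #11 describes, an added example (not part of the thread and not Apache's own code): a Python audit that scans configuration text for `RequestHeader` rules acting on `DNT` and reports which `BrowserMatch`/`SetEnvIf` pattern triggers them. The sample config, the `bad_DNT` variable name and the `MSIE 10.0;` pattern are constructed for illustration.

```python
import shlex

# Constructed sample; values are assumptions, not copied from Apache's change.
SAMPLE_CONF = """\
# constructed httpd.conf excerpt
<IfModule setenvif_module>
BrowserMatch "MSIE 10.0;" bad_DNT
</IfModule>
<IfModule headers_module>
RequestHeader unset DNT env=bad_DNT
</IfModule>
RequestHeader set X-Forwarded-Proto "https"
"""

# Directive name -> index of its regex argument (names are case-insensitive).
MATCHERS = {"browsermatch": 1, "browsermatchnocase": 1,
            "setenvif": 2, "setenvifnocase": 2}

def find_dnt_overrides(conf_text):
    """Return RequestHeader rules that drop or rewrite the DNT request header."""
    directives = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and <Section> open/close lines.
        if line and not line.startswith(("#", "<")):
            directives.append((lineno, shlex.split(line)))

    # Pass 1: which env variables are set by User-Agent/attribute matchers?
    env_setters = {}
    for lineno, tok in directives:
        idx = MATCHERS.get(tok[0].lower())
        if idx is None or len(tok) <= idx + 1:
            continue
        for assign in tok[idx + 1:]:
            name = assign.lstrip("!").split("=", 1)[0]
            env_setters.setdefault(name, []).append((lineno, tok[idx]))

    # Pass 2: RequestHeader rules that touch DNT, with their env= condition.
    findings = []
    for lineno, tok in directives:
        if tok[0].lower() != "requestheader" or len(tok) < 3:
            continue
        action, header = tok[1].lower(), tok[2].lower().rstrip(":")
        if header != "dnt" or action not in ("unset", "set", "edit", "edit*"):
            continue
        cond = next((t[4:] for t in tok[3:] if t.startswith("env=")), None)
        findings.append({"line": lineno, "action": action, "env": cond,
                         "set_by": env_setters.get((cond or "").lstrip("!"), [])})
    return findings
```

A finding with `env` set to `None` means the header is altered for every client, not only those matched by a browser pattern.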

#12 +Brandon Live

Brandon Live

    Seattle geek

  • 9,764 posts
  • Joined: 08-June 03
  • Location: Seattle, WA

Posted 12 September 2012 - 16:12

How is MS breaking the standard when
1. users are clearly told that DNT will be turned on
2. the standard is not even a standard yet

IE10's default behavior fits the "standard" as it stands today.


Indeed. If I recall correctly, someone updated the draft to include language about it not being a default setting after IE announced its support for the feature (and default enabled state if you choose "express settings"). And it's still a work-in-progress.

#13 HawkMan

HawkMan

    Neowinian Senior

  • 21,428 posts
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Nokia Lumia 1020

Posted 12 September 2012 - 17:03

I don't think Microsoft is in the right if they are breaking the standard, but I also don't think they are wrong because if they are, I think the standard is wrong. I do like what they are doing though. If you want personalization of ads, turn the tracking off. Are there even that many websites that follow the standard to begin with?


The standard isn't even finished yet, and now all the other browsers are going against DNT as standard just because MS went for it on by default. Never mind the fact that Chrome will probably never even have a setting for DNT ;p. Also, if you don't go for express settings, you choose to have it on or off.

Apache is definitely in the wrong here and are doing bad browser sniffing changing user standards. even for those who have actively set it to off.

I'd like an actual legislation on DNT, and I'd like apache to be slapped with a fine for ignoring user settings on tracking.

IMO Apache should have done nothing about IE and let it blow later on Microsoft's face when IE users found out that they were still being tracked and there was nothing they could do about it other than using a different browser.


How would changing browsers help? The ad companies are still going to ignore DNT. They'll ignore it until there's legislations and heavy fines, and even then they'll do their best to track and hide that they're doing it, despite tracking being completely unnecessary and often counter productive.

#14 ichi

ichi

    Akihabara Style

  • 4,941 posts
  • Joined: 20-December 04

Posted 12 September 2012 - 20:01

I'd like an actual legislation on DNT, and I'd like apache to be slapped with a fine for ignoring user settings on tracking.


I'd like a legislation on DNT too, it'd be cool if enabling DNT actually guaranteed that you would not be tracked, and even more cool if being tracked was opt-in and not opt-out.
As things are now (more so with DNT being just sort of a draft) I don't think anyone is actually paying attention to the DNT flag, so Apache blocking it for IE is effectively irrelevant.

I don't agree with Apache's move, but the real issue here is not that Apache changes the flag but rather that DNT is completely useless.

How would changing browsers help? The ad companies are still going to ignore DNT. They'll ignore it until there's legislations and heavy fines, and even then they'll do their best to track and hide that they're doing it, despite tracking being completely unnecessary and often counter productive.


That'd be in the best case scenario where ad companies actually honored the DNT flag.

#15 simplezz

simplezz

    Neowinian Senior

  • 2,775 posts
  • Joined: 01-February 12

Posted 12 September 2012 - 21:46

Surely Apache overriding a browser's security setting is more of a bad thing?


The problem is, Microsoft's non-standard compliance (again) is threatening to derail the entire DNT specification. IE users are at risk of losing the option entirely thanks to Microsoft's showboating.