Apache Hammers Microsoft Over Do Not Track

[t_r_nelson]

Apache has issued a web server that aims to correct a standard violation by Microsoft. The violation, however, may not be, depending on your point of view, as bad as you think. In detail the patch is described as follows:

"Apache does not tolerate deliberate abuse of open standards." The open standards Apache is referring to are the agreed do not track (DNT) settings in a web browser, which should be turned off by default. Microsoft went the other way and decided it may be beneficial to its users to actually turn the tracking protection on by default and, in effect, violate the standard. Apache reacted by issuing an update, which overrides a web server's configuration file so that it ignores Internet Explorer 10's DNT settings.

While this may be a violation, the case is not quite so clear and Apache is currently hit by criticism for turning itself into the browser police. A standard violation in this specific case may not be such a bad idea anyway. More than any other browser maker, Microsoft is dealing with a user base that is not very interested in fine-tuning browser settings and if do-not track is, in fact, a technology that is offered to users as a way to protect their privacy, some may even argue that Microsoft should be applauded for this move.

Adobe's Roy Fielding, cofounder of the Apache HTTP Server Project, wrote the following in a thread post:

The only reason DNT exists is to express a non-default option. That's all it does. It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization. Microsoft deliberately violates the standard. They made a big deal about announcing that very fact. Microsoft are members of the Tracking Protection working group and are fully informed of these facts. They are fully capable of requesting a change to the standard, but have chosen not to do so. The decision to set DNT by default in IE10 has nothing to do with the user's privacy. Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their user's want one. You can figure out why they want that. If you have a problem with it, choose a better browser.

While Fielding has reason to chastise Microsoft for the way the feature was announced and implement, we also realize that Microsoft has a very strong interest in user tracking to cater to its advertising customers. So it is even an unusual move and certainly raises the question whether the standard or Microsoft is wrong.

Source

I think it's the smart move but what are your opinions of MS breaking open standards for the security of the users?

[Haggis Veteran]

Surely Apache overriding a browsers security setting is more of a bad thing?

[Harrison H.]

I don't think Microsoft is in the right if they are breaking the standard, but I also don't think they are wrong because if they are, I think the standard is wrong. I do like what they are doing though. If you want personalization of ads, turn the tracking off. Are there even that many websites that follow the standard to begin with?

[Vice]

I'm with Apache on this. If the browsers default behavior is do not track then web services will simply ignore the flag entirely. It has to be a choice that the users make instead of a default if it has any hope of working.

This should force Microsoft to change their stance but we all know it won't they are too stubborn.

[Haggis Veteran]

I thought IE gave you the option to enable or disable protection when you installed it?

[TPreston]

I don't trust the advertisers to begin with or the organizations that make money selling your browsing habit's and no browser plugin will change that . Block them all.

[Harrison H.]

I thought IE gave you the option to enable or disable protection when you installed it?

This is a new feature in IE10 which so far is only available on Windows 8. During the installation of Windows 8, if you choose to use the express settings option, it will default to turning DNT on. If you click customize, you are presented with a choice to keep it on or turn it off.

[BajiRav]

Source

I think it's the smart move but what are your opinions of MS breaking open standards for the security of the users?

How is MS breaking the standard when

1. users are clearly told that DNT will be turned on

2. the standard is not even a standard yet

I'm with Apache on this. If the browsers default behavior is do not track then web services will simply ignore the flag entirely. It has to be a choice that the users make instead of a default if it has any hope of working.

This should force Microsoft to change their stance but we all know it won't they are too stubborn.

IE10's default behavior fits the "standard" as it stands today.

[ichi]

I don't think Microsoft is in the right if they are breaking the standard, but I also don't think they are wrong because if they are, I think the standard is wrong. I do like what they are doing though. If you want personalization of ads, turn the tracking off. Are there even that many websites that follow the standard to begin with?

Both MS and the standard are wrong, but the problem is that the whole reason this standard came to be is because ad companies (MS being one of them) wouldn't accept to honor the DNT flag if it was enabled by default. Basically they wouldn't accept it if there was any chance of a wide majority of users browsing the web with that flag enabled.

DNT is a joke, but violating it just guarantees that it'll also become completely useless.

IMO Apache should have done nothing about IE and let it blow latter on Microsoft's face when IE users found out that they were still being tracked and there was nothing they could do about it other than using a different browser.

[zhangm Supervisor]

I have to agree with MS here; block that *hit.

The standard was written in the spirit of allowing advertisement companies to exploit the general ignorance of the masses: Do Not Track being turned off as a default setting allows the end user no more of an informed decision than having it on by default. Since both options are essentially the same (the browser maker makes the decision for the user), the default off option merely slides the balance in favor of ad companies.

They are also companies - they'd never let honoring a default setting get in the way of profits anyway.

[Max Norris]

Regardless of if you thing DNT is good or bad, Apache has no business overriding a user's settings. The server has no way of telling if the user toggled it on themselves or if it was done automatically. Apache's changes to the conf file overrides this setting on everyone using IE10 unless the server admin removes the offending entries. Basically if it sees you're using IE10, it overrides it.. want it on? Too f'ing bad. Mixing politics in with software is just bad.. just sets a bad precedent for the next time the ASF takes issue with something. If the advertising lawyers have an issue with DNT they can go after Microsoft, or they can just have their server just ignore it anyway which a bunch probably will be doing regardless.. was pretty weak before, Apache pretty much just neutered it into oblivion.

[Brandon Live Veteran]

How is MS breaking the standard when

1. users are clearly told that DNT will be turned on

2. the standard is not even a standard yet

IE10's default behavior fits the "standard" as it stands today.

Indeed. If I recall correctly, someone updated the draft to include language about it not being a default setting after IE announced its support for the feature (and default enabled state if you choose "express settings"). And it's still a work-in-progress.

[HawkMan]

I don't think Microsoft is in the right if they are breaking the standard, but I also don't think they are wrong because if they are, I think the standard is wrong. I do like what they are doing though. If you want personalization of ads, turn the tracking off. Are there even that many websites that follow the standard to begin with?

The standard isn't even finished yet. and Now all the other browsers are going against DNT as standard just because MS went for it on by default. never mind the fact that Chrome will probably never even have a setting for DNT ;p. also if you don't go for express settings, you choose to have it on or off.

Apache is definitely in the wrong here and are doing bad browser sniffing changing user standards. even for those who have actively set it to off.

I'd like an actual legislation on DNT, and I'd like apache to be slapped with a fine for ignoring user settings on tracking.

IMO Apache should have done nothing about IE and let it blow latter on Microsoft's face when IE users found out that they were still being tracked and there was nothing they could do about it other than using a different browser.

How would changing browsers help ? the ad companies are still going to ignore DNT. they'll ignore it until there's legislations and heavy fines, and even then they'll do their best to track and hide that they're doing it, despite tracking being completely unnecessary and often counter productive.

[ichi]

I'd like an actual legislation on DNT, and I'd like apache to be slapped with a fine for ignoring user settings on tracking.

I'd like a legislation on DNT too, it'd be cool if enabling DNT actually guaranteed that you would not be tracked, and even more cool if being tracked was opt-in and not opt-out.

As things are now (more so with DNT being just sort of a draft) I don't think anyone is actually paying attention to the DNT flag, so Apache blocking it for IE is effectively irrelevant.

I don't agree with Apache's move, but the real issue here is not that Apache changes the flag but rather that DNT is completely useless.

How would changing browsers help ? the ad companies are still going to ignore DNT. they'll ignore it until there's legislations and heavy fines, and even then they'll do their best to track and hide that they're doing it, despite tracking being completely unnecessary and often counter productive.

That'd be in the best case scenario where ad companies actually honored the DNT flag.

[simplezz]

Surely Apache overriding a browsers security setting is more of a bad thing?

The problem is, Microsoft's non-standard compliance (again) is threatening to derail the entire DNT specification. IE users are at risk of losing the option entirely thanks to Microsoft's showboating.

[jakem1]

I thought IE gave you the option to enable or disable protection when you installed it?

It does.

Fielding has made a big mistake here by violating standards and favouring advertisers over users. Additionally, it's now clear that DNT is an absolute joke. It's completely useless if it's ignored simply because too many people use it. With any luck governments will step in to protect user rights now that the industry has proven that it can't be trusted. Just goes to show that OSS doesn't necessarily equal good software.

This is a new feature in IE10 which so far is only available on Windows 8. During the installation of Windows 8, if you choose to use the express settings option, it will default to turning DNT on. If you click customize, you are presented with a choice to keep it on or turn it off.

MS also makes it clear that DNT will be turned on as part of the express settings.

[HSoft]

I'm with MSFT on this one. Most users of Windows, as stated in the article, won't go in and fine tune settings. Most of them probably don't even know what it is.

Apache is in the wrong here, especially if they are going to just ignore/break users wishes.

The standard as quoted in the article needs to be completely overhauled if that is indeed the standard. Basically saying that if a site thinks the DNT switch wasn't adjusted by a human then it can completely ignore it. What the hell kind of standard is that? What does it do? All sites will ignore it and just say "I didn't think the user actually turned it on". That's not a standard, that's a farce.

[PGHammer]

Source

I think it's the smart move but what are your opinions of MS breaking open standards for the security of the users?

Despite Apache being open-source, the majority of Apache's userbase are interested in who is viewing their site; browser-based roadblocks (such as IE10's Do Not Track) get in the way of that. However, until DNT, all such browser-based roadblockage was opt-in (in short, you had to enable it). IE10, however, is the reverse, requiring users to opt-OUT if they want to be tracked - given privacy concerns, all else being equal, most users won't opt out of DNT - hence Apache's anger.

[Ryoken]

I don't see how MS is breaking a standard, by using one of the two choices IN the standard.

Seems like a dick move by Apache.. Maybe MS should bring up a popup every time you hit an apache server saying "This server has chosen to ignore your privacy settings.."

In any case, MS might just have to ignore the standard, and start policing stuff on the client side.. setting up cookie blacklists and the like.. Cause clearly you can't trust web developers or servers to go by the honor system.

[ichi]

Sounds like organisations who are against DNT on by default (Google minions; the open source community) are turning this to a standards compliance war. I will not accept anyone tracking me and holding a profile of my browsing patterns and online product purchases. The social impact is so great but the people behind this are only thinking in $$.

Open source community, you just sold out what you stood for.

DNT is all about compliance, because technologically wise it doesn't actually do crap to protect your privacy. It's just a flag, and advertisers are supposed to willingly stop tracking you if you are sending it.

You can either overhaul and enforce the standard (which would be the best option) or just deal with this an comply. If you give ad companies the "it's on by default" excuse it just won't work (so yes, DNT is a joke, didn't you realize that already?).

Microsoft is part of the comitee that came up with this standard (and also a tracking ad company, by the way) so if they really think you should be able to ship it enabled then I'm sure there's something they can do about it on the "overhaul" side.

[simplezz]

I don't see how MS is breaking a standard, by using one of the two choices IN the standard.

Because the DNT specification clearly states that the user must elect to enable it. And by enabling it by default, Microsoft is purposely sabotaging the agreement.

Seems like a dick move by Apache.. Maybe MS should bring up a popup every time you hit an apache server saying "This server has chosen to ignore your privacy settings.."

No, it's "a dick move by Microsoft", which will hurt IE users in the end. I applaude this move by Apache.

In any case, MS might just have to ignore the standard, and start policing stuff on the client side.. setting up cookie blacklists and the like.. Cause clearly you can't trust web developers or servers to go by the honor system.

Microsoft has always ignored standards, this is nothing new. The problem is the web is built on standards. five years ago Microsoft could get away with it, but not anymore. IE isn't the top dog any more, and standards rule. By showboating like this, Microsoft has hurt its own users.

[Fourjays Veteran]

The problem is, Microsoft's non-standard compliance (again) is threatening to derail the entire DNT specification. IE users are at risk of losing the option entirely thanks to Microsoft's showboating.

This. While I get why some people here think MS's move is great, all it does is threaten the whole point of DNT.

My understanding is that it will only offer protection from compliant advertisers (those that follow the DNT standard). It isn't some magic button that blocks everything that tracks you, it is an option that you can set to tell advertisers you don't want to be tracked. If it is set to on by default DNT will be useless because they'll all just ignore the option and track you anyway. It is effectively an agreement between advertisers and browsers to allow users the choice to opt-in to DNT. By making DNT default, Microsoft are leaving advertisers no choice but to ignore the option.

[jakem1]

This. While I get why some people here think MS's move is great, all it does is threaten the whole point of DNT.

My understanding is that it will only offer protection from compliant advertisers (those that follow the DNT standard). It isn't some magic button that blocks everything that tracks you, it is an option that you can set to tell advertisers you don't want to be tracked. If it is set to on by default DNT will be useless because they'll all just ignore the option and track you anyway. It is effectively an agreement between advertisers and browsers to allow users the choice to opt-in to DNT. By making DNT default, Microsoft are leaving advertisers no choice but to ignore the option.

Users do have the choice. MS effectively recommend that users switch it on but if a user really does want to have advertising corporations track them online then they can turn DNT off when they first start IE.

Besides, I think you're misrepresenting the role that advertisers play here. They're not saying that they'll only honour DNT if a user switches it on. They're saying that they'll only honour DNT if it remains obscure, poorly supported and doesn't have any impact on their revenue. In other words, it's the advertisers (and Apache in this case) that render DNT useless, not MS who are simply recommending that people use it.

[The_Decryptor Veteran]

DNT is pretty useless (Since IE defaults it to on sites can no longer tell if the user actually wants it, and it actually helps fingerprinting), at most all it can do is ask sites not to store tracking information on the server (Everything else can be done better via client side blocks)

[Shane Nokes]

That's just what Microsoft hasn't done though...

They have 2 options during the install of WIndows.

1. Express which does enable DNT.

2. Custom in which you can choose to enable or not enable DNT.

So the user still has the choice on which they would prefer to do. The majority just prefer to enable it by default.