Apache fires at Microsoft over IE10’s DNT privacy settings

Analysis
Sep 10, 2012, 5 mins
Apache, Data and Information Security, Internet Explorer

Apache issued a web server patch named, 'Apache does not tolerate deliberate abuse of open standards.' This will override a web server's configuration file so that it ignores Internet Explorer 10's Do Not Track settings.

Do Not Track (DNT) is supposed to protect a user’s privacy; in theory, if you have it on, it tells advertisers not to stalk you around the web and not to track, build and sell your web behavior profile to yet other third parties. Microsoft chose to buck the W3C’s DNT proposal of “explicit consent required” by the user and instead turned on DNT by default in Internet Explorer 10, a decision that has been highly controversial. The warring between web giants was just cranked up another notch. Very displeased, the Apache Software Foundation aimed at and caught Microsoft in its crosshairs before firing a shot heard by web servers around the world.

Mozilla previously made its position clear. “The right starting point for a DNT system is a default of preference unknown.” But Brendon Lynch, Microsoft’s Chief Privacy Officer, disagreed with the W3C’s Tracking Protection Group, stating, “We agree with those who say this is all about user choice. However, we respectfully disagree with those who argue that the default setting for DNT should favor tracking as opposed to privacy.” The conflict is far from over and now Apache has jumped into the fray.

Adobe’s Roy Fielding, cofounder of the Apache HTTP Server Project, wrote an Apache web server patch named, “Apache does not tolerate deliberate abuse of open standards.” This will override a web server’s configuration file so that it ignores IE 10’s DNT settings. Fielding explained on GitHub:

The only reason DNT exists is to express a non-default option. That’s all it does. It does not protect anyone’s privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.

Microsoft deliberately violates the standard. They made a big deal about announcing that very fact. Microsoft are members of the Tracking Protection working group and are fully informed of these facts. They are fully capable of requesting a change to the standard, but have chosen not to do so. The decision to set DNT by default in IE10 has nothing to do with the user’s privacy. Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one. You can figure out why they want that. If you have a problem with it, choose a better browser.
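The server-side override described above can be expressed with standard Apache httpd directives. The fragment below is an added illustration, not the text of Fielding's patch and not the project's own configuration; the environment variable name `ignore_dnt`, the log format name `combined_dnt` and the log path are assumptions chosen for the example.

```apache
# Added example: how a server configuration can drop the DNT request
# header for one browser, and how an operator can audit what arrives.
# "ignore_dnt" is a hypothetical environment variable name.

<IfModule mod_setenvif.c>
    # Mark every request whose User-Agent identifies Internet Explorer 10.
    BrowserMatch "MSIE 10\.0;" ignore_dnt
</IfModule>

<IfModule mod_headers.c>
    # Remove the DNT header from marked requests. Applications behind
    # this server then see no preference at all from IE10 users, even
    # from those who chose DNT deliberately.
    # An operator who wants to honor the signal from every browser
    # deletes or comments out this line.
    RequestHeader unset DNT env=ignore_dnt
</IfModule>

<IfModule mod_log_config.c>
    # Audit aid: append the DNT request header to each access-log entry
    # ("-" when the header is absent). "combined_dnt" is a hypothetical
    # format name; the path is a placeholder.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" dnt=%{DNT}i" combined_dnt
    CustomLog "logs/access_log" combined_dnt
</IfModule>
```

Because the match is on the User-Agent string alone, a rule like this cannot distinguish an IE10 user who set DNT by choice from one who received it by default, which is the trade-off the article's debate turns on.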

“It sounds like a conspiracy theory, but then Microsoft’s track record on the web means conspiracy theories have a ring of truth to them,” Webmonkey reported. “The comments on GitHub point out any number of counter conspiracy theories as well – that Apache is doing this to protect advertisers, that DNT itself will only be supported as long as it’s off by default, and so on.”

All big advertising networks profit by vacuuming up and collecting web user behavior data. Several people previously suggested that Microsoft’s decision to turn DNT on by default may be a strike at its rival Google, but that was before Microsoft raised privacy issues by following in Google’s footsteps and tweaking its TOS to share data across the cloud.

While Microsoft’s DNT decision sounds like a pro-privacy move, the entire DNT system is a bit defective by default. Think of the paparazzi that make their living spying and prying into private lives of celebrities, athletes, musicians and politicians. They may ethically know they shouldn’t snap that candid photo which could wreak havoc to a person’s life, but it’s how they make their living. In fact it spreads into a huge net of faceless behind-the-scenes people, entire industries built upon gossiping and reporting about the photos and the stories behind them. All of whom make their living and feed their families with what started as a paparazzi’s choice to exploit someone’s privacy. Likewise, advertisers may choose to honor DNT or choose not to respect it because there are no DNT police to patrol cyberspace and enforce it. In this case, you are like the famous person having your privacy pried open and sold. Webmonkey explained, “Asking advertisers not to set tracking cookies is like asking Cookie Monster not to eat them.”

That means it is still up to the user to actively take steps to protect privacy and security with browser add-ons. In the end, DNT or no, it’s still a user’s choice to block and stop as much, or as little, as he or she desires. Sadly, too many people have yet to wrap their heads around how much they are tracked online and how their data is mined and sold. Too many people don’t comprehend that while they are the consumer, they are also the product.


ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.