"Do Not Track" Irony: Apache Developer Blocks It To Save It

Do Not Track, a tool designed to afford users privacy as they browse through the Web, will be active by default when users install or first-run Internet Explorer 10 in Windows 8. But in an effort to save Do Not Track, one developer for the popular Apache Web server is trying to add a feature in Apache that will actively ignore any Do Not Track settings from any future IE 10 users.

The controversial choice was made by Apache HTTP developer Roy Fielding, who actually authored part of the standard that dictates how Do Not Track (DNT) is supposed to work. The patch proposed for the popular Web server would effectively make all websites running Apache servers (about 60% of the world's total sites) blithely ignore the IE 10 browser's requests for DNT, precisely because the feature is pretty much turned on by default.

Security By Default Is A BAD Thing?

Confused? It's easy to get lost here, since one would think that a security feature that's turned on by default would be a good thing. But Fielding has taken exception to this practice, taking the extraordinary step to specifically short-circuit Microsoft's plans, which he sees as ultimately trying to bring DNT down.

Here's how DNT should work: a user decides that he or she does not want their information tracked by advertising and marketing sites and vendors as they surf around the Web. So they go into the settings of their browser (IE, Firefox or Chrome, to name the three most popular) and turn on DNT.

After that, every time they visit a new site that would like to track them, the user's browser sends a signal within the HTTP header informing the target website not to track that user. If the website's managers and developers (as well as the advertisers paying to be on that site) choose to honor DNT, then the user will be allowed to go on their way unmolested by cookies and other such tracking measures. Note that participation by websites is voluntary.

Microsoft Turns On Do Not Track in Windows 8 / IE 10

In late May, Microsoft announced that DNT would essentially be turned on by default in IE 10 when the new browser is released within Windows 8, due out in late October.

"Consumers should be empowered to make an informed choice and, for these reasons, we believe that for IE10 in Windows 8, a privacy-by-default state for online behavioral advertising is the right approach," wrote Microsoft's Chief Privacy Officer Brendon Lynch at the time.

In August, Lynch elaborated on how DNT would work in IE 10 and Windows 8.

"DNT will be enabled in the 'Express Settings' portion of the Windows 8 set-up experience. There, customers will also be given a 'Customize' option, allowing them to easily switch DNT 'off' if they'd like," Lynch indicated.

Do Not Track Only Counts If It's A "Choice"

Not everyone agreed with Lynch's judgement. Certainly not Fielding, and not Microsoft's chief browser competitor Mozilla, makers of the Firefox browser, who believe that DNT should represent the user's wishes, not a default setting from the browser maker.

After Lynch's initial May announcement, Mozilla's Privacy and Data Policy Manager Alex Fowler blogged, "DNT allows for a conversation between the person sitting behind the keyboard and the site that they want to visit. If DNT is on by default, it’s not a conversation. For DNT to be effective, it must actually represent the user’s voice."

Surprise! Advertisers Don't Like The Default Option

That theme was avidly picked up by the Digital Advertising Alliance, which conveniently announced that it would not honor DNT from any user that had the setting turned on by default. Of course, since there's no way a website can tell if DNT was flipped on by the user or set at the factory, the DAA basically washed its hands of having to honor DNT at all. (Or at the very least not honoring it for IE 10 users.)
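The effect of a server rule like the one proposed can be checked offline with a small model, added here as an illustration; it is not the text of Fielding's patch or any Apache code. The function names, the `MSIE 10.0;` User-Agent match and the sample requests are assumptions constructed for the example.

```python
import re

# Assumption: IE 10 is recognised by the token "MSIE 10.0;" in User-Agent.
IE10_TOKEN = re.compile(r"MSIE 10\.0;")


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def drop_dnt_from_ie10(headers):
    """Model of the proposed rule: discard DNT when the User-Agent is IE 10."""
    if IE10_TOKEN.search(get_header(headers, "User-Agent") or ""):
        return {k: v for k, v in headers.items() if k.lower() != "dnt"}
    return dict(headers)


def dnt_requested(headers):
    """True only for an explicit 'DNT: 1'; an absent header is no request."""
    return get_header(headers, "DNT") == "1"


# Constructed sample requests (not captured traffic).
UA_IE10 = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
UA_FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0"
SAMPLES = {
    "firefox_user_opted_in": {"User-Agent": UA_FIREFOX, "DNT": "1"},
    "ie10_express_default": {"User-Agent": UA_IE10, "DNT": "1"},
    "ie10_user_chose_on": {"User-Agent": UA_IE10, "dnt": "1"},
    "ie10_user_switched_off": {"User-Agent": UA_IE10},
}


def audit(samples):
    """Per request: (signal as sent, signal the site sees after the rule)."""
    return {name: (dnt_requested(h), dnt_requested(drop_dnt_from_ie10(h)))
            for name, h in samples.items()}


if __name__ == "__main__":
    for name, (sent, seen) in audit(SAMPLES).items():
        print(f"{name:24} sent DNT={sent!s:5} site sees DNT={seen}")
```

The two IE 10 requests that carry `DNT: 1` send the same signal, so a rule keyed on the browser discards an explicit user choice along with the factory default.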

Fielding's stance falls in line with Mozilla's. In the comments to his patch to the Apache Web server defending his stance, Fielding wrote, "[t]he only reason DNT exists is to express a non-default option. That's all it does. It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization."

What Does "Choice" Really Mean?

Fielding's patch has stirred up a firestorm of protests in the Internet developer and user community, with opponents arguing that Fielding, and by extension Apache, has no business dictating for millions of potential IE 10 users that privacy settings they thought were turned on will now be effectively negated.

"My biggest concern with all of this is the fact that Apache thinks it's OK to be the standards police like this," blogged Yammer JavaScript engineer Oscar Godson, "It's making the conscious decision to interpret a spec and give punishment to a vendor for not following it exactly (I think Microsoft did, but that's beside the point). That’s just not how we've all decided to do the whole standards thing. We decided that we were going to stop with the 'this site looks best viewed in…' banners and instead organically get vendors to follow along, not force them into following it and punishing users while they’re at it."

Questioning Motives?

Since Fielding is also one of the authors of the DNT standard, which is currently in draft form, questions have also been raised about Fielding's motivation. In his day job as a principal scientist with Adobe Systems, Fielding's employers would have a vested interest in keeping tracking from being avoided.

"Do you honestly believe it's coincidence that the patch was submitted by an Adobe employee, given their position in the market? Do you not see how they benefit if the most widely used webserver (Apache) ignores the setting in the most widely used browser (IE)?," commented developer Andy Cadley.

But Fielding contends that if there's a conspiracy to be found here, it's coming from Microsoft acting as an agent provocateur.

"Microsoft deliberately violates the standard. They made a big deal about announcing that very fact. Microsoft are members of the Tracking Protection working group and are fully informed of these facts. They are fully capable of requesting a change to the standard, but have chosen not to do so. The decision to set DNT by default in IE 10 has nothing to do with the user's privacy. Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one. You can figure out why they want that. If you have a problem with it, choose a better browser," Fielding argued.

In that context, Fielding claims to be actually trying to protect the standard as it exists, and give organizations like the DAA less of an excuse to ignore DNT.

Whatever his reasons, the patch may amount to little more than a political statement from Fielding. To date, his patch has not been accepted by the main Apache team, so it isn't yet part of any official Apache release. And even if the patch were accepted, it will be a simple matter for Web masters to turn it off.

Still, the controversy is raising new questions about the very viability of Do Not Track at a time when it is being targeted by advertisers who still want to gather that all-important user data. Fielding's medicine could be worse than the disease, but in yet another irony, that may be exactly what it takes to get the online industry to keep paying attention to their privacy obligations.

 
