Privacy experts criticize moves to sidestep IE10's default Do Not Track settings
Apache, Yahoo overriding tracking settings -- off by default -- in Microsoft's new Internet Explorer browser
CSO - When it comes to consumers' rights to control their own browsers, everybody wants to sound like they're pro-choice. But with many millions of advertising dollars on the line, the definition of pro-choice tends to align with the financial interests of those doing the defining.
That probably goes a long way toward explaining why software giant Microsoft and web services including Adobe, the Apache Foundation and Yahoo are at odds regarding the Do Not Track (DNT) feature of Microsoft's Internet Explorer 10 (IE10), which comes with the release of Windows 8.
They all say consumers should have a say over the level of privacy they want, in the form of choice about whether or not they want their browsing activities tracked, which allows ad networks to display targeted advertising on websites they visit.
But so far, there haven't been any loud complaints from advertising advocates about a lack of choice in systems (including Apple's iOS 6) that have tracking enabled by default. It is when it is disabled by default -- as is the case with IE10 -- that "choice" becomes a very hot button.
Not only are Apache, the Internet's most widely used webserver application, and others complaining, some are deploying patches to override DNT signals from IE10.
Microsoft prominently presents the option for users to enable tracking during the Windows 8 setup. But that is not enough for Roy T. Fielding, principal scientist at Adobe and co-founder of the Apache HTTP Server Project.
Fielding submitted a patch that instructs Apache to ignore the DNT setting, arguing on GitHub that it amounts to a "false signal" because there is no way to tell if DNT is the choice of the consumer or Microsoft.
Microsoft's response has been to say that since consumers are offered the option to turn tracking on, a consumer who leaves that and other defaults as they are (off) is assenting to them.
Fielding countered in his post: "The only reason DNT exists is to express a non-default option. It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization."
He added that Microsoft is deliberately violating the standard set by the Tracking Protection Working Group of the W3C (World Wide Web Consortium) and, "knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one."
Fielding is not alone. Yahoo issued a policy in a blog post last week, saying it would also ignore Microsoft's "unilateral" decision to have DNT on by default, because it "degrades the experience for the majority of users and makes it hard to deliver on our value proposition to them. It basically means that the DNT signal from IE10 doesn't express user intent."
Those arguments don't convince privacy experts. Lee Tien, a senior staff attorney for the Electronic Frontier Foundation, notes that contrary to Fielding's assertion about Microsoft violating the W3C standard, "there is no standard yet," since it is still under development.
Tien added that the argument against defaults "rings a bit hollow," since "browsers, apps, OSes -- all of them have lots of defaults."
Chester Wisniewski in Sophos' Naked Security blog this week criticized Yahoo's decision, saying Internet Explorer 10 users have expressed their preference to not be tracked. "The do-not-track setting is clearly and explicitly stated during installation and is a clear expression of the user's choice to not be tracked," he wrote.
Michael Cherry, lead analyst for operating systems at Directions on Microsoft, also finds the complaints from advertising advocates about "consumer choice" to be disingenuous. He noted that too often browsers make it complicated and difficult to opt out of tracking.
"I have to know that I have to find it (the tracking option) in the control panel of the browser. I have to find out what tab it's under. And then I have to worry that the web site is even going to honor it," he said.
Cherry said he believes another, larger issue is that most people do not understand the depth of tracking. "I'm stunned by how invasive some of this is," he said. "There is a lack of transparency as to how big a profile they have on me and how long they keep it."
Cherry said any one bit of information, such as where somebody lives, might not be terribly invasive. But when every move on the web is tracked, including visits to sites having to do with medical conditions or other personal information, that can be used for more than just targeted ads.
Mozilla said it tries to balance privacy concerns with personalization in its Firefox browser. Alex Fowler, leader of privacy and public policy at Mozilla, wrote in a blog post last May [https://blog.mozilla.org/privacy/2012/05/31/do-not-track-its-the-users-voice-that-matters/] that "there are three different signals to consider in broadcasting the user's preferences for tracking." Those are, he wrote, to accept tracking, to reject it, or no choice.
He said the Firefox default is the "no choice" option, "so we're not sending any signals to servers."
But that means tracking is more likely than not. In response to questions about it, a Mozilla representative said in an email that if a user does not make a choice, "the browser and advertisers will continue to operate as usual," meaning that "the decision to track is made by the website being visited."
Both Cherry and Tien say there should not be a default -- that the consumer should be required to make a choice, and the choice ought to be simple and obvious.
Cherry said if those with a stake in tracking really care about choice, "Why not just have an icon like a shoe, visible at the top of the browser window, so you know where it is and it's readily changeable. If you choose DNT, then there's an X over the shoe."
"Put [the option] right in your face," Cherry said.