Microsoft's Do Not Track Decision Draws Fire

Microsoft has said that it would activate Do Not Track (DNT) by default in Internet Explorer 10 on Windows 8. This announcement caused a bit of a clash between Mozilla – the first to implement DNT – and advertisers.

DNT is a method that will enable users (at home and the office) to opt out of the tracking mechanisms that many Web advertisers use. It’s gaining popularity in the mainstream, as many privacy advocates are talking about it, but that’s about it. Websites are not required to implement DNT, but some (Twitter and Yahoo) have made headlines for plans to enable it on their own.

Last week, Brendon Lynch, the chief privacy officer at Microsoft, said that his company would enable DNT on IE 10 as a means to “put people first.”

“We believe that consumers should have more control over how information about their online behavior is tracked, shared and used,” he wrote, adding that an important step in this process is implementing privacy by default.

With that said, while Mozilla – the first browser company to support DNT – welcomed Microsoft’s move, it raised questions over the reasoning.

“We appreciate seeing Microsoft putting its full weight behind DNT, especially given Firefox was the lone browser supporting DNT just one year ago,” wrote Alex Fowler, the global privacy and public policy leader at Mozilla.

“DNT is not an off switch for a particular technology, rather it is the expression of an individual user’s desire being reflected in code — and that’s what makes the feature great.”

However, turning it on by default removes the choice from the user, Fowler wrote, which is why Mozilla does not implement it by default. As it stands, DNT has three settings: accept tracking, reject tracking, or no choice. Without direction, it’s clear that advertisers will see option #3 in the browser and take that to mean the user is fine with option #1 being applied.

“This causes the presence of the signal to mean more — the signal being sent should be the user’s choice, not ours. Therefore, Firefox doesn’t broadcast anything until our user has told us what to send,” Fowler added.

To counter this, it looks as if Microsoft wants to take that off the table by pre-selecting an option for the user. Oddly, this is a rare case where the user is opted in to privacy, instead of being opted out by default.

This method has earned the software giant a bit of heat from the advertising industry. The Digital Advertising Alliance (DAA), which is a coalition of the nation's leading media and marketing trade associations and companies, said Microsoft’s move “threatens to undermine that balance, limiting the availability and diversity of Internet content and services for consumers.”

According to the DAA, implementing DNT by default, “may ultimately narrow the scope of consumer choices, undercut thriving business models, and reduce the availability and diversity of the Internet products and services that millions of American consumers currently enjoy at no charge.”

For now, there are plenty of other DNT-related issues to settle, chief among them determining the scope of DNT itself. Will it apply to analytics programs and third-party applications? Another question is one of internal collection. In order for a given domain to track users for its own purposes, it has to collect information and track the visitor. If this information isn’t shared with anyone else, could the website collect it and use it while remaining compliant with DNT?

This is going to be the topic to watch in the months ahead.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.