
Do Not Track Settings In Internet Explorer 10 Challenged by Apache

Over the summer, Microsoft’s stance on Do Not Track (DNT), specifically its decision to enable the header by default in Internet Explorer 10, has drawn a mix of praise and some serious heat. However, a recent change to the Apache HTTP Server (httpd) source tree, visible on its GitHub mirror, targets Microsoft directly, and if left in place by administrators would undermine IE 10’s implementation of DNT on servers running it.

Roy Fielding, a scientist at Adobe, editor of the DNT standard itself, and one of the founders of the Apache HTTP Server Project, submitted a change to the Apache source repository, titled "Apache does not tolerate deliberate abuse of open standards.”

If left enabled, the new change in Apache (the world’s most used webserver platform) strips the DNT header from any request whose User-Agent string identifies Internet Explorer 10, so that applications behind the server never see it. In June, when Microsoft’s stance first came to the public’s attention, Brendon Lynch, the chief privacy officer at Microsoft, said that his company would enable DNT on IE 10 as a means to “put people first.” “We believe that consumers should have more control over how information about their online behavior is tracked, shared and used,” he wrote, adding that an important step in this process is implementing privacy by default.

Mozilla, makers of Firefox, raised questions about Microsoft’s motives, noting that DNT is not an off switch, but an expression of an individual’s desire. Alex Fowler, the global privacy and public policy leader at Mozilla, said that enabling it by default would remove that choice from the user.

Last month, Fielding added a change to Apache that made his feelings clear. When questioned about the change itself in the comments on GitHub, he explained that Microsoft has violated the DNT standard.

“The only reason DNT exists is to express a non-default option. That's all it does. It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization,” he wrote.

“Microsoft deliberately violates the standard. They made a big deal about announcing that very fact. Microsoft are members of the Tracking Protection working group and are fully informed of these facts. They are fully capable of requesting a change to the standard, but have chosen not to do so. The decision to set DNT by default in IE10 has nothing to do with the user's privacy. Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one.”

Several people complained about the change, calling Fielding out for what comes across as abuse of his powers within the project. “This checkin is very obviously laced with your personal bias and has nothing to do with anything other than your opinion. It does nothing to protect users' interest, it singles out a particular browser, and it damages the idea of open source. It is bullshit, you are an idiot for doing it, and I hope Apache is smart enough to pull it out,” one comment exclaimed.

However, the reactions overstate what the change does. What Fielding committed is not server code but a stanza in the default httpd.conf that ships with Apache: a User-Agent match that flags IE 10 requests, paired with a directive that removes the DNT header from them. An administrator who wants IE 10’s DNT signal to reach their applications can simply comment those lines out. Still, because the stanza is part of the default configuration, the stripping is on unless the administrator turns it off, so it is the administrator who has to manage it.
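To make the mechanism concrete, here is an added illustration, not taken from the article or reproduced verbatim from the Apache commit, of the kind of stanza involved. It is modeled on the mod_setenvif and mod_headers directives that went into the default httpd.conf; the comments, the log format name dnt_audit and the log file path are assumptions for this example. The first part shows the as-shipped behavior, the second what an administrator does to restore the signal, and the third a check that shows what the application actually receives.

```apache
# Added illustration, modeled on the default httpd.conf stanza.
# 1. As shipped: tag requests whose User-Agent claims IE 10 with the
#    environment variable bad_DNT, then drop the DNT header for those
#    requests so that scripts and backends behind Apache never see it.
<IfModule setenvif_module>
    BrowserMatch "MSIE 10.0;" bad_DNT
</IfModule>
<IfModule headers_module>
    RequestHeader unset DNT env=bad_DNT
</IfModule>

# 2. An administrator who wants IE 10's "DNT: 1" passed through unchanged
#    removes (or comments out) the two directives above. There is nothing
#    to put in their place: Apache itself does not act on DNT, it only
#    forwards or strips the header.

# 3. Check what reaches the application: log the DNT header, as present at
#    log time, next to the User-Agent. A "-" in the dnt= field for an IE 10
#    request means the header was stripped (or was never sent at all).
#    (dnt_audit and the log path are assumed names for this example.)
LogFormat "%h %t \"%r\" %>s dnt=%{DNT}i ua=\"%{User-Agent}i\"" dnt_audit
CustomLog "logs/dnt_audit_log" dnt_audit
```

The BrowserMatch pattern is a regular expression applied to the User-Agent header, so a spoofed or trimmed User-Agent sidesteps it; the stanza is a policy statement about IE 10’s default, not a robust filter, which is consistent with Fielding’s stated intent.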

Microsoft has declined to comment on Apache settings.

However, in August when the DNT changes to Internet Explorer were explained, the software giant said that the controls are “consistent with Microsoft’s goal of designing and configuring IE features to better protect user privacy. It also underscores that the privacy of our customers is a top priority for Microsoft.”

In the end, no matter how DNT is implemented within a browser or webserver platform, the standard itself remains voluntary, as there is no law to compel website owners to implement it.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.