Apache Web software overrides IE10 do-not-track setting

Apache, the most commonly used software to house Web sites, will ignore Microsoft's decision to disable ad-tracking technology by default in Internet Explorer 10.

Microsoft set IE10 and Windows 8 so that, by default, Web sites that observe the Do Not Track (DNT) standard won't track people's behavior. The move was made to "better protect user privacy," the company said.

But protecting user privacy turns out to be a thorny matter in practice -- at least when a standard has to be palatable to advertisers as well as browser makers and people surfing the Web.

Mozilla, which as maker of the Firefox browser was the first to support DNT, objects to Microsoft's DNT position, arguing that DNT shouldn't be active or inactive until a person actively sets it one way or the other. And the Digital Advertising Alliance said it would only honor DNT if it's not switched on by default -- in other words, advertisers will ignore DNT altogether regardless of how a browser is set up.

Now the Apache software project is involved.

Roy Fielding, an author of the Do Not Track (DNT) standard and principal scientist at Adobe Systems, wrote a patch for Apache that sets the Web server to disable DNT if the browser reaching it is Internet Explorer 10. "Apache does not tolerate deliberate abuse of open standards," Fielding titled the patch.

As a result of the Apache update, Web servers using the software will ignore DNT settings for people using IE10.

Microsoft declined to comment for this story.

When a debate began yesterday in the patch comments, Fielding elaborated on his patch:

The only reason DNT exists is to express a non-default option. That's all it does. It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.

Microsoft deliberately violates the standard. They made a big deal about announcing that very fact. Microsoft are members of the Tracking Protection working group and are fully informed of these facts. They are fully capable of requesting a change to the standard, but have chosen not to do so. The decision to set DNT by default in IE10 has nothing to do with the user's privacy. Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one. You can figure out why they want that. If you have a problem with it, choose a better browser.

The current draft of Do Not Track standard reads as follows regarding how to determine a person's DNT preference: "A user agent must have a default tracking preference of 'unset' (not enabled) unless a specific tracking preference is implied by the decision to use that agent." A user agent means a Web browser.

Not all agree with Fielding's position. "IE10 is respecting the DNT standards. The specification says that the user should select the option, which the user [can] do during the Windows 8 setup," said programming student Francois Remy in one comment.

If a person hasn't explicitly enabled Do Not Track, some in the ad industry advertisers scoff at the idea that its being enabled means anything.

"If the site does not believe the DNT:1 signal is valid, then why would anyone in the supply chain be expected to honor the invalid signal?" asked Mike Zaneis, general counsel of the Internet Advertising Bureau in a comment on the DNT standard.

Windows 8 enables the Do Not Track setting as a default in IE10 when the operating system is installed with default settings, but the installer program does give people an option to change it.

"DNT will be enabled in the 'Express Settings' portion of the Windows 8 set-up experience," said Microsoft Chief Privacy Officer Brendon Lynch in an August blog post. "There, customers will also be given a 'Customize' option, allowing them to easily switch DNT 'off' if they'd like."

Microsoft declined to comment for this story.

Updated 12:02 a.m. PT Sept. 8 with Microsoft declining to comment.