Apache man disables Internet Explorer 10 privacy setting

Apache HTTP daddy Roy Fielding has patched his popular server, telling it to ignore user privacy web settings in Internet Explorer 10. The Fielding patch will mean millions of web servers will ignore the Do Not Track header that's sent to them by users in IE 10, the browser for Windows 8. Apache is used by nearly 600 million …

COMMENTS

  1. OffBeatMammal
    Black Helicopters

    it's pretty obvious how to turn it off

    in both the explanation for the express setup and the custom setup, as well as in IE10 itself it's pretty clear that you're making a choice and that it's following the letter of the standard not some personal interpretation (unfortunately by someone with a bit of power - and you forgot to mention he works for Adobe in his day job)

    the downside of his behaviour is that more folks will need to opt for things like porn mode and resort to AdBlock and the like.

    wonder which advertiser promised a suitcase full of unmarked sponsorship to Apache in return for them slipping this fix in

    1. yossarianuk

      Re: it's pretty obvious how to turn it off

      A more obvious (and far cheaper) solution is to stay as far away as possible from Windows 8.

      1. dogged
        Stop

        Re: it's pretty obvious how to turn it off

        Windows 8 has several good points. DNT is one of them.

        Personally, I use Firefox but I have to go and find the setting every damn time I install it. For the "default" browser that the technically non-adept are likely to use to turn off tracking by default - that's a good thing by the standards of anyone who isn't just out to score points against Microsoft.

        If Opera did this, the fourteen people who use Opera would be crowing it from the heavens.

        1. leexgx
          FAIL

          Re: it's pretty obvious how to turn it off

          if i could down vote you 3 times i would

          ((( @dogged

          Windows 8 has several good points. DNT is one of them.

          Personally, I use Firefox but I have to go and find the setting every damn time I install it. For the "default" browser that the technically non-adept are likely to use to turn off tracking by default - that's a good thing by the standards of anyone who isn't just out to score points against Microsoft.

          If Opera did this, the fourteen people who use Opera would be crowing it from the heavens.)))

          DNT was never meant to be enabled by default, this was to be expected to happen <DNT enabled> what browser IE10 Ignore DNT flag as it's not been set by the user

          AVG is as bad as it installs a DNT plugin that enables DNT by default on all browsers where the plugin is supported (if you uninstall it AVG nags you to death to reinstall it), maybe someone important can give AVG the up on not to do with DNT

        2. kwhitefoot
          Thumb Down

          Re: it's pretty obvious how to turn it off

          The snide remarks about Opera are tiresome. And anyway Opera 12 has a Do Not Track option, and the default is off.

      2. Anonymous Coward
        Anonymous Coward

        Re: it's pretty obvious how to turn it off

        The obvious solution is to lock all advertising 'executives' and any other scum involved in that sordid trade in the hold of a ship and sink it in the Marianas Trench !

    2. DrXym

      Re: it's pretty obvious how to turn it off

      It's not a case of being obvious, it's a case of the power of the default. If DNT is enabled for everybody then marketing networks will simply ignore the preference altogether claiming quite rightly that it does not reflect the user's choice. This in turn renders it a worthless setting.

      One could say that Microsoft cynically enabled it by default because either a) it shuts out competitors from gathering data from the Windows 8 ecosystem, or b) it voids the purpose setting completely. Either way Microsoft stands to gain.

      1. Anonymous Coward
        Anonymous Coward

        Re: it's pretty obvious how to turn it off

        @DrXym, or you could say that MS shut out advertisers in preference for their customers' privacy.

        Then again, it's not very fashionable to say anything positive about MS or Win8 here, is it?

        1. DrXym

          Re: it's pretty obvious how to turn it off

          "@DrXym, or you could say that MS shut out advertisers in preference for their customers' privacy."

          You could say that but you'd be wrong. Windows 8 will be loaded down with Bing apps which will be analogous to Google apps on Android. They'll be tied into a single sign on through Live.com in much the same way too and will be tracking your location, searches and all the rest. If you think for a second that these will honour your privacy you're living in cloud cuckoo land. The primary reason for DNT is to give MS an unfair advantage in gathering data and in setting up their own ad services and to shut out other providers.

          1. dogged
            Stop

            Re: it's pretty obvious how to turn it off

            Windows 8 will be loaded down with Bing apps which will be analogous to Google apps on Android. They'll be tied into a single sign on through Live.com in much the same way too and will be tracking your location, searches and all the rest. If you think for a second that these will honour your privacy you're living in cloud cuckoo land. The primary reason for DNT is to give MS an unfair advantage in gathering data and in setting up their own ad services and to shut out other providers.

            I'm running Windows 8 (release version) and you're wrong. The apps included make very sure that you agree to any service - location, whatever - that they use before allowing you to use them. Some offer opt-outs at that point, too.

            What you've forgotten is that somebody who installs Windows 8 is Microsoft's customer. That's very different from Google, where you are their product and the advertisers are their customer. One could easily say that both companies are interested in keeping their customers happy.

            The individual user's task here is to figure out which one works better for them. Do you want to buy some software or do you want to be sold to a spammer? Your call.

          2. h4rm0ny

            Re: it's pretty obvious how to turn it off

            "You could say that but you'd be wrong. Windows 8 will be loaded down with Bing apps which will be analogous to Google apps on Android. They'll be tied into a single sign on through Live.com in much the same way too and will be tracking your location, searches and all the rest."

            Actually it's pretty easy to see what information a ModernUI app is asking for and grant it or refuse it. I've been using Windows 8 for a while and it's pretty good about this sort of thing. Microsoft and Google have fundamentally different business models. Google sells your behaviour to advertisers to make their money. Microsoft ask for the money from you. You're the customer with Microsoft. With Google, the advertisers are their customers.

      2. JeevesMkII

        Re: it's pretty obvious how to turn it off

        So basically you're saying that advertisers will respect DNT right up until the point people actually start using it. This cynical point of view may well be true, but it's more a reflection of advertisers' willingness to annoy and disrespect the people they're advertising to in the name of making a buck than it is Microsoft's bad faith.

        Microsoft clearly have the right of this. If you polled a thousand web users, how many would really want advertisers to track their browsing habits? I'm betting not many. Privacy should be the default, not a privilege to be exercised by an elite few. If DNT isn't going to work when it's the default then it isn't going to work at all, and when self regulation fails then the advertising industry will have to accept government regulation of their behaviour.

        1. BlueGreen

          Re: it's pretty obvious how to turn it off

          I think Roy Fielding, a main contributor to the http spec and producer of this <http://www.ics.uci.edu/~fielding/pubs/dissertation/fielding_dissertation_2up.pdf> which I've read and likely not one of you other posters have, did the right thing. I think he handled it badly though.

          DNT only works if there is reason to assume a user has made the choice freely and knowingly. MS was using a standard for its own benefit against google. They did not care about the users on this and anyone who thinks they did, or that it will benefit them for very long, isn't so bright. Quite frankly if the commenters here are too witless (on a tech site of all things) to work out the basics of how to go further than not track, how to actually block ads and all connections with web servers, using the most basic facility of a block list and downloaded from <http://winhelp2002.mvps.org/hosts.htm> which ***even includes a batch file to insert it for you***, then you have bigger problems than cookies.

          All these angry, angry sheep blasting out their righteous fury into the mockingly deep comments bile-pit of the reg without having too much idea that their online privacy is a bit wider than a tracking cookie -- please install windows 8 for your own protection and enjoy your last bath in mint sauce.

          (NB there are some here who may or may not agree with me but made some intelligent points, thank you)

      3. h4rm0ny

        Re: it's pretty obvious how to turn it off

        "It's not a case of being obvious, it's a case of the power of the default. If DNT is enabled for everybody then marketing networks will simply ignore the preference altogether claiming quite rightly that it does not reflect the user's choice. This in turn renders it a worthless setting."

        How is a user actively turning it on less of an expression of choice than a user actively turning it off? It isn't unless one has a subjective bias.

        And the choice is fully presented to the user during IE10's installation or first use. It just happens that it explains in unambiguous language what that choice is and has it off by default. The user is given plenty of opportunity and information to turn it on if they want to. The choice requirement has been fulfilled. The issue is that advertisers were hoping the choice would be something users remained unaware of, in some buried setting somewhere.

      4. Anonymous Coward
        Anonymous Coward

        Re: it's pretty obvious how to turn it off

        "It's not a case of being obvious, it's a case of the power of the default. If DNT is enabled for everybody then marketing networks will simply ignore the preference altogether claiming quite rightly that it does not reflect the user's choice. This in turn renders it a worthless setting."

        It's already a worthless setting. It does nothing other than express a preference that scumbags will happily ignore anyway. 'Apache dude cuddles up to big business and acts like an ad-agency knobhead' would have been a better article title.

        "One could say that Microsoft cynically enabled it by default because either a) it shuts out competitors from gathering data from the Windows 8 ecosystem, or b) it voids the purpose setting completely. Either way Microsoft stands to gain."

        Conversely one could say all your argument does is illustrate what a pile of shite DNT currently is.

    3. JetSetJim
      FAIL

      Re: it's pretty obvious how to turn it off

      It would seem that Firefox has the same default behaviour. Navigate to http://www.mozilla.org/en-US/dnt/ and it shows you what your setting is. I've certainly never explicitly ticked the box in the Tools -> Options -> Privacy tab, although perhaps it slipped past my beady eyes when installing it. Either way, DocFielding should now submit a patch to ignore the FF setting, obviously.

      FAIL for Fielding, not for FF (or MS, for a change)

      1. Anonymous Coward
        Anonymous Coward

        Re: Firefox has the same default behaviour

        I don't know what you've done to FF, but I've never changed mine and it says Do Not Track is OFF

        1. JetSetJim

          Re: Firefox has the same default behaviour

          > I don't know what you've done to FF, but I've never changed mine and it says Do Not Track is OFF

          How peculiar - on my home machine it's off. Both machines were fresh installs, one from a corporate server on WinXP (where it was turned on) and the other a domestic Win7 rebuild (turned off)...

  2. dogged
    Thumb Up

    *snork*

    From a comment -

    "Wow. Just... wow. I had not realised just how much @royfielding's employers make from the User Tracking business.

    http://www.adobe.com/uk/solutions/digital-marketing.html

    "

    Well played, sir.

    1. This post has been deleted by its author

  3. sjsmoto

    So why not change the option text from "do not track" to "let anyone follow my every move" and the default can remain unchecked.

    1. Ian Yates
      Joke

      Or what it should always have been called "please be nice and honour my request that you do not track my activity" - PBNAHMRTYDNTMA for short

  4. Richard 31
    Paris Hilton

    waah waah waah..

    .. i'm a big girls blouse is what i heard from the Apache guy here.

    He has found an angle to have a go at MS and big up his own software. Are we surprised?

    Bored now.

  5. Anonymous Coward
    Anonymous Coward

    Irony...

    "@royfielding you have a PhD FFS, you should know better than to leverage open source to sneak in your own personal political agenda"

    From what I've seen of folk getting PhD, it's the icing on the cake that gives them the arrogance to start to leverage their own personal political agenda.

    AC, 'cos I want to keep my cushy job in academia :)

    1. Anonymous Coward
      Anonymous Coward

      Re: Irony...

      "@royfielding you have a PhD FFS"

      intelligence != common sense

    2. Anonymous Coward
      Anonymous Coward

      Re: Irony...

      The arrogance of Fielding is astonishing. Why is choice of browser any less valid a choice than choosing some setting in a browser? MS have publicised the DNT default enough for people to actively choose IE over another browser because of that feature. Is Fielding saying that they shouldn't be allowed to make such a choice?

      It's pretty clear that Fielding has a problem with MS. Here we have a company selling a large amount of proprietary software doing something good for the consumer. And on the other hand there's an open source proponent saying that consumers shouldn't be allowed to benefit. Normally one would expect it to be the other way round. What an a-hole.

      1. Anonymous Coward
        Anonymous Coward

        Re: Irony...

        It is a little like MS automatically setting the URGENT flag in TCP.

        By giving traffic from MS hosts a default setting which gives the users an advantage, everyone now ignores the urgent flag. Just because some traffic from an MS host might be urgent, doesn't excuse setting the flag for everything.

        The point is that while some people choose IE10, the vast majority of IE10 users have not made a conscious decision to use it over another browser, so the DNT option is not a choice. Opera users, however, probably did choose their browser and therefore a large number probably did choose the attributes associated with it.

  6. h4rm0ny

    Well now I've seen everything!

    Microsoft are the good guys and Apache the villains.

    What is the good of a choice if you're only allowed it on the condition that you choose what the other party wants you to choose? What the advertising industry is saying is that sure, you can have your token gesture of privacy so long as only a statistically tiny handful of people use it and all their friends, family and everyone else they know continue being tracked. Some people think that it's fine to have it off by default because they themselves will turn it on. Well I find that rather self-centred. If one thinks that privacy is a good thing (and rather obviously from my post, I do), then why should it be the preserve of the technologically aware only?

    I support MS's on by default approach and if that leads to advertising companies being forced back to the negotiating table, so be it. I do not favour a policy of keeping feeding the tiger so that it doesn't bite you. The tiger just gets bigger and more comfortable and demands more. If the whole world ends up giving up its right to not be tracked and monitored on everything they do, then eventually, even those that are technologically competent will find themselves out-manoeuvred at some point and there will be no legal recourse or chance of drumming up popular opposition to when the ISPs decide they're going to record all your habits at their level or the next Phorm, because society will have reached the point that it is a given you are monitored and tracked by corporations.

    A choice you're only allowed because you don't exercise it, is a false choice. A choice you are allowed on the condition you leave the rest of society to deal with consequences you dodge, is not an especially ethical choice, imo. I understand the Mozilla foundation criticizing it - about 85% of their income comes from funding from Google, basically "search royalties" - but I'm very disappointed in the Apache Foundation.

    1. DrXym

      Re: Well now I've seen everything!

      Microsoft aren't the good guys. They're just trying to stick it to Google by shutting them out of Windows 8. I bet if you were to read the shrinkwrap that comes with your Windows 8 / RT device that Bing / Microsoft would be exempt from honouring DNT themselves for one reason or another.

      1. This post has been deleted by its author

      2. dogged
        Stop

        Re: Well now I've seen everything!

        Actually, the license has been reworked and rather straightforward.

        Bing and other MS properties are not absolutely exempted from DNT.

        But nice try. Do you work for Adobe? Or Google?

        1. DrXym

          Re: Well now I've seen everything!

          "Actually, the license has been reworked and rather straightforward."

          And you've seen it have you, in which case where is it? I can see the Windows Phone privacy statement online at the moment and it more or less reinforces the point I was making, namely that the apps on the device need to obtain lots of information and what opt-outs MS provides don't cover the stuff MS gathers and are certainly not the default settings either.

          "Bing and other MS properties are not absolutely exempted from DNT."

          Sure they are. Bing Maps isn't using IE 10 so therefore the IE 10 setting is not applicable is it? Same for other apps. It might be a web request, but that doesn't mean it's IE. They'll make sure that the data gathering falls outside of general browsing, yet it will still be tied for most people's single sign on.

          I'm sure that Microsoft will keep the data private - to themselves, but that does not mean they are not gathering information by default and won't monetize it.

          "But nice try. Do you work for Adobe? Or Google?"

          No, and Google are just as bad. You just ascribe saintly acts to a company which has very little reason to perform them and plenty of reasons to harvest that data for its own ends. It may be that there are some settings in the OS to tone down or anonymize things other than web search, just like Facebook, Google, Amazon et al provide them too buried somewhere.

          1. Anonymous Coward
            Anonymous Coward

            Re: Well now I've seen everything!

            'And you've seen it have you, in which case where is it?'

            Everything you want to know is here :

            http://www.microsoft.com/privacy/default.aspx

            Well that was hard to find wasn't it. You might have to do a bit of reading and click a few links to find the exact privacy policy regarding the exact piece of software/service that you are looking for but it's all there and it doesn't read like a legalese dictionary. It's so easy to understand even you might grasp it once you get over frothing at the mouth about how evil Microsoft are

            1. dogged
              FAIL

              Re: Well now I've seen everything!

              And you've seen it have you, in which case where is it?

              It displays pretty clearly when you install the OS.

            2. DrXym

              Re: Well now I've seen everything!

              "Everything you want to know is here :

              http://www.microsoft.com/privacy/default.aspx"

              Er no it isn't. Where is the privacy policy for the whole of Windows 8 which I asked for? Where do Microsoft say what data they gather? What purpose is the data gathered for? What options are available to disable that data gathering?

              I am well aware that there is an IE10 DNT setting but that is not the same as what happens in the Bing apps or MS services. I've said this more than once and people don't appear to get it.

              There is also the small matter of people confusing data gathering with privacy. Microsoft undoubtedly gather data every time you use their apps or services. They might hold it privately (partly because such data is valuable) but that does not mean they do not gather it or monetize it through marketing, targeted ads, search results, restaurant suggestions etc. MS are no different from Apple or Google. All of them have reasonable sounding privacy policies, but privacy does not mean they do not gather data and make use of it.

              1. dogged
                Boffin

                @DrXym

                This is interesting, so I've been poking about in the Win8 SDKs to try to find the information you're looking for.

                1. There's an explicit setting when you install Win8 regarding whether apps are allowed to send usage metrics to Microsoft. This data is collated under your Microsoft account provided you choose to allow it. If you choose not to allow it, no data is gathered.

                2. The DNT:1 header sent by Internet Explorer 10 does not persist into apps. However, each app makes HTTP calls in its own session. You could in theory have an unlimited number of browser sessions open with an unlimited number of applications and there is no means of cross-referencing between them (unless done explicitly through Contracts, where an app sends a 1-way message to IE about, for example, what URL to open).

                3. There isn't a Bing Maps app (that I can find). However, the SDK allows developers to build mapping functionality into WinRT Metro apps. Apps can only communicate with each other through Contracts (see #2). This does create the potential for an unscrupulous app-maker to implement app-to-app tracking, but only for apps which they themselves developed. None of the MS apps available implement this (and it's easy to tell because the source code for all the "majors" is provided in the SDK as example code).

                The summary is that you could probably track users via apps if you could make them use many of your apps all at the same time but MS don't (and publicly say that they don't). You could not track users between apps and IE10 or (and because this would imply dropping to Desktop mode, I can be certain) between apps and any other browser.

                If you wish to indulge in tinfoil-hattery, you could theorize that MS track everything via Microsoft account (if you use one) and that the released source of their apps is not the production source of their apps but that's delving deep into "they'm watchin me with rays, them and their big weasel" territory.

                It's in Microsoft's best interests to appear to be the "The Good Guy" to their customers. Advertisers are not their customers, users are. Therefore, the logical take-home is that MS is unlikely to fuck over their customers.

                You could say the same about Google but in that case, the advertisers are their customers while the users are not.

                1. dogged

                  Re: @DrXym

                  Oh, and anyone who says that IE does not EXPLICITLY offer the option regarding Do Not Track might like to examine this screenshot of the Express (not Advanced!) Win8 setup.

                  IE Express Settings

      3. h4rm0ny

        Re: Well now I've seen everything!

        "Microsoft aren't the good guys. They're just trying to stick it to Google by shutting them out of Windows 8. I bet if you were to read the shrinkwrap that comes with your Windows 8 / RT device that Bing / Microsoft would be exempt from honouring DNT themselves for one reason or another."

        Assuming you think advertising corporations not following everything you do online is a good thing (which I do), then we the public benefit from having DNT on. Whether MS also benefit from that or not doesn't change the benefit to me. And it's not the place of some individual in the Apache foundation to decide whether or not W3C standards should be followed. (And IE10 does follow the standards in this - the choice is clearly presented to the user with clear and unambiguous language).

        And you'd better be sure about your comment that MS ignore DNT themselves because otherwise you're just creating groundless FUD which would be unethical. Though I'm not really sure what you mean. Are you saying that MS might somehow reach across the web and turn it off for particular sites or that microsoft.com doesn't honour DNT or what? Because DNT is something that exists between the browser and the web server. It's not something that gets routed via Microsoft HQ. I don't think IE10 contains a secret list of MS's friends that it doesn't send the DNT header to.

        As to your comment about "sticking it to Google" in general, Mozilla get hundreds of millions of dollars from Google for making its search engine the defaults for their browser. Do you also object to Google "sticking it to Microsoft?"

        1. Ian Yates

          Re: Well now I've seen everything!

          "we the public benefit from having DNT on"

          I do kind of agree with the sentiments of "Apache man" (the world's worst superhero). Having it on by default dilutes the purpose of user's choice in the eyes of advertisers.

          It would be like everyone in the UK automatically being enrolled on the original TPS list, which (until this year) had no penalty for companies breaching: everyone would just ignore it.

          Unfortunately, his logic falls down in that if you followed his advice and asked every user on the first run, I'm willing to bet at least 95% of people would still enable it (depending on wording), so you'd get the exact same result.

          TL;DR: DNT is a bit of a joke.

          1. dssf

            Re: Well now I've seen everything! DNT Honeynet/Blackhole

            The ONLY (or possibly only) way for DNT to be effective is if things like Better Privacy and the rest are fashioned into a sophisticated in-browser honeynet and advert blackholer. Or, if some false return bot system could be in it to feed false info to the more brazen collector ad sites. If they WANT info, GIVE them info -- just make them waste their marketing dollars. That will teach them to sell real products, not other people's information. I SOMEtimes respond to ads, but not to very many. Response to too many just gives rise to more unwanted stuff. If I'm interested in ads, it's usually almost exclusively to products I have already purchased or read about in forums I specifically join to learn more about the product or its analogues in the field.

            Too damned many moguls and their networks know tooo damned much about too damned many of us. At some point, they're just sloshing around leads information like laundry -- dirty or clean. At some point, the reality is that they're awash in redundant, elusive information when people's moods dictate what they will really respond to. Unfortunately for them, some of these ad businesses operate on artificial funds on hopelessly sinking platforms.

  7. Anonymous Coward
    FAIL

    Lame decision IMO

    "But unless the user actively turns it off – or on – the advertisers can choose to ignore the default setting, Fielding argues."

    I think it's a very lame argument. You can think of Microsoft what you want but they have shown time and time again that when it comes to privacy concerns they're taking their job very seriously. From their web services as SkyDrive where the policies clearly show that whatever you put up there will always remain yours, right to their mobile environment (Windows Phone 7.5) where all tracking options are either turned off by default, or it comes up with the question to turn it on at first use (Microsoft is interested in your browsing history, virtual keyboard usage, speech recognition history, etc.).

    Has Fielding ever considered that the only reason Microsoft did what they did could also be an honest attempt at protecting their users?

    I would have expected a much more professional approach than this to be honest.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lame decision IMO

      "Has Fielding ever considered that the only reason Microsoft did what they did could also be an honest attempt at protecting their users?"

      Except that it's not, because advertisers will only honour DNT so long as the specification is held that users enable it as a choice (on the assumption that most won't so it won't hurt them too much).

      It's an honour agreement between advertisers and browser manufacturers, one which Microsoft have now broken, meaning the advertisers are now able to ignore the DNT header for all browsers - hurting all users.

      That is Fielding's motivation for his commit rage - which I think was done in completely the wrong way.

  8. John Lilburne

    Wanker!

    1. Ben Holmes
      Happy

      ...and that, ladies and gentlemen, is our winner of 'Informed Comment of the Week'.

      1. h4rm0ny

        Well they could have written "individual who arbitrarily decides to affect the behaviour of millions of web servers around the world without consultation or approval and in defiance of what the W3C guidance", but 'wanker' is shorter.

  9. Anonymous Coward
    Anonymous Coward

    Its easy to fix.

    Have an option screen with

    Please se

    Yes (in green) Use Internet Explorer 10's Enhanced Privacy Features. Enable Do Not Track option. Your privacy will be protected and your browsing will not be tracked across sites.

    No (in red) Disable Do Not Track privacy feature. Your browsing habits will be tracked across multiple sites. The information will be sold to other sites for spam and advertising purposes.

    Or something similar. They could easily frame an option screen in such a way that most people will select a certain option.

    1. Ken Hagan Gold badge

      Re: It's easy to fix

      Your text for the green option is missing the words "unless the advertiser decides he doesn't give a fuck what you think and prefers to track you anyway".

    2. h4rm0ny

      Re: Its easy to fix.

      Actually the set up screen for IE10 does tell the user about DNT and does so in pretty clear and ambiguous language and does offer a choice. Quite honestly, what proportion of people, when they understand what it is, are going to say: "yes, please, I do want private corporations to track me"? It's going to be pretty low. So really, Fielding's objections seem to basically be that Microsoft are making people a little too aware of the choice. He seems to prefer that it should be tucked away like in Firefox, left there only for the people who read forums like El. Reg. Anything else, he seems to think, will only anger Saruman the advertising companies and provoke their wrath upon Rohan us. Better to keep buying them off as Grima Wormtongue counsels.

      1. Vic

        Re: It's easy to fix.

        > in pretty clear and ambiguous language

        Errr....

        Vic.

  10. Anonymous Coward
    Anonymous Coward

    WTF ?

    What the heck is this guy smoking ?

    He accuses Microsoft (Gosh, I never thought I will come defend Microsoft!) of abusing open standards while himself pushing a patch to ignore those settings. Come on, dude, you can't have two defaults here: Apache web server will ignore DNT settings until they will be turned on or off so the default is OFF (like in Do track me).

    And in the end, it is not the bloody damn business of his piece of software to decide that I am "a real human being, with a real preference for privacy over personalization", will I have to beg a web server to believe me ? What a jerk he is!

  11. Anonymous Coward
    Anonymous Coward

    The link to the responses

    ...is to a site called 'GIThub'. Somehow appropriate for this muppet methinks!

  12. Callam McMillan
    Flame

    What a prat...

    So the Apache server will now ignore IE's privacy settings unless they're explicitly set by the user? How will it know, the DNT flag is either set or it isn't - so how can the web server tell whether it has been turned on by the user or not? If there is a way for the server to differentiate, then surely all IE10 has to do is set the default flag as if the user has opted out of tracking.

    I know it's not the cool thing to do, but I am going to stick my head out here and congratulate Microsoft for this position. Yes, I know there are some self-serving interests, but even so, it provides us as end users additional benefits. As for the title, Roy Fielding has been a bit of a prat here, and he has surrendered his right to ever act as an advocate of user privacy should there be a development which he does not like.

    1. Chris Rowland

      Re: What a prat...

      AIUI Apache will ignore the DNT setting if you are using IE10 regardless of how it's set.

      I wonder who made the change to the draft standard after IE10 escaped. It looks as if that change was made to try to put MS in the wrong. Nobody seems to be saying though.

      1. Callam McMillan

        Re: What a prat...

        "AIUI Apache will ignore the DNT setting if you are using IE10 regardless of how it's set."

        That's how I read it too and what I fear. Reading through the comments on the code submission, something that interested me was the point that in the EU, if this patch overrides a user's explicit choice, then the website operator could be held liable. Worse, if the website operator is on a shared hosting platform, then they may not even know this patch has been applied to the Apache config file.

    2. Joe User
      Flame

      Re: What a prat...

      Both Microsoft and Roy Fielding are wrong:

      Microsoft -- Is it so f-ing difficult to simply ask the user about their DNT preference the first time they launch IE 10? Despite your company's belief, most users actually can think for themselves.

      Roy Fielding -- What happens to those people who choose to enable DNT in IE 10? Can your patch distinguish between DNT enabled by default and DNT enabled by the user? No? You idiot.

      1. h4rm0ny

        Re: What a prat...

        "Microsoft -- Is it so f-ing difficult to simply ask the user about their DNT preference the first time they launch IE 10? Despite your company's belief, most users actually can think for themselves."

        You either haven't installed IE10 or possibly don't recall this (I had to go back myself just to be sure), but a page comes up with configuration options upon install and "Enable Do Not Track" is clearly displayed there. You can also click for an explanation of this.

        1. Joe User

          Re: What a prat...

          "You either haven't installed IE10 or possibly don't recall this"

          I installed Windows 8 Enterprise Evaluation (Build 9200) on my test machine. At no point during the installation was I prompted for anything about "Do Not Track". When I launched IE 10 for the first time, it never asked me about this, either.

          1. h4rm0ny

            Re: What a prat...

            "I installed Windows 8 Enterprise Evaluation (Build 9200) on my test machine. At no point during the installation was I prompted for anything about "Do Not Track". When I launched IE 10 for the first time, it never asked me about this, either."

            Then I'm pretty sure you just don't remember it because it is most certainly in there. Here is a screen shot:

            Settings This comes up when you are setting up Windows 8. As you can see, it lists what the default settings are for everything and has a clear button allowing you to change any of them. Also, you can click for more information and detailed explanations.

  13. Sil
    Thumb Down

    A despot that is not mature enough to work on a standard committee

    There is no standard, only a draft.

    Instead of arguing his view on the standard committee Fielding acted as a despot by clearly violating the intent of the standard himself and setting a damaging precedent on which shenanigans one can unfortunately expect from open source.

    Fielding should at the very least issue a public apology and resign from the standard committee and of course delete this patch and learn how to work on a committee before joining any other.

    1. h4rm0ny

      Re: A despot that is not mature enough to work on a standard committee

      I don't know that he should resign from the committee, but he should undo this change and admit that it's not his sole choice to make to violate the (proto-) standards. The comments on the commit log are scathing.

      1. Anonymous Coward
        Anonymous Coward

        Re: A despot that is not mature enough to work on a standard committee

        "I don't know that he should resign from the committee"

        Oh, but he should, and he should do so whilst being flogged with network cables and wearing a sticker on his forehead reading 'Ad whore'.

        "but he should undo this change and admit that it's not his sole choice to make to violate the (proto-) standards. The comments on the commit log are scathing."

        Yup. All those things.

  14. tkioz
    WTF?

    Urr... the world just turned upside down... I support Microsoft on an issue of ethics and morality... that's new...

    1. bazza Silver badge
      Pint

      Strange feelings

      It certainly induces strange feelings of disorientation.

      <---- fortunately there is a treatment!

  15. Anonymous Coward
    Anonymous Coward

    perspective anyone?

    I don’t believe what Roy Fielding has done is in any way right. Finally there were some positive steps on the road to online privacy which he has just pissed all over.

    But let's get things into perspective here....

    The tracking of websites you have visited is only so they can better target adverts. Advertisers don’t care that you have piles, they don’t want to go to the effort to tell the world, his wife and dog that YOU have a bunch of grapes hanging from your arse. All they are interested in is serving you up some adverts for Preparation H, an advert you are more likely to click on out of interest in the product.

    If DNT is implemented correctly and observed correctly, it won't stop a single advert appearing on a single web-page. All it will achieve is that a random advert will appear instead of something relevant. Most of the adverts I see are for technology products, stuff I am interested in.

    I know there are some less than scrupulous people about with ulterior motives other than to try and flog you some lotion for genital warts, but these people will most likely have other ways to get around the DNT flag anyway.

    You can always use ad-blockers, but in my experience, they use up more resources than an advert does....

    1. Angry clown

      Re: perspective anyone?

      Ad-blockers use more resources than an advert does but they are using my computer resources not my brain resources. I'd rather have my CPU work twice as hard than my brain being forced to rummage ads. You know, information overflow, yada yada yada....

      1. Anonymous Coward
        Anonymous Coward

        Ad-blockers use more resources?

        Depends upon which resource you're talking about, I guess. On my smartphone, adverts -- especially video or animated adverts -- are incredible power hogs, both because of heavy GPU usage and the increased network activity to download them. I use an ad-blocker mostly to conserve my battery.

      2. Anonymous Coward
        Anonymous Coward

        Re: perspective anyone?

        No, they really don't, especially flash ads. Adblock plus makes things faster and lighter, in terms of memory, bandwidth, and lost opportunity to drop the CPU frequency.

    2. Anonymous Coward
      Anonymous Coward

      Re: perspective anyone?

      "The tracking of websites you have visited is only so they can better target adverts."

      In general, that's right.

      "Advertisers don’t care that you have piles"

      Of course they do. That's how they better target their ads and increase ROI!

      "they don’t want to go to the effort to tell the world, his wife and dog that YOU have a bunch of grapes hanging from your arse."

      I beg to differ. Do you use FB much?

      "All they are interested in is serving you up some adverts for Preparation H, an advert you are more likely to click on out of interest in the product."

      But to get a better ROI, they want to know that you have piles.

      "If DNT is implemented correctly and observed correctly, it won't stop a single advert appearing on a single web-page"

      That is not its intent.

      "All it will achieve is that a random advert will appear instead of something relevant. "

      And...?

      "Most of the adverts I see are for technology products, stuff I am interested in."

      That's you. Others may want the choice.

      "I know there are some less than scrupulous people about with ulterior motives other than to try and flog you some lotion for genital warts"

      Read 'every ad corp are less than scrupulous'.

      "but these people will most likely have other ways to get around the DNT flag anyway."

      No getting around it needed. They just ignore it.

      "you can always use ad-blockers"

      DNT is NOT about ad blocking. That's something different altogether.

  16. dr2chase
    FAIL

    Fielding's standards violation is larger

    His decision gives IE users no choice at all. That is a larger change than "wrong" choice of a default value that can be changed by users.

    In addition, he ignores the possibility that I might express my preference for DNT by electing to use a browser where it has been set the way I want it, by default. I like products whose default choices align with mine; presumably he thinks my time is well spent twiddling knobs preset to stupid values.

    I'm not sure what's an appropriate reaction by Apache, but this is not someone I would trust with committer privileges.

  17. paul 97
    Mushroom

    Not bothered

    IE10 isn't going to be big - despite the advertisements. Chrome + Firefox + Safari just offer far to much competition. (Sorry Opera - I wish you luck).

    1. Anonymous Coward
      Anonymous Coward

      Re: Not bothered

      Safari? Oh, you're funny! :)

    2. Anonymous Coward
      Anonymous Coward

      Re: Not bothered

      What sort of continuum is "far to much" anyway, Mr. Curious Safari Believer?

  18. mark l 2 Silver badge

    How will this affect EU customers who get to choose which browser to install when they first boot the PC or have MS now managed to get around having to offer up other browsers under Windows 8 in Europe?

  19. RetroTom
    Thumb Down

    Not a Microsoft fan...

    but I hope Microsoft take Apache to the cleaners in this case. An option, provided and set to a default for the benefit of the customers is being specifically ignored.

    This is targeted at, and directly harms the reputation of IE, open and shut case I'd say.

  20. Anonymous Coward
    Anonymous Coward

    "Adobe employee wields influence over open source project to protect user tracking revenue streams"

    So he's saying that IE's bad defaults are best fixed by more bad defaults in Apache?

    He's helping to completely destroy the value of DNT. The point that it has to be user decision is a fair one, but ultimately the header is useless if advertisers refuse to acknowledge it. Each person/company/application that interferes with that user choice makes it more likely that everyone will ignore it entirely.

    I think this title fits better. Nowt wrong with a bit of hyperbole, and that barely qualifies anyway.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Adobe employee wields influence over open source project ...

      What if Microsoft change their default setting to ....RANDOM... so that there's a 50% chance of the default being presented as DNT as it is don't DNT? Would that make him happy?

      1. Anonymous Coward
        Anonymous Coward

        Re: "Adobe employee wields influence over open source project ...

        I really don't see Fielding's problem. Editors Draft. 3. Determining User Preference: "A user agent must have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to use that agent."

        In essence, as long as IE10 has DNT: <unset> before the user makes their choice (which they have to do and can change from 'ON' to 'OFF') then there's no issue, except in Fielding's head.

        The more I read the draft, the more I think he's completely and utterly wrong - on this and other counts.

    2. Vic

      <title truncated>

      > ultimately the header is useless if advertisers refuse to acknowledge it.

      And this is the nub of the problem.

      The advertisers have said that they *will* refuse to acknowledge it if one of the major browsers sets the flag by default - so by defaulting DNT to on[1], Microsoft has put us into the situation where advertisers will ignore the flag for absolutely everyone. The entire system becomes useless.

      I think Fielding's response is way OTT, but I can see the point he's trying to highlight. This is clearly not the right way to handle the problem, but I'm not sure I know what would be the right way.

      Vic.

      [1] If that is actually what MS has done - the comments in this thread suggest that it might or might not be so...

  21. Anonymous Coward
    Anonymous Coward

    Did I interpret the article correctly?

    I'm not sure I understood the article; here is my take:

    The setting in IE for disabling tracking is problematic and might not prevent people from being tracked. In response to this the Apache guy is going to ignore the setting and always track all users regardless of any preference they might express?

    1. Anonymous Coward
      Anonymous Coward

      Re: Did I interpret the article correctly?

      Pretty much that.

      His commit is actually a default config setting rather than hard-coded logic (which really only serves to further the hypocrisy), so can be disabled by anyone in control of their own Apache config. Anyone on shared hosting may be at the mercy of a default-happy sysadmin.

      His argument is that MS pick a default for the user (they say what it is, but unless you pick "Customise," you get it set to "on"), so HE should get to choose a DIFFERENT default for a webserver that's not even part of the debate. Natch.

    2. h4rm0ny

      Re: Did I interpret the article correctly?

      "The setting in IE for disabling tracking is problematic and might not prevent people from being tracked"

      This part is not really right. DNT works on sending a HTTP header to the server as part of the request. This header is the same whether it's IE10, Firefox or anything else. I.e. it's all the same to the website regardless of your browser. So there's nothing wrong with the way IE10 does this. The issue Fielding has is that IE10 has a default of it being on rather than allowing users to be tracked until they say they don't want to be. I.e. it's opt in to tracking, rather than opt out. Fielding seems to think that this is wrong and so has arbitrarily decided to disregard any preference at all from IE10. Your reading is correct except that the first sentence seems to imply that it is a technical problem when it isn't. IE10 handles DNT fine. The issue is that it encourages users to use it.

  22. Lockwood
    Facepalm

    In Fielding's mind, "M$ R TEH EVULZ ND WOTEVR THEY DO IS GHEY!!!11oneoneone"

  23. Anonymous Coward
    Anonymous Coward

    What a wanker! So I've got to piss about with settings again now!

    No I don't want to be tracked! Why would anyone want to be tracked?

    What the fck has it got to do with any other website I'm visiting, where I have been before?

    None of their business.

    So once again, some tosser thinks he knows best and we've all got to piss about yet again.

    Dickhead!

  24. Nick Kew
    FAIL

    Misinformation

    Both this article and ALL the comments[1] above are based on misinformation.

    >>> "Fielding has updated the code of millions of servers"

    He has done no such thing! So far as we know, he hasn't updated the code of a single server in respect of DNT.

    If the peanut gallery cared about it, they could raise the matter on Apache's mailinglists, where discussion of all aspects of apache are welcome.

    I'm not bothered either way about "DNT" (FWIW I have no problem with harmless ads, but will automatically block anything that moves/animates - noscript is more helpful than adblock).

    [1] Unless I've missed something, which is entirely possible.

    1. Anonymous Coward
      Thumb Down

      Re: Misinformation

      @Nick Kew

      Whether millions of web servers have or have not been updated with this 'patch' is not the point in hand.

      Fielding's position is that a user must be forced to set the DNT header to DNT: 1. He further claims that, should this approach not be adopted, then the DNT header is next to useless. He claims that Microsoft set DNT: 1 by default and this is thus not the user's choice but an installation default. On this point he may well be wrong.

      http://www.computerworld.com/common/images/site/features/2012/08/Express_Settings_Win8RTM.jpg

      The above referenced image clearly shows that a user has the choice of on or off. Whether this illustrates a default of on or off is to debate semantics IMO. What is unarguable is that the user has the choice of on or off.

      "If the peanut gallery cared about it, they could raise the matter on Apache's mailinglists"

      I believe you will find that there has in fact been considerable consternation on the same. Whether this update survives the course remains to be seen.

      What this whole debacle does serve to demonstrate however is that Fielding believes his word is law and quite possibly that his association with Adobe has borne influence on his decision.

      FWIW, I think DNT is an absolute joke in that it's not really worth the proverbial paper that it is written on. If they were really concerned at all about user privacy and the rights of the user then DNT (or preferably something enshrined in law) would hold the rights of Joe Public paramount. This is not the case. DNT is about being seen to do 'something' (albeit a next to useless something) whilst attempting to protect the revenue streams of corporate bodies.

      Back DNT with a little EU wise legislation and I might change my mind. Until then, DNT remains a complete sham - irrespective of what Fielding or others say.

    2. JimC

      Re: Misinformation

      I interpreted it as "the code used by millions of servers" because I knew he couldn't have pushed any updates onto my Apache servers.

      I always make the assumption that raw headlines may be misleading, either to attract eyes, or simply because of excessive/injudicious shortening of the phrasing.

      1. Nick Kew

        Re: Misinformation

        @jimc, true but not in the least relevant. Your comment is still premised on the misinformation that he's changed the apache code.

    3. This post has been deleted by its author

    4. Alasdair Russell
      Thumb Down

      Re: Misinformation

      Roy Fielding committed a change to the trunk version of the Apache HTTP Server less than 2 weeks before a major version release (10 August 2012). This change is live in version 2.4.3 of httpd (21 August 2012) which Apache recommend over all previous releases. Any server on this level by default has this behaviour (and web admins like to keep their servers up to date). Therefore this is indeed potentially live on a VERY large number of servers.

      Not knowing the code locking protocols for Apache before a release I cannot be sure, but it looks like he may have snuck it in just ahead of code freeze. Even if reverted this piece of code is going to stay live in some places for a very long time.

      Whilst it would be possible for a server admin to turn off this behaviour they would have to be aware that it existed. This is also not possible for web sites on shared servers where they often cannot access the required configuration file.

      This is more worrying because Roy T. Fielding is a board member of the Apache Foundation and was its chairman at one point. He has to my mind shown his contempt for the standards process by committing a change which deliberately contravenes the very specification which he helped to author in a much more blatant manner than you could ever argue that Microsoft has. I cannot imagine how he could think that this was a good idea.

      1. Anonymous Coward
        Anonymous Coward

        Re: Misinformation

        W3C: "An HTTP intermediary must not add, delete, or modify the DNT header field in requests forwarded through that intermediary unless that intermediary has been specifically installed or configured to do so by the user making the requests."

        Fielding: "RequestHeader unset DNT"

        Pot. Kettle. Black.

      2. Nick Kew

        Re: Misinformation

        @Alasdair Russell - since there's no code involved, any talk of a code freeze is a red herring.

        If you want to know about code freezes at apache, you can check the development mailinglist (where you'll see it doesn't work that way).

        1. Alasdair Russell
          Thumb Down

          Re: Misinformation

          Interesting.

          The configuration file is part of the CODE TREE of the httpd project. It is under source control and is distributed with the rest of the code and is patched in the same way the other files are. Thanks for the pointer. Now that I know where to look I can see that it was proposed 4 weeks earlier that the T&R of 2.4.3 be scheduled to start on 10 August (and a reminder went out on the 7th). So the fact that the commit was shortly after midnight at the start of that day is even more suspicious. In the end other issues delayed the T&R by a week but they only arose after the commit. And the T&R is basically a code freeze for the release as no changes can go into the release candidate and if it fails testing (live running for 2-3 days) they choose another trunk tag to base the release upon.

          On the other point if you take a look at the patch in question, what he is adding is not a configuration setting but rather a portion of script which runs on server every time a request is received. So whilst it may not be compiled it is most definitely code.
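
Several comments above note that an admin can only undo the DNT-stripping default if they know it is in their configuration. The following is an added example, not part of any comment and not Apache's own code: a scanner that reports every `RequestHeader unset DNT` in an httpd configuration and which clients it applies to. The thread quotes only `RequestHeader unset DNT`; the sample file, its `BrowserMatch` line and the variable name `bad_DNT` are constructed for illustration.

```python
import shlex

# Constructed sample, not copied from the Apache tree. Only the directive
# `RequestHeader unset DNT` is quoted on the page; the BrowserMatch pattern
# and the env variable name `bad_DNT` are assumptions for this example.
SAMPLE_CONF = r'''
# constructed httpd.conf fragment
<IfModule setenvif_module>
    BrowserMatch "MSIE 10.0;" bad_DNT
</IfModule>
<IfModule headers_module>
    requestheader unset \
        DNT env=bad_DNT
</IfModule>
# RequestHeader unset DNT
RequestHeader set X-Forwarded-Proto "https"
RequestHeader unset dnt early
'''


def logical_lines(text):
    """Yield (first_line_no, line): continuations joined, comments dropped."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):          # httpd joins lines ending in a backslash
            buf += raw[:-1] + " "
            continue
        line = (buf + raw).strip()
        buf, first, start = "", start, None
        if line and not line.startswith("#"):
            yield first, line


def _tokens(line):
    try:
        return shlex.split(line)        # honours "quoted arguments"
    except ValueError:                  # unbalanced quote: plain split instead
        return line.split()


def find_dnt_stripping(text):
    """Return one dict per directive that removes the DNT request header."""
    setters = {}                        # env variable -> conditions that set it
    hits = []
    for no, line in logical_lines(text):
        tok = _tokens(line)
        name = tok[0].lower()           # directive names are case-insensitive
        if name in ("browsermatch", "browsermatchnocase") and len(tok) >= 3:
            cond, variables = f"User-Agent matches {tok[1]!r}", tok[2:]
        elif name in ("setenvif", "setenvifnocase") and len(tok) >= 4:
            cond, variables = f"{tok[1]} matches {tok[2]!r}", tok[3:]
        else:
            cond, variables = None, []
        for var in variables:
            if not var.startswith("!"):  # "!name" removes a variable
                setters.setdefault(var.split("=", 1)[0], []).append(cond)
        if (name == "requestheader" and len(tok) >= 3
                and tok[1].lower() == "unset"
                and tok[2].rstrip(":").lower() == "dnt"):
            extra = tok[3:]
            env = next((t[4:] for t in extra if t.lower().startswith("env=")), None)
            has_expr = any(t.lower().startswith("expr=") for t in extra)
            hits.append({"line": no, "env": env, "expr": has_expr})
    # Resolve conditions last: the variable may be set later in the file.
    for hit in hits:
        env = hit["env"]
        if env is None:
            hit["scope"] = ("requests matching an expr= condition"
                            if hit["expr"] else "every request")
            hit["set_by"] = []
        else:
            negated = env.startswith("!")
            var = env.lstrip("!")
            hit["scope"] = f"requests where {var} is {'not ' if negated else ''}set"
            hit["set_by"] = setters.get(var, [])
    return hits


if __name__ == "__main__":
    for hit in find_dnt_stripping(SAMPLE_CONF):
        print(f"line {hit['line']}: DNT removed for {hit['scope']}")
        for cond in hit["set_by"]:
            print(f"    variable set when {cond}")
```

The scanner reads one file's text; a real deployment would also need to follow `Include` directives and per-vhost files, which this example does not do.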

  25. FrankAlphaXII
    Devil

    If Microsoft or Google had said what this guy said

    And decided to ignore DNT on IIS or on Google's services in Google's case, People would be freaking out about being tracked.

    If it wasn't a developer of a competing project maybe I'd give it some more credence. In this case it just pisses me off, it further dilutes an already weak "standard" by making the Web Server with the largest marketshare ignore the standard in what will probably be a large enough segment of the global userbase for it to actually matter.

    Standards are a two way street, you don't throw your toys from the pram and basically destroy the standard because you're pissed at another Vendor's possibly incorrect implementation of the standard, if it's incorrect there are ways to let them know without playing the same game and defaulting your software to track the users of the Vendor (who may not be following standards) software. Apache Guy isn't judge, jury and executioner of web standards though his inflated ego may well tell him he is. That responsibility is the Working Group's, which he is a member of (as is Microsoft), and both should really know better.

    It's a really fucking slippery slope: say he gets mad at Google or Mozilla for something they do and makes a change to track them no matter what as well. What would people be saying then about Chrome or Firefox useragents being tracked even if they've opted out.

    In all honesty, fuck this guy. His behavior is no better than Microsoft, actually it's worse, Microsoft's trying to protect its customers from being tracked. It might be incorrect but unless the Standard working group says so, it's not his place to do something like this.

  26. toadwarrior
    Facepalm

    Sounds to me like someone got paid off. The fact they're basically saying they won't support it if people exercise their choice not to be tracked.

    So DNT is pointless and rather than worry about the implementation, bin the damned thing if people can't actually use it.

  27. kain preacher

    anti trust issue

    Considering how large Apache is this could cause them some serious issues. For years people complained how MS did not follow standards or broke them.

  28. Dave 15

    Sounds like bull to me

    What a load of crap. If I have a setting that is on by default I don't expect some bigoted idiot to ignore it because I didn't deliberately set it. If this had been some linux browser he wouldn't have had the problem. Get over it, the browser is popular because it fits in with most people's idea of easy... just like the rest of the OS.

  29. dssf

    Is there any connection between Flash and AdBlock Plus and others?

    For example, by choice, is he violating people's desire to block Flash or java script because those choices to block adverts would block his employer's Flash?

  30. hollymcr
    WTF?

    I don't get why people find this confusing

    Judging by people's reactions to this DNT stuff, I'd say there's maybe 1% of the population that would go with "please track me, I know what that means", maybe 5% that would be "don't track me" and the rest "huh? DNT what now?"

    The value of a targeted ad is higher than a non-targeted one, for obvious reasons. So to achieve a given revenue you need to show (say) ten times as many non-targeted ones as you would targeted ones.

    So, with DNT off by default but there to be enabled, advertisers can afford to lose that 5% who care without really affecting things, so that 5% get what they want (not to be tracked) and everything carries on otherwise as before.

    With DNT on by default, advertisers lose that 5% but also the 94% "huh?" which means the only way to bridge the gap is to show one hell of a lot more adverts in the hope that one of them interests you without being targeted. Or stop providing the service, or charge for it a different way, or ignore the DNT setting. Of course that's not an issue because DNT was designed to be off by default so the 5% who care get what they want, and since it's an optional feature for advertisers to pay attention to that's great because the 5% stand some chance of it actually being implemented.

    By ignoring this and turning on DNT by default, MS have ruined this for anyone who wants to use it. In IE10, DNT=Off means "I'm in the 1% who want to be tracked", DNT=On means "I'm almost certainly in the "Huh?" bracket but there's a small chance I do care and don't want to be tracked", which can be summarised as "ignore DNT=On".

    Of course only IE10 does this, so websites could put extra effort in to implement DNT but ignore IE10, but they won't; they just won't implement it. At least if they use Apache they can just implement DNT and auto-ignore the ones that can't be trusted. Apache are, it would seem, the best hope of rescuing DNT. For anyone in that 5% this is *very good* news.

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't get why people find this confusing

      Way to completely miss the point. This isn't just about having adverts delivered to you, this is about how much data corporations want to have on you. Important things like where you live, who your family and friends are, your entire online shopping history, where you holiday, who you bank with, the list goes on and on.

      Without controls you have no idea who has this information, what it is being used for or how long it is being stored and you can bet that if they think they can get away with it, it will be stored forever. As other people have pointed out, if this is not stamped on now it won't be long before this kind of behaviour becomes the normal way of doing things and corporations will be able to track your every movement from birth to death quite legally, selling that information on to whoever they please and what privacy you have left will be gone forever.

      If you think they don't want that level of detail on you, they just want to know you're interested in product x so they can sell more of it to you then you are extremely naive. Even if you are correct and they only ever use the info they have on you to sell you something that you want then that opens the door to companies being able to rip you off by charging you more for something that they already know you will probably buy instead of being fair on pricing and this article shows they are already thinking of it

      http://www.theregister.co.uk/2012/09/07/google_price_discrimination_patent/

      1. hollymcr

        Re: I don't get why people find this confusing

        Er, I think it's you who missed the point. You might have a point about targeted ads but that's not what this article was about. It was about DNT and Microsoft/IE10's attitude to it.

        Observing DNT is optional, but if 5% of people use it you can make a business case for implementing it on a website. If 95% of people choose it then there's an even stronger case for implementing it, although the loss of income would have major effects way beyond DNT. But arguing that it's ok for 95% of visits from any one browser to have DNT set when only 5% would actively have chosen to use it just devalues DNT and destroys any business case for supporting it.

        If you dislike DNT then fair enough, but if you want DNT to work then that's at odds with supporting the way IE10 implements it.

  31. Herby

    Shades of Scott McNealy

    "You Have Zero Privacy Anyway. Get Over It."

    Words to live by!

    P.S. Please follow standards Microsoft, not morph them into your own perverted self serving lock everyone else out dictates.

    1. Anonymous Coward
      Anonymous Coward

      Re: Shades of Scott McNealy

      There is no DNT standard, just a draft!

      "not morph them into your own perverted self serving lock everyone else out dictates."

      Did you actually read the article?

    2. h4rm0ny

      Re: Shades of Scott McNealy

      "P.S. Please follow standards Microsoft, not morph them into your own perverted self serving lock everyone else out dictates."

      Would you similarly object if you realize that the draft was added to after the Windows 8 previews appeared and someone somewhere realized that IE10 could hit ad revenues so they "morphed" the draft to try and make IE10 non-compliant?

      Or does your objection to people manipulating standards for their own benefit only apply in one direction?

  32. Ilgaz

    What will happen is worse than profiling

    If everyone wanders around with do not track enabled, sites (pushed by advertisers) will ship their "apps" which do far more than tracking analytics to win app store.

    Every "app" will mean more distance from real, open web.

    You don't need to be "Ph.D.", just look to app stores (especially Android, transparent permissions) and question if those "apps" of news sites can't be done with new standards-based mobile sites.

  33. bazza Silver badge

    Anyone can undo the change

    Fielding is misguided and ill informed in this action. I would wish to write something more rude, but I'm not ticking the AC box.

    I've had a look at the actual file Fielding has changed on Github. It's the default config file for Apache, and there's no copyright notice at all in it. Presumably there's nothing to stop any Apache developer logging into Github and undoing the change, apart from risking the Wrath of Fielding. No copyright notice = he doesn't own or control the file, or at least he's not claiming that.

    A bit of speculation follows:

    I presume that anyone upgrading their Apache server won't necessarily be looking to revert their config files back to the default. And presumably the update process for Apache doesn't necessarily overwrite any existing config files either (just imagine how irritating that would be if you had made changes to the config file!). So presumably it will only be new installs of Apache that will get this behaviour. That would mean that it will take some considerable time for all those existing Web servers to actually pick up this config file. Is DNT armageddon not going to happen overnight?

    1. Alasdair Russell
      Meh

      Re: Anyone can undo the change

      This is already logged as a bug for correction in the Apache BugList. Unfortunately it is in the version released 3 weeks ago, so may not be addressed for a bit.

      53845|New|Nor|2012-09-08|Remove DNT settings from httpd.conf

      In fact there is a bit of a thread going on:

      The URL is: https://issues.apache.org/bugzilla/show_bug.cgi?id=53845

      1. bazza Silver badge
        Thumb Up

        Re: Anyone can undo the change

        I took a look at that thread (thanks for the link). Fielding doesn't seem to have many supporters there just at the moment!

        "This is already logged as a bug for correction in the Apache BugList."

        In the circumstances not surprising I suppose, and good to see!

    2. Nick Kew
      Thumb Up

      Re: Anyone can undo the change

      You're much closer to the truth than the article's author, or most of the commentators. Indeed, if the purpose of Fielding's apache change was as everyone (including you) assumes, you'd be spot-on.

      Your speculation is insightful too: a server upgrade isn't going to mess with your config (that would indeed make every upgrade a headache for every sysop).

    3. vagabondo
      Unhappy

      Re: Anyone can undo the change @bazza

      > And presumably the update process for Apache doesn't necessarily overwrite any existing config files either

      The problem is that the _default_ behaviour of Apache has been changed. This means that you would need to add an entry to the httpd.conf files in order to prevent IE10 DNT headers from being ignored.

      At a minimum Apache should make this clear, and give advice on how to maintain the expected behaviour in the release announcement.

    4. Vic

      Re: Anyone can undo the change

      > No copyright notice = he doesn't own or control the file

      Well, the file is copyrighted anyway; no notice just makes it harder to work out who owns which copyrights.

      Nevertheless, a copyright notice has no bearing whatsoever on whether or not someone else can change the file. All it needs is someone with commit access. This is Free Software...

      Vic.

  34. Anonymous Coward

    IE10 patch to follow

    Perhaps MS should implement a patch that identifies the web server, and if the server is apache it pops up a big warning box on the screen (a la SSL certificate not trusted), which warns the user that the site they are about to connect to may not respect their privacy settings...with the following options 'I don't care about my privacy anyway' , 'reload page pretending to be IE9' or 'get me out of here'. that should do wonders for the revenue of those trading in privacy-related information - not.

    Or.....why doesn't somebody, anybody, just make a browser that actually refuses to store or pass any tracking information at to a web site unless it is part of an approved cookie interchange - is that really so hard to do?

    1. Never disclose browser history, or HTTP forward information to ANYBODY

    2. Block all access to cookies unless from the issuing site

    3. Randomize (with certain criteria) the browser agent string and browser capabilities

    etc

    The best I have so far is SRIron but even that needs some add-ons

    PS. The first word that came into my head when I read the article was also 'Wanker' as posted earlier.

    1. Nick Kew

      Re: IE10 patch to follow

      "Or.....why doesn't somebody, anybody, just make a browser that actually refuses to store or pass any tracking information at to a web site unless it is part of an approved cookie interchange - is that really so hard to do?"

      Nope, not hard at all. In fact it's been standard since sometime last century though some implementations (e.g. early Firefox versions) have had their own problems. But it's a browser option: accept or reject third-party cookies.

      It's a shame that's not all that's involved. The real crap is things like (paraphrasing HTML syntax):

      <img size=0 src=tracking url>

      or of course equivalent tricks with other elements like object, iframe, etc. The key point is that the tracking URL is at the site that sets cookies and supplies data to advertisers.

  35. John McCallum

    Default ON

    Or default OFF or user ON or user OFF, it seems to me that they are in effect the same thing: it is either on or off, so tell me how does a piece of software or programme on a server somewhere know whether it has been turned on by the user or turned off by the user or is on or off by default? Can you explain in normal language what the difference, if any, is?

    1. h4rm0ny

      Re: Default ON

      "tell me how does a piece of software or programme on a server somewhere know whether it has been turned on by the user or turned off by the user or is on or off by default? Can you explain in normal language what the difference, if any, is."

      The server doesn't know and cannot know. It's just a HTTP header sent by the browser. So if a user of IE10 deliberately and legitimately chooses to turn on Do Not Track, Apache with this commit will disregard the user's preference and remove the Do Not Track preference. In effect, what Fielding has done is commit a code patch that removes any user of IE10's ability to use Do Not Track because he thinks it shouldn't be enabled by default.

      1. Nick Kew

        Re: Default ON

        "The server doesn't know and cannot know."

        The server absolutely does know. If it cares, which mine (among many) doesn't.

        DNT: [anything] - someone explicitly set it

        No DNT header, default behaviour, no one set it.

        And of course, no one has committed a code patch to apache.

        1. h4rm0ny

          Re: Default ON

          "The server absolutely does know. If it cares, which mine (among many) doesn't.

          DNT: [anything] - someone explicitly set it

          No DNT header, default behaviour, no one set it."

          In practice, not so much. Open up Firefox and with a proxy or Firebug or whatever you like, make a basic GET request to any given site. Make sure that "Tell websites I do not wish to be tracked" under Options->Privacy, is ticked. In the Request headers you will see DNT:1. Now untick it and request the same site. This time you will see that there is no DNT header included at all. Not DNT:0, no header. So tell me how the server can know if I have ticked or unticked that box by choice or if it is by default behaviour.

          Unlike Firefox, which by default never presents the user with a choice, IE10 actually does so. Are you really going to argue that presenting users with a choice is a bad thing? And if so, do you really think that most users would choose to have private corporations track and compile data on every site they go to? If not, then surely both presenting that choice and suggesting no as a default are more in line with what most users would want.

          "And of course, no one has committed a code patch to apache."

          There is a commit to the code base here: Commit. Or are you arguing that because the specific change to the code base is to a config file, it is not a change to the CODE base? The article states that a change was committed that disables IE10 privacy settings, which is an accurate claim.
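
Added example (not part of any comment above, and not Apache's or anyone's production code): a small Python model of the point argued in this sub-thread, showing which DNT states an application can tell apart from the request headers and what changes when a front-end rule drops the header for IE10 first. The `MSIE 10.0` match string, the function names and the sample requests are assumptions constructed for illustration.

```python
# Added example: the DNT signal as seen by the application layer.
# Assumption: the server-level rule recognises IE10 by this User-Agent substring.
IE10_MARKER = "MSIE 10.0"


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def dnt_state(headers):
    """Classify the DNT signal using only what is in the request."""
    value = get_header(headers, "DNT")
    if value is None:
        return "no-header"          # nothing sent: unticked box or no preference
    value = value.strip()
    if value == "1":
        return "do-not-track"
    if value == "0":
        return "tracking-allowed"
    return "unrecognised"


def strip_dnt_for_ie10(headers):
    """Model a server rule that removes DNT when the User-Agent looks like IE10.

    Returns a new dict so the original request is left untouched.
    """
    ua = get_header(headers, "User-Agent") or ""
    if IE10_MARKER not in ua:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "dnt"}


def app_view(headers, server_strips):
    """What the web application concludes, with or without the server rule."""
    seen = strip_dnt_for_ie10(headers) if server_strips else headers
    return dnt_state(seen)


# Constructed sample requests (not captured traffic).
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0"
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
SAMPLES = {
    "firefox_ticked": {"User-Agent": FIREFOX_UA, "DNT": "1"},
    "firefox_unticked": {"User-Agent": FIREFOX_UA},
    "ie10_dnt_on": {"User-Agent": IE10_UA, "dnt": "1"},
    "ie10_dnt_off": {"User-Agent": IE10_UA},
}


def compare():
    """Map each sample to (state without the rule, state with the rule)."""
    return {
        label: (app_view(h, False), app_view(h, True))
        for label, h in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, (before, after) in compare().items():
        print(f"{label:18} without rule: {before:14} with rule: {after}")
```

With the rule active, the two IE10 requests produce the same result, so an application behind it cannot see whether that user had DNT on or off.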

  36. Grogan Silver badge

    I don't see what the big deal is. I have never cared if advertisers track me to deliver targeted ads. I don't really pay much attention to ads anyway, but I let them display in case the site gets paid for impressions. If they get paid more because advertisers use tracking cookies, so be it. I'll spread my cheeks for them if they want to crawl up where it's nice and warm.

    If I don't want to be tracked, I'll go all stealthy but under normal browsing conditions I give not one tapered turd who sees where I go or what I do.

    Enabling it by default just systematically defeats a mechanism used by advertisers so that the ads they deliver might be more relevant. (In my opinion). I can't say I would blame anyone for ignoring that setting if that's the case.

    I do have to say that it should not be up to the web server software to make that decision though. Individual sites should be free to honour it or not. I think that's a pretty wrong headed decision, at the web server level. Let's give Microsoft more market share by giving them something else to campaign against with their "Get The FUD" style ads.

    But then again, distributors (or even users) of Apache software are free to revert those changes as they see fit and people are free to choose those implementations as they see fit. That's the whole point of open source/free software.

  37. Bucky 2
    WTF?

    Does nobody know how to administer a site anymore?

    Oh geez: Bitch, moan, whine.

    You program your site like this:

    A visitor either has do-not-track ON, in which case he needs to buy a subscription for the content, OR he has do-not-track OFF, in which case he is selling his use patterns in exchange for the content.

    Totally fair. Totally compliant with the standards. Totally doesn't matter which setting is on or off by default.

    Either way, the content provider is getting paid a fair value for his content.

    Why is this hard?

    1. h4rm0ny

      Re: Does nobody know how to administer a site anymore?

      "Why is this hard?"

      Well it wasn't until someone committed a patch to Apache that meant your web application wouldn't be able to tell if a user had DNT on or not. But it is now.

      1. hollymcr

        Re: Does nobody know how to administer a site anymore?

        You will be able to tell if the user selected that option, unless they use IE10, in which case regardless of Apache you can't tell if they choose to enable DNT.

        IE10 presents a misleading header, the server ignores it.

        The best fix is to IE10 but I'm guessing that Apache don't have access to that source code.

        1. h4rm0ny

          Re: Does nobody know how to administer a site anymore?

          "IE10 presents a misleading header, the server ignores it."

          No. The HTTP header is the same whether it is sent from Firefox, Chrome, Opera, IE10, whatever. It is the same header. The only difference is that the user is presented with an option to choose whether or not to enable it when they set up Windows 8 as opposed to, e.g. Firefox, where the user is not asked and if they want to enable DNT they have to firstly know about it and then bring up the Options panel, go to the Privacy tab and locate the option for it.

          "The best fix is to IE10 but I'm guessing that Apache don't have access to that source code."

          If they did, then no doubt Fielding would be making unilateral decisions on how it should work over the heads of most of the other developers as he has with Apache. A lot of Apache developers are pretty pissed off about this, looking at all the ire on the commit log and that his change is now an official bug in the project.

          1. hollymcr

            Re: Does nobody know how to administer a site anymore?

            I'm not sure I follow your argument: they use the same header but in a different way from all the other browsers, therefore it's not misleading?

            I'm not really wanting to defend Fielding so much as criticise Microsoft as that's where the problem lies. The Apache code is open so Fielding's change was open and transparent and easily reversed. What *should* happen is exactly the same as usually happens when MS "embrace" a standard: detect the browser in the application code and (once again) code around it.

            1. h4rm0ny

              Re: Does nobody know how to administer a site anymore?

              "I'm not sure I follow your argument: they use the same header but in a different way from all the other browsers, therefore it's not misleading?"

              I'm not sure I follow your interpretation of my argument. (Seriously - not trying to score points. I don't think that's what I'm saying but I'm not quite sure what you're getting at). Just to re-iterate, there's no technical difference between the header being sent from IE10 and from any other browser. I don't get your premise that it is used in a "different way to all other browsers". The only difference is that the user is made aware of the choice and one is actually set. Talk of the headers is really focusing below the level of the issue. There's no way for the server to tell what the user's intention is other than based on the header or its absence. As pointed out, Firefox, when you turn DNT off, actually just doesn't send the header (rather than sending DNT:0). The change to Apache means that at the web-application level (where application behaviour based on DNT should actually be placed), you can't tell what IE10 has sent because Apache has overridden it before it gets passed up to the application layer.

              "I'm not really wanting to defend Fielding so much as criticise Microsoft as that's where the problem lies"

              That's the thing. I don't agree that presenting the user with an actual choice when they set the system up, rather than burying the setting somewhere and deliberately keeping users ignorant that they even have a choice, is a fault on Microsoft's part.

              "The Apache code is open so Fielding's change was open and transparent and easily reversed."

              Actually this isn't as wholesome as you make it sound. For a start, this commit came out of nowhere with no discussion and was put in early in the morning right before a code freeze for a major release. To remove it they have had to actually file a bug report and it's going to take a few weeks to get it out again. Additionally, many on the Apache project feel that it was an abuse of Fielding's position to put a politically motivated change in and in a manner and timing that suggests he wanted to force it through by virtue of careful timing.

              "What *should* happen is exactly the same as usually happens when MS "embrace" a standard: detect the browser in the application code and (once again) code around it."

              Thing is, IE10 is compliant with the draft standard. They even changed the standard after the Win8 preview appeared in order to try and make MS non-compliant. But it didn't actually succeed because MS actually are presenting the user with a choice which is what the standard calls for. Also, it's really not the appropriate place for this to be addressed. I do not want Apache choosing to remove HTTP headers invisibly before it reaches the application layer. The standard states that relaying services for the HTTP requests should not alter the DNT header. And yet that is exactly what this code commit makes Apache do. You have it the wrong way round - IE10 is actually compliant. Fielding has actually made Apache be non-compliant. Your ire should be directed at Fielding if you care about standards.

              1. hollymcr

                Re: Does nobody know how to administer a site anymore?

                "Just to re-iterate, there's no technical difference between the header being sent from IE10 and from any other browser"

                I don't see why you see this as an argument in your favour (also not trying to score points...). If MS choose to implement non-standard behaviour then they should use a non-standard header. Like others, my brief experience with installing W8/IE10 never led me to a point where I was given a choice about this setting, so my view is coloured by this. We clearly disagree about whether IE10 uses DNT in the same way that other browsers do.

                "I don't get your premise that it is used in a "different way to all other browsers". The only difference is that ..."

                It's that "only difference" that I consider makes it "different".

                Ultimately one of two things will happen as a result of this. The setting will be ignored by the majority of websites (whether just for IE10 users or in general), or sites will use the setting to direct people at a paywall or subscription service. The first seems more likely, at least in the short term, and means that anyone hoping to make use of DNT will be disappointed. The second is probably inevitable in the longer term, which will likely result in fewer independent websites and more large web brands, which is a shame.

                I do get why people don't like being tracked but nobody seems to have come up with an alternative method of paying for content on the web. The sort of tracking we're talking about is little different from using a credit/debit/loyalty card in a supermarket and maybe as paywalls spring up for people with DNT enabled more people will turn the setting off.

                In effect, IE10 pushes things too hard in a direction that's too fast for "the web" to cope, thus making DNT a lame duck. It's unlikely that this wasn't MS's intention (after all the next step after "embrace" is "extinguish", right?)

  38. Doug Glass
    Go

    BFD

    AdBlock, BetterPrivacy, TrackMeNot, Ghostery and NoScript work just fine. Get over it, get a life and move up out of mommy's basement.

  39. Jason Bloomberg Silver badge
    Stop

    Direct Action Bazinga

    If Fielding is trying to provoke a collective epiphany then maybe he has a point. In the immediate aftermath it looks to have been as effective as shooting a child in the face to institute gun control changes. Maybe we'll have a calmer debate when the outrage dies down?

  40. nuked
    Facepalm

    Sorry, but

    ...this entire subject is the largest pile of steaming irrelevance I've seen for a while.

    1. Anonymous Coward

      Vive la révolution!

      "...this entire subject is the largest pile of steaming irrelevance I've seen for a while."

      If by that you mean DNT is a complete waste of time I would agree. It's a toothless, next to useless piece of crap as it stands. But the subject does raise genuine questions that need to be addressed.

      Unfortunately the W3C is turning into an ineffectual debating society, bogged down by corporate and personal prejudice, infighting and, occasionally, self-serving bombastic opinion. It's becoming the United Nations of the internet - lots of debate and little real action where it matters.

      1. Anonymous Coward

        Re: Vive la révolution!

        I agree, there should be less mass debating and more real action.

  41. mikebartnz
    Meh

    Default values

    Why does IE10 need to have a default value at all for this and then it would be a true user choice as we all know that the majority of PC users just click next/ next and never read what is happening and that is why viruses and malware do so well.

    1. h4rm0ny

      Re: Default values

      You can't really get away from a default. Not setting it is treated as if you had agreed to it. The setting is prominently displayed when you configure your PC. It's right there in front of the user and clear what it means even to very non-technical users. The simple truth is that the vast majority of people would opt not to have all their online activity monitored and compiled by private businesses. The only way you're going to get a lot of people opting in is if you conceal from them the choice not to. Are some here really arguing that hiding people's choices is a good or ethical thing? IE10 lets the user know about this option in a clear and unambiguous way. Some other browsers such as Firefox (approx. revenues from "search royalties" in 2006, $60million), never show it unless the user knows to look for it and it buries the setting under tabs in the options menu. Yet some here have been looking for reasons to show that this is better, either because they are anti-Microsoft or because they would prefer a system where a very few (them) can opt out by agreeing that everyone else will be monitored.

  42. Adam Inistrator

    smell advertisers fear

    there is a lot of money at stake here. you can smell the fear and self interest in the worm tongued arguments against dnt. legal backing for dnt in the future must be in their nightmares too. should advertisers track and stalk people who don't state their preferences? my instinct tells me no, but it is debatable.

    1. h4rm0ny

      Re: smell advertisers fear

      Very well put.

      Look at DNT from the advertising companies' view. They are bringing about a level of monitoring and profiling that is unprecedented in human history and more intrusive than advertising has ever been before. This is the sort of thing that can provoke legal limits on them. But if they can establish some sort of voluntary self-regulation and make this a standard and can say: "people have a choice which we respect, so legally we're fine", then that's greatly to their advantage. At least, assuming that they can also ensure that few people exercise that choice by, e.g. burying it in the settings somewhere or otherwise making it hard to maintain.

      DNT is not as much an advantage to the public as it is an advantage to the advertising industry and companies such as Google. They get to say that there's already a privacy standard in place and that anyone they are tracking has the option not to be tracked. Great arguments to bring to the EU or US governments when privacy becomes too big an issue for them not to move on. But the moment it becomes easy and common for people to exercise that choice, the advantage to the advertisers is gone.

      That's what people are really saying when they say that IE10 risks advertisers withdrawing from DNT. DNT is a fig leaf strategy to ensure greater monitoring. DNT is not an actual problem for Google et al. DNT is a strategic asset. Microsoft are undermining that, however.

      1. This post has been deleted by its author

      2. Adam Inistrator

        Re: smell advertisers fear

        I suppose you mean "DNT with default off is a fig leaf strategy to ensure greater monitoring."

        since DNT with default ON appears to be the raising of the hammer over the whole concept of untrammelled monitoring

        1. h4rm0ny

          Re: smell advertisers fear

          Yes, I believe so. DNT itself is the strategy because so long as it is there, advertisers have a way of saying to the EU (or USA or others) that the tracking is voluntary on the users' part and thus okay. But yes, if the default were not off, then the strategy falls apart and will be abandoned. What I'm saying is that DNT is presented as a concession wrung from advertisers, but in actual fact, it is to their advantage. All they have to do is to make sure that it is off for the overwhelming majority of people which they can do if they can force all the major browser manufacturers to bury the setting somewhere. Firefox already does this voluntarily. What we are seeing, is arguments that IE should be forced to do so. The draft has already been changed in response to IE10, post fact.

  43. mikebartnz

    @h4rmOny Re: Default values

    Quote: "You can't really get away from a default."

    Absolute crap it is dead easy to implement.

  44. Vin King
    WTF?

    Man, I'm surprised at the voting on comments in this article. There's apparently a lot of people who just love the idea of tracking people for advertising purposes.

  45. Zombieman

    I'm not 100% sure but I believe for a brief period of time the DRAFT of the standard did state that in the absence of clear user preference the setting should be off (I think I read something to that effect on W3C's site a while ago). However as far as I can see this sentiment does not appear in the current version of the draft, nor the allegedly previous version, in fact it goes out of its way to say the spec only defines HOW the user's preference is communicated and not what any default should be.

    P.S. I notice this change to Apache's default configuration file has been explicitly reverted on GitHub by the way.
