Microsoft has been warned that its decision to enable Do Not Track (DNT) by default in Internet Explorer 10 for Windows 8 violates the specification of the standard, and that it faces the risk of websites simply ignoring its setting. Now, the warnings are coming to fruition, with a recent commit to the code base for the Apache webserver that deals with the IE10 setting by simply overwriting it, reports Wired. The patch is part of the most recent stable version of Apache, the open source server software behind some 60 percent of sites on the web.
During the Windows 8 installation process, users are presented with a choice between default system settings (called Express) and a more customized setup. At issue is whether showing users the phrase "turn on Do Not Track in Internet Explorer" in the Express settings description (before having them click through) is truly an expression of preference, and not "the choice of some vendor, institution, or network-imposed mechanism outside the user’s control."
Roy Fielding, author of the patch, co-founder of Apache, and contributor to the DNT specification, believes the case falls squarely under the latter, saying "the only reason DNT exists is to express a non-default option… It does not protect anyone’s privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization."
Fielding points out that Apache doesn’t yet have an implementation in place for DNT; it merely passes users' DNT state on to the code it's hosting — either "unset" (default, DNT not enabled), "DNT:1" (DNT enabled), or "DNT:0" (DNT enabled). The patch, titled "Apache does not tolerate deliberate abuse of open standards," would work by sniffing to see if the user is using IE10, and if so, changing the value of DNT from "DNT:1" to "unset," overwriting Microsoft’s setting.
Unlike European privacy initiatives, Do Not Track is entirely opt-in from the perspective of individual websites, creating the classic problem of getting sites to comply with something that isn't in their immediate financial interest. In Fielding’s words, "only good companies adhere to voluntary standards." The only way to establish some kind of mandatory compliance is through legislation, an approach Fielding prefers, "provided we have a standard based on user preference and user expectations, not one subject to the whims of a convicted monopolist."
But some criticize Fielding for taking an activist stance, insisting that it isn’t the server’s responsibility to determine whether Microsoft is adhering to the DNT standard. In other words, they believe Apache ought to transparently pass the DNT request on to the actual web code, and let it determine how to respond. And it's easy to side with an injured Microsoft standing up for user privacy, regardless of what its decision means for wider adoption of, and adherence to, the specification.
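The two server behaviours discussed above, modelled as an added example (not Apache's code and not the patch itself): it compares the DNT state a hosted application sees when the server forwards headers unchanged and when it applies the described IE10 override. The `MSIE 10.0` User-Agent token, the function names and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumption: IE10 is recognised by the "MSIE 10.0" token in User-Agent.
IE10_UA = re.compile(r"\bMSIE 10\.0\b")

def dnt_state(headers):
    """Return the DNT state the hosted application would see."""
    value = headers.get("DNT")
    return "unset" if value is None else f"DNT:{value}"

def pass_through(headers):
    """Server forwards the request headers unchanged."""
    return dict(headers)

def override_ie10(headers):
    """Behaviour the article describes: IE10 sending DNT:1 becomes unset."""
    out = dict(headers)
    if IE10_UA.search(out.get("User-Agent", "")) and out.get("DNT") == "1":
        del out["DNT"]
    return out

# Constructed sample requests (not captured traffic).
IE10 = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
IE9 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
SAMPLES = {
    "IE10, Express default": {"User-Agent": IE10, "DNT": "1"},
    "IE10, explicit choice": {"User-Agent": IE10, "DNT": "1"},
    "IE10, DNT turned off": {"User-Agent": IE10},
    "IE9, explicit choice": {"User-Agent": IE9, "DNT": "1"},
}

def compare(samples=SAMPLES):
    """Map each sample to (state when passed through, state when overridden)."""
    return {
        name: (dnt_state(pass_through(h)), dnt_state(override_ie10(h)))
        for name, h in samples.items()
    }

if __name__ == "__main__":
    for name, (passed, overridden) in compare().items():
        print(f"{name:24} pass-through={passed:7} override={overridden}")
```

The first two samples are byte-identical requests, so a server-side rule keyed on the User-Agent cannot tell a Windows 8 Express default from an IE10 user's explicit choice.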