By EDRi

This article is also available in:
Deutsch: [ENDitorial: Die Microsoft IE10 Do-Not-Track-“Kontroverse” | https://www.unwatched.org/EDRigram_10.21_ENDitorial_Die_Microsoft_IE10_Do-Not-Track-Kontroverse?pk_campaign=edri&pk_kwd=20121107]

With online tracking of consumers becoming more and more sophisticated,
uneasiness about this technology is growing.

In Europe, there are rules on tracking users for behavioural
advertising, where users generally need to consent to being tracked.
Elsewhere in the world, there is less regulation. Currently, work on
developing a technical (and technologically neutral) “Do Not
Track”-standard (“DNT”) at the World Wide Web Consortium (W3C) is
ongoing. Once adopted, this would result in a standard by which users
could tell their browsers to signal to advertisers that they do not want
to be tracked. This would have particular significance in the USA, where
the Federal Trade Commission would be able to treat honouring this
standard as a contractual obligation. Advertising companies that ignore
the standard could then be fined.

In May of this year, Microsoft announced that it would switch DNT on by
default, indicating an objection to being tracked in the express
settings for Internet Explorer 10 (IE10). On a technical level, this
means that the browser would send DNT:1 headers. While this was a choice
that reflects the views of the majority of users and is good from a
privacy perspective, it also provided some of the participants of the
W3C process with a pretext to push for rules that would allow them to
ignore DNT:1 headers sent by IE10.

For example, Yahoo! announced on its policy blog that it would ignore
DNT:1 when sent by IE10. Earlier, a patch with the same effect had been
submitted for Apache, the web server with the biggest market share. The
reason given in both cases was that, according to the standard, by
default, no DNT header should be sent; users who do not want to be
tracked should switch it on specifically. In the end, this argument
says: “We’re not sure if everyone who uses IE10 and has DNT:1 set really
wanted that, so we’ll treat everyone who uses IE10 as if they did not
set it and track them if we want to.” Arguing this way ignores all IE10
users who did indeed think about it and set DNT:1 deliberately, as well
as those who might have chosen IE10 precisely because of its DNT default
setting.

EDRi finds this position deeply worrisome, especially in light of the
evidence that an overwhelming number of users do not expect their
browsing habits to be tracked, especially not across different websites.
Furthermore, Microsoft clarified that users would see a message saying
that these express setting include “turn[ing] on do not track in
Internet Explorer”. Users can either agree to this or customise their
settings. Clicking “agree” when presented with this choice seems – at
face value – to meet the criterion that “a tracking preference
expression is only transmitted when it reflects a deliberate choice by
the user”. For this reason, the argument that Microsoft is violating the
standard seems misleading.

However, this discussion can also serve to highlight some deeper
problems with the W3C’s draft DNT standard:

(1) First of all, the standard should say that DNT:1 is the default.
This would be in line with the intention behind current legislation on
direct marketing and the principle of data protection by default in the
proposed General Data Protection Regulation, which is currently under
discussion in the European Parliament and the Council. It would also
reflect the view of internet users, a clear majority of which, according
to studies by the Pew Research Center and the Berkeley Center for Law
and Technology, do not feel OK with online tracking, and render this
whole “controversy” void. Alternatively, browsers should ask users upon
first start-up whether they want their browser to have better privacy
settings.

(2) Another reason for having DNT:1 as default is that, according to the
current draft standard, DNT:unset would in practice mean that users may
be tracked. This means that the W3C standard would in fact condone
practices that are not in line with EU laws and regulations. It must be
said, however, that W3C has also started a process in the DNT workgroup
on the regional implications of the standard. We hope the outcome of
this ‘global considerations’ process will do more to meet European
standards than the DNT standard in its current form does.

(3) The advertising industry’s lobby groups want to reduce the meaning
of DNT:1 to “do not show targeted ads”, while still collecting the data
(to monetise it in other ways). Here, the standard should clearly say
that DNT:1 means that the data must not be collected in the first place.

(4) The advertising industry is heavily involved in drafting the
standard and is pushing vehemently for “legitimate uses” that would in
fact allow data collection for wide ranges of purpose even when DNT:1 is
set. This would render the standard useless.

To sum up: yes, the move by Microsoft was good in principle. But sadly,
it can be understood in a way that provides the advertising industry
with a pretext to further stall and dilute the draft standard. Whether
this was avoidable or not is the subject of disagreement. Having the
draft standard diluted and delayed is especially deplorable since a
clear majority of internet users do not feel at ease with being tracked.
From the users’ point of view, a standard should both do what the name
implies and reflect what they want.

DNT draft standard October 2012
www.w3.org/TR/2012/WD-tracking-dnt-20121002/#determining

DNT draft standard March 2012
http://www.w3.org/TR/2012/WD-tracking-dnt-20120313/#determining

Why Yahoo! wants to protect the predators at your office party (31.10.2012)
http://www.privacysurgeon.org/blog/incision/why-yahoo-wants-to-protect-the-predators-at-your-office-party/

Yahoo! Policy Blog: In Support of a Personalized User Experience
(26.10.2012)
http://www.ypolicyblog.com/policyblog/2012/10/26/dnt/

Computerworld: Windows 8 setup shows ‘Do Not Track’ options (17.08.2012)
http://www.computerworld.com/s/article/9230362/Windows_8_setup_shows_Do_Not_Track_options

Apache patch to ignore DNT:1 headers from IE10
https://github.com/apache/httpd/commit/a381ff35fa4d50a5f7b9f64300dfd98859dee8d0#diff-0

The Atlantic: the advertising industry’s definition of ‘do not track’
doesn’t make sense (30.03.2012)
http://www.theatlantic.com/technology/archive/2012/03/the-advertising-industrys-definition-of-do-not-track-doesnt-make-sense/255285/

Pew Research Center: Search Engine Use (9.03.2012)
http://www.pewinternet.org/Reports/2012/Search-Engine-Use-2012.aspx

Privacy and Modern Advertising: Most US Internet Users Want “Do Not
Track” to Stop Collection of Data About their Online Activities (8.10.2012)
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2152135

Microsoft on the issues: Privacy and Technology in balance? (25.10.2012)
http://blogs.echnet.com/b/microsoft_on_the_issues/archive/2012/10/25/privacy-and-technology-in-balance.aspx

(Thanks to Owe Langfeldt – EDRi Intern & other EDRi members)