Adobe’s Roy Fielding patches Apache to ignore IE10 Do Not Track privacy request

Adobe’s Roy Fielding, who is also the original author of the W3C’s Tracking Preference Expression draft, has patched Apache, the open source web server, to ignore the Do Not Track header sent by Microsoft’s Internet Explorer 10, the browser in Windows 8:

image

Under the heading “Apache does not tolerate deliberate abuse of open standards,” Fielding’s patch sets Apache to remove the Do Not Track request header if IE10 is the web browser.

Fielding’s argument, one presumes, is that IE10 breaches clause three in the Tracking Preference Expression draft:

Key to that notion of expression is that it must reflect the user’s preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user’s control. The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed.

However the document goes on to say (highlighting is mine):

We do not specify how tracking preference choices are offered to the user or how the preference is enabled: each implementation is responsible for determining the user experience by which a tracking preference is enabled. For example, a user might select a check-box in their user agent’s configuration, install an extension or add-on that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., Privacy settings: high). The user-agent might ask the user for their preference during startup, perhaps on first use or after an update adds the tracking protection feature. Likewise, a user might install or configure a proxy to add the expression to their own outgoing requests.

Here is what happens in Windows 8 after startup. This is among the first screens you see when installing Windows 8, before you get full access to the operating system:

image

One of the settings specified is “Turn on Do Not Track in Internet Explorer. If you click Learn more about express settings you get this:

image

If you click Customize you get this:

image

Does this respect the user’s preference? It seems to me a reasonable effort. The only objection I can see is if you consider that any user agent that defaults to setting Do Not Track on cannot be respecting the user’s preference. The draft specification does not state what the default should be.

It is also worth noting that clause 3 in the Tracking Preference Expression draft has changed; the wording about “not the choice of some vendor” was inserted in the 7th September draft, after Windows 8 was released to manufacturing. Here it is in the latest (March 2012) W3C Working draft:

Key to that notion of expression is that it must reflect the user’s preference, not the preference of some institutional or network-imposed mechanism…

Even if you agree with Fielding’s views on browser defaults, quietly patching the world’s most used web server to ignore the IE10 setting looks hard to defend, especially on a matter that is far from clear cut. Fielding is personally involved, not only as the author of the Tracking Preference Expression document, but also as an employee of Adobe, which specialises in digital marketing and may be more aligned with the vendors and their brands which may want to track user activity wherever their ads appear, rather than with end users.

Of course Apache is an open source project and Fielding’s patch has attracted the attention of the Apache community and may not survive.

It is also possible that a future draft of the Tracking Preference Expression document will state that Do Not Track must be off by default; but even if it does, patching the web server to ignore the browser’s header strikes me as a contentious solution.

Finally, it is worth noting that sending the Do Not Track header has little effect on whether or not your activity is tracked, since its meaning is unclear and respecting its value is a a choice made by third-parties, so this is a debate with little practical impact for the time being.

32 thoughts on “Adobe’s Roy Fielding patches Apache to ignore IE10 Do Not Track privacy request”

  1. “Some people would like this default, but as many have pointed out it defeats the intended purpose.”

    Nice try Bill. This whole thing is a crock. The spec. is a joke. If he can change Apache to ignore DNT because defaulting it to on doesn’t give doesn’t necessarily reflect the users wishes then we should change it to automatically put in for everyone because browsers that default it to tracking are just as likely (I think if people understood what was going on it would be more likely) to not reflect the users decision. Oh what a tangled Web we weave…

  2. I’m with Lazarus. Fielding is a control freak…he’s singled out MSFT and is a chump for abuse of power.

  3. @Tim WRT the patch denying user choice as you put it. This is on IE for breaking the standard, not on Apache. You should blame IE for building a browser that doesn’t allow you to indicate that you wish to not be tracked (it allows you to indicate that you want to be tracked, but that’s not part of the standard).

Comments are closed.