[PET] Fwd: Apache Webserver Update Ignores IE10 Privacy Settings

Ben Laurie ben at links.org
Wed Sep 19 16:58:40 BST 2012


On Wed, Sep 19, 2012 at 4:22 PM, Wright, Matthew <mwright at uta.edu> wrote:
> Interesting implications for privacy?

Dunno. But IMO Microsoft are not following the standard. Cherry
picking a different part of the requirements makes it clearer:

"Key to that notion of expression is that it must reflect the user's
preference, not the choice of some vendor, institution, or
network-imposed mechanism outside the user's control. The basic
principle is that a tracking preference expression is only transmitted
when it reflects a deliberate choice by the user. In the absence of
user choice, there is no tracking preference expressed."

It seems pretty obvious to me that no matter what your screen says, if
you are offering a quick setup vs. a customised one, this is _not_ a
reflection of the user's preference for privacy, just a reflection of
their preference to not tweak a bazillion configuration options.

>
> Begin forwarded message:
>
> From: "Pierce, Sean" <seanp at UTA.EDU>
> Date: September 18, 2012 11:21:15 PM CDT
> To: "ISEC at LISTSERV.UTA.EDU" <ISEC at LISTSERV.UTA.EDU>
> Subject: [ISEC] Apache Webserver Update Ignores IE10 Privacy Settings
> Reply-To: CSE Information Security Lab <ISEC at LISTSERV.UTA.EDU>
>
> It is interesting to see that a company is trying to protect customer
> privacy while a (community driven) open source project is not:
>
> Apache Webserver Update Ignores IE10 Privacy Settings
> (September 10, 2012)
> An update for the Apache webserver makes websites ignore Do Not Track
> (DNT) settings in Internet Explorer 10 (IE10). Roy Fielding, a DNT
> architect, who was vocal in his disapproval of Microsoft's decision
> earlier this year to make DNT on by default in IE10, wrote the patch.
> Fielding says that Microsoft violated the standard requiring DNT
> preferences to be transmitted to websites only when users specifically
> enable the feature in their configuration settings. Others maintain that
> Microsoft complies with the requirement by displaying a screen during
> the operating system set-up process that explicitly tells users that if
> they choose the Express set-up option, DNT will be turned on in IE10.
> http://arstechnica.com/security/2012/09/apache-webserver-updated-to-ignore-do-not-track-settings-in-ie-10/
> [Guest Editor's Note (Pescatore): The W3C specification for Do Not Track
> says "We do not specify how tracking preference choices are offered to
> the user or how the preference is enabled: each implementation is
> responsible for determining the user experience by which a tracking
> preference is enabled." Microsoft's approach meets this, and other,
> language in the spec - and is the much better way to go. Apache software
> ignoring IE 10 settings is equivalent to Google subverting the Safari
> browser settings and the FTC has already ruled on that.
> (Swa Frantzen): The real issue behind the name calling is that the
> standard is a compromise between an advertising industry that
> desperately wants to track users and privacy advocates who do not want
> anybody to be tracked. As with any compromise if one vendor starts to
> shift the balance of the compromise itself, the entire compromise is at
> risk. And if that happens those of us who did set DNT manually will get
> happily ignored by the advertising industry.]
>
>
>
> _______________________________________________
> PET mailing list
> PET at lists.links.org
> http://lists.links.org/mailman/listinfo/pet
>

