[PET] Fwd: Apache Webserver Update Ignores IE10 Privacy Settings

Paul Syverson syverson at itd.nrl.navy.mil
Wed Sep 19 17:25:38 BST 2012

More generally: every little bit helps, and keeping the honest people
honest is a larger contribution than is generally recognized by tech
folk. Nonetheless, something like the main comment from Fielding
quoted in the Ars Technica article bears saying every single time DNT
is brought up to undermine the trend towards overstating its
significance. More or less in keeping with what Ben said:

   "The only reason DNT exists is to express a non-default option,"
   Fielding wrote in a post defending the change. "That's all it
   does. It does not protect anyone's privacy unless the recipients
   believe it was set by a real human being, with a real preference
   for privacy over personalization."

I believe another prominent member of the PETs community who I shan't
name was recently joking (or not?) about giving an invited talk on DNT
with no shirt on and "Do not look at my chest" written on his chest.
(Shades of Abbie Hoffman who used to write "FUCK" on his forehead on
days he didn't want to be photographed or videotaped by the mainstream
media, back when that would actually deter being photographed by the
mainstream media.)


On Wed, Sep 19, 2012 at 04:58:40PM +0100, Ben Laurie wrote:
> On Wed, Sep 19, 2012 at 4:22 PM, Wright, Matthew <mwright at uta.edu> wrote:
> > Interesting implications for privacy?
> Dunno. But IMO Microsoft are not following the standard. Cherry
> picking a different part of the requirements makes it clearer:
> "Key to that notion of expression is that it must reflect the user's
> preference, not the choice of some vendor, institution, or
> network-imposed mechanism outside the user's control. The basic
> principle is that a tracking preference expression is only transmitted
> when it reflects a deliberate choice by the user. In the absence of
> user choice, there is no tracking preference expressed."
> It seems pretty obvious to me that no matter what your screen says, if
> you are offering a quick setup vs. a customised one, this is _not_ a
> reflection of the user's preference for privacy, just a reflection of
> their preference to not tweak a bazillion configuration options.
> >
> > Begin forwarded message:
> >
> > From: "Pierce, Sean" <seanp at UTA.EDU>
> > Date: September 18, 2012 11:21:15 PM CDT
> > Subject: [ISEC] Apache Webserver Update Ignores IE10 Privacy Settings
> > Reply-To: CSE Information Security Lab <ISEC at LISTSERV.UTA.EDU>
> >
> > It is interesting to see that a company is trying to protect customer
> > privacy while a (community driven) open source project is not:
> >
> > Apache Webserver Update Ignores IE10 Privacy Settings
> > (September 10, 2012)
> > An update for the Apache webserver makes websites ignore Do Not Track
> > (DNT) settings in Internet Explorer 10 (IE10). Roy Fielding, a DNT
> > architect, who was vocal in his disapproval of Microsoft's decision
> > earlier this year to make DNT on by default in IE10, wrote the patch.
> > Fielding says that Microsoft violated the standard requiring DNT
> > preferences to be transmitted to websites only when users specifically
> > enable the feature in their configuration settings. Others maintain that
> > Microsoft complies with the requirement by displaying a screen during
> > the operating system set-up process that explicitly tells users that if
> > they choose the Express set-up option, DNT will be turned on in IE10.
> > http://arstechnica.com/security/2012/09/apache-webserver-updated-to-ignore-do-not-track-settings-in-ie-10/
> > [Guest Editor's Note (Pescatore): The W3C specification for Do Not Track
> > says "We do not specify how tracking preference choices are offered to
> > the user or how the preference is enabled: each implementation is
> > responsible for determining the user experience by which a tracking
> > preference is enabled." Microsoft's approach meets this, and other,
> > language in the spec - and is the much better way to go. Apache software
> > ignoring IE 10 settings is equivalent to Google subverting the Safari
> > browser settings and the FTC has already ruled on that.
> > (Swa Frantzen): The real issue behind the name calling is that the
> > standard is a compromise between an advertising industry that
> > desperately wants to track users and privacy advocates who do not want
> > anybody to be tracked. As with any compromise if one vendor starts to
> > shift the balance of the compromise itself, the entire compromise is at
> > risk. And if that happens those of us who did set DNT manually will get
> > happily ignored by the advertising industry.]
> >
> >
> >
> > _______________________________________________
> > PET mailing list
> > PET at lists.links.org
> > http://lists.links.org/mailman/listinfo/pet
> >
