ENDitorial: The Microsoft IE10 Do Not Track “controversy”
This article is also available in:
Deutsch: ENDitorial: Die Microsoft IE10 Do-Not-Track-"Kontroverse"
With online tracking of consumers becoming more and more sophisticated, uneasiness about this technology is growing.
In Europe, there are rules on tracking users for behavioural advertising, where users generally need to consent to being tracked. Elsewhere in the world, there is less regulation. Currently, work on developing a technical (and technologically neutral) “Do Not Track”-standard (“DNT”) at the World Wide Web Consortium (W3C) is ongoing. Once adopted, this would result in a standard by which users could tell their browsers to signal to advertisers that they do not want to be tracked. This would have particular significance in the USA, where the Federal Trade Commission would be able to treat honouring this standard as a contractual obligation. Advertising companies that ignore the standard could then be fined.
In May of this year, Microsoft announced that it would switch DNT on by default, indicating an objection to being tracked in the express settings for Internet Explorer 10 (IE10). On a technical level, this means that the browser would send DNT:1 headers. While this was a choice that reflects the views of the majority of users and is good from a privacy perspective, it also provided some of the participants of the W3C process with a pretext to push for rules that would allow them to ignore DNT:1 headers sent by IE10.
For example, Yahoo! announced on its policy blog that it would ignore DNT:1 when sent by IE10. Earlier, a patch with the same effect had been submitted for Apache, the web server with the biggest market share. The reason given in both cases was that, according to the standard, by default, no DNT header should be sent; users who do not want to be tracked should switch it on specifically. In the end, this argument says: “We’re not sure if everyone who uses IE10 and has DNT:1 set really wanted that, so we’ll treat everyone who uses IE10 as if they did not set it and track them if we want to.” Arguing this way ignores all IE10 users who did indeed think about it and set DNT:1 deliberately, as well as those who might have chosen IE10 precisely because of its DNT default setting.
EDRi finds this position deeply worrisome, especially in light of the evidence that an overwhelming number of users do not expect their browsing habits to be tracked, especially not across different websites. Furthermore, Microsoft clarified that users would see a message saying that these express setting include “turning on do not track in Internet Explorer”. Users can either agree to this or customise their settings. Clicking “agree” when presented with this choice seems – at face value – to meet the criterion that “a tracking preference expression is only transmitted when it reflects a deliberate choice by the user”. For this reason, the argument that Microsoft is violating the standard seems misleading.
However, this discussion can also serve to highlight some deeper problems with the W3C’s draft DNT standard:
(1) First of all, the standard should say that DNT:1 is the default. This would be in line with the intention behind current legislation on direct marketing and the principle of data protection by default in the proposed General Data Protection Regulation, which is currently under discussion in the European Parliament and the Council. It would also reflect the view of internet users, a clear majority of which, according to studies by the Pew Research Center and the Berkeley Center for Law and Technology, do not feel OK with online tracking, and render this whole “controversy” void. Alternatively, browsers should ask users upon first start-up whether they want their browser to have better privacy settings.
(2) Another reason for having DNT:1 as default is that, according to the current draft standard, DNT:unset would in practice mean that users may be tracked. This means that the W3C standard would in fact condone practices that are not in line with EU laws and regulations. It must be said, however, that W3C has also started a process in the DNT workgroup on the regional implications of the standard. We hope the outcome of this ‘global considerations’ process will do more to meet European standards than the DNT standard in its current form does.
(3) The advertising industry’s lobby groups want to reduce the meaning of DNT:1 to “do not show targeted ads”, while still collecting the data (to monetise it in other ways). Here, the standard should clearly say that DNT:1 means that the data must not be collected in the first place.
(4) The advertising industry is heavily involved in drafting the standard and is pushing vehemently for “legitimate uses” that would in fact allow data collection for wide ranges of purpose even when DNT:1 is set. This would render the standard useless.
To sum up: yes, the move by Microsoft was good in principle. But sadly, it can be understood in a way that provides the advertising industry with a pretext to further stall and dilute the draft standard. Whether this was avoidable or not is the subject of disagreement. Having the draft standard diluted and delayed is especially deplorable since a clear majority of internet users do not feel at ease with being tracked. From the users’ point of view, a standard should both do what the name implies and reflect what they want.
DNT draft standard October 2012
DNT draft standard March 2012
Why Yahoo! wants to protect the predators at your office party (31.10.2012)
Yahoo! Policy Blog: In Support of a Personalized User Experience
Computerworld: Windows 8 setup shows ‘Do Not Track’ options (17.08.2012)
Apache patch to ignore DNT:1 headers from IE10
The Atlantic: the advertising industry’s definition of ‘do not track’
doesn’t make sense (30.03.2012)
Pew Research Center: Search Engine Use (9.03.2012)
Privacy and Modern Advertising: Most US Internet Users Want “Do Not
Track” to Stop Collection of Data About their Online Activities (8.10.2012)
Microsoft on the issues: Privacy and Technology in balance? (25.10.2012)
(Thanks to Owe Langfeldt - EDRi Intern & other EDRi members)