IE10 Will Have 'Do Not Track' On By Default
An anonymous reader writes "As Microsoft released the preview of the next version of its Internet Explorer browser, news that in Windows 8 the browser will be sending a 'Do Not Track' signal to Web sites by default must have shaken online advertising giants. 'Consumers can change this default setting if they choose,' Microsoft noted, but added that this decision reflects their commitment to providing Windows customers an experience that is 'private by default' in an era when so much user data is collected online. This step will make Internet Explorer 10 the first web browser with DNT on by default. And while the websites are not required to comply with the users' do-not-track request, the DNT initiative — started by the U.S. Federal Trade Commission — is making good progress."
It's nice on the one hand that Microsoft is making the privacy option the default, but if DNT is unenforceable, wouldn't "DNT by default" give certain entities an excuse to ignore the DNT flag by default?
You are not alone. This is not normal. None of this is normal.
I've come to like complexity in villainous characters. I know, I know, it's all the rage now; I'm just saying this is a bandwagon I jumped on. They can't all be Saurons, give me a Jaime Lannister now and then.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Google makes its money from tracking users and selling customized ads. Google would look bad if they didn't honor DNT. Microsoft is setting the standard that DNT should be on by default, which reduces the ability for Google to track you all over the web. MS is not an ad company, so they really won't feel this as much.
"I have never let my schooling interfere with my education." - Mark Twain
Microsoft is making a bold (translate: risky) move with the huge changes in Windows 8, and they will need all the consumer sympathy they can muster. I classify the decision to include Flash support for select sites (e.g. disney.com) in the same category as this default DNT policy. When October comes around, get out the popcorn.
Sorry, but Windows has phoned home for at least 10 years, and sent data without user knowledge to 3rd party companies that could be traced to MS. IE may claim to have DNT on by default, but let's be clear. You will still be sending all kinds of tracking information to MS.
Seems to me to be a ploy to make money selling data to Google perhaps that Google gets now on their own.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Will the next version of Windows be the first in decades to not collect personally identifiable information from every user, by way of activation and other control schemes?
It might make the marketeers feel all good inside to spout platitudes like "'private by default' in an era when so much user data is collected online," but let MS apply the same sacrosanct wisdom to its own practise.
I am literally 3000 tokens away from the chaotic crossbow --Stephen
I disabled 3rd-party cookies in FF and everything was fine for years till my bank changed their online banking. For the longest time I couldn't get it to work then one day I enabled 3rd-party cookies and BAM it worked. Yeah it just seems wrong when an online banking site requires you to also connect to a 3rd-party domain for some unknown reason. The 3rd-party domain is "billdomain.com"
It's nice on the one hand that Microsoft is making the privacy option the default, but if DNT is unenforceable, wouldn't "DNT by default" give certain entities an excuse to ignore the DNT flag by default?
Expect browser add-ons to work around this. Their EULAs will mention this so there may be no DNT enforceability issue, the user clicked yes. Google, Facebook, etc will surely have various add-ons that will "enhance" the IE10 experience.
Take that, Google.
(or, in reality, an alternative three words beginning with the letter f.)
How can we ever be sure that the server is actually honoring the Do Not Track request? Even if it was mandated by the law, I believe it's hard to monitor what's happening behind the scenes of some website.
300,000 bytes is less than 9MB, idiot.
What do I know, I'm just an idiot, right?
This is a potential disaster in my eyes. We're talking about destroying the commercial web here. Advertising, for all its foibles, underpins vast amounts of free content and services. Data largely drives that value these days, by making ad distribution more efficient. The vast majority of the data underpinning this is anonymous - no names, no email addresses, no phone numbers - just general preferences inferred from the types of sites people visit. DNT is not defined yet, but I suggest that a lot of your favourite websites are supported or helped by this data. Even slashdot has advertising these days. Slashdotters have a choice by nature of knowing how things work, but there's also some pretty decent advertising industry programs aimed at giving information and choice to consumers. Blanket DNT could seriously destroy businesses at-scale. I'm really worried about this move.
Thus encouraging content providers that get revenue from collecting info to ignore the request (by default)
MS is a major investor in facebook
DNT might be on but if you like every other website then facebook will be getting a lot of data that google won't be
Ooops left out the "kilo".
BTW where did you get 9MB? I come up with 300,000 bytes == ~292KB == ~ 0.29MB. Nowhere near 9MB.
"idiot."
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
They hacked Safari's privacy measures previously.
http://www.huffingtonpost.com/2012/02/17/google-tricked-apples-saf_n_1284551.html
They also ignored IE's p3p setting.
http://blogs.msdn.com/b/ie/archive/2012/02/20/google-bypassing-user-privacy-settings.aspx
Expect Google fanboys/employees to slag MS for protecting the users' privacy in the comments.
This space for rent.
Can we have a +1 Bafflingly Nonsensical?
Maybe IE10 could also automatically add you to the Do Not Kill list. Microsoft can use all the incentives it can find to coax people into using IE.
FIX: (Really? A single tab open to slashdot requires 300,000 [kilo]bytes of RAM?) I don't expect # 10 to be any better and will continue using Firefox or Opera.
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
My comment was directed at the AC, not at you.
What do I know, I'm just an idiot, right?
Yeah, both the FTC guidelines and the current W3C DNT draft state that users should opt-out of tracking, not opt-in. Furthermore, the advertising industry groups like that have had the most success with self-regulation efforts have flat-out said that while they will respect the user's choice to opt-out, they will ignore any system that opts users out automatically.
Microsoft's decision here is completely counterproductive. At best, it means that sites will add code to ignore the DNT header if the UA is IE. At worst it will derail the entire process.
This step will make Internet Explorer 10 the first web browser with DNT on by default.
define 'web browser'. I believe none of the following track anything
Lynx
Links
Dillo
I'm sure there are many others,...
no need to disable the dnt. by installing or agreeing to using any google service you'll give them permission to track you. they'll need to start giving the cookie notice anyways, they'll wrap a nice long eula to it and be done with it.
I wonder what is in Android's EULA, if Google has some tracking authorization in there?
Industry solutions (like DNT) are voluntary, unenforceable, empty gestures. DNT has almost no meaning, simply expressing the desire that things were different somehow, without defining how they should be different. DNT is less than an EULA -- it doesn't even ask for an "I Agree" response from the server. Will IIS implement a DNT response? Chrome 12 stopped downloading files without a content length header, so why aren't we reading about browsers demanding a valid DNT response?
It isn't surprising or disappointing that companies would engage in such an empty gesture, but Mozilla really let us down by encouraging this.
DNT: 1
tomorrow who's gonna fuss
Along with Do Not Install any OS but WinOS, aka UEFI, which is starting to sound more and more like UFIA.
"Microsoft does not yet respond to the DNT signal, but we are actively working with other advertising industry leaders on what an implementation plan for DNT might look like, with a goal of announcing more details about our plans in the coming months."
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/05/31/advancing-consumer-trust-and-privacy-internet-explorer-in-windows-8.aspx
So basically, this is all about screwing anyone who honors DNT by competitively disadvantaging them in the marketplace relative to Microsoft -- a statement I'll happily retract as soon as they start honoring DNT themselves, rather than just using it as an anticompetitive weapon in IE10.
This pretty much implies they are once again wielding their monopolistic power in the marketplace to promote their own products and services. Isn't this what got them into trouble last time?
-- Terry
If only they would have the "Do Not Exploit With Malware" option turned on.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
The point is to give users the choice to choose not to be tracked.
If everyone is "choosing" not to be tracked by default then no one will honor it.
After this comes out, I'll give it a try on Ubuntu.
Actually, we're talking about destroying DNT. The whole point of DNT is that it's opt-in for users. Honoring the DNT flag is voluntary, and no one is going to honor it if major browser vendors reverse the design to make it opt-out.
I disabled 3rd party a long time ago and none of the sites I use had any problem.
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
Not for tracking, no. But if I end up taking legal action because a Web site collected data about me and it ended up harming me (eg. it got stolen and used to impersonate me, causing me to have to clean up the financial mess that resulted), I have something I can bring up in court: "There is a standard way of indicating to the site that I do not consent to having data about me collected. I used that standard method to tell the site I did not consent. The site knew about this standard. The site knew or should have known I had refused to consent, and willfully ignored this and collected the data anyway. They are liable for the consequences of their decision." Having a standard DNT signal doesn't prevent the site from collecting data, but it makes it harder for them to shrug and say "Not our problem." when the data gets abused.
It's like "No Trespassing" signs on a fence: the sign doesn't stop anyone from hopping over the fence, but they can't claim later that they didn't know they weren't allowed on the property.
Oh, give him a break... he's an IE user.
You do not have a moral or legal right to do absolutely anything you want.
Actually, IE9 is faster than Chrome in some respects (like canvas animations, to name one). Dramatically faster in some. In others it's slower (and in a few, dramatically slower). I use both it and Chrome every day. In general use, there's not a huge difference.
- Spryguy
There are three kinds of people in this world: those that can count and those that can't
I agree to a point. It's not that the gesture is empty, but it's impossible to implement correctly because it's unintelligible, vague, and opens web hosts up to possible privacy suits because "Do Not Track" is so ill defined.
Ignoring all the costly updates to many custom website back-ends that I've developed for others, including non-profit groups: What does this mean for my own sites? I have a few personal websites, and one for an indie game that a few other folks and I are working on in our spare time. My problem is that the behaviour is TOTALLY UNDEFINED as to what action I should take when I encounter a DNT: 1 HTTP header.
Let's say you're registering an account for our forums. Should I delete the registration request from the database in an effort to automatically comply with the fact that you're telling me not to track the data you've entered? Look, I'm not trying to be facetious, I'm serious. If someone walked up to you and asked you if you wanted to fill out a survey or sign a petition, and you filled it out, then wrote: DO NOT TRACK THIS then WTF do you even mean?! What should I do with that data? Should I just toss it in the trash? That's really what I'm thinking of doing. Why? That would be dumb of me? NO. What would be dumb would be to NOT cover my ass, and track the data you just told me not to.
The users of our game will be able to run their own game servers. The game server will respond to an HTTP request with a statistics page to give a bit of info about the game you could embed in your own website, but mainly to help scrapers generate a list of servers to play on... So, what should my code do when it sees a DNT: 1? What I currently do with the 3rd party tracking data (not a cookie, a munged URL or generated ?= query string), is allow users to reserve a spot in one of the servers, while they're browsing a list of games (it sucks to go and launch a client to find out the game is full). DNT kills this feature and many others.
OK, us geeks & nerds here all know how HTTP & TCP/IP works, right? I mean... TCP and UDP don't mean shit until we get near the top of the networking stack. Before that layer, all the packets are just that -- simple blobs of data going from one endpoint to another. Agreed? Alright. So, to differentiate which packet goes to which user what do we do? WE TRACK YOUR IP ADDRESS AND PORT NUMBER. We record that data so we can correlate it with the next packet of data that has the same info and we call that a "connection". So, my question is -- when I see a DNT: 1 shouldn't I just TERMINATE the TCP connection? This way I'm not tracking your info anymore?
What am I not supposed to track? Even if I was a marketer, your PC is what connected to MY site, and YOUR browser is storing the cookie... So, DNT is supposed to help people when they already have all the tools in their hands already? Don't want someone tracking you? Don't connect to that IP -- blacklist it. Don't want a cookie to be stored? DON'T ACCEPT IT. That's what I do, and it works beautifully.
I'm not some marketing sleaze-bag. I don't run ads on my sites. I'm just trying to comply with this UBER Moronic & Nebulous Bullshit that users now have at their fingertips. I realize what DNT: 1 is supposed to do -- But the execution is Pants On Head Retarded. I couldn't comply if I wanted to! I don't have much money in the Just In Case Privacy Lawsuit box. This means I can do one of two things:
0. I just don't do anything online because I can't fucking afford to pay the lawyers. Yay! Innovation! Ugh.
1. I see a DNT header and just terminate the connection to ensure my ass is fully covered.
Guess which one I'm doing until this DNT: 1 nonsense is better defined? Oh can't use some sites? Well, that's what you get for being an early adopter. Protip: Never use the first iteration of any new technology. Always wait till the bugs are worked out.
My advice: Hold out for: DNT: 2
But if I end up taking legal action because a Web site collected data about me and it ended up harming me (eg. it got stolen and used to impersonate me, causing me to have to clean up the financial mess that resulted), I have something I can bring up in court: "There is a standard way of indicating to the site that I do not consent to having data about me collected.
Yep, and since I must track your IP address and port number to maintain any TCP/IP connections, I'm now risking legal action if I do anything other than just drop the fucking connection.
It's like "No Trespassing" signs on a fence: the sign doesn't stop anyone from hopping over the fence, but they can't claim later that they didn't know they weren't allowed on the property.
No, it's like entrapment. Here's a website I'm giving a bunch of data to, and I'm telling them not to do anything with it, but expecting a service from them based on this data they're not supposed to do anything with. That's the most moronic, ill conceived, and contradictory thing I've ever read... and I've read the Bible!
I'm working on compliance code right now. When you connect to my sites, as soon as I see a DNT: 1 header, you'll get a dropped connection. It's the only way to cover my ass against frivolous lawsuits from litigious asshats like you.
Google is the infamous search giant:
1) to which Microsoft now presents some competition, in the search engine industry, with Bing
2) already competing with Microsoft, in mobile operating systems industry
3) rumored to have lots of user data, as in some relation to Google AdSense(tm) technology.
4) which allows users to voluntarily opt in to browser history tracking, with such as Google Web History and the Google toolbar - and to my understanding, that feature is not enabled by default, the user actually has to opt into it, just as I've had to, for so much as search history tracking.
5) all of the above
It sounds to me like Microsoft may be suggesting some doubt towards companies collecting data about user browsing habits. I wouldn't be the least bit surprised, then, if Google may be the main FUD target they could have in mind, at that. Fortunately, though, no one company owns the discussion.
Yep, and since I must track your IP address and port number to maintain any TCP/IP connections, I'm now risking legal action if I do anything other than just drop the fucking connection.
Nope. You need to know the IP address and port while the connection's maintained, but you don't need to collect and store that information. You can let the OS forget about it the moment the connection's closed. And since you didn't collect or store it, it isn't there to be abused.
No, it's like entrapment. Here's a website I'm giving a bunch of data to, and I'm telling them not to do anything with it, but expecting a service from them based on this data they're not supposed to do anything with.
Again, nope. Receiving the data's a completely different matter from collecting and storing it. It's entirely possible to receive the data, do what you need to do with it and discard it as soon as you're done. You send the page back to the browser, close the connection and chuck the information in the bit bucket and presto, no more problem. This seems to be a common theme among certain types: that if they aren't allowed to store positively every single scrap of information and do anything they please with it forever, they can't do business at all. That's like saying that if the 7-11 store can't run a full credit report on you they can't sell you a can of soda for cash, and it's just as laughable. You won't be able to offer some services if people don't permit some degree of collection of data, but I've seen very very few Web sites that couldn't operate with "DNT: 1" set (I've run into many that won't, but that's usually because the site designers chose to make it that way and not because they had to).
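The receive-versus-store distinction drawn in the comment above, as an added example that is not part of the original thread: the peer address is used to answer the request, but with `DNT: 1` nothing identifying is persisted and no identifier cookie is issued. Treating `DNT: 1` this way is one reading of the header, and the function names, the `visitor_id` cookie and the log fields are all hypothetical.

```python
import secrets


def parse_dnt(headers):
    """Return True for DNT: 1, False for DNT: 0, None when no usable preference is sent."""
    for name, value in headers.items():
        if name.lower() == "dnt":  # header names are case-insensitive
            # Only the first character is examined, so trailing characters
            # do not change the result.
            first = value.strip()[:1]
            if first == "1":
                return True
            if first == "0":
                return False
    return None


def handle_request(peer, path, headers, cookies):
    """Serve one request; return (response_headers, record_to_persist).

    `peer` is the (address, port) pair of the live connection. It is needed to
    send the reply, which is "receiving" the data. Only what ends up in the
    returned record is "stored".
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    dnt = parse_dnt(headers)
    address, _port = peer

    response_headers = {}
    if dnt is True:
        # Keep the bare resource path only: no address, no user agent, and no
        # query string, since a generated query string can carry an identifier
        # just as a cookie can.
        record = {"path": path.split("?", 1)[0], "dnt": True}
    else:
        # No preference, or explicit DNT: 0: keep the site's usual record and
        # (re)issue the hypothetical visitor identifier.
        visitor = cookies.get("visitor_id") or secrets.token_hex(8)
        response_headers["Set-Cookie"] = f"visitor_id={visitor}; Path=/; HttpOnly"
        record = {
            "path": path,
            "dnt": dnt,
            "ip": address,
            "user_agent": lowered.get("user-agent", ""),
            "visitor_id": visitor,
        }
    return response_headers, record


if __name__ == "__main__":
    # Constructed sample requests (documentation address range).
    peer = ("203.0.113.7", 51515)
    print(handle_request(peer, "/servers?reserve=abc", {"DNT": "1"}, {}))
    print(handle_request(peer, "/servers?reserve=abc", {"User-Agent": "demo"}, {}))
```
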
As Roy pointed out to them on Twitter, this is a blatant violation of the spec; DNT is designed to reflect the USER's preference, not a default.
http://www.w3.org/TR/2012/WD-tracking-dnt-20120313/#determining
"""
The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application that they communicate with via HTTP, thereby allowing each service to either adjust their behavior to meet the user's expectations or reach a separate agreement with the user to satisfy all parties.
Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control. Although some controlled network environments, such as public access terminals or managed corporate intranets, might impose restrictions on the use or configuration of installed user agents, such that a user might only have access to user agents with a predetermined preference enabled, the user is at least able to choose whether to make use of those user agents. In contrast, if a user brings their own Web-enabled device to a library or cafe with wireless Internet access, the expectation will be that their chosen user agent and personal preferences regarding Web site behavior will not be altered by the network environment, aside from blanket limitations on what sites can or cannot be accessed through that network.
"""
Yeah, both the FTC guidelines and the current W3C DNT draft state that users should opt-out of tracking, not opt-in. Furthermore, the advertising industry groups like that have had the most success with self-regulation efforts have flat-out said that while they will respect the user's choice to opt-out, they will ignore any system that opts users out automatically.
Microsoft's decision here is completely counterproductive. At best, it means that sites will add code to ignore the DNT header if the UA is IE. At worst it will derail the entire process.
I think Microsoft's action here is simply intended to reduce Google's ad profits.
And you forgot one more argument: ad companies would not mind respecting an opt-in DNT program because users who cared to opt-in would be those few paranoid NoScript types who don't click on ads anyway. So following the DNT program would cost them nearly nothing, and would be good PR.
But thanks to Microsoft, any ad company who follows DNT will be losing serious money. Hopefully they will ignore DNT only when the UA is MSIE so the rest of the people can still get DNT.
Yes you can, and I have it set to prompt me each time; however, it doesn't seem to work when you uncheck "Accept 3rd party cookies" even after adding the domain to the accept list. I tried.