Apache Patch To Override IE 10's Do Not Track Setting
hypnosec writes "A new patch for Apache by Roy Fielding, one of the authors of the Do Not Track (DNT) standard, is set to override the DNT option if the browser reaching the server is Internet Explorer 10. Microsoft has by default enabled DNT in Internet Explorer 10 stating that it is to 'better protect user privacy.' This hasn't gone down well with ad networks, users and other browser makers. According to Mozilla, the DNT feature shouldn't be either in an active state or an inactive state until and unless a user specifically sets it. Along the same lines is the stance adopted by Digital Advertising Alliance. The alliance has revealed that it will only honor DNT if and only if it is not switched on by default. This means advertisers will be ignoring the DNT altogether no matter how a particular browser is set up. The DNT project has another member – Apache. It turns out that Microsoft's stance is like a thorn to Apache as well. Fielding has written a patch for the web server titled 'Apache does not tolerate deliberate abuse of open standards.' The patch immediately sparked a debate, which instigated Fielding to elaborate on his work: 'The only reason DNT exists is to express a non-default option. That's all it does. [...] It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.'"
It's obvious that it's scumbag advertisers and Google (maybe I'm repeating myself here) behind this. They want a way to track every user and all their behaviors. They want things like these to either not exist or be disabled by default. They live for all the user data they can gather. This also means they are available for law enforcement and any other party with interest to gather that data, now and in the future.
It's already starting to bother me. I'm seeing these advertisements here on Slashdot too. After I've searched for something on Google, the related advertisements start to come up EVERYWHERE on the internet. Seriously, they come after you. If you search for specific flights you start to see ads for that everywhere. It'll haunt you and there's nothing you can do.
Google already got into trouble over Safari privacy violations. Did you know that Safari is currently the only browser that blocks third party blocking cookies like those used by advertising networks (Google)? All the other browsers than Safari and IE are in bed with advertisers because both Firefox and Opera get revenue directly from Google. Chrome of course is the worst because it's designed by the advertising network itself.
You know what's the worst thing? I have a developing case of paranoid schizophrenia. The behavioral advertisements are driving me nuts! It's pure hell when you have such a case. I have tried to ease me by blocking such things but still Google gets thru something. They literally follow my every step everywhere. Imagine how paranoid you feel when you're already sick. What am I going to do, stop using the internet? That's really nice.
So for the love of god Apache Project, stop taking bribes from Google and doing evil things like this!
This hasn't gone down well with ad networks
To quote Firefly: "Do we care? Is this something we are caring about?"
Palm trees and 8
It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization
By being set, it protects my privacy as long as "recipients" abide by it without question — it only becomes an issue when "recipients" qualify when they will abide by it.
If active choice is not an option, a default in favour of not tracking seems a better position to me but, then again, I am not an ad network executive.
How it seems to me, in a simplified way, is that advertisers feel they have the right to serve you ads. Off the bat, I disagree with this notion, however I do see that without ads many websites would not be around or would be forced to hide behind a paywall.
At the same time, what guarantee do advertisers give users that their ads are not a potential attack vector, or what standard do they follow that their ads are not intrusive and degrade the performance of a user's machine or overly distract and irritate the users? How invasive do their ads and data collection get to be?
Overall, I see where they are coming from but at the same time all I hear is a bunch of self-entitled whiners. Is there any good reason to instantly get tracked as soon as you visit your first website, or should you be allowed to later reveal yourself to the world if you so desire the features these advertisers and data miners claim to provide? The most obvious being targeted ads and more relevant searches when using Google.
If you want to be a good netizen developer, and support those that don't want/care about personalisation, then how about making an effort to support scriptless browsing?
A cynical person could think that it's Microsoft trying to make DNT completely useless. Rather than mostly useless.
...useless and silly.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
So let's see if I have this straight? The marketroids are saying that, by their default, I want to hear all the crap they are paid to push and unless I explicitly say, "get lost", they'll continue to bug me until I collapse under the weight of junk product info?
Did Bill Hicks have a great point?
bang goes my karma... again...
But if you say another word we will take it away...
No surprise there. The only unknown was how the advertisers were going to rationalize that.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
With this patch, even if the user has explicitly chosen to set the DNT flag, the server will ignore it. They claim this patch has to be done because IE 10 ignores part of the spec:
"Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control."
This patch however also ignores this same element of the spec, in that no matter what the user may or may not have done, there will be a "mechanism outside the user's control" (the Apache server) which decides on what they want the preference to be.
I do agree that the DNT setting should be a user choice, perhaps given when the user first installs the browser as well as having the option to change it at any time, but to me this is not the right response to having a default set - although I'm sure if the default setting was that tracking was allowed, the ad people would for some reason not be complaining about having a default...
-1 troll is not supposed to be used simply because you don't agree
There were many of the same arguments to why pop-up blockers should not block popups by default, but only if it was set by the user and represented the active preference of the user. That websites were dependent upon such tactics to get necessary revenue to serve us content, so it shouldn't be undermined.
When using IE10 for the first time (per user) you get a screen where you can choose "express settings". The screen clearly spells out what that means, *including* what DNT will be set to. Arguably, the user *has* made a decision by selecting express settings. How does Roy Fielding's patch determine how much of that text the user read before continuing?
And how does the patch determine when a user *explicitly* sets the DNT?
Yes, Microsoft probably does this because it will annoy Google and hurt them more than it will hurt Bing. But at the same time it does help protect users' privacy. What a joke if Apache accepts this patch. What a sell-out. Disgusting.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
How is this any different from Google circumventing the default privacy settings in Apple's Safari?
Google was sued here. Since Apache isn't a company, is this the way for the likes of Google and others to get their bidding done?
Should be standard procedure, and we shouldn't need some new protocol to argue over.
It's invasive, and wrong. Period.
---- Booth was a patriot ----
I would laugh so much if MS include an ad block in IE and turn it on by default.
In case it has faded from people's memory, PRIVACY IS A FUNDAMENTAL HUMAN RIGHT - enshrined in laws across the planet.
That wasn't some arbitrary, weird, one-man-and-his-hobby-horse decision, this was the result of a serious amount of very costly and capable people sitting together and hammering out basic principles. A bit like the US Constitution that US politicians appear so keen to ignore.
So, from that principle, not wanting to be tracked IS the legally correct default, DNT should have never been needed, only a "DT" ("Do track, because I don't care about my rights"). If Mr Roy Fielding is writing a patch to override what should have been a default to start with (the jammering and global breaking of this principle by marketing people across the globe does not define breaking the law as rule), then Mr Roy Fielding is effectively on his way to break the law in practically any part of Europe.
DNT is an excuse to casually ignore the fact that fundamental principles were already broken by companies raking it in on the back of breaking fundamental principles (yes, Google and Facebook, I'm looking at you).
Let me put it this way - if this patch goes live anywhere in Europe, a complaint to the relevant government department in charge of Data Protection WILL be made. No ifs, no buts, no maybes.
It's time we start working on people's rights - because with such idiocy and kowtowing to money nobody is going to do it for you.
Never thought I'd see the day when Apache is the Bad Guy vs. Microsoft.
The DNT setting applies to everyone, and ironically it appears MS are about the only ones that abide by it. Having DNT by default seems to me to be the intelligent choice. The default should always err on the side of a user's privacy. Why the fuck are people suddenly supporting the right to be tracked??? You should require explicit permissions from the person in order to track them.
Microsoft are setting DNT on Windows 8 (and by extension their phones and tablets) so that competing advertising services like Google et al are shut out of their ecosystem. I bet whatever terms and conditions pop up when Windows 8 starts for the first time, or via those Bing apps means that the DNT setting doesn't apply to Microsoft itself.
Actually, it seems IE10-team has a pretty independent focus on user experience. On my Windows 8 test machine it has proactively several times recommended to remove addins from Microsoft to speed up performance (from Bing, from Windows Live, from Office!). I'm guessing those other MS divisions must be livid. I know we've loved to make fun of IE for quite some time, but it is a good thing that IE10 is shaping up quite nicely (we don't want to replace "made for IE6" with "made for webkit"), and you can see what more is coming at http://html5labs.interoperabilitybridges.com/
For one, yeah, the pre-commercialization web of NCSA Mosaic was awesome. (Not being sarcastic.) It was content-heavy. Down-homey. Come as you are.
It's really nice to be able to read content by people who are just writing down their thoughts and aren't constrained by having to dream up a certain number of words every day for the sake of pageviews.
Yet I have trouble finding that stuff anymore. Any normal web query you do will lead to the big sites (HuffPo, etc.) in the SERPs. And if you click on "blog" in Google, you'd expect to find posts by "real people". Instead, everything from the erstwhile AolNews to Time is included in "blog".
Anybody have a good handle on finding that old-time content? Gopher?
I'm not a lawyer, but I play one on the Internet. Blog
Article is misleading. DNT is enabled if you set up Windows 8 with express settings, at which point it actively states DNT will be set 'on'. Until that point there are no configured values. This is Apache caving into advertiser pressure, pure & simple IMO.
throw new NoSignatureException();
If you do not want to be tracked, DO NOT SEND REQUESTS. ... did anyone *really* expect that to work?
But sending requests with a "please handle this one but don't use it to track me or put it in logfiles" comment
How much tracking is done via log file analysis alone?
Not logging requests that the user specifies makes it a standard for script kiddies only.
If it was intended for just not putting a cookie... well fail?
That's what browser settings are for and what could have been done with more aggressive browser settings alone.
Sorry to say that, but this whole standard seems to not ever have made sense at all...
This is not an attack on privacy. This is the only valid option.
If you look at the details of the Do Not Track Header, you'll see that there's not much to it. It's an optional HTTP header that represents the user's request not to be tracked. There is no mechanism to actually enforce this choice; any party can easily just ignore the header and track you regardless. The entire purpose of the header is to express a user's intent, and, therefore, the entire value of the header is derived from that intent.
It's like the "Baby on Board" car signs: If I place one in my car's windowpane, polite drivers should see that sign and grant me additional driving space and courtesies, and I may be able to drive in the carpool lane. Imagine, now, that everyone always puts that sign in their car by default because they want the additional driving space and courtesies. The value of my sign is significantly diluted; not only does standard driving operation make it impossible to honor those requests, but my own actual situation gets lost in the noise. Drivers will surely ignore the little yellow sign altogether, and it becomes worthless.
Unless "Do Not Track" is actually an explicit expression of a user's conscious intent, it will face the same hypothetical fate and become yet another ignored standard. Its only value is derived from its explicit intent, and Apache and Fielding are taking steps to ensure that the value is not compromised.
Isn't this precisely the sort of argument W3C is for?
This is a really bad idea. If it gets adopted widely it will support the argument that DNT needs to be regulated and enforced by law.
It is the old email optin/optout argument. You rarely see a site that does not have an explicit option to optin or optout check box when you register.
A better patch would be to pop up a DNT dialog box allowing the customer to confirm tracking the first time they visit a site.
And don't tell me this is hard to do. You are already tracking people. This is just another data point to track.
Perhaps the use of ie10 is my active choice, knowing that it has this privacy set by default. It's not, but consider the possibility.
The alliance has revealed that it will only honor DNT if and only if it is not switched on by default.
Dear Digital Advertising Alliance - No one* wants you to track them. MSIE enabling DNT by default means nothing more radical than defaulting US releases of Windows to use English.
Since you have decided you know better than we do, I will therefore block all ads and tracking technologies until you make them "opt-in" only.
And then I will opt out.
* Morons who consider Facebook as somehow "better" than the worst of you marketing parasites aside.
No Web server can determine whether a do-not-track (DNT) setting was the inherent default or explicitly set by the end-user. Apache is specifically blocking recognition of DNT for Internet Explorer 10 only because they discovered that Microsoft made DNT the default.
By the way, telemarketing is as important to commerce as are Web ads. But in the U.S., I can (and did) put my phone number in the government's do-not-call list. It is illegal for a telemarketer to call me. (Some still do. I report them to the Federal Trade Commission for enforcement.) How is do-not-call different from do-not-track? Apparently, they are not very different since a bill is in Congress to require Web sites to honor DNT, which (of course) will make Apache's patch illegal.
Fielding thinks his options should be "use another browser." Well fuck you Mr. Fielding. Thanks for coming up with a standard that you are going to cheerfully ignore while giving users the false impression that you are going to honor their wishes.
Do we need an involuntary standard to get advertisers to behave? Because that's where this sort of shit may be leading.
Or do you want a war with Microsoft? Maybe they'll patch IE to identify and disable Apache servers by default, or send them spoofed and anonymized information by default.
The more protection the better!
https://chrome.google.com/webstore/detail/hhnjdplhmcnkiecampfdgfjilccfpfoe?hl=en
Facts do not cease to exist because they are ignored. - Aldous Huxley
If DNT is disabled by default it is a user choice (to disable it), if it is enabled by default it is not a user choice (to enable it)?
How can you not have a default setting for this (or any configuration option)? And who is to tell which one is better? User has the ultimate choice in both cases to change it to what they please.
Since when was it necessary to scoop into the most intimate corners of your mind to simply show you an ad? And why do you need to know my browsing history to register if I clicked an ad or viewed a banner?
This tracking issue has gone completely over the board. How difficult could it be to simply be an advertisement network? Why do they also have to become our very own big brother?
But... the future refused to change.
I agree with DNT not being set by default. Make it an option on the default browser home page, then people can set it whenever they like, or just ignore it. Done.
But to Apache: "we do not support breaking open standards" holds no water whatsoever when your way to express your love for standards is to patch your product such that it can completely ignore a generally accepted standard by default. That to my mind is a text-book example of hypocrisy.
And to the ad servers saying "if X then we'll just ignore DNT" I say fine: if you won't honour DNT I feel no guilt at all in completely blocking all your content. Thanks for playing. I only block ad networks that get on my nerves (auto playing sounds, overly irritating animations, malware riddled shite, and so forth), but this is on my list of things that get on my nerves.
For what it is worth I don't think DNT will make any difference at all, as it relies on everyone to play ball server-side and I barely trust anyone with a commercial or other interest in tracking people to play ball in anything other than hollow words, but that is no reason to not be irritated when you hear people say "we know and understand your preferences, but fuck you".
They can choose to ignore DNT for whatever reasons they choose. However, I did deliberately set DNT in my browser. Any party choosing to ignore that setting will find me remarkably lacking in sympathy for them if they wind up tracking me contrary to that setting.
There are a few reasons why some people object though, including but not limited to:
Why is Apache doing this? Shouldn't it be up to the webmaster and developers whether to ignore IE10's DNT or not?
Why is Apache doing user agent sniffing (a no-no usually for even web apps) and overriding web applications by default? The patch doesn't even give a choice to the webmaster to configure Apache to disable this action. So it's being forced on Apache users because of the ego of the DNT spec writer? Let's say IIS turns on DNT for all browsers, how will Mr. Fielding feel then? Apache is being used as a pawn in this power game and this move will help no one. Let the advertisers ignore DNT from IE10 if they want to, why block DNT flag on at the web server level?
This space for rent.
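What several comments above describe (DNT as an advisory request header that nothing enforces, and a server dropping it based on User-Agent sniffing), as an added example that is not part of any comment and is not the Apache patch's own code. The `MSIE 10.0` substring rule, the function names and the sample requests are assumptions constructed for illustration.

```python
"""Added illustration: DNT as an advisory header, and User-Agent-keyed stripping."""
from typing import Dict, Optional, Tuple

# Constructed User-Agent strings for the sample requests below.
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0"

# Constructed sample requests (header name -> value). The two IE 10 requests
# are identical on purpose: one stands for a user who chose DNT explicitly,
# the other for a user who accepted the default. Nothing on the wire differs.
SAMPLES: Dict[str, Dict[str, str]] = {
    "ie10_explicit": {"User-Agent": IE10_UA, "DNT": "1"},
    "ie10_default": {"User-Agent": IE10_UA, "DNT": "1"},
    "firefox_opt_out": {"User-Agent": FIREFOX_UA, "DNT": "1"},
    "firefox_unset": {"User-Agent": FIREFOX_UA},
}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def dnt_preference(headers: Dict[str, str]) -> Optional[bool]:
    """True = do not track, False = tracking allowed, None = nothing expressed."""
    value = get_header(headers, "DNT")
    if value == "1":
        return True
    if value == "0":
        return False
    return None


def strip_dnt_by_user_agent(headers: Dict[str, str],
                            ua_marker: str = "MSIE 10.0") -> Dict[str, str]:
    """Server-side override keyed on User-Agent sniffing (hypothetical rule).

    Returns a copy of the request headers with DNT removed when the
    User-Agent contains ua_marker, which is what the application behind
    the server would then see.
    """
    user_agent = get_header(headers, "User-Agent") or ""
    if ua_marker in user_agent:
        return {k: v for k, v in headers.items() if k.lower() != "dnt"}
    return dict(headers)


def should_set_tracking_cookie(headers: Dict[str, str],
                               honor_dnt: bool = True) -> bool:
    """Application-side decision. Honoring the header is voluntary:
    with honor_dnt=False the preference is simply never consulted."""
    if not honor_dnt:
        return True
    return dnt_preference(headers) is not True


def decisions() -> Dict[str, Tuple[bool, bool]]:
    """For each sample: (cookie set without stripping, cookie set with stripping)."""
    return {
        name: (should_set_tracking_cookie(req),
               should_set_tracking_cookie(strip_dnt_by_user_agent(req)))
        for name, req in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (before, after) in decisions().items():
        print(f"{name:16s} track without stripping={before}  with stripping={after}")
```

The explicit and default IE 10 requests produce the same result in both columns, because the request carries no information about how the value came to be set.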
Google did not kill Usenet; AOL killed Usenet in 1993, when they started sending millions of rude and uneducated users to Usenet without bothering to explain basic Usenet conventions or etiquette.
Palm trees and 8
Dang, MillionShort is the best new idea in search I've seen in years. I'm going to go play with it soon.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Now I have to side with m$ on this one? Is it in preparation for the end of the world in December? What's going on?
You can also have useful content without ads. A popular web forum can be run for $25/month and 8-10 hours/month as a hobby. I know because I did it for years. http://www.cadillacpower.com/forum . No ads. No spam. NO tracking or data mining. EVER.
Well if the users asked are the marketing department at google otherwise....
While I'm sure he is impartial, they should have chosen someone else to write the patch.
Roy works for Adobe, who owns Omniture, one of the major tracking companies out there.
Microsoft are setting DNT on Windows 8 (and by extension their phones and tablets) so that competing advertising services like Google et al are shut out of their ecosystem.
Then what do you make of the fact that ad-supported Win8 Metro apps can serve Google (or Apple, or whoever) ads rather than just Bing ones?
I find it useful, but ideally I want to control who does that. I use a lot of Google services - including things like Latitude that go beyond tracking on the Internet - and so I want them to track me to establish context. So I do actually get something useful out of that. I wouldn't want another online ad agency to track me, though.
I think it's more that nobody wants to be tracked all the time
There are times when I mind tracking, and times I don't.
If I were - for example - browsing "adult" sites, I'd probably not want to be tracked, particularly if said tracking manages to tie my browsing history between home and work, etc.
On the other hand, if advertisers want to use tracking to determine that I like geeky stuff and am shopping for a new gaming rig, I'm not going to complain if they show me ads for CPU's that are on sale etc.
I'm fairly sure guys that are sick of seeing ads for feminine hygiene products etc might be in for replacing their *existing* advertising with something for deals on beer, or superbowl tickets, or whatever happens to float their personalized boats.
An opt-in setting would mean the vast majority will not get the benefit. Basically this is the Ad companies saying we don't mind if a few people prevent us tracking them but if it becomes the norm we are going to ignore you. Well they can go fuck themselves. Sounds to me like time for government to step in and regulate them if they wish to ignore a person's right to privacy.
Welcome to Internet Explorer 11 first time setup.
Do you wish to have privacy or do you want to expose yourself to the mercy of advertisers?
_yes, I want privacy
_no, I want to be at the mercy of advertisers
[user chooses "no"]
[big red letters]
ATTENTION, Internet Explorer 11 has detected an error during first-time user setup. First-time-user setup settings have been lost. Internet Explorer 11 will now restart.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Having DNT by default seems to me to be the intelligent choice. The default should always err on the side of a user's privacy. Why the fuck are people suddenly supporting the right to be tracked???
You sound really shocked. Maybe that should have been a clue that you were lacking some rudimentary understanding of the situation? You could have... perhaps, done a little bit of reading before hitting the Post button and whipping out a knee-jerk response, just maybe?
You should require explicit permissions from the person in order to track them.
Unfortunately, advertisers don't share this belief and we have neither the technical capability nor the legislative willpower to force them. DNT is an attempt to ask them nicely. It's a social approach, and it requires their cooperation to work... it's not like it's some magic switch that cuts off their ability to track us (in fact, at a technical level, it allows them to track you easier than before via browser thumbprinting).
If you're going to enable DNT by default everywhere, why don't you just write a letter to all internet tracking firms asking them to please go out of business? It would be easier to implement and more likely to get results (e.g., still not a chance in hell).
-1, Too Many Layers Of Abstraction
My estimate is closer to one or two percent. I say that because there will always be those dumbasses and advertising dickheads that just have to be different. But they're a minority; anyone in their right mind values their own privacy. I wonder if this Fielding asshole uses the DNT option himself.
Along the same lines is the stance adopted by Digital Advertising Alliance. The alliance has revealed that it will only honor DNT if and only if it is not switched on by default.
This is why we need laws and regulations. This was obvious the minute DNT was announced. I think I posted a few comments back then. Of course they will find excuses to not honour it. If it weren't this one, it would be something different.
In an ideal world, they would be fined $1000 for every single time they ignore the flag, that would put them out of business within a week.
Of course, in the real world we live in, such ridiculous fines are reserved for unemployed mothers downloading a few music tracks for their kids.
Assorted stuff I do sometimes: Lemuria.org
So Adblock Plus it is, then.
They had one chance to convince us that they aren't evil, greedy bastards and meet us in the middle, with us accepting reasonable ads that don't mess with us in ways we don't like.
They fucked it up.
So I'll feel even more justified in recommending Adblock Plus to absolutely everyone whose browser window I ever see.
You didn't want to compromise, assholes, so for all I care, you can all go broke.
Assorted stuff I do sometimes: Lemuria.org
For the same reason Gnu doesn't support user freedom -- and has decided that the Corporate POSIX standard will be enforced on all user systems. They've sold out -- been bought and paid for.
You think "rm -fr ." would remove all files in the current dir, or "rm -fr foo/." would remove all files IN foo (but not foo). These are no longer options -- the "f" no longer overrides errors and continues.
What's worse -- when removing recursively, rm has to remove the contents BEFORE trying to remove the current directory. So you'd still expect rm -fr . to remove all files under . then fail at the last on "." -- which you wouldn't see due to the "-f" flag. Nope.
POSIX requires "." to be checked for out of order - first, and requires the force flag not to ignore this error.
Result: rm can no longer remove all files under a directory w/o also removing the directory, by itself. You'll have to use the shell to type in wild cards and hope they expand the way you want on a target system. ( * includes .files except . & .. -- unless the user has turned that off.). A note in POSIX claimed they were protecting against accidentally typing in "rm -r *" -- which doesn't address the case of including the "-f" flag nor the easier mistake to type in which is just as disastrous "rm **" which will delete all files under the current point (but leave the empty directories!)... Completely nonsense -- yet GNU has been given over to mindless supporting the corporate POSIX standard.
Free software is being sold off to corporations just like proprietary software. Only difference is the free software you can create your own patched copy for your own use -- but try distributing it as a new version to replace the old... fat chance.
Obviously this will never be respected. Like ads, we have to take active measures such as using the ghostery add on to block all known tracking methods (there is still some server side fingerprinting involving your browser version/os etc).
Nowadays you HAVE TO block this stuff; people often complain their browsing is slow, and then you discover the insane amount of traffic sent to third parties before content is even displayed in most sites. Of course using Chrome is suicidal, it belongs to a corporation who does both ads and tracking for business.
Active blocking most always needs Noscript and the discipline to use it properly. This is because they use scripts to bypass/detect blocking, so for firefox adblock/ghostery/noscript are usually all needed. Because cookies and referrer are also used sometimes, you might as well add cookie monster and RefControl. In short, you have to whitelist those "features" from trusted sites and only a few things from each trusted site in order to have a decent browsing experience again. Block by default and only allow what you need.
This is done not for paranoia, but for bandwidth and latency reasons.
Artix
Your Linux, your init.
Ad Block Lite, not Plus. Plus has an option to "allow unobtrusive ads" which is enabled by default...
Also we are talking about tracking here, not just ads, so you will also need Ghostery as well. But because they will try to detect and disable your blocking, then you are forced to enter the world of Noscript, Cookie Monster and RefControl (or equivalent combo).
The web is hostile, and for this we need to take active measures whitelisting only the few elements from the pages we trust.
Artix
Your Linux, your init.
The patch has been pulled: https://github.com/apache/httpd/pull/2
Maybe if you weren't anonymous and flashed your actual qualifications and education on the matter they might be more willing to listen to your legal advice?
Change is certain; progress is not obligatory.