Slashdot Mirror


Apache Patch To Override IE 10's Do Not Track Setting

hypnosec writes "A new patch for Apache by Roy Fielding, one of the authors of the Do Not Track (DNT) standard, is set to override the DNT option if the browser reaching the server is Internet Explorer 10. Microsoft has by default enabled DNT in Internet Explorer 10 stating that it is to 'better protect user privacy.' This hasn't gone down well with ad networks, users and other browser makers. According to Mozilla, the DNT feature shouldn't be either in an active state or an inactive state until and unless a user specifically sets it. Along the same lines is the stance adopted by Digital Advertising Alliance. The alliance has revealed that it will only honor DNT if and only if it is not switched on by default. This means advertisers will be ignoring the DNT altogether no matter how a particular browser is set up. The DNT project has another member – Apache. It turns out that Microsoft's stance is like a thorn to Apache as well. Fielding has written a patch for the web server titled 'Apache does not tolerate deliberate abuse of open standards.' The patch immediately sparked a debate, which instigated Fielding to elaborate on his work: 'The only reason DNT exists is to express a non-default option. That's all it does. [...] It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.'"

33 of 375 comments

  1. We care about ad networks? by betterunixthanunix · · Score: 5, Funny

    This hasn't gone down well with ad networks

    To quote Firefly: "Do we care? Is this something we are caring about?"

    --
    Palm trees and 8
    1. Re:We care about ad networks? by mister_playboy · · Score: 5, Insightful

      There was content on the web before there were ads, dipshit.

      Anyone who thinks we can't have one without the other is wrong, because that state has already happened.

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    2. Re:We care about ad networks? by BorgDrone · · Score: 4, Informative

      Yes, all improvements to the web are thanks to the ad companies, it has nothing to do with technological progress.

    3. Re:We care about ad networks? by silas_moeckel · · Score: 5, Insightful

      Why yes it was there was content, not people telling each other what they had for dinner and when they had a BM. When you searched for information about a piece of hardware you got the manual and other useful information not the marketing drivel. The noise ratio of the internet has gone up dramatically as it's become more and more commercial.

      --
      No sir I dont like it.
    4. Re:We care about ad networks? by Celarent+Darii · · Score: 4, Insightful

      You think ad networks will be the ones who honor DNT? The very same people who profit by tracking?

      Frankly I think the whole thing would be better if adblock was just installed by default in every browser.

      Ads are nothing less than visual pollution. Tracking is also one of the reasons that we have cookies and all the other security problems with the web. HTTP was meant to be a stateless protocol and should remain so.

    5. Re:We care about ad networks? by dissy · · Score: 5, Interesting

      If the site is so concerned about money and income, why don't they just use regular ads instead of tracking ads then?

      They can choose. Use tracking ads, have them blocked, and get nothing. Or use regular ads, and get something.

      It's hardly our fault that they choose to abuse their customers and then bitch about getting no money because of it.

    6. Re:We care about ad networks? by oldlurker · · Score: 4, Insightful

      We care that they care. If they choose to ignore DNT due to Microsoft's actions (or rather, probably deliberate attempt to make the feature ignored) we do care. We prefer that the ad networks honor DNT, and they might, if it's not turned on by default. It's that simple.

      The moment a number of users started to turn on DNT ad networks would find a reason to not honor it anyway. It seems DNT was a privacy standard built on the peculiar premise that it only works as long as it stays unknown to most users ('if few enough know about enabling DNT then maybe the ad networks will leave us that do alone').

    7. Re:We care about ad networks? by Seumas · · Score: 5, Interesting

      The best content on the internet is produced out of a passion for creating the content, rather than a desire to make a buck. The commoditization of the internet will ruin it, yet. We can't even escape marketing and obnoxious advertising *here*. The majority of people just want to make a buck, right down to the last mommy-blogger that plasters her five-views-a-month blogger page with adsense just so she can eke a nickel out of every last word.

      Remember when people did shit because they cared? They didn't have to monetize every square inch of every page of their website? They created services and content because they loved doing it or cared about the community they were doing it for? Remember when sysops built communities for free? They bought the hardware, they maintained everything, they paid for the phone lines, they spent hundreds of hours adding content, connecting their services to multi-node door games, setting up FIDOnet, accounting, etc. And they did it because they enjoyed it. And if people appreciated it enough, they chipped in some cash. Not because they were asked to, but because they wanted to. And you didn't have to be confronted with ads.

      I'm not saying the whole internet has to be like that, but does *EVERYONE* have to eke a penny out of every last spot they can? Not just big websites with huge advertising contracts, but right down to every jackhole with a dinky little website or blog?

      When I started my site in 1997, I did it with the specific intention of never monetizing it. I didn't charge money. I didn't charge fees. I didn't sell ads. Nothing. I did it because it was enjoyable and it served a purpose for people that they found valuable. I'm sure they'd have paid if I asked, but I didn't. It felt dirty. It felt unnecessary. I thought it was a righteous and reasonable thing to do.

      Almost a decade later, I met someone in a bar and it turned out she was a long-time member of my site. We got to talking about it for awhile and when I brought up advertising, she paused and said that she actually had never even noticed that there was no advertising on the site. I couldn't believe it. I feel so accosted by advertising every fucking where I turn that I sure as hell notice it on sites and appreciate the lack of it on others. And here, I discovered that regular people neither give a shit nor even notice whether there are or aren't any ads.

    8. Re:We care about ad networks? by moronoxyd · · Score: 5, Insightful

      Tracking should be something users should have to opt in to, not out of.

    9. Re:We care about ad networks? by Opportunist · · Score: 5, Interesting

      We had worthless crap spewed by some amateur individuals instead of worthless crap being spewed by some professional agencies.

      I fail to see the big improvement.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:We care about ad networks? by Celarent+Darii · · Score: 5, Insightful

      An optional flag that has no enforcement mechanism is just asking for government intervention. In any case I don't think DNT will survive, and something else will come in to make ad companies rethink their strategy.

      Do you remember the debate about blocking pop-up windows? Very similar complaints from advertisers who said they were 'financing the development of the web' (what a bunch of bullshit, they are just profiting from it). Yet every browser blocks them by default now. I await the day when (tracking) ads will be blocked by default by most major browsers. It's time to take the web back. HTTP is meant to be a stateless protocol.

    11. Re:We care about ad networks? by sjames · · Score: 5, Insightful

      I guess hell is freezing over now because I am forced to side with Microsoft on this one. I can't think of anyone who actually wants to be tracked like a bear with a radio collar. The express install has DNT as a default setting because most people really don't want to be tracked. For the few that do, they can choose custom settings and not choose DNT.

      I will be ripping that patch OUT of any Apache I install. If it were a physical thing, I would then piss on it and burn it. It is deeply disrespectful to the end user. All it does is lend credence to the idea that the whole DNT thing was a big fat LIE by the ad networks (liars for hire).

    12. Re:We care about ad networks? by 1u3hr · · Score: 4, Interesting

      As I remember, UseNet spam was a huge problem before Google Groups came along. UseNet had a way to delete spam from the entire network, but they had a rule against using content-based filters to decide which messages were spam.

      There was no "rule" at all.

      Almost all ISPs had usenet servers and filtered spam. The ones that didn't were blacklisted by the others. Until Google came along. Then many ISPs stopped providing usenet feeds and told their users to use Google. And Google didn't filter spam. It enabled spammers to use throwaway accounts. Didn't matter that the account was deleted later, they could get a new one immediately and keep going. Some premium hosts blocked Google posts, but that also blocked many legitimate posters who didn't want to pay for a usenet feed.

      Anyway, where before you could filter out all the crap from Russia, China, India, etc, now the biggest usenet host of all in the world was generating the most spam. Those cunts killed usenet.

  2. It does not protect anyone's privacy... by Neil_Brown · · Score: 4, Informative

    It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization

    By being set, it protects my privacy as long as "recipients" abide by it without question — it only becomes an issue when "recipients" qualify when they will abide by it.

    If active choice is not an option, a default in favour of not tracking seems a better position to me but, then again, I am not an ad network executive.

    1. Re:It does not protect anyone's privacy... by Anonymous Coward · · Score: 5, Interesting

      The point is, DNT only works, at present, on a voluntary basis. As you say, your stance (privacy by default) is not what any ad company will voluntarily choose -- but as long as only a few users opt-in, it can make sense to roll with it for good PR, and to keep the people who care about privacy placated so they don't agitate for privacy regulations the ad men would have to comply with.

      It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization

      Yeah, that is bull. The recipients don't care that it's set by a real human being, they care that it's set on a small enough fraction of UAs that the PR is worth more than the value of the data they forgo. The former (for now) satisfies the latter, but if enough people started setting it, it'd still be too many, and they'd start ignoring it.

      Now you may (as I do) consider the whole situation laughable, because it by design secures privacy for a few by throwing the masses to the wolves, but that's the system we have, and IE's default breaks the conditions under which that system can continue to exist. There's only three ways it can play out (so long as it's the same voluntary cooperation):

      (A) ad networks see IE's market share as "too much", disregard DNT altogether.
      (B) ad networks see IE's market share as acceptable losses and continue to respect DNT across the board; Firefox etc. eventually copy IE's default; ad networks then disregard DNT altogether.
      (C) ad networks see IE's market share as "too much", disregard DNT only on IE, nobody copies IE -- at the very least the system continues to work for people who care enough to set DNT on non-IE UAs, and there's the possibility IE switches back to opt-in DNT, after which the ad networks will restore the status quo.

      A and B are total losses (of the voluntary scheme; the aftermath may or may not result in new privacy regulations); C maintains the status quo for many users, and has the possibility to return to status quo across the board.

      By being set, it protects my privacy as long as "recipients" abide by it without question — it only becomes an issue when "recipients" qualify when they will abide by it.

      Oh, come off it. It protects your privacy when those qualifications don't affect you. So don't run IE, and it still protects your privacy. Now if you meant "it protects everyone's privacy as long as "recipients" abide by it without question" , then yes. But since we all know the DNT system is designed to operate by throwing ignorant or apathetic individuals to the wolves, protesting that it doesn't protect everyone's privacy is kinda disingenuous.

  3. How it seems... by p0p0 · · Score: 4, Interesting

    How it seems to me, in a simplified way, is that advertisers feel they have the right to serve you ads. Off the bat, I disagree with this notion, however I do see that without ads many websites would not be around or would be forced to hide behind a paywall.
    At the same time, what guarantee do advertisers give users that their ads are not a potential attack vector, or what standard do they follow that their ads are not intrusive and degrade the performance of a user's machine or overly distract and irritate the users? How invasive do their ads and data collection get to be?

    Overall, I see where they are coming from but at the same time all I hear is a bunch of self-entitled whiners. Is there any good reason to instantly get tracked as soon as you visit your first website, or should you be allowed to later reveal yourself to the world if you so desire the features these advertisers and data miners claim to provide? The most obvious being targeted ads and more relevant searches when using Google.

    1. Re:How it seems... by Motard · · Score: 4, Insightful

      Tracking is not required to serve ads. I don't mind seeing billboards on the side of the road, but if the billboard is photographing my license plate and sending that to a central server, I have a problem with that.

    2. Re:How it seems... by martin-boundary · · Score: 4, Insightful

      Tracking can be beneficial for both the advertiser and the user - we all like to be offered relevant content, and the advertiser likes to offer it to people who he thinks will be interested.

      No, we do NOT. We do NOT all like to be offered RELEVANT content. That is one of the insidious fallacies that ad peddlers (and Google is a prime offender) like to claim so they can justify their practices.

      Ads are noise, whether they are relevant or not. Take your favourite kind of music, say your favourite songs from your favourite band. Do you want to hear those songs ALL THE TIME? While you're driving to work, while working, after work when watching TV, etc? Clearly NOT.

      NEARLY ALL THE TIME, PEOPLE DON'T WANT ADVERTISING, RELEVANT OR NOT (caps to make it easy on the stupid Googlebot ;-)

      The whole idea that we need to be aware of available choices and having choices is good is bullshit. What we need is to be able to control our environment, and if we want choices we'll ask our friends first, thanks very much.

  4. Re:Gee, How Much Google Paid For This by Stormthirst · · Score: 4, Insightful

    Ad-block FTW

  5. A roundabout way of saying that DNT is... by John+Hasler · · Score: 4, Insightful

    ...useless and silly.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  6. Two wrongs do not make a right by another+random+user · · Score: 4, Insightful

    Ignoring the issue around if IE10 should set the DNT flag by default or not, this patch only makes the situation worse.

    With this patch, even if the user has explicitly chosen to set the DNT flag, the server will ignore it. They claim this patch has to be done because IE 10 ignores part of the spec:

    "Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control."

    This patch however also ignores this same element of the spec, in that no matter what the user may or may not have done, there will be a "mechanism outside the user's control" (the Apache server) which decides on what they want the preference to be.

    I do agree that the DNT setting should be a user choice, perhaps given when the user first installs the browser as well as having the option to change it at any time, but to me this is not the right response to having a default set - although I'm sure if the default setting was that tracking was allowed, the ad people would for some reason not be complaining about having a default...

    --
    -1 troll is not supposed to be used simply because you don't agree
    1. Re:Two wrongs do not make a right by Likes+Microsoft · · Score: 5, Interesting

      Advertisers and sites that depend on them don't want to admit that choosing to use a certain browser and allowing its default settings *is* a choice. They are also free to request the user to turn DNT off before they serve up key features. They apparently *really* don't like the idea of having to explicitly ask, "can I follow you wherever you go after this"?

      --
      -- Who am I? How did I get here? My God, what have I done?!
  7. Re:Gee, How Much Google Paid For This by heypete · · Score: 5, Informative

    It's already starting to bother me. I'm seeing these advertisements here on Slashdot too. After I've searched for something on Google, the related advertisements start to come up EVERYWHERE on the internet. Seriously, they come after you. If you search for specific flights you start to see ads for that everywhere. It'll haunt you and there's nothing you can do.

    Not true: you can change your Google Ad Preferences or opt-out.

    Similarly, you can use the NAI's opt-out page to opt-out of Google and other ad network tracking.

    There's plenty of browser plugins that work to block ads entirely (such as AdBlock) and ones that ensure that the "opt-out" cookies stay in existence even if you clear your other cookies.

    All the other browsers than Safari and IE are in bed with advertisers because both Firefox and Opera get revenue directly from Google.

    The default search box in those browsers comes configured to use Google, yes. They do get income from ad revenue stemming from searches from the box. You're not forced to use that search box, nor are you forced to use the default settings -- you can add other search providers (like DuckDuckGo, ixquick, etc.) -- Firefox, for one, doesn't have ad agreements with anyone other than Google.

    So for the love of god Apache Project, stop taking bribes from Google and doing evil things like this!

    Is there evidence that the Apache project is "taking bribes from Google"?

    My understanding from the article is that an individual contributed a patch to the Apache httpd.conf source code and does not reflect the official viewpoint of the Apache Foundation, nor that the patch has been approved for inclusion. Naturally, I welcome any corrections.

  8. So when is it a default setting, mr. Fielding? by benjymouse · · Score: 5, Interesting

    When using IE10 for the first time (per user) you get a screen where you can choose "express settings". The screen clearly spells out what that means, *including* what DNT will be set to. Arguably, the user *has* made a decision by selecting express settings. How does Roy Fielding's patch determine how much of that text the user read before continuing?

    And how does the patch determine when a user *explicitly* sets the DNT?

    Yes, Microsoft probably does this because it will annoy Google and hurt them more than it will hurt Bing. But at the same time it does help protect users' privacy. What a joke if Apache accepts this patch. What a sell-out. Disgusting.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  9. Re:Gee, How Much Google Paid For This by bmo · · Score: 5, Informative

    Just a FYI.

    I went to NAI's opt out page and tried it. I have Adblock-plus. To get all of them, you have to turn off Adblock-Plus, hit the "all of them" button, and then re-enable. Otherwise, you only get 50-some-odd out of 95.

    --
    BMO

  10. Re:Gee, How Much Google Paid For This by Karzz1 · · Score: 5, Insightful

    Choosing to ignore a standard is not what they should be doing either.

    To be honest this is kind of a ridiculous standard anyway. The way I read it, it seems to me the sites I would least want to track me are the exact sites that are most likely to ignore DNT completely. This standard reminds me of the Evil Bit RFC.

    --
    Beware of he who would deny you access to information, for in his heart he dreams himself your master.
  11. DNT not ON by default by Toreo+asesino · · Score: 4, Informative

    Article is misleading. DNT is enabled if you set up Windows 8 with express settings, at which point it actively states DNT will be set 'on'. Until that point there are no configured values. This is Apache caving into advertiser pressure, pure & simple IMO.

    --
    throw new NoSignatureException();
  12. Nobody's attacking privacy... by Jahava · · Score: 4, Insightful

    This is not an attack on privacy. This is the only valid option.

    If you look at the details of the Do Not Track Header, you'll see that there's not much to it. It's an optional HTTP header that represents the user's request not to be tracked. There is no mechanism to actually enforce this choice; any party can easily just ignore the header and track you regardless. The entire purpose of the header is to express a user's intent, and, therefore, the entire value of the header is derived from that intent.

    It's like the "Baby on Board" car signs: If I place one in my car's windowpane, polite drivers should see that sign and grant me additional driving space and courtesies, and I may be able to drive in the carpool lane. Imagine, now, that everyone always puts that sign in their car by default because they want the additional driving space and courtesies. The value of my sign is significantly diluted; not only does standard driving operation make it impossible to honor those requests, but my own actual situation gets lost in the noise. Drivers will surely ignore the little yellow sign altogether, and it becomes worthless.

    Unless "Do Not Track" is actually an explicit expression of a user's conscious intent, it will face the same hypothetical fate and become yet another ignored standard. Its only value is derived from its explicit intent, and Apache and Fielding are taking steps to ensure that the value is not compromised.

    1. Re:Nobody's attacking privacy... by pla · · Score: 4, Funny

      It's like the "Baby on Board" car signs: If I place one in my car's windowpane, polite drivers should see that sign and grant me additional driving space and courtesies

      Wait, people buy those because they actually believe it will make other drivers more courteous???

      Heh... Personally, I take it as a warning - "This car will go way too slow and has a frequently-distracted driver. Please pass me ASAP, and treat me as you would a potential drunk driver".

  13. Re:Noncommercial content by oakgrove · · Score: 5, Interesting

    Try this search engine. It removes the top million sites. Might be what you're looking for.

    --
    The soylentnews experiment has been a dismal failure.
  14. No thank you, now FOAD please? by pla · · Score: 5, Insightful

    The alliance has revealed that it will only honor DNT if and only if it is not switched on by default.

    Dear Digital Advertising Alliance - No one* wants you to track them. MSIE enabling DNT by default means nothing more radical than defaulting US releases of Windows to use English.

    Since you have decided you know better than we do, I will therefore block all ads and tracking technologies until you make them "opt-in" only.

    And then I will opt out.


    * Morons who consider Facebook as somehow "better" than the worst of you marketing parasites aside.

  15. Re:Gee, How Much Google Paid For This by Mashiki · · Score: 5, Insightful

    Ad-block FTW

    Pretty much, along with cookie blockers. Anyone who doesn't use one on the internet these days is either mad or insane. Perhaps both. I don't care that site users are whining and crying that they're losing revenue, it's stuff like what was mentioned in the article itself (too long to repeat) that ensures that I'm going to keep using them. Plus the long list of abusive ads themselves that like to run with their volume at 11, or inject malware.

    I'd be happy with ads, no really. If companies weren't being so stinking abusive over it. I'd call the entire thing an abusive relationship, you even get companies promising "we don't do this, don't worry we've changed." And next time, they're right back to doing it. Sounds familiar doesn't it?

    --
    Om, nomnomnom...
  16. Re:What has Apache got to do with this? by Simon+Brooke · · Score: 4, Informative

    This is not Apache's territory. they should not be doing anything to affect my browsing session. Nothing at all. Period.

    Apache isn't doing this. One person has posted a patch. It has not, as I understand it, yet been accepted by the Apache Foundation. Even if it were, Apache HTTPD is by design a highly configurable web server which has modules to do all sorts of things, but on any typical web server only a few of those modules will be enabled. This particular patch - even if it were accepted as part of the distribution - only works if both the 'setenvif' and 'headers' modules are enabled, which, on my servers, is not the case. Furthermore, the 'patch' is five lines in a configuration file; if you don't like 'em, comment them out.

    Slow news day, storm in a teacup, nothing to see here, move along.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.