We'll track you anyway —

Apache webserver updated to ignore Do Not Track settings in IE 10

Critics say world's biggest webserver is subverting IE privacy preferences.

Developers of Apache, the Internet's most widely used webserver application, have released an update that causes websites to ignore privacy settings in the upcoming release of Microsoft's Internet Explorer.

The changes, which came to light late last week, suppress privacy settings controlled by Do Not Track, a proposed Web standard that is intended to give end users a simple means to register their request that their browsing habits not be tracked by Websites and ad networks. The patch was written by Roy Fielding, one of the architects of Do Not Track, who publicly accused Microsoft of violating requirements in language accompanying the standard dictating that Do Not Track preferences be sent to websites only when users specifically enable them in configuration settings. Fielding is also an employee of Adobe Systems, developer of the ubiquitous Flash Player.

"The only reason DNT exists is to express a non-default option," Fielding wrote in a post defending the change. "That's all it does. It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization."

Fielding went on to say, "Microsoft deliberately violates the standard."

The text of the Do Not Track standard states, "The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application that they communicate with via HTTP, thereby allowing each service to either adjust their behavior to meet the user's expectations or reach a separate agreement with the user to satisfy all parties." It goes on to say:

"Key to that notion of expression is that it must reflect the user's preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control."

Critics of the Apache update contend Microsoft's Do Not Track implementation, which will be included in the upcoming version 10 of IE, is in compliance with the standard. A screen that is displayed when a user first uses the operating system offers two choices: Express settings and a more detailed Customized settings. The same screen explicitly states that choosing the Express option will turn on Do Not Track.

Some critics of the Apache update also claimed it was motivated by financial considerations, since many websites and most ad networks stand to profit by serving ads tailored to a specific viewer's browsing habits. Fielding is an employee of Adobe, whose widely used Flash Player is required to view many online ads.

"Adobe is actively trying to subvert privacy," privacy researcher Chris Soghoian wrote in a tweet over the weekend. "If Roy Fielding was not drawing a paycheck from Adobe, would he have submitted that patch?" he wrote in another.

Adobe and Microsoft spokespersons declined to comment for this article, but the latter company recently defended its implementation of Do Not Track and said there were no plans to change it.

Channel Ars Technica