Skip to main content

Apache patch disables DNT for all IE10 users

An Apache developer has released a patch that would completely bypass the "Do Not Track" setting in the upcoming Internet Explorer 10.

The new Apache patch, currently available on Github, would instruct the Web server to ignore the DNT setting if an Internet Explorer user visits the website. This patch comes courtesy of Roy Fielding, a principal scientist at Adobe Systems who is also part of the group working on the DNT specification for the World Wide Web Consortium. In other words, websites on Apache servers with Fielding's patch applied will be able to track users if they are running Internet Explorer, regardless of user preference.

Microsoft announced earlier this year that Windows 8 will enable DNT automatically in IE10 to "better protect user privacy." Users who don't want DNT have the option to turn it off using the Express and Customise settings during the Windows 8 setup.

"Apache does not tolerate deliberate abuse of open standards," Fielding wrote on Github, in reference to claims that Microsoft is violating the DNT specification by turning on DNT by default.

The DNT specification, which is still in draft form and not yet a finalised standard, is a mechanism for users to tell websites to not track their behaviour online.

The DNT Controversy

Microsoft's original announcement caused an uproar, as many organisations who otherwise supported DNT criticised Microsoft for taking the decision out of user hands. Mozilla's Firefox was the first major Internet browser to support the initiative, but argued that users need to manually turn on, or turn off, DNT in order for it to count.

"It's important that the signal represents a choice made by the person behind the keyboard and not the software maker, because ultimately it's not the browser being tracked, it's the user," Alex Fowler, the global privacy and public policy leader at Mozilla, wrote on the Mozilla blog back in May.

Fielding took the same stance when defending his Apache patch on the Github comments page. "[DNT] does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization," Fielding wrote.

Ignoring DNT

The Digital Advertising Alliance has already said it would honour DNT only if users manually set the setting instead of having it on by default. The problem with this position, which is essentially what Fielding is pushing for Apache, is that there isn't a way to tell if the DNT signal comes from an IE10 user who wants the setting, or from a user who didn't notice the setting during the setup process. So users who are privacy-conscious and aware using IE10 will find websites ignoring their preferences entirely.

There is a debate in the comments as to whether giving users the chance to turn of DNT was the same as getting explicit consent. Regardless of that discussion, many users were upset at the prospect of their preferences being ignored.

"Now, users will think they have DNT on, yet little do they know, Apache decided to screw them over because IE didn't do it a way Apache deems acceptable and therefore no one gets DNT on IE10," Oscar Godson, a JavaScript engineer at Yammer and open source contributor, wrote on his blog.

Other users were concerned about the implications for individual Internet administrators on a shared hosting environment. It does not appear at this time that an individual website owner can override the anti-IE10 settings if the server administrator applies the patch on the Web server.

Apache is the most popular Internet server software, powering nearly 600 million websites, or 60 per cent, of what is online, according to Netcraft's statistics.

This looks like a way to pressure users into not using IE, or a blackmail attempt to force Microsoft to back down from how it implemented DNT. Either way, the server has no role being part of this discussion, which should be left between the website owner and the end-user.

"Adobe is actively trying to subvert privacy," privacy researcher Chris Soghoian wrote on Twitter, referring to Fielding's employer. When other users pointed out that Fielding co-founded Apache and likely created the patch on his own and not as an Adobe employee, Soghoian asked, "When Roy @Fielding participates in the W3C tracking protection working group, he represents Adobe but when Roy @Fielding submits a patch to Apache to ignore DNT set by IE browsers, he is wearing his Apache hat & not Adobe?"