The latest proposed draft of the Do Not Track specification published Wednesday requires that users must choose to turn on the anti-behavioral tracking feature in their browsers and software.
That means that Microsoft IE 10, which the company announced last week will have Do Not Track turned on by default, won’t be compliant with the official spec. Which means that tech and ad companies who say they comply with Do Not Track could simply ignore the flag set by IE 10 and track those who use that browser. Which means Microsoft has no choice but to change the setting.
Microsoft’s surprise announcement last Thursday was interpreted by many as a way to gouge Google, which runs an ad system based on tracking cookies. But it also enraged many online ad companies and industry groups, who saw the move as overly aggressive and a threat to their business model.
The proposal, put forward by the leading privacy voices on the specification, is not yet accepted by the entire group which includes privacy advocates, browser makers, technology firms and online ad companies. But as it includes major concessions by privacy groups, it’s likely to be accepted by and large.
The proposed draft specification (.pdf) states:
Explicit Consent Requirement
Note: This section was recently added and has not been extensively discussed with stakeholders. Please consider it a preliminary position.
An ordinary user agent MUST NOT send a Tracking Preference signal without a user’s explicit consent.
Example: The user agent’s privacy preferences pane includes controls for configuring the Tracking Preference signal.
Example: On first run, the user agent prompts the user to configure the Tracking Preference signal.
If that’s not clear enough, a summary of a working group conference call today sent out later Wednesday made the change clearer:
(1) Today we reaffirmed the group consensus that a user agent MUST NOT set a default of DNT:1 or DNT:0, unless the act of selecting that user agent is itself a choice that expresses the user’s preference for privacy. In all cases, a DNT signal MUST be an expression of a user’s preference. []…]
Implication A: Microsoft IE, as a general purpose user agent, will not be able to claim compliance with DNT once we have a published W3C Recommendation. As a practical matter they can continue their current default settings, since DNT is a voluntary standard in the first place. But if they claim to comply with the W3C Recommendation and do not, that is a matter the FTC (and others) can enforce.
That said, there’s still no total agreement on whether third parties can ignore Internet Explorer 10′s DNT signal, according to working group member Jonathan Mayer, a privacy researcher at Stanford.
“Google, Yahoo, and Adobe pushed for that, but Mozilla, Apple, and privacy advocates have objected,” Mayer told Wired by e-mail after this story was originally published.
Do Not Track doesn’t attempt to block cookies — instead it is a browser setting that sends a message to every website you visit saying you prefer not to be tracked. That flag is currently optional for sites and web advertising firms to obey, but it’s gaining momentum with Twitter embracing it late last month.
The proposal also has the backing of the FTC, which has grown deeply skeptical of the online ad industry’s willingness to play fairly with users and has threatened to call for online privacy legislation. After initially opposing the idea, the online ad industry is now seeking to soothe the feds by hammering out rules that aren’t too tough on data collection. The hope then is that not many users avail themselves of the tool, and then not much has to change in how ad companies build profiles of users in order to sell premium-priced targeted ads.
But Microsoft’s announcement threw a wrench in those plans, since it’s likely that eventually something like 25 percent or more of the net’s users will upgrade to IE 10 over time and would then have DNT on by default.
Mayer, one of the spec’s authors, announced the newest draft spec Wednesday, saying that the group had made much progress and that privacy groups had made large compromises on the final three sticking points, which included the question of default settings for browsers.
“As you review the draft, please recognize that it is a compromise proposal,” Mayer wrote. “The document is not a retread of well-worn positions; it reflects extraordinarily painful cuts for privacy-leaning stakeholders, including complete concessions on two of the three central issues. Some participants have already indicated that they believe the proposal goes too far and are unwilling to support it.”
The final three issues he identified are:
- May a user agent enable Do Not Track by default?
- May a website share its information with corporate affiliates?
- May a third-party website continue to set tracking cookies (or use an equivalent technology for collecting a user’s browsing history)?
The compromise answers are: 1) Require explicit consent for enabling Do Not Track, 2) Allow affiliate information sharing and 3) Prohibit tracking cookies.
All of which means that there’s no likelihood now that Microsoft IE 10, or any other browser, will ship with DNT turned on by default, though they could come with a very easy way for users to turn it on. And there’s also nothing in the specification that would prohibit browsers from blocking tracking cookies by default by refusing “third-party” cookies, as Apple’s Safari browser has done for years.
But the lifetime of a browser with DNT turned on by default is clearly measured in internet time. IE 10 with DNT turned on lived for six days before getting its death sentence.
Photo: Peter Nijenhuis/Flickr