Microsoft sticks to its guns, keeps Do Not Track on by default in IE10

Microsoft announced today that it hasn’t backed down from its contentious decision to enable Do Not Track by default in Internet Explorer 10. In a blog post from Chief Privacy Officer Brendon Lynch, the company said that Windows 8 will inform users of the Do Not Track preference during the first run experience. Customers using the Express (default) settings will have Do Not Track turned on, and those using the Custom settings option will have the ability to turn it off.

“Do Not Track” is a Web privacy scheme that tells online advertisers not to collect or use information specific to a user’s Web requests and responses. Advertisers can still show advertisements, but they’re not allowed to, for example, record that a user browsed several hotel websites to then show ads for other hotels.

The scheme uses an HTTP header sent with every request to every Web server to indicate the user’s preference. The Do Not Track header, named “DNT,” can either have the value 1, indicating that the user does not wish to be tracked, or 0, meaning that tracking is acceptable. The DNT header can also be missing entirely, which leaves the decision up to the advertiser.

The fundamental problem faced by Do Not Track (or any other similar privacy mechanism) is that sending a header doesn’t do anything in and of itself. Advertisers need to both look for the header and honor it if it shows that the user does not want to be tracked. This is problematic, because it’s not actually in advertisers’ interest to not track users. Tracking Web users enables advertisers to show ads that are more relevant to the user, and hence more likely to be clicked on.

Nonetheless, advertisers were tentatively getting on board with the Do Not Track scheme, likely motivated by their fear of something worse. Governments around the world are taking a closer look at the issue of Web privacy, and voluntary support for a privacy scheme could prevent the imposition of more onerous government mandates. While Do Not Track may not be ideal from an advertiser standpoint, it certainly beats something more drastic, such as a government ban on such tracking activities.

Microsoft’s June announcement threatened this tentative agreement between privacy advocates and advertisers. The company said that its browser would not only support the Do Not Track header, but that, by default, it would opt out of tracking. Internet Explorer is still the most widely used browser on the Internet. Internet Explorer 10 is likely to see significant adoption once it is released. In turn, this means that a significant number of Web users are likely to be sending the DNT header and opting out of tracking by advertisers.

Unsurprisingly, advertisers had a fit. While they were willing to give their tentative support to Do Not Track, they were only willing to do so on the basis that it was something that users had to explicitly enable. The advertisers know that most users don’t bother to change the default behavior of their systems, and so were unlikely to bother enabling Do Not Track. Only a particularly privacy-conscious minority of users would opt out of tracking, and these privacy conscious customers are likely to be the kind of Web users who never click on advertisements anyway.

An explicitly enabled Do Not Track was therefore a pretty safe thing to support. An implicitly enabled Do Not Track, however, ran the risk of large-scale opting out of targeted advertising, and subsequently significant damage to the advertisers’ businesses.

Within days, the group creating the Do Not Track specification released an update saying that the Do Not Track header only counted when it was explicitly chosen by the user. Browsers that sent the header by default wouldn’t be compliant with the specification. This in turn would give the advertisers some latitude to ignore its stipulations. Specifically, advertisers argue that, in the face of such non-compliant implementations, they can ignore the header entirely.

Microsoft, however, argues that software should be private by default, saying that its decision “put[s] people first,” and that the textual description during the Windows 8 setup process provides adequate information to let users know what’s going on, and the ability to customize the setup gives users enough control. It may be a default, but it’s an informed default that the user has explicitly agreed to.

Regulators have weighed in on the subject, and Microsoft’s stance has some backing. In late June, the European Commission’s director-general for Information Society and Media, Robert Madelin, wrote to the World Wide Web Consortium’s Tracking Protection Working Group (the group of industry experts working on the Do Not Track specification) saying that in the European Commission’s view, browser-specified defaults do not undermine consumer choice and should not be penalized by the specification. In the EC’s view, such behavior could distort the marketplace.

Moreover, Madelin wrote that the Do Not Track specification should expect browsers to both inform users of the Do Not Track option, and to opt out of tracking by default.

The EC’s stance echoed that of the Congressional Privacy Caucus. Co-chairs Edward Markey (D-MA) and Joe Barton (R-TX) wrote that “browsers that default to Do Not Track provide consumers with better control and choice with respect to their personal information.” Microsoft’s policy was specifically endorsed, with the congressmen asking W3C “to make the protection of consumer privacy a priority and support Microsoft’s announcement by endorsing a default Do Not Track setting.”

FTC Commissioner J. Thomas Rosch, meanwhile, took the contrary view, saying in a letter to W3C that “Microsoft’s default [Do Not Track] setting means that Microsoft, not consumers, will be exercising choice as to what signal the browser will send.”

Second-guessing the DNT header sent by browsers is fraught with difficulties. A browser could market itself as being private by default, and even enumerate in its feature list that it sends the DNT header, opting out of tracking, by default. The mere decision by a user to install this browser would be a positive step taken toward opting out of tracking. Such a thing is hardly inconceivable; there are already browsers that vaunt their privacy as their unique selling proposition.