Friday, September 7, 2012

Apache contributes to reduction of Consumer Privacy in Do Not Track (DNT) debate

First things first, a definition of Do Not Track (aka DNT). Let's say that you went to a retailer's web site and searched for an LCD television. A few minutes later, let's say that you are on a different web site. Have you noticed that "LCD TV" advertisements magically come up on that site? This is because you are being tracked across web sites! What you do in one place is now visible to many other web sites, and they can tailor their offerings according to your taste. This is called "personalization", and it happens without the user's consent. To counter it, a Do Not Track (DNT) option is available in most web browsers today. Once the user sets it, the browser tells the web site(s) that the user doesn't want to be tracked. The beauty of the Web is that as users have a choice, so do the web sites, in that they are free to ignore it! There is no law forcing web sites to obey the user's DNT choice. (The specification is being drafted by the W3C Tracking Protection Working Group.) Only a few web sites honor this user choice.

For the technically oriented, this is an HTTP request header named DNT, sent by the browser when it accesses a web site. If DNT = 1, the user has opted out of tracking, i.e., doesn't want to be tracked; if DNT = 0, the user has opted in, i.e., wants to be tracked; and if the header is not sent at all, the user hasn't expressed a preference. The default behavior of the browsers is to not send the header. From this we can see that the user not expressing a preference has the same result on the user's privacy as the user opting in: a web site, even one that honors DNT, will track the user in both of these cases. It will refrain from tracking only if the user has opted out with DNT = 1. Of course, this conforms to the working group's Tracking Preference Expression (DNT) draft, which says a browser must not send the header unless the user has enabled it.

Now comes Microsoft with their release of Windows 8 and Internet Explorer 10 (IE10). They did an awesome thing. They turned DNT on (DNT = 1), i.e., opt out, by default. The user has the option of turning DNT off (i.e., opt in) as part of Windows 8 Setup. Technically, this is a violation of the draft standard, because as per the draft the browser is supposed to remain neutral and not send any header unless the user has explicitly enabled it, and the working group's position is that a default chosen during setup is not an explicit user choice. But we have already seen that remaining neutral is not actually neutral, but is equivalent to opting in!

Let's digress. Have you ever received in the mail a 10-page booklet explaining the privacy policy of your credit card company? The privacy policy would be printed in a minuscule font, and if you manage to read it, you will find something akin to this: "we will share your information with our business partners and affiliated companies for business purposes". No one will tell you what these business purposes are, but the behavior of all these financial institutions is "opt in" by default. This is wrong. The behavior should be "opt out" by default, just like IE10 from Microsoft. Today, you have to specifically send them a signed letter in the mail asking them not to share your information. Most of us don't do it, and hence our data is very easily discoverable. If a business has enough money, say a few tens of thousands of dollars, it can buy the data of the entire US consumer population. And all this is legal. Believe me folks, this is true.

Then comes Roy Fielding, scientist par excellence. I looked at Mr. Fielding's bio, and respect him for what he is. He is one of the principal authors of the HTTP protocol specification, one of the founders of the Apache Web Server (aka HTTP Server) project, and an editor of the DNT draft itself! But guess what, just like many of the luminaries, he also has a holier-than-thou attitude. He has committed a change to the Apache Web Server's default configuration (note: Apache Web Server is the most widely used web server in the world) that strips the DNT header from any request whose User-Agent identifies the browser as IE10, so the application behind the server never sees the user's opt-out. He wants to do this because Microsoft has violated the DNT draft by not being neutral. His argument is that the DNT option does not protect anyone's privacy unless web sites respect it (as I have said at the beginning of this post), and that sites cannot respect a signal they can no longer distinguish from a default. That is correct, but spending time and energy coming up with a software patch to defeat one particular browser's setting? I call this crazy! He is probably one of the many people who hate Microsoft for no reason. IE10's default setting of opt-out is a small step in the direction of increasing consumer privacy and we should all support it (even though many web sites don't respect that option). The right course of action for Mr. Fielding (and his esteemed colleagues at the W3C) would be to change the DNT draft so that opt-out is the default. Do what is good for the consumers; don't let that chip on your shoulder come in the way.
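To make the header semantics from the earlier paragraph and the effect of the Apache change concrete, here is an added example. It is not code from this post, nor Apache httpd's own configuration: it models a site that honors DNT, evaluates the three header states, and then shows what happens when the server discards DNT from requests whose User-Agent carries IE10's "MSIE 10.0;" token (my approximation of the patch's matching rule). The sample requests are constructed, and the "track unless opted out" policy is an assumption about how a typical site behaves.

```python
# Added example (not code from the original post, nor Apache httpd's own):
# server-side interpretation of the DNT header as the post describes it,
# and the effect of a rule that discards DNT from IE10 requests.
# Sample requests below are constructed; the tracking policy is an assumption.
import re
from enum import Enum


class Preference(Enum):
    OPT_OUT = "opt-out"          # DNT: 1
    OPT_IN = "opt-in"            # DNT: 0
    UNSPECIFIED = "unspecified"  # header absent (or unparseable)


# IE10's User-Agent carries this token. Assumption: matching on it is the
# only signal used, which approximates the Apache change's BrowserMatch rule.
IE10_TOKEN = re.compile(r"MSIE 10\.0;")


def header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def dnt_preference(headers):
    """Map the DNT header to the three states the draft distinguishes."""
    value = header(headers, "DNT")
    if value is None:
        return Preference.UNSPECIFIED
    value = value.strip()
    if value == "1":
        return Preference.OPT_OUT
    if value == "0":
        return Preference.OPT_IN
    # Anything else ("DNT: 1, 1", "DNT: yes") is not a valid expression;
    # treat it as no preference rather than guessing.
    return Preference.UNSPECIFIED


def strip_dnt_for_ie10(headers):
    """Mimic the Apache change: remove DNT when the User-Agent claims IE10."""
    ua = header(headers, "User-Agent") or ""
    if IE10_TOKEN.search(ua):
        return {k: v for k, v in headers.items() if k.lower() != "dnt"}
    return dict(headers)


def server_tracks(headers, drop_ie10_dnt=False):
    """Policy of a site that honours DNT: track unless the user opted out.
    UNSPECIFIED and OPT_IN produce the same outcome, which is the post's point."""
    if drop_ie10_dnt:
        headers = strip_dnt_for_ie10(headers)
    return dnt_preference(headers) is not Preference.OPT_OUT


# Constructed sample requests (header dicts), not captured traffic.
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0"

SAMPLE_REQUESTS = {
    "firefox_no_header": {"User-Agent": FIREFOX_UA},
    "firefox_opt_out": {"User-Agent": FIREFOX_UA, "dnt": "1"},
    "firefox_opt_in": {"User-Agent": FIREFOX_UA, "DNT": "0"},
    "ie10_default": {"User-Agent": IE10_UA, "DNT": "1"},
    "ie10_malformed": {"User-Agent": IE10_UA, "DNT": "yes"},
}


def evaluate(requests=SAMPLE_REQUESTS, drop_ie10_dnt=False):
    """Return {name: tracked?} for each sample under the chosen server config."""
    return {name: server_tracks(h, drop_ie10_dnt) for name, h in requests.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("drop IE10 DNT:", mode)
        for name, tracked in evaluate(drop_ie10_dnt=mode).items():
            print(f"  {name:20s} -> {'tracked' if tracked else 'not tracked'}")
```

Run as a script it prints both tables. Without the IE10 rule, the Firefox request with no header and the one with DNT = 0 end up tracked alike, and only the two opt-out requests are spared. With the rule on, the IE10 user who left the default in place is tracked exactly as if they had never set anything, while a Firefox user's DNT = 1 is untouched; that asymmetry, keyed on nothing but the User-Agent string, is what the patch does and what this post objects to.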

The argument from Internet advertisers and the web sites is this. They are providing a service free of charge (like most of our email, photo storage, blogs, etc. are free). Hence they are entitled to track the user's behavior, sell it, and make money off of it. OK, I agree that a business should make a profit, but the users should have the option of protecting their privacy and paying for the services if they so wish. Not giving the users a choice, ignoring the user's choice, or disabling the user's choice by creating ingenious software patches is reprehensible.

I implore the Apache Software Foundation to reject Mr. Fielding's patch. I implore Microsoft to not budge and continue with the current setting of opt-out as the default.

