Another Blow to Privacy: Internet Explorer Turns Off "Do Not Track" Default Setting



Until earlier this month, Microsoft's default setting for Internet Explorer was to disable tracking of users' browsing behavior. On April 3, that changed: Microsoft announced that Do Not Track will no longer be the default setting.

In 2011, the W3C (the World Wide Web Consortium) issued a draft specification for Tracking Preference Expression, better known as “Do Not Track” (DNT). As the spec noted:

"It has become common for Web site owners to collect data regarding the usage of their sites for a variety of purposes, including what led the user to visit their site (referrals), how effective the user experience is within the site (web analytics), and the nature of who is using their site (audience segmentation). In some cases, the data collected is used to dynamically adapt the content (personalization) or the advertising presented to the user (targeted advertising)."

In response to the possibly intrusive nature of the tracking, the spec defined an HTTP mechanism through which a user can specify their preferences: allow tracking or don’t allow tracking. When the user turns on DNT, the browser sends a “Do Not Track” request when a user browses to a web site.

Shortly after the draft was published, Microsoft announced that Internet Explorer would set the user preference to not allow tracking. In other words, DNT was set to “on.” Users who wished to allow web sites to track their behavior would have to change the default setting to allow that, but users who did not wish to be tracked would not have to take any actions.

In October 2012, curiously, the spec was updated to say:

"Key to that notion of expression is that it MUST reflect the user's preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control. The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed."

In other words, if the user doesn’t say to turn off tracking, tracking is permitted. Despite the fact that Internet Explorer was not in compliance with this part of the spec, Microsoft maintained the default DNT setting of “on” in Internet Explorer. Both Chrome and Firefox are in compliance with the spec – by default, both browsers do not provide information about a user’s tracking preference to a web site. It’s possible to argue about Microsoft’s motivations, but the net effect was that the Internet Explorer default helped those users unaware of this setting to remain untracked – and there are certainly many such users.
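As an added illustration (not code from this article, the W3C, or Microsoft), this is how a web server might read the preference and end up with the three states the spec language describes. The header name `DNT` and its values `1` and `0` come from the W3C draft; the function names, the handling of conflicting or malformed values, and the sample requests are assumptions of this example.

```javascript
// Added example. Function names, the conflict policy and the sample
// requests are constructed for illustration.
const PREF = Object.freeze({ OPT_OUT: 'opt-out', ALLOW: 'allow', UNSET: 'unset' });

// Pull every DNT value out of a raw HTTP/1.1 request head.
// Header names are case-insensitive, so compare in lower case.
function dntValues(rawRequest) {
  const head = rawRequest.split(/\r?\n\r?\n/)[0];
  return head
    .split(/\r?\n/)
    .slice(1) // skip the request line
    .map((line) => {
      const i = line.indexOf(':');
      return i > 0 ? [line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()] : null;
    })
    .filter((pair) => pair !== null && pair[0] === 'dnt')
    .map((pair) => pair[1]);
}

// Map the header to three states: opted out, tracking allowed, nothing expressed.
// Assumed policy of this example: any "1" wins over a conflicting "0",
// and values other than "0"/"1" count as no preference expressed.
function dntPreference(rawRequest) {
  const values = dntValues(rawRequest);
  if (values.includes('1')) return PREF.OPT_OUT;
  if (values.includes('0')) return PREF.ALLOW;
  return PREF.UNSET;
}

// With no expressed preference the site's own default decides,
// which is why the browser's default setting matters so much.
function mayTrack(rawRequest, siteTracksWhenUnset) {
  const pref = dntPreference(rawRequest);
  if (pref === PREF.OPT_OUT) return false;
  if (pref === PREF.ALLOW) return true;
  return siteTracksWhenUnset;
}

// Constructed sample requests (not captured traffic).
const REQ_DNT_ON = 'GET / HTTP/1.1\r\nHost: example.com\r\nDNT: 1\r\n\r\n';
const REQ_DNT_OFF = 'GET / HTTP/1.1\r\nHost: example.com\r\ndnt: 0\r\n\r\n';
const REQ_NO_DNT = 'GET / HTTP/1.1\r\nHost: example.com\r\nAccept: text/html\r\n\r\n';

for (const [label, req] of [['DNT: 1', REQ_DNT_ON], ['DNT: 0', REQ_DNT_OFF], ['no header', REQ_NO_DNT]]) {
  console.log(label, '->', dntPreference(req), '| tracked:', mayTrack(req, true));
}
```

A browser that ships with the setting on produces the first request for every user; one that follows the spec's default produces the third, and the outcome is then up to the site.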

The spec has since gone through additional revisions, most recently earlier this year. The latest revision uses the same language as the earlier versions: “In the absence of user choice, there is no tracking preference expressed.” Interestingly, Microsoft announced earlier this month that Do Not Track will no longer be the default setting. Microsoft added that they will continue to supply Internet Explorer users with information as to how to turn the “Do Not Track” setting on in the browser settings. This information will be available when a new PC is set up and when Windows or Internet Explorer is upgraded. And for those users who are diligent about reading all of the information that is supplied in a new PC set-up or in a software upgrade, that should work reasonably well. For all of the rest of us, however…
 


Harriet Cohen
Harriet Cohen is a senior product manager at Digital Guardian where she works in the Office of the CTO to turn innovative ideas for enhanced threat protection into product reality. Harriet has over ten years of experience in the security arena, encompassing both data protection and identity and access management.
