Another Blow to Privacy: Internet Explorer Turns Off "Do Not Track" Default Setting



Until earlier this month, the Microsoft’s default setting for Internet Explorer was to disable tracking of users' browsing behavior by default. On April 3, that changed; Microsoft announced that the Do Not Track will no longer be the default setting.

In 2011, the W3C (the World Wide Web Consortium) issued a draft specification for Tracking Preference Expression, better known as “Do Not Track” (DNT). As the spec noted:

"It has become common for Web site owners to collect data regarding the usage of their sites for a variety of purposes, including what led the user to visit their site (referrals), how effective the user experience is within the site (web analytics), and the nature of who is using their site (audience segmentation). In some cases, the data collected is used to dynamically adapt the content (personalization) or the advertising presented to the user (targeted advertising)."

In response to the possibly intrusive nature of the tracking, the spec defined an HTTP mechanism through which a user can specify their preferences: allow tracking or don’t allow tracking. When the user turns on DNT, the browser sends a “Do Not Track” request when a user browses to a web site.

Shortly after the draft was published, Microsoft announced that Internet Explorer would set the user preference to not allow tracking. In other words, DNT was set to “on.” Users who wished to allow web sites to track their behavior would have to change the default setting to allow that, but users who did not wish to be tracked would not have to take any actions.

In October 2012, curiously, the spec was updated to say:

"Key to that notion of expression is that it MUST reflect the user's preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control. The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed."

In other words, if the user doesn’t say to turn off tracking, tracking is permitted. Despite the fact that Internet Explorer was not in compliance with this part of the spec, Microsoft maintained the default DNT setting of “on” in Internet Explorer. Both Chrome and Firefox are in compliance with the spec – by default, both browsers do not provide information about a user’s tracking preference to a web site. It’s possible to argue about Microsoft’s motivations, but the net effect was that the Internet Explorer default helped the those users unaware of this setting to remain untracked – and there are certainly many such users.

The spec has since gone through additional revisions, most recently earlier this year. The spec used the same language that the earlier versions have used, that “In the absence of user choice, there is no tracking preference expressed.” Interestingly, Microsoft announced earlier this month that Do Not Track will no longer be the default setting. Microsoft added that they will continue to supply Internet Explorer users with information as to how to turn the “Do Not Track” setting on in the browser settings. This information will be available when a new PC is set up and when Windows or Internet Explorer is upgraded. And for those users who are diligent about reading all of the information that is supplied in a new PC set-up or in a software upgrade, that should work reasonably well. For all of the rest of us, however…
 

More from the Digital Guardian Data Security Knowledge Base:

 

Harriet Cohen
Related Articles
Friday Five: 5/3 Edition

When coding is criminal, why HIPAA mandates breaches be reported after 60 days, and evaluating GDPR's nearly one year anniversary are all covered in this week's Friday Five.

Friday Five: 10/18 Edition

A new bill that could put execs in jail for not taking privacy seriously, Singapore hires 500 data protection officers, and more - catch up on the news of the week with the Friday Five!

Friday Five: 5/1 Edition

Australia's contact tracing app sparks privacy concerns, Shade ransomware ceases operations, and Google Play deals with malicious apps. Catch up on the week's news with the Friday Five!

Harriet Cohen

Harriet Cohen is a senior product manager at Digital Guardian where she works in the Office of the CTO to turn innovative ideas for enhanced threat protection into product reality. Harriet has over ten years of experience in the security arena, encompassing both data protection and identity and access management.

Please post your comments here