Apache Patch To Override IE 10's Do Not Track Setting

hypnosec writes "A new patch for Apache by Roy Fielding, one of the authors of the Do Not Track (DNT) standard, is set to override the DNT option if the browser reaching the server is Internet Explorer 10. Microsoft has by default enabled DNT in Internet Explorer 10 stating that it is to 'better protect user privacy.' This hasn't gone down well with ad networks, users and other browser makers. According to Mozilla, the DNT feature shouldn't be either in an active state or an inactive state until and unless a user specifically sets it. Along the same lines is the stance adopted by Digital Advertising Alliance. The alliance has revealed that it will only honor DNT if and only if it is not switched on by default. This means advertisers will be ignoring the DNT altogether no matter how a particular browser is set up. The DNT project has another member – Apache. It turns out that Microsoft's stance is like a thorn to Apache as well. Fielding has written a patch for the web server titled 'Apache does not tolerate deliberate abuse of open standards.' The patch immediately sparked a debate, which instigated Fielding to elaborate on his work: 'The only reason DNT exists is to express a non-default option. That's all it does. [...] It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.'"

It does not protect anyone's privacy...

[Neil_Brown]

It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization

By being set, it protects my privacy as long as "recipients" abide by it without question — it only becomes an issue when "recipients" qualify when they will abide by it.

If active choice is not an option, a default in favour of not tracking seems a better position to me but, then again, I am not an ad network executive.

Re:We care about ad networks?

[BorgDrone]

Yes, all improvements to the web are thanks to the ad companies, it has nothing to do with technological progress.

Re:Gee, How Much Google Paid For This

[heypete]

It's already starting to bother me. I'm seeing these advertisements here on Slashdot too. After I've searched for something on Google, the related advertisements start to come up EVERYWHERE on the internet. Seriously, they come after you. If you search for specific flights you start to see ads for that everyone. It'll haunt you and there's nothing you can do.

Not true: you can change your Google Ad Preferences [google.com] or opt-out.

Similarly, you can use the NAI's opt-out page [networkadvertising.org] to opt-out of Google and other ad network tracking.

There's plenty of browser plugins that work to block ads entirely (such as AdBlock) and ones that ensure that the "opt-out" cookies stay in existence even if you clear your other cookies.

All the other browsers than Safari and IE are in bed with advertisers because both Firefox and Opera get revenue directly from Google.

The default search box in those browsers comes configured to use Google, yes. They do get income from ad revenue stemming from searches from the box. You're not forced to use that search box, nor are you forced to use the default settings -- you can add other search providers (like DuckDuckGo, ixquick, etc.) -- Firefox, for one, doesn't have ad agreements with anyone other than Google.

So for the love of god Apache Project, stop taking bribes from Google and doing evil things like this!

Is there evidence that the Apache project is "taking bribes from Google"?

My understanding from the article is that an individual contributed a patch to the the Apache httpd.conf source code and does not reflect the official viewpoint of the Apache Foundation, nor that the patch has been approved for inclusion. Naturally, I welcome any corrections.

Re:A roundabout way of saying that DNT is...

[Moxon]

Well, yes. Expecting ad agencies to honor DNT seems about as clever as firewalling based on the April fool's "evil bit". In both cases, the people doing something you don't want have to choose to honor your wish. Good luck with that.

Re:Gee, How Much Google Paid For This

[bmo]

Just a FYI.

I went to NAI's opt out page and tried it. I have Adblock-plus. To get all of them, you have to turn off Adblock-Plus, hit the "all of them" button, and then re-enable. Otherwise, you only get 50-some-odd out of 95.

--
BMO

Re:Gee, How Much Google Paid For This

[TrueSatan]

You don't mention this but DNS Crypt is only, officially, supported on Windows and Mac but it can be made to work on GNU/Linux and BSD with a little work. The following site gives the details you would need to do this https://johnfail.wordpress.com/2012/07/24/dnscrypt-for-linux/ [wordpress.com]

Re:Gee, How Much Google Paid For This

[Karzz1]

While I agree with your sentiment I have seen where this patch is referred to as a patch against "source code";in your post and even (from the article page comments) "core source code" and I disagree with that. This is a *configuration file* patch. I don't know of anyone other than a home user trying Apache for the first time who uses the default configuration file; not to mention this patch is not even approved by or included with Apache (yet).

This may be an argument in semantics but it seems to me a true source code patch (ie. one in which once the server is compiled no configuration option will allow a setting one way or the other) is much more worrisome than a simple configuration change.

From what I am reading, unless/until this patch is included with Apache by default, this is really a non-issue. Someone who wants to ignore DNT can do it. Someone who wants to honor it can do so as well. This choice is left up to the company that is using the software (and believe me, even if DNT was hard-coded into the source code, sites that don't want to honor it would simply patch Apache internally). As I mentioned elsewhere in this thread, DNT reminds me of the "Evil Bit" RFC.

DNT not ON by default

[Toreo asesino]

Article is misleading. DNT is enabled if you setup Windows 8 with express settings, at which point it actively states DNT will be set 'on'. Until that point there is no configured values. This is Apache caving into advertiser pressure, pure & simple IMO.

Re:What has Apache got to do with this?

[Simon Brooke]

This is not Apache's territory. they should not be doing anything to affect my browsing session. Nothing at all. Period.

Apache isn't doing this. One person has posted a patch. It has not, as I understand it, yet been accepted by the Apache Foundation. Even if it were, Apache HTTPD is by design a highly configurable web server which has modules to do all sorts of things, but on any typical web server only a few of those modules will be enabled. This particular patch - even if it were accepted as part of the distribution - only works if both the 'setenvif' and 'headers' modules are enabled, which, on my servers, is not the case. Furthermore, the 'patch' is five lines in a configuration file; if you don't like 'em, comment them out.

Slow news day, storm in a teacup, nothing to see here, move along.