Sunday, June 10, 2012
Microsoft ruffled feathers in the online privacy community this week by announcing that Internet Explorer 10 would enable Do Not Track technology by default. Many have lauded the move as an instance of Microsoft putting consumers’ interests above those of behavioral advertisers — which, ironically, includes itself. However, Microsoft’s stance may run afoul of the W3C committee that’s actually drafting the Do Not Track standard. Right now, they’re saying browser makers must only send a Do Not Track signal with a user’s explicit consent.

What is Do Not Track and how can it protect your privacy? And is Microsoft’s stance about protecting consumers…or whittling away at Google’s dominant position in the online advertising world?

Do Not Track is a proposed technology standard intended to enable individual Web users to express whether or not they consent to having their online activities monitored and collated, mostly for the purpose of being served targeted advertising. It was originally proposed back in 2009 by Christopher Soghoian, Sid Stamm, and Dan Kaminsky in the wake of the Federal Trade Commission indicating it was looking into the idea of implementing a “Do Not Track” list similar to the “Do Not Call” list that has been reasonably successful in letting consumers opt out of telemarketing calls in the United States. However, Do Not Track is not backed by any legislative or regulatory authority: it’s purely a voluntary effort from the technology community — and one many hope will help stave off any government involvement in consumer tracking issues. Do Not Track is not yet a finalized standard: as with most things at the W3C, progress is slow as working groups assemble, stakeholders weigh in, and drafts get circulated.

At a very basic level, Do Not Track is elegantly simple. If Do Not Track is active, a user’s Web browser sends a single HTTP header to remote servers along with every request for pages, images, and any other constituent items that make up a Web page. Whenever you load a Web page, your browser sends a flurry of headers to the remote system indicating not just the specific page you want, but what types of media you can handle, your preferred languages, any cookies the site had previously set for you, information about your Web browser, and more.

The Do Not Track header is called, logically enough, DNT. If the value of that header is “1,” the header serves as a signal to the server that the user does not wish to be tracked. If the value is a “0,” it means the user consents to being tracked. If the header is missing, it means the user isn’t supplying any preference at all about tracking.
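To make the three states concrete, here is a server-side sketch in Python, added as an illustration and not taken from the Do Not Track drafts or any browser or ad-server code. The `visitor` cookie, the `track_when_unset` policy switch, and the handling of values other than 0 and 1 are assumptions, and the sample requests are constructed.

```python
from enum import Enum

class Preference(Enum):
    OPT_OUT = "opt-out"   # DNT: 1, user does not wish to be tracked
    CONSENT = "consent"   # DNT: 0, user consents to being tracked
    UNSET = "unset"       # no DNT header, no preference supplied

def parse_headers(raw_request):
    """Return the request's headers as a dict keyed by lower-cased name."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # first line is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def dnt_preference(headers):
    """Map the DNT header onto the three states the article describes."""
    value = headers.get("dnt")
    if value == "1":
        return Preference.OPT_OUT
    if value == "0":
        return Preference.CONSENT
    # Assumption: a value other than 0 or 1 is handled like a missing header.
    return Preference.UNSET

def response_headers(raw_request, visitor_id, track_when_unset=False):
    """Attach a tracking cookie only when the preference allows it.

    track_when_unset is a hypothetical site policy switch; the header
    itself says nothing about what a server does with no preference.
    """
    pref = dnt_preference(parse_headers(raw_request))
    allowed = pref is Preference.CONSENT or (
        pref is Preference.UNSET and track_when_unset)
    out = {"Content-Type": "text/html"}
    if allowed:
        out["Set-Cookie"] = f"visitor={visitor_id}; Path=/; Secure; HttpOnly"
    return pref, out

# Constructed sample requests (not captured traffic).
BASE = "GET /news HTTP/1.1\r\nHost: example.com\r\nAccept-Language: en-US\r\n"
REQ_OPT_OUT = BASE + "DNT: 1\r\n\r\n"
REQ_CONSENT = BASE + "dnt: 0\r\n\r\n"   # header names are case-insensitive
REQ_UNSET = BASE + "\r\n"
```

Comparing against the exact strings matters: the string "0" is truthy in Python, so a shortcut like `if headers.get("dnt"):` would read explicit consent as an opt-out and could not tell a missing header from either value.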

There’s a lot more to Do Not Track — it’s rolled into a larger specification called “Tracking Preference Expression” which includes JavaScript APIs, server responses, machine-readable policies, and much more. But that 0 and 1 are the basics...