
Yahoo to ignore IE10's "Do Not Track" - jakeludington
http://www.ypolicyblog.com/policyblog/2012/10/26/dnt/
======
ben0x539
I think it is perfectly reasonable to assume that users intend to not be
tracked by the very large number of third parties they are involuntarily
exposed to on the web.

Yahoo are resorting to this whole buzzword-laden meaningless rhetoric around
~user experience~ and ~value proposition~. That just reinforces the impression
that the only reason anyone was prepared to go along with DNT was that they
assumed that 99% of users weren't going to be in a position to express their
~user intent~ to not be tracked. Since, you know, most people have better
things to do than to learn how to teach their computer about obvious
preferences like "please don't spy on me".

Microsoft is simply making the benefits of the DNT scheme more accessible to
its users. It's pretty telling that Yahoo is already backpedaling from
respecting the users' intent, faced with the possibility that more than an
insignificant fraction of users might actually be enabled to benefit from DNT
by this decision.

(Edit: Personally I think rather than squabbling about DNT, browser vendors
should be taking much more aggressive, technical steps to make tracking users
harder, instead of having a default configuration that stops just short of
transmitting the user's SSN via request header. Disabling features like user
agent and referer headers for and quickly discarding cookies from untrusted
(by individual user "intent", not based on SSL certs or anything) hosts would
be a start.)

~~~
geofft
> the benefits of the DNT scheme

The benefit of the DNT scheme was to kill the lie that most users don't care.
If 99% of users take positive action to change a default and say "Don't track
me", it's believable. If a browser vendor says this, it's not.

Bear in mind that Do Not Track has _zero_ technical merit; it's equivalent to
the "evil bit" prank RFC. Any merit it has must be political.

The value in DNT was going to be that we could convince advertisers that
normal users do, in fact, care, and do, in fact, not want to be tracked. IE's
decision is squandering what DNT attempts to communicate, and squandering that
value. And so when you see advertisers _and_ web server developers rejecting
IE 10's DNT indicator, that doesn't mean that the advertisers or web server
developers are bad people -- that just means that you lost the politics.

~~~
wpietri
That puts Microsoft in a bind. Sensible defaults are important; if you can
guess what users want most of the time, then you should just do that.

In their shoes I would have done some focus groups, spending an afternoon with
people and really educating them on the details of tracking, and what the pros
and cons are for them. If at the end of it most typical users would have
turned it on, then this would have been the right default.

After all, if places like Yahoo don't like it, they could ask people to turn
it off. If Yahoo's right, then presumably most people would turn DNT off, or
make an exception for them. But I suspect Yahoo knows that people don't want
to be tracked, and that a lot of their profit comes from keeping their users
in the dark.

~~~
geofft
> Sensible defaults are important; if you can guess what users want most of
> the time, then you should just do that.

That is a good general rule. In the case of DNT, the header was formulated
specifically with the intent that the default would be off, regardless of what
you expect the user to want, so that turning it on communicates individual
user intent. This is a reason to ignore the general rule in this specific
case.

A good related example would be license agreements. Most users want to ignore
them entirely. Focus groups would indicate skipping them. But if you make a
click-through license agreement invisible, while that's a better UX, the
agreement is now completely legally invalid. In order for the agreement to be
valid, you need the user to have an opportunity to read it (even if focus
groups indicate nobody does).

And while you expect 100% of your users to accept the agreement, the default
needs to be "No, I do not accept".

------
powertower
> Recently, Microsoft unilaterally decided to turn on DNT in Internet Explorer
> 10 by default, rather than at users’ direction.

> It basically means that the DNT signal from IE10 doesn’t express user
> intent.

Blatantly false. Not only are you presented with the option to turn off DNT on
first use (that takes up the entire screen), but I'd imagine users would
choose to have advertisers track them about 1-10% of the time if made to
choose. So a default On setting does represent the consumer to a degree that
you can't ignore.

~~~
jrajav
I also did a double-take on that first sentence you quoted. I'm pretty sure I
read earlier that they will be prompting first-time users on what their
preference will be, and that the "default" basically just means which position
that switch will be in when the choice is presented. However, I did some quick
fact-checking and I couldn't find anything to back that up; if you don't mind,
where did you find that IE10 presents that option?

~~~
ben0x539
I had the same reaction. I found [1], which seems consistent with what I
remembered.

[1]:
[http://blogs.technet.com/b/microsoft_on_the_issues/archive/2...](http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08/07/do-
not-track-in-the-windows-8-set-up-experience.aspx)

------
pbiggar
In all the comments here, I can't find anybody who thinks that Yahoo is doing
the right thing here. Well, I do. I think what Yahoo is doing is the right
thing for them, for their users, and for the web.

If the web is going to be ad supported, then its going to have to be targeted
advertising or its going to be both shit and annoying. Remember "punch the
monkey", or ads that took over the entire screen? Now, through tracking, we
are able to get really really good ads - things you might even be interested
to see and buy.

If DNT was supported by everybody and on by default, that's the end of online
advertising in its current form. So we can choose from the following options:
ignore DNT, ignore DNT for IE10, or go back to non-targeted advertising.

Let's assume the last of those, which leads us to the following options:
revert to shit ads, make users pay for content directly, or pack up your
content-producing company and go home. None of these are best for the users or
the web.

The DNT founders know this - that's why it was default null in the spec and in
Firefox. IE10 is doing this deliberately even though they know it can't work,
and there are choices here: they are trying to improve the world but are
incredibly wonderfully naive, they want to undermine Google, or they want to
undermine DNT. I'd love to believe its the first, but no-one has ever claimed
that about MS.

~~~
ihsw
Or we could have non-intrusive ads and non-targeted ads, there's nothing wrong
with that.

~~~
pbiggar
Except that no-one would click them. We barely click on ads tailors to our
behaviour - we'll never click on ads that aren't (and we never did).

~~~
ihsw
Personally I'm fine with that.

~~~
pbiggar
Unfortunately, if nobody pays for the content, it will go away. That's
probably bad (lets leave aside discussions of how high the quality on ad-
supported content is, and presume that there are people who like to read it).

~~~
ihsw
That seems like the 'too big to fail' argument once used in favor of the
established banks, albeit simplified.

Advertisers and bankers may be unpleasant allies and we've never wondered what
life would be like without them, so let's try it and find out.

------
theevocater
I know people celebrated Microsoft's decision to do this in IE10, but this is
what many of us were saying would happen. The relationship with the Do Not
Track flag was always tenuous so flagrantly ignoring the spec (which indicates
that default on is wrong) was simply going to cause companies to ignore the
flag completely.

Regardless, this whole thing is silliness in the extreme. I wonder if this
means yahoo is going to start allowing requests with the evil bit set as well
:).

(<http://en.wikipedia.org/wiki/Evil_bit>)

 __EDIT __: also, didn't IE revert this change?

[http://blogs.technet.com/b/microsoft_on_the_issues/archive/2...](http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08/07/do-
not-track-in-the-windows-8-set-up-experience.aspx)

Well ... Sort of

> DNT fits naturally into this process. Customers will receive prominent
> notice that their selection of Express Settings turns DNT “on.” In addition,
> by using the Customize approach, users will be able to independently turn
> “on” and “off” a number of settings, including the setting for the DNT
> signal.

~~~
technoslut
Advertising companies can be shameless. What makes you think they ever would
have respected DNT even if was opt-out?

~~~
Karunamon
They support the NAI which enables you to turn off various tracking bits.
Let's not go around shitting on a whole type of business wholesale because of
a few bad actors, hm?

~~~
technoslut
You say "they" like all advertisers support this initiative. They don't. I was
careful not to include all.

I can assure you that not everyone will follow it. Google is a part of NAI and
they were found guilty by the FTC to be circumventing Safari preferences.

~~~
Karunamon
And you say "they" like all advertisers are skeevy and wouldn't honor the DNT
flag.

------
nanoanderson
Maybe Yahoo should respect IE10's DNT defaults, but display huge modal screens
that tell the user "Your browser vendor is inhibiting our value proposition.
Please allow us to track your behavior for maximum value extraction."

~~~
wonderyak
They should give you a medal. That's how you create upward revenue stream
dynamics!

------
jtchang
Took me a second to figure out this whole DNT business.

So basically it is just an HTTP header your browser sends to the server that
tells it not to track. Seems kind of like the wrong way to do it. If I was
some nefarious website wouldn't I have straight up ignore it? There isn't any
incentive for me to not track a user. In fact aren't a lot of companies around
advertising based on the fact that you CAN track users?

More info here: <http://donottrack.us/>

~~~
ktsmith
The thing about DNT is that the advertising industry (not malicious/shady
websites) are supportive of it as a voluntary standard that they will comply
with it. All the major players are saying they won't play nicely with IE10 due
to the default on flag instead of a default null (no intent expressed) flag.

~~~
jlarocco
In other words meaning they're not going to support it...

"We're only going to support it if it's not turned on by default" is not
really supporting DNT. It really shows they're business model depends on
people being computer illiterate. And now that DNT is on by default they're
revolting because they know few people will ever go out of their way to opt-in
and get tracked.

~~~
ktsmith
> "We're only going to support it if it's not turned on by default"

No, they are only going to support it if it is _actually_ the users intent,
not a vendors intent. This is completely reasonable and the actions of MS are
undermining the efforts to get this voluntary standard going. Keep in mind,
DNT is completely voluntary.

~~~
waterlesscloud
What method are they using to determine if it's _actually_ the user's intent?

~~~
dialtone
You have to explicitly set it on, that means the user had to take a specific
action, and that means there was an intent to do it.

------
tvladeck
They key thing to understand is that if IE10 did not have DNT enabled, that
the default setting would be _just as arbitrary_ and would still therefore not
"map to user intent" in their words. There has to be a default in one
direction or the other.

That, and many users will use IE10 knowing that it ships with DNT pre-enabled.
To ignore this is totally immoral and unethical. This is totally shameful.

~~~
ktsmith
>They key thing to understand is that if IE10 did not have DNT enabled, that
the default setting would be _just as arbitrary_ and would still therefore not
"map to user intent" in their words. There has to be a default in one
direction or the other.

The default is to send a null value in the header meaning that no intent has
been expressed, that's not arbitrary.

> That, and many users will use IE10 knowing that it ships with DNT pre-
> enabled. To ignore this is totally immoral and unethical. This is totally
> shameful.

Most users will have no idea what DNT is, nor will they bother to switch the
flag. MS setting it to do not track by default undermines the effort being put
into the standard. No one is going to comply with a voluntary standard if one
of the largest browser vendors turns it on by default.

~~~
tvladeck
> The default is to send a null value in the header meaning that no intent has
> been expressed, that's not arbitrary.

My statement that there has to be a default in "one direction or the other" is
clearly wrong, as you've indicated. I would still argue that a null value is
arbitrary and does not map to the user's wishes. My opinion is that having it
'on' is no more or less arbitrary than having no wishes expressed.

~~~
ktsmith
> I would still argue that a null value is arbitrary and does not map to the
> user's wishes.

It's not arbitrary though, it clearly spells out that the browser vendor
doesn't know what the users intent it.

~~~
tvladeck
Again, fair point - but then by definition the second clause of my statement
is correct - the user's wishes are unknown, so any direction taken is then...
arbitrary? :)

At any rate, you seem well-versed in this area, so let me ask you a question:
what is the difference the website's behavior between a "null" and a "track
me, please" value in the header?

~~~
ktsmith
It's not binary, it's ternary. 1 opt out, 0 opt in, null unknown choice.

In practice the difference between null and don't track me please are probably
non existent. However, in the future if this were to take off it's possible
that someone would come up with creative benefits/uses for tracking that
provide incentive for users to be tracked.

edit: Don't think I addressed your question. The difference between null or
tracking ok and don't track are likely just to be generic advertisements shown
to a user instead of targeted ads, the prevention of some back end selling of
user interaction data and some other things that most people have no idea is
going on. If you can't track users across sites you lose some of your ability
to build up profiles for them. Advertisers will argue that the ads will have
significantly less value without those secondary or tertiary ways to monetize
eyeballs and I suppose you could see some decline in what advertisers are
willing to pay for impressions. Ultimately I've been removed from advertising
for a few years so I'm not entirely sure how much it will make a difference.

~~~
tvladeck
This is really helpful - thanks.

------
wonderyak
> In our view, this degrades the experience for the majority of users and
> makes it hard to deliver on our value proposition to them.

I know Yahoo! has to maintain their business which depends on things like ads
and content delivery; but to say it with such sterile marketing jargon just
makes me nauseous.

How about you guys do what everyone else has had to do since the beginning;
create something awesome and let people use it with a minimal barrier to
entry. Right now, Yahoo! is like a giant skyscraper tenented only by iPhone
case kiosks.

~~~
wpietri
The problem is that Yahoo's customers aren't their users. Yahoo's users are
the veal calves. They don't seem to understand what to do with businesses
where the customers _are_ the users. Flickr, for example.

------
fitztrev
Issue aside, I'm curious about this site itself. The first thing I noticed is
that they're running a pretty old version of WordPress. They're on 3.0.3
(December 2010) when the latest version is 3.4.2. For security purposes, I'm
surprised they don't stay on top of that.

Also I was really confused if this was an official Yahoo site. No real mention
anywhere on it. After some quick digging, it appears to be. But I'm surprised
it's not hosted under the Yahoo.com domain somewhere.

------
ajays
The only reason Microsoft is making DNT the default is because it will
directly impact Google's bottom line (and Microsoft loses money in its online
division, so they won't hurt as much). Since when did Microsoft really start
caring about the users?

------
donohoe
_I left this as a comment on their blog which I assume will never be
approved:_

    
    
      "We fundamentally believe that the online 
      experience is better when it is personalized"
    

Um, doing so is not impeded by DNT as that does not relate to ads. That a bit
of a white-lie to imply that it is they way you've worded that first
paragraph.

    
    
      "It basically means that the DNT signal 
      from IE10 doesn’t express user intent."
    

Actually I think it does - you think your average person on the street wants
targeted ads? Seriously - who is writing this.

    
    
      "In principle, we support “Do Not Track” (DNT)"
    

In principle China, Syria, Iran etc support Human Rights...

    
    
      "Ultimately, we believe that DNT must map to 
      user intent — not to the intent of one 
      browser creator, plug-in writer, or third-
      party software service."
    

Again - seriously - what reality are you apart of?

I had hoped for a Yahoo turn-around of sorts, I really did. You've lost me.

~~~
netcan
Both side are playing an Orwellian game, pretending they are concerned with
users intentions & desires when in reality both are assuming that users have
no intents and desires coherent enough to act on.

They are fighting over the default because they know that in 95% of cases, the
default is all that matters.

------
teuobk
This is surprising, given that Microsoft is the provider of ads on Yahoo
Search (and perhaps other properties).

------
calbear81
It's obvious that Microsoft doesn't have as much to lose with a DNT default
setting in IE10 when their profit center is tied to Windows and business
software. They have MSN.com and Bing but both are money losers and at this
point, hurting Google and Yahoo might be a better strategy even if it means
"cutting off your nose to smite your face". They also hope that this will stem
the defects from IE and help sell more Windows 8 upgrades and Surface tablets
in general.

In regards to how people feel about tracking, people are always asked in
isolation about tracking and of course everyone say's they hate it and they
don't want to be tracked. The better question is asking them if they will
accept the alternative. Scared of Facebook? Put a $5 fee per month to replace
lost ad revenues and users will depart en masse. The reality is a big chunk of
the internet and the services people rely on, love, and use daily are ad
supported and if given the alternative of a free ad supported model vs. a paid
model, they would choose ad supported.

------
leeoniya
To be honest, i actually don't care if yahoo tracks me on yahoo properties -
in fact, i _expect_ them to. What i DO NOT want is for them to track me across
the entire internet through injected javascript, iframes and dedicated
tracking domains that serve same-origin analytic scripts from hundreds of
sites - that is unethical.

Currently using adblock plus, noscript and ghostery on my FF setup with
specific additional controls in ABE for Twitter and FB domains.

~~~
taf2
it's also a very useful feature of the internet, that browser's like safari 6
have broken. there are other uses to third party cookies besides tracking -
a/b testing. many web properties are shared between multiple top level
domains. ecommerce sites will do this for example to sell different product
lines, but they might want to have similar user preferences shared between the
top level domains... you can't do that if you kill third party cookies... or
block the same features that we'd use in ad networks to track you... IE10
isn't so bad it's just saying don't do this... so - we'll happily ignore it.
safari 6 is the real story that hasn't gotten enough attention in
comparison... thankful it's not as widely used or is it... iphone,ipad...

------
Steko
Am I mistaken or did the FTC not just fine Google $22.5 million over the exact
same behavior for a considerably smaller share of web users.

If I'm Microsoft I am making a very public appeal to the FTC over this Monday
morning. $22.5 million is a lot more money to Y! than Google. And as wary as
consumers are of Microsoft long term they've got to degrade the Google/Firefox
brand to start gaining any traction. Why not go full bore on
tracking/creepiness?

~~~
csoghoian
The FTC reached a settlement with Google this year for a $22 mil fine because
Google violated a previous consent order over Buzz.

Yahoo is not under an existing consent order with the FTC. For the most part,
the FTC does not get fines unless a company violates an existing consent
order.

Furthermore, Google didn't get fined because it circumvented Safari's privacy
settings, but rather, because it lied about the extent to which users could
opt out of tracking.

I've not seen anything that suggests that Yahoo is lying about the extent to
which they will respect or ignore the DNT header.

The FTC's deception powers aren't going to be of much use against Yahoo here.

(Disclosure: I worked at the FTC between 2009-2010, and worked on the
investigations of Facebook, MySpace and Twitter).

------
mikegirouard
No comments on the post? Hmm... I'm curious what they are getting but haven't
approved.

