

An Update on Microsoft’s Approach to Do Not Track - thisisblurry
http://blogs.microsoft.com/on-the-issues/2015/04/03/an-update-on-microsofts-approach-to-do-not-track/

======
forgottenpass
_but we will provide customers with clear information on how to turn this
feature on in the browser settings should they wish to do so_

A smart reaction to the given reason companies were ignoring DNT. But as long
as more than X% of people enable it, websites that want to track will keep
coming up with lame excuses to ignore it.

~~~
ams6110
Would hold a lot more water if it weren't a NEGATIVE affirmation, with an
unreasonable default (assuming most people WANT to be tracked unless they take
the trouble to tell you otherwise?)

Option should have been "Track Me", unselected by default. If a person wants
to be tracked, let them say so.

~~~
remarkEon
I think this is definitely true. If my parents were prompted when they
installed IE with an explicit message that said "Do you want to be tracked by
websites you visit in Internet Explorer?" my dad's response would probably be
"wtf they can do that?" and then promptly select "NO".

~~~
derefr
You have to assume they at least wouldn't allow the question to be presented
in a straw-man manner like that; nobody would agree to being tracked if they
didn't see what the point of the tracking was.

The actual positive form of the question, ignoring the politics and just
thinking about user intent, would be something like "Do you want this computer
to serve a unique fingerprint to websites, allowing companies to both
reconstruct your identity between sites on their network, or to persist your
identity after you have purged cookies and other session data? Companies tend
to use this tracking ability to enhance your advertising experience, to
collect statistics on the usage of their sites, and to ensure they don't
double-count you. Malicious uses of this data are also possible, though
currently rare."

The important bit of the question, when phrased this way, is that it doesn't
just ask about a _mechanism_ (the DNT header), but about the user's intent—and
because of that, its activation state could be made to control all sorts of
things besides the DNT header. For example, saying "no" to the question should
cause the browser to try to add some per-domain jitter to its answers to
questions about what links are visited, what fonts are installed, what the
User-Agent string is, etc., so that the browser _can't_ be fingerprinted.

~~~
implicitAgendas
I don't understand your opinion regarding any kind of straw man fallacy. Can
you elaborate on where the fallacy emerges?

The idea that advertising needs "enhancement" sounds suspicious. Couching the
premise of the question in 77 words of pseudo-legalese-style terms and
conditions would muddy the waters, and sow confusion, and probably inure
users to do anything to make the checkbox go away, so they can simply get to
the internet.

Politics aside, that kind of twisting and turning smells like a dark pattern,
in my opinion.

~~~
remarkEon
I think where the straw man fallacy comes from in what I set up is that it's
not the websites themselves that are doing the tracking per se...it's your
computer that's letting the company running the website know that this is a
unique user. Because tracking in this manner isn't specifically illegal, a
terms-and-conditions-may-apply statement probably is what's necessary. My
original hypothetical question likely is too simple to survive a challenge.
The "77 words of pseudo-legalese" that derefr posited would also help someone
like my dad truly understand what's going on in the background and, heck, may
even encourage him to research the matter more. Hopefully on a browser set to
Do-Not-Track.

------
dudus
It was always the intention of DNT to represent the user choice.

It was just not explicit that it should be OFF by default. Reviewers' fault.
Microsoft made a Marketing stunt of enabling it by default 2 years ago, in
practice killing the point of DNT and setting back the industry several years.

With a default option DNT would have no reason to be honored by any site
owner. We could be enjoying native DNT tracking right now if Microsoft hadn't
done that stupid dick move 2 years ago.

How many years we'll need before the number of users that already have DNT set
to ON by default are negligent is hard to measure.

This should be a post apologizing for the trouble they caused and for
destroying the point of a W3C proposal that set back the industry for several
years. Instead it looks like another Marketing stunt.

~~~
BinaryIdiot
> With a default option DNT would have no reason to be honored by any site
> owner. We could be enjoying native DNT tracking right now if Microsoft
> hadn't done that stupid dick move 2 years ago[...]This should be a post
> apologizing for the trouble they caused and for destroying the point of a W3C
> proposal that set back the industry for several years. Instead it looks like
> another Marketing stunt.

You're taking this really far out into left field and what you're saying is
incorrect. DNT is a useless standard; it requires the visiting site to receive
the preference and act appropriately on it. There is no way to enforce that
the site acts appropriately. Sites that want to track users were always going
to anyway. Except for maybe a few exceptions (such as I would expect browser
makers to follow the standard) almost no one was ever going to honor this even
before Microsoft's decision.

If you have a business where tracking users can make it more profitable and
the W3C came along with a standard that said "if you receive this bit pretty
please don't track the user please" why would you even care? There is nothing
anyone can do about whether you track or not. At worst someone on a blog
publishes a rant about how you're ignoring it but big whoop; countless other
sites are also going to be ignoring it.

~~~
sp332
I think evidence goes the other way. You can ask web crawlers not to index
certain pages with robots.txt even if it would be better for their business if
they did. And this is widely respected. Now imagine that IIS put "* deny" in
the default site config; it would get a lot less respect.

~~~
fixermark
This example actually highlights an interesting difference between the two.

I think one of the reasons robots.txt is generally respected is that there's a
stick behind that carrot; hypothetically (what with us all using so much cloud
these days), a site administrator that noticed a traffic spike commensurate
with something ignoring robots.txt can respond by treating the requests as
attacker-originated, which most "legitimate" sites would want to avoid.

What's the stick behind the carrot for do not track?

~~~
sp332
You can block cookies or even block ad networks.

~~~
mynameisvlad
Yeah, sure, your average end-user is _totally_ going to do that.

That's the difference between the two scenarios. A sysadmin will know what to
look for and will know how to appropriately react to it. Your average end user
probably doesn't know, care, or know how to react to it. And a built-in
browser implementation will never happen because all the major companies have
it in their best interests not to implement such a feature. If that weren't
the case, we'd have had that feature _long_ ago.

~~~
sp332
I doubt an average sysadmin would ever notice, let alone knowing what to do
about it, let alone putting in the time and effort to do it.

Anyway I'm not sure I put the responsibility on the right group. It will
probably be down to websites choosing ad networks that respect their users'
DNT settings. Just like they choose ad networks that don't host malicious ads
or ads that take over the whole page.

~~~
mynameisvlad
That's a lot more probable, yeah. I doubt anything were to happen on the end
user side to enforce this.

------
sgift
Probably a good approach to deprive companies tracking users of some of their
excuses ("it's not really the will of the people if you pre-activate it" ...
yeah, sure), but I feel a working DNT implementation will need law support and
very harsh punishments. That would be at least far more useful than the EU
cookie law in helping people.

------
ShannonSofield
The fact that I still get snail mail spam catalogs in my mailbox each day,
with no mandated option to opt-out, I see no way that marketers will respect
DNT. The gov't seems to believe that the economy relies on its ability to
market to consumers, even if they don't want to be targeted.

~~~
mynameisvlad
[http://www.consumer.ftc.gov/articles/0262-stopping-unsolicit...](http://www.consumer.ftc.gov/articles/0262-stopping-unsolicited-mail-phone-calls-and-email)
may help with unsubscribing.

------
Panino
Consider the possibility that DNT does more harm than good:

1) Since it's not default, it makes browsers more unique and thus _more
trackable_.

2) It gives many (perhaps even most?) non-technical users a false sense of
security, making them less likely to take more effective measures.

Weighed against what minuscule good DNT might do (I think it does next to
none), these two reasons alone make DNT harmful.

------
cm2187
The debate on DNT is completely sterile as this thing is absolutely toothless.
It's like advertising a flag "do not infect me" as an anti-virus technology.

~~~
azakai
A fence might also be easy to climb over, but can still clearly indicate where
private property begins, and that trespassing there is wrong.

~~~
rascul
It's more equivalent to painting a line on the ground than a fence. Climbing a
fence takes more effort than ignoring DNT.

~~~
azakai
Good point. But painted lines on the ground still have social power, for
example in parking lots, where most people obey them. Hopefully the same is
true for DNT as well.

------
danbruc
This whole thing is pretty silly. If you are not sending a DNT signal then
almost surely only because you don't know about it or you don't care enough,
almost surely not because you really prefer being tracked. Or is there really a
relevant group of users preferring to be tracked? If yes, why?

~~~
kllrnohj
Because I rather like that my search results are improved, my ads are less
random, and recommendations are useful.

Sure if you ask the question "do you want to be tracked?" you'll get an
obvious no. If you ask the question "do you want better search results?"
you'll get an obvious yes.

Biased questions lead to biased answers.

~~~
danbruc
I did not want to imply any bias in the formulation of the question. I
personally don't want to see any ads at all, I don't want to live in a search
bubble and I don't care about recommendations. I can not see any way in which
tracking and creating a profile about me could provide me enough additional
value that I would be willing to compromise on privacy.

But this is of course only me, I hear rumors that there are actually people
valuing ads. But I am still not convinced, the right question is neither »Do
you want to be tracked?« nor »Do you want better search results?« but »Do you
want better search results at the price of being tracked?«. My personal answer
is a definitive no but I can't really tell in case of the general population.

------
jgrowl
People that aren't tech savvy and won't understand how to configure their
browser are exactly the reason why DNT should be default.

Sites that ignore DNT should be blacklisted.

~~~
chc
What does Do Not Track even mean if it does not signify the user's wishes? Why
would people be expected to respect a request not to be recognized that
somebody doesn't even know they're making?

In its current state, Do Not Track is literally meaningless. Any company that
respects Do Not Track is probably just not tracking anyone at all, because as
long as Do Not Track is the default, it does not actually represent a user's
preference.

~~~
teacup50
_Why_ would a user want to be tracked?

~~~
chc
Well, for example, I've heard more than one person say things along the lines
of, "If I'm going to see ads, I would rather see relevant ones than irrelevant
ones."

But more importantly, this isn't a binary flag. People might want to be
tracked, they might want not to be tracked, or — most likely in my opinion —
they might not give two hoots. Similarly, when people walk into a physical
place, they might want to be looked at, they might not want to be looked at,
or they might not be particularly concerned with whether anyone in particular
is looking at them.

~~~
teacup50
That's nonsense used to justify invasive and immoral tracking, nothing less.

------
npizzolato
> Without this change, websites that receive a DNT signal from the new
> browsers could argue that it doesn’t reflect the users’ preference, and
> therefore, choose not to honor it.

With this change, websites could argue that _they don't care_ and choose not
to honor it. Is there any actual enforcement of Do Not Track? If not, the
whole idea seems broken at its core.

------
yuhong
I wonder if anyone used IE11's interface for getting user permission before
tracking.

------
higherpurpose
> As a result, DNT will not be the default state in Windows Express Settings
> moving forward

I _always_ disable all of Microsoft's "on" settings when installing Windows,
as they usually try to pass some sneaky stuff by me, and even if I don't fully
understand what something does, I feel safer having disabled it.

As for the DNT option, I've never really cared for it, as I never use IE for
anything.

But my point is that Microsoft tries to _hide_ these "user choices" in its
Express Settings when installing Windows, so _of course_ this doesn't reflect
people's true choices.

Now if only Microsoft approached their "default settings" there in the same
way, and didn't assume stuff like "you want to use a Microsoft account, rather
than a local account, don't you?" (This actually represents _two_ of the
top 3 requests in Windows 10 user feedback in the Security section - not
requiring a Microsoft account by default).

[https://windows.uservoice.com/forums/265757-windows-feature-...](https://windows.uservoice.com/forums/265757-windows-feature-suggestions/category/87210-security-privacy-and-accounts)

~~~
mynameisvlad
What?

That was in Win8:
[http://www.theeldergeek.com/windows_8/win8_install_setup_per...](http://www.theeldergeek.com/windows_8/win8_install_setup_personalization_screens.htm)
(Sign in without a Microsoft Account)

And Win8.1:
[http://www.theeldergeek.com/windows_8/win_8_1_install_setup_...](http://www.theeldergeek.com/windows_8/win_8_1_install_setup_personalization_screens.htm)
(Create Account > Sign in without a Microsoft account)

At no point were you _required_ to use a MSA, it was always the preferred
option (since you get the sync, OneDrive, as well as automatically signing
into the store and any other Microsoft services) but you _always_ had the
ability to turn it off in the setup screens, and the option was always clearly
labeled. If you didn't want an MSA, local accounts worked _perfectly_ fine as
the default account on the box, and you can always convert to and from within
the PC settings.

