6/4/2012
08:54 AM

Microsoft IE10 Privacy Settings Draw Advertiser Fire

Privacy advocates laud Microsoft's decision to turn on "Do Not Track" by default in Internet Explorer 10.

Privacy fans: Microsoft would like Internet Explorer to be your browser of choice.

Last week, Microsoft announced that its forthcoming Internet Explorer 10 would be the first browser to implement the evolving Do Not Track standard with a default setting of "on."

"In Windows 8, IE10 sends a 'Do Not Track' signal to websites by default. Consumers can change this default setting if they choose. This decision reflects our commitment to providing Windows customers an experience that is 'private by default' in an era when so much user data is collected online," said Dean Hachamovitch, Microsoft's corporate VP for Internet Explorer, in a blog post.

"IE10 is the first browser to send a 'Do Not Track' (DNT) signal by default," he said. "While some people will say that this change is too much and others that it is not enough, we think it is progress and that consumers will favor products designed with their privacy in mind over products that are designed primarily to gather their data," he said.

The Do Not Track initiative--backed by the likes of Google, Microsoft, Twitter, and Yahoo, as well as the Digital Advertising Alliance (DAA)--is a self-regulatory framework hammered out by technology businesses, privacy and civil rights groups, and advertisers. DNT is designed to give consumers a browser button that they can click to signal to advertisers that they don't want their personal information to be tracked. While the initiative isn't--at least so far--backed by law, the White House made it a cornerstone of the Consumer Privacy Bill of Rights that it announced earlier this year.

But the Association of National Advertisers (ANA), a media and marketing trade association, quickly condemned Microsoft's enabling of DNT by default, saying it would "harm marketers' effectiveness and productivity," increase marketing costs, and lead to an increase in "untargeted, irrelevant online advertising."

"Microsoft's decision, made without industry discussion or consensus, undercuts years of tireless, collaborative efforts across the business community--efforts that were recently heralded by the White House and Federal Trade Commission as an effective way to educate consumers and address their concerns regarding data collection, targeted advertising, and privacy," said Bob Liodice, ANA president and CEO, in a statement. "We reject efforts by any provider or other group to unilaterally impose choices on the consumer in this critical area of the economy."

"On behalf of the ANA's more than 450 members and in conjunction with our sister associations that founded the DAA, we request that Microsoft reconfigure IE 10, which is now in preview mode, to contain a default 'off' browser setting for its 'Do Not Track' function in accordance with the DAA's Self-Regulatory Program," Liodice said.

Likewise, Randall Rothenberg, president and CEO of the Interactive Advertising Bureau (IAB), said in a statement that enabling Do Not Track by default "represents a step backwards in consumer choice, and we fear it will harm many of the businesses, particularly publishers, that fuel so much of the rich content on the Internet."

"We do not believe that default settings that automatically make choices for consumers increase transparency or consumer choice, nor do they factor in the need for digital businesses to innovate and thrive economically," he said. "Actions such as these will undermine the success of our industry's self-regulatory program."

The advertising industry's stated bid to empower users drew a fast response from privacy experts. "After years of tracking users without their knowledge or consent, ad industry suddenly favors a [user's] 'right to choose,'" tweeted security and privacy researcher Christopher Soghoian, further saying that "the 'right to choose' that the ad industry favors is the right to enable Do Not Track (as they want it off by default)."

Advertisers had long advocated that the industry should be allowed to self-regulate. But in late 2010, the Federal Trade Commission released a report warning that "more advanced technologies were enabling 'rapid data collection and sharing that is often invisible to consumers,'" while online privacy policies made it unclear how consumers could protect themselves. In short, the FTC declared that the self-regulatory approach to online consumer privacy had failed.

The FTC's related call for a new, consumer-focused online privacy framework was followed by revelations over supercookies used by some advertisers, which people couldn't detect or block from their browsers, and which enabled persistent tracking across websites. That led to calls by Congress for the FTC to take a closer look at the practices of online advertisers. Before long, such organizations came to the table with browser makers, as well as privacy and consumer rights groups, to begin hammering out the Do Not Track initiative.

Microsoft's move to make Do Not Track enabled by default will now also put Mozilla and Google's approach to DNT in the spotlight. "Mozilla continues to argue Do Not Track choice should be made by users. Microsoft has put them in a very tight spot," tweeted Soghoian.

Comments
dbtinc,
User Rank: Apprentice
6/4/2012 | 2:20:01 PM
re: Microsoft IE10 Privacy Settings Draw Advertiser Fire
My response to the advertisers: vai a farti fottere. My Italian pisani will understand and no doubt agree.