6/4/2012
08:54 AM

Microsoft IE10 Privacy Settings Draw Advertiser Fire

Privacy advocates laud Microsoft's decision to turn on "Do Not Track" by default in Internet Explorer 10.

Privacy fans: Microsoft would like Internet Explorer to be your browser of choice.

Last week, Microsoft announced that its forthcoming Internet Explorer 10 would be the first browser to implement the evolving Do Not Track standard with a default setting of "on."

"In Windows 8, IE10 sends a 'Do Not Track' signal to websites by default. Consumers can change this default setting if they choose. This decision reflects our commitment to providing Windows customers an experience that is 'private by default' in an era when so much user data is collected online," said Dean Hachamovitch, Microsoft's corporate VP for Internet Explorer, in a blog post.

"IE10 is the first browser to send a 'Do Not Track' (DNT) signal by default," he said. "While some people will say that this change is too much and others that it is not enough, we think it is progress and that consumers will favor products designed with their privacy in mind over products that are designed primarily to gather their data."

The Do Not Track initiative--backed by the likes of Google, Microsoft, Twitter, and Yahoo, as well as the Digital Advertising Alliance (DAA)--is a self-regulatory framework hammered out by technology businesses, privacy and civil rights groups, and advertisers. DNT is designed to give consumers a browser button that they can click to signal to advertisers that they don't want their personal information to be tracked. While the initiative isn't--at least so far--backed by law, the White House made it a cornerstone of the Consumer Privacy Bill of Rights that it announced earlier this year.

But the Association of National Advertisers (ANA), a media and marketing trade association, quickly condemned Microsoft's enabling of DNT by default, saying it would "harm marketers' effectiveness and productivity," increase marketing costs, and lead to an increase in "untargeted, irrelevant online advertising."

"Microsoft's decision, made without industry discussion or consensus, undercuts years of tireless, collaborative efforts across the business community--efforts that were recently heralded by the White House and Federal Trade Commission as an effective way to educate consumers and address their concerns regarding data collection, targeted advertising, and privacy," said Bob Liodice, ANA president and CEO, in a statement. "We reject efforts by any provider or other group to unilaterally impose choices on the consumer in this critical area of the economy."

"On behalf of the ANA's more than 450 members and in conjunction with our sister associations that founded the DAA, we request that Microsoft reconfigure IE 10, which is now in preview mode, to contain a default 'off' browser setting for its 'Do Not Track' function in accordance with the DAA's Self-Regulatory Program," Liodice said.

Likewise, Randall Rothenberg, president and CEO of the Interactive Advertising Bureau (IAB), said in a statement that enabling Do Not Track by default "represents a step backwards in consumer choice, and we fear it will harm many of the businesses, particularly publishers, that fuel so much of the rich content on the Internet."

"We do not believe that default settings that automatically make choices for consumers increase transparency or consumer choice, nor do they factor in the need for digital businesses to innovate and thrive economically," he said. "Actions such as these will undermine the success of our industry's self-regulatory program."

The advertising industry's stated bid to empower users drew a fast response from privacy experts. "After years of tracking users without their knowledge or consent, ad industry suddenly favors a [user's] 'right to choose,'" tweeted security and privacy researcher Christopher Soghoian, further saying that "the 'right to choose' that the ad industry favors is the right to enable Do Not Track (as they want it off by default)."

Advertisers had long advocated that the industry should be allowed to self-regulate. But in late 2010, the Federal Trade Commission released a report warning that "more advanced technologies were enabling 'rapid data collection and sharing that is often invisible to consumers,'" while online privacy policies made it unclear how consumers could protect themselves. In short, the FTC declared that the self-regulatory approach to online consumer privacy had failed.

The FTC's related call for a new, consumer-focused online privacy framework was followed by revelations over supercookies used by some advertisers, which people couldn't detect or block from their browsers, and which enabled persistent tracking across websites. That led to calls by Congress for the FTC to take a closer look at the practices of online advertisers. Before long, such organizations came to the table with browser makers, as well as privacy and consumer rights groups, to begin hammering out the Do Not Track initiative.

Microsoft's move to make Do Not Track enabled by default will now also put Mozilla and Google's approach to DNT in the spotlight. "Mozilla continues to argue Do Not Track choice should be made by users. Microsoft has put them in a very tight spot," tweeted Soghoian.

Comments
dbtinc,
6/4/2012 | 2:20:01 PM
re: Microsoft IE10 Privacy Settings Draw Advertiser Fire
My response to the advertisers: vai a farti fottere. My Italian pisani will understand and no doubt agree.