Apache does not tolerate deliberate abuse of open standards

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1371878 13f79535-47bb-0310-9956-ffa450edef68
commit a381ff35fa4d50a5f7b9f64300dfd98859dee8d0 1 parent 9843179
authored August 11, 2012

Showing 1 changed file with 10 additions and 0 deletions.

10  docs/conf/httpd.conf.in
@@ -409,3 +409,13 @@ Include @rel_sysconfdir@/extra/proxy-html.conf
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 </IfModule>
+
+# Deal with user agents that deliberately violate open standards
+#
+<IfModule setenvif_module>
+BrowserMatch "MSIE 10.0;" bad_DNT
+</IfModule>
+<IfModule headers_module>
+RequestHeader unset DNT env=bad_DNT
+</IfModule>
+
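Review bot: the BrowserMatch argument "MSIE 10.0;" is a regular expression, so the unescaped dot matches any character; write "MSIE 10\.0;" if only the literal version token is meant. More importantly, the following "RequestHeader unset DNT env=bad_DNT" removes the header whatever its value: a DNT: 0 sent by the same browser, or a value a user added through a local proxy, is discarded together with the contested default, and nothing running behind httpd can recover it afterwards. If the intent is to distrust only the default DNT: 1, the condition should test the header value as well as the User-Agent. Finally, the only documentation shipped with this new default is the comment "Deal with user agents that deliberately violate open standards", which names neither the standard nor why MSIE 10.0 is singled out; a one-line rationale with a pointer belongs next to the block, since any administrator who wants the header back has to find and delete exactly these lines.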

375 notes on commit a381ff3

François REMY

IE10 is respecting the DNT standards. The specification says that the user should select the option, which the user does during the Windows 8 setup. The specification doesn't say how the option should be selected, nor that it shouldn't be inside an option pack!

karl

This is not a reasonable patch and creates more harm down the road. A user might decide to install a proxy on his/her computer such as privoxy. This is clearly a decision of the user. It means that from now on, because the user is using IE10, this decision will not be enforced.

This patch doesn't work at all.

reschke

@FremyCompany: I recently installed Windows 8 and do not recall being asked about DNT. So IE indeed seems to violate a spec requirement: "Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control."

karl

@reschke The thing is that there is no way for the server to know if the user has chosen it or not. And by doing this, we are imposing another layer of insanity without solving anything for the users. A bad decision on a bad decision doesn't always make it a right one.

reschke

@karlcow I agree that the proposed change negatively affects people who actually did set DNT intentionally and use IE10. I was just pointing out that, IE10, indeed, does violate the spec (and intentionally).

Zack Weinberg

It's not a spec violation. There has to be a default. The IE developers have decided that their users are best served by having IE's default be DNT:1. That is a legitimate decision for them to make and Apache should respect it.

reschke

@zackw no, there doesn't have to be a default. Did you actually read the spec?

karl

The choices of IE10 are irrelevant here in this discussion. This is about Apache doing user agent sniffing, which doesn't

  1. Make the specification better or respect the spec.
  2. Solve any issues for the users.

The users are taken into hostage in a political game between Roy Fielding (Apache, DNT spec editor) and Microsoft. This is not reasonable and will not help anything.

reschke

@karlcow the whole premise of DNT is, like it or not, that "most" people will not use it, thus advertising/marketing people will accept it. Break that assumption, and the whole initiative is dead. Personally, I'd be more than happy if we didn't need DNT and tracking would be forbidden by law.

karl

@reschke this is unrelated to this patch here.

reschke

@karlcow let's agree to disagree here :-) The server believes the DNT header field has been set incorrectly, thus ignores it.

karl

@reschke The server doesn't know it.

reschke

@karlcow that's why I said "believes". And given the fact that most people do not change defaults or add local proxies changing header fields, it probably would be right most of the time. The problem here is IE's behavior. This is what needs to be fixed.

Note that no matter what httpd does here by default, other services may choose the same point of view. The proposed config change just highlights the issue.

karl

@reschke sorry but no.

The proposed config change just highlights the issue.

Not at all. It has the opposite effect, by making Apache look bad. Anyway. I made my point and why it was a bad idea.

Zack Weinberg

@reschke Yes, I read the spec. User-agent implementors have a three-way choice of what the default will be: DNT:1, DNT:0, or no DNT header. Implementors could reasonably conclude that any of these possibilities best serves their users' aggregate interest, therefore any of these possibilities is a legitimate default.

François REMY

@reschke The installation of Windows 8 clearly states that choosing the Express settings will enable Do Not Track (http://t.co/Q9gVOpm4). If you choose the "Personalized" settings, you're even offered an option to enable or disable Do Not Track.

The specification explicitly expresses that the way this option is proposed to the user is not defined nor covered in the spec, so you can't decide on this basis whether or not the solution Microsoft implemented is valid. The user has the choice, so it's valid according to the spec. That the choice is biased toward 'Enable' instead of toward 'Disable' is not an issue here.

Anyway, hiding an option in a place where most people will never see it (which seems to be what you want) doesn't guarantee the user's preference, it guarantees the user's ignorance. Relying on others' ignorance to make sure YOU will not get tracked (because YOU know how to enable that option) is not fair. And just because YOU don't use IE10, you can't decide IE10 users should be punished for doing things right, helping ignorant people to make the right choice.

I'm starting to hope that the DNT standards will fail, to force the European Commission to issue a law on the matter, as it seems its editor is taking the wrong approach... and he is misusing his involvement in other projects to enforce it.

Andrew Wilcox

I just wanted to be very clear that using custom settings does, indeed, allow you to disable DNT if you want to: http://uploads.gewt.net/corgi/and-custom-lets-you-change-it.png

I was of the belief that Microsoft deserves praise for enabling DNT by default. After all, isn't the whole point of DNT to prevent the general population from being tracked?

reschke

@FremyCompany Well, I certainly managed not to spot this in the Express Settings. It's good that it's there. And no, I'd prefer that the choice is made very clear to the user.

I also happen to agree that it would be good if the EU required DNT: 1 semantics as default.

Zac Parker

Seeing the image pasted by @FremyCompany ( http://t.co/Q9gVOpm4 ) it's very clear that IE does respect the spec, and this browser sniffing and disrespecting of IE10's settings should be removed. It has no place in Apache.

Roy T. Fielding

The EU already has two directives (ePrivacy and Data Protection) that do not require DNT, and they still apply as the default in the EU when the signal is dropped. This change has no impact on the EU.

The only reason DNT exists is to express a non-default option. That's all it does. It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.

Microsoft deliberately violates the standard. They made a big deal about announcing that very fact. Microsoft are members of the Tracking Protection working group and are fully informed of these facts. They are fully capable of requesting a change to the standard, but have chosen not to do so. The decision to set DNT by default in IE10 has nothing to do with the user's privacy. Microsoft knows full well that the false signal will be ignored, and thus prevents their own users from having an effective option for DNT even if their users want one. You can figure out why they want that. If you have a problem with it, choose a better browser.

Apache has a history of stepping in when vendors abuse HTTP. That is why HTTP survived the browser wars, and why the Web will continue to survive past the MS-GOOG war. I can assure you that GitHub would not exist now if Apache had not defended the Web's open standards over the past 17 years.

Oscar Godson

There are just so many things wrong with this commit:

  1. Why is Apache forcing vendors to interpret standards their way and punishing vendors who don't comply?
  2. How is the DNT option not clearly marked?
  3. You don't find it just a little wrong that users are going to think this is turned on, yet you guys are just turning it off? Why are you punishing users too?

This is so messed up I wrote this.

Max West

  1. See the last paragraph. "Apache has a history..." Apparently Apache feels this is another chapter in that history.
  2. Whether the option is clearly marked or not is entirely beside the point. It's the default setting that negates functionality of the standard.
  3. Users are being punished by Microsoft, not Apache. By negating the standard, Microsoft has left its users with no DNT option. The Microsoft default setting will be ignored leaving IE users with, effectively, no ability to express their own DNT preference. The problem isn't that "...users are going to think this is turned on...". The problem is that users aren't going to realize that Microsoft has taken away their right to choose.

Mark Rendle

@royfielding I can assure you that grandiose counter-factual assertions do your credibility no good whatsoever.

Mark Rendle

http://www.w3.org/TR/tracking-dnt/#determining

We do not specify how that preference is enabled: each implementation is responsible for determining the user experience by which this preference is enabled.

For example, a user might select a check-box in their user agent's configuration, install a plug-in or extension that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., “Privacy settings: high”). Likewise, a user might install or configure a proxy to add the expression to their own outgoing requests. For each of these cases, we say that a tracking preference is enabled.

So just to summarise this commit: the "Express Settings" for Windows 8 include setting "Privacy settings: high", which in no way violates the W3C specification, but offends Dr Fielding.

Peter Bright

Imagine if I were to fork Firefox, and produce a new browser named, say, DNTBrowse. Identical to Firefox in every regard, except it sets DNT to 1 by default (and has its own branding, obv.). Imagine if the DNTBrowse homepage were to say explicitly, "When you browse with DNTBrowse, the DNT header is set to 1 to maximize your privacy". Imagine if the download page for DNTBrowse again told the user "Before you download and install DNTBrowse, just remember: we set DNT to 1 to protect your privacy".

Imagine also that the actual DNTBrowse installer offered no ability to change the DNT setting; it only offered the default setting of 1.

Would @royfielding genuinely argue that this DNT default were not somehow the expression of deliberate, explicit user intent?

Thaddee Tyl

The DNT spec depends heavily on being honored by ad agencies. If they don't, the eight bytes in "DNT: 1" have no effect.

As it turns out, those ad agencies have been vocal about their position on MSIE's announcement:
http://lists.w3.org/Archives/Public/public-tracking/2012Jul/0153.html

Ignoring a broken UA does not penalize privacy by design -- it makes it possible for industry to honor the real preferences of users with non-broken UAs. Because that's the choice: ignore the broken UA or ignore all of the UAs.

http://lists.w3.org/Archives/Public/public-tracking/2012Aug/0081.html

Speaking only for myself, IE10 is still DNT On by Default

Individual companies can speak for themselves, but Shane's take on it is the general industry viewpoint.

http://lists.w3.org/Archives/Public/public-tracking/2012Aug/0111.html

If the site does not believe the DNT:1 signal is valid, then why would anyone in the supply chain be expected to honor the invalid signal?

http://lists.w3.org/Archives/Public/public-tracking/2012Aug/0168.html

Oscar Godson

@espadrine So, it's not so much about the validity of what MS did (which most of us agree they're doing it to spec), it's more about making advertisers happy. Good to know apache will change core code to please advertisers...

Mark Rendle

The fact that everybody on that public-tracking list is pretending that any user's preference would be anything other than "please don't surreptitiously track everything I ever do on the internet in order to optimise the omni-present advertising that blights every moment of my online life" simply highlights the risible nature of the whole "Do Not Track" premise.

What it boils down to is: we'll honour the DNT flag as long as you don't tell people it exists.

Thaddee Tyl

@OscarGodson Would you agree that XHTML2 was a very nice effort, but ended up being pointless in retrospect?

@markrendle DNT is better for advertisers than AdBlock. It's also better for users (AdBlock doesn't prevent tracking). As for advertising DNT, it is an ongoing effort, with very mixed results.

Oscar Godson

What it boils down to is: we'll honour the DNT flag as long as you don't tell people it exists.

This

Edwin Perez

The default should be not to show people's personal information (advertising companies should not be stealing people's personal information). I hate to disagree with Apache on this. Open source software is great... however without the backing of companies it wouldn't exist. Thus, we can see how apache is being manipulated by companies that back it up.

Jose Fajardo

Shocked ... Apache should not be sniffing this header out!!

interscaperob-duplicate

@royfielding This checkin is very obviously laced with your personal bias and has nothing to do with anything other than your opinion. It does nothing to protect users' interests, it singles out a particular browser, and it damages the idea of open source. It is bullshit, you are an idiot for doing it, and I hope Apache is smart enough to pull it out. Regardless, you just cemented MY opinion to stop using anything from Apache, so thanks for that.

interscaperob-duplicate

I should start committing code that inserts "Stop using a crappy browser!" into the body of every request that detects Firefox, because that satisfies my personal beliefs, and because I can since it's open source. Next we should start ignoring any application/xml requests and send JSON instead... because that's better for your bandwidth, right? Oh, and we should embed browser upgrade warnings for anyone running IE8 or earlier... because that would make just the web better, which is good for everyone. To hell with user choice. We know what's best.

@royfielding you have a PhD FFS, you should know better than to leverage open source to sneak in your own personal political agenda.

Tonci Jukic

You sir, are misusing your "power" in this project to support your personal bias and opinion. That is a clear sign your rights within the project should be removed for the sake of users and to avoid damaging Apache reputation.

John Yeates

I can't see any difference between this and Google's decision to use trickery to set third-party cookies for Safari users as "no third-party cookies" was the default, and they "couldn't be sure that reflected the user's wishes". Google was lambasted for this, and rightly so. I believe this can only harm Apache's reputation.

There's a more important point:

I'm in the EU, where we have data protection legislation. As far as I can see, using a version of Apache that contains this commit exposes me to legal liability under that legislation, just as soon as an IE10 user complains that the default matched his preferences and I tracked him anyway.

That leaves me with four options:

  1. Don't track anyone (not a valid option for many sites, alas)
  2. Stay on a version of Apache that doesn't contain this commit (and lose all subsequent patches, which may expose me to liability when a since-fixed bug gets exploited and personal data is stolen)
  3. Manually remove this code from each Apache install, and check it hasn't been reintroduced on each upgrade
  4. Switch to nginx

Frankly, option 4 seems to be the least hassle.

I also won't stop installing or recommending Ghostery any time soon, as it's clear the advertising industry can't be trusted to respect the DNT header.

allo-

I think the idea is correct, but not on this layer.

Apache itself should not mess with the headers. If Apache interpreted the DNT header, it could decide not to react (by not logging) if the header comes from IE10. But Apache should not unset the header, as each webapp should be able to decide for itself whether it wants to ignore the IE10-DNT-header.

So projects like piwik should consider adding a setting yes/no/yes-but-not-from-IE10, but the webserver should not pass the headers as they are.

AndyCadley

Google Chrome didn't make me sit through a four hour video presentation on DNT and all its implications. Can we assume that a patch will soon be forthcoming to override Chrome's default of allowing tracking? After all, it wasn't made clear to me during the installation, right?

mhstern

I think more bloat on Apache is exactly what is needed. Parse the User-Agent header on every request, please, for something that only matters for some very specific content, for some very specific sites. -sarcasm-

If someone handles DNT server-side, they know of the implications of DNT. DNT is an ethical decision, so the site itself can ethically decide how they deal with it, and how they deal with IE's decisions. Apache should not arrogate that decision to itself.

I agree with tjukic: "That is a clear sign your rights within the project should be removed for the sake of users and to avoid damaging Apache reputation." Also, you are not a coder, and shouldn't mess with code and scripts: coders think efficiently. Apache needs to be efficient, not bloated with political nonsense.

remeiberlin

@royfielding By handling the IE10 DNT default settings this way, you will undermine the users' trust in DNT in general. Probably this is exactly what Adobe and all the ad agencies would like to happen.

wtfftw

It would be nice if IE10 would then detect that the webpage is served by an Apache server, and if so, show an error message or a warning letting the user know that the website is not respecting his Do Not Track setting.

allo-

If Microsoft had wanted the user to know what exactly DNT is, they could have made it a setup-wizard question "do you want to tell sites that you do not want to be tracked", and everything would be fine. So they will certainly NOT tell the user that Apache filters DNT.

Wander Nauta

@allo-, the choice whether or not DNT will be sent is part of the detailed wizard and the fact that 'yes' is the default here is displayed when you pick the Express setup. See the screenshots linked to above.

allo-

oh, the screenshot looks quite fine. No problem with that, I thought it was a default and no further information was displayed.

Wander Nauta

Indeed. Every single IE10 user that has DNT on is explicitly requesting not to be tracked, as the option is marked clearly and worded almost perfectly. I couldn't agree more with the comments above - with this commit, it seems Microsoft is in fact the one actively following the standard (by giving users a choice and not hiding the fact that they, indeed, have a choice), and Apache is breaking the standard (by interfering with sent headers for no reason except politics).

Robert Harker

This is a really bad idea. If it gets adopted widely it will support the argument that DNT needs to be regulated and enforced by law.
It is the old email opt-in/opt-out argument. You rarely see a site that does not have an explicit opt-in or opt-out check box when you register.
A better patch would be to pop up a DNT dialog box allowing the customer to confirm tracking the first time they visit a site.
And don't tell me this is hard to do. You are already tracking people. This is just another data point to track.

Lennie

@AndyCadley Do you know why Chrome did not ask you about Do-Not-Track ? Because Chrome (at least the Dutch Chrome 21.x.x) doesn't seem to send it by default or have a setting to even set it. Even though it was promised in Feb this year already.

Greg Stein

Why don't you all stop and actually take some time to understand this commit, before expressing your poseur outrage?!

This is a change to a config file. Any sysadmin can simply delete it during setup.

Nobody is forced to accept this change. It is simply a new default. <irony/>

Wander Nauta

Not all users of Apache have access to the configuration file. Correct me if I'm wrong, but it looks like this setting, if set, would not be correctable in .htaccess files, the only configuration possibility many people on shared hosting have.

imanavg

RoyFielding - Please keep your political agenda to yourself. The picture here (http://t.co/Q9gVOpm4) clearly shows that DNT is only enabled if user selects express setup. User is also provided with information that choosing express setting would enable DNT. How much did Google pay you to write this patch?

imanavg

@royfielding - Please keep your political agenda to yourself. As shown here (http://t.co/Q9gVOpm4), IE does provide user option to enable DNT. The user has two choices to make, Express setup or Custom. In express setup, it is clearly listed that DNT would be enabled. It is sad to see that your are trying to use Apache to field your political agenda. How much did Google pay you to do this?

makomk

No, every single IE user is not explicitly requesting not to be tracked, because many of them will just click Next and accept the defaults without reading the fine print. We know this, ironically enough, from the fact that a large number of people are quite willing to click Next and allow the installation of spyware that monitors their web surfing and spams them with an endless barrage of obnoxious pop-up ads yet seem surprised when they get what they "explicitly requested".

Oscar Godson

@makomk A big full page bulleted list is not considered "small print". Also, you think it'd be better for these users who just click next and don't read anything to instead hide this feature away where they won't even know it exists? How does that make any sense?

@Lennie Yeah... That'd be fine if shared hosting didn't exist. How do people change it then? Or do those developers not matter? Even so, why is this even a default? It's a politics game and shouldn't even be in here bloating it up.

AndyCadley

@makomk If we assume that is correct, then there is simply no way you can ever determine the user's preference during the installation process. Nothing you do during the install (even the four hour video presentation with follow up exam) is ever provably "enough" that someone, somewhere can't argue the user was just clicking through in a hurry and therefore chose poorly.

And if we're going to go down that route, we'd be better off just defaulting the setting to the one that common sense says most people will probably want and it's pretty clear that is to enable Do Not Track (if everybody was so keen to be tracked online, the feature wouldn't ever have been needed).

EvilHom3r

If you ask me, I think Microsoft should prevent IE users from visiting websites that use Apache. Apache is violating open standards by not respecting Do Not Track.

Except obviously IE (or any browser) won't do that, since it's against what the user wants. Just like this setting is.

The reason DNT is on by default is because it's what pretty much all users would want. If (for whatever reason) they don't want it, then it's very easily disabled during installation. Microsoft is not enabling this behind anyone's backs, as it's clearly stated during installation that DNT will be enabled unless changed.

I would say I'm shocked and appalled that something like this made its way here, but considering it came from someone who works at Adobe, I can't say I am.

Brian Lee

Can the apache community vote on this change?

lymem

In addition to this patch, every site that implements it needs to explicitly notify IE10 users that they will be tracked, regardless of their DNT settings.

Because it is full disclosure right?

Eric Covener

@EvilHom3r -- the substantiated fear is that DNT on (effectively) by default would just mean nobody doing the tracking would give the setting any consideration.

allo-

@covener: and this commit is ensuring that no one CAN give DNT any consideration for IE10 users.

So the people can either assume "IE10 = DNT is set" and ignore the users, who disabled DNT, or just use the header as its available and ignore the DNT setting of users, who enabled it (as default or by their own decision).

ellier

@Roy T. Fielding: You have a valid point; yet, you're going way too far with this patch. You're letting users get caught up in your feud with Microsoft. Resolve the issue in a way that doesn't affect users. You're basically forcing everybody to not use IE10 or to be tracked. That is wrong.

imanavg

This guy needs to be fired for submitting a patch like this.

imanavg

Saale madarchod, how much money G gave u, harami?

Patrick H. Lauke

Since when is it up to the server (rather than the application running on the server) to make such value judgements about whether or not a header was or wasn't explicitly set? The server should simply broker the transaction between the browser and whatever is running on the server. If an app then decides to do its own "if IE10 then ignore...suck on that Microsoft!" then fine, it's up to them, no?
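The point allo- makes above (let each web application decide whether to trust IE10's DNT header) and Patrick H. Lauke's comment just above (the server should broker the transaction, the application makes the value judgement) can be put into code. The block below is an added example written for this page, not httpd code and not something any commenter posted. It assumes requests are plain header dicts, reuses the commit's "MSIE 10.0;" token as the user-agent test, and the sample requests are constructed for the demonstration. It contrasts what the commit's config does to a request with an application-side policy that keeps the header and decides per request:

```python
# Added example (not httpd code, not from any commenter): model the commit's
# header stripping against an application-layer DNT policy.
#
# Assumptions (mine, not the page's): requests are header dicts, and the
# User-Agent test reuses the commit's "MSIE 10.0;" token with the dot escaped.
import re
from typing import Dict

# The commit's BrowserMatch argument is a regex; escaping the dot keeps it literal.
IE10_UA = re.compile(r"MSIE 10\.0;")

# Constructed sample requests (my own, for illustration only).
SAMPLE_REQUESTS: Dict[str, Dict[str, str]] = {
    "ie10_express_default": {
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
        "DNT": "1",
    },
    # Same browser, but the user (or a local proxy, as karl notes) sends DNT: 0.
    "ie10_consents_via_proxy": {
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
        "DNT": "0",
    },
    "firefox_opted_in": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1",
        "DNT": "1",
    },
    "chrome_no_header": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.79 Safari/537.1",
    },
}


def strip_dnt_like_commit(headers: Dict[str, str]) -> Dict[str, str]:
    """What the commit's BrowserMatch + RequestHeader unset pair does:
    if the User-Agent matches, drop DNT regardless of its value.
    Returns a new dict; the input is left untouched."""
    out = dict(headers)
    if IE10_UA.search(out.get("User-Agent", "")):
        out.pop("DNT", None)
    return out


def tracking_preference(headers: Dict[str, str], policy: str) -> str:
    """Application-layer alternative: the header stays on the wire and the
    application decides how much to trust it.

    policy == "honor":          every well-formed DNT value is honored.
    policy == "distrust-ie10":  DNT: 1 from a matching IE10 UA is treated as
                                no expressed preference; DNT: 0 is still honored.
    Returns "do-not-track", "ok-to-track" or "unexpressed".
    """
    if policy not in ("honor", "distrust-ie10"):
        raise ValueError(f"unknown policy {policy!r}")
    value = headers.get("DNT")
    if value is None:
        return "unexpressed"
    value = value.strip()
    if value == "0":
        return "ok-to-track"
    if value != "1":
        return "unexpressed"  # only 0 and 1 are defined; anything else is ignored
    if policy == "distrust-ie10" and IE10_UA.search(headers.get("User-Agent", "")):
        return "unexpressed"
    return "do-not-track"


def compare(name: str) -> Dict[str, str]:
    """For one sample request, what the application ends up seeing when the
    server strips the header first versus when it keeps it and applies a policy."""
    req = SAMPLE_REQUESTS[name]
    return {
        "commit_then_honor": tracking_preference(strip_dnt_like_commit(req), "honor"),
        "app_honor": tracking_preference(req, "honor"),
        "app_distrust_ie10": tracking_preference(req, "distrust-ie10"),
    }


if __name__ == "__main__":
    for name in SAMPLE_REQUESTS:
        print(name, compare(name))
```

The "ie10_consents_via_proxy" row is the one to look at: once the server has unset the header, the application sees "unexpressed" for a user who actually sent DNT: 0, whereas the application-side policy, even the one that distrusts IE10's DNT: 1, still sees "ok-to-track". That is the information loss the unset introduces and the reason the decision sits more naturally in the application.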

Christoph Anton Mitterer

Being in favour of this patch. The current version of the standard is quite clear; if MS doesn’t obey standards, they deserve to be punished… moreover, this patch gives most IE10 users what they probably want (being tracked in order to get many things working).
So this default config is IMHO reasonable.

Zac Parker

@calestyo You didn't read the spec OR any of the comments, did you?

Christoph Anton Mitterer

@allo- wrong, as this commit affects just a default configuration; not httpd’s real code.... any sysadmin can change this as he likes without problems.

Zac Parker

@calestyo Any sysadmin who isn't on shared hosting.

AndyCadley

@calestyo Could you explain precisely where IE10 violates the standard? At installation you have to make a choice about whether you want Do Not Track enabled or not. You cannot run IE without having made this choice. That is exactly what the standard requires.

allo-

@calestyo: same problem other way round: the default has much power, because 99% of the users will not change it.

hizanberg

If it’s included in the “Express” settings then that will be what most users will choose. It’s delusional to think most users actually read and agree with all the default options. Most users will always choose the path of least resistance regardless of what the default options are – so most of the time it means the vendor is making the decision, clearly an abuse of the intent of DNT.

The standard quite clearly states that it must be the result of an explicit user choice, not that of the browser vendor or a mega corp pushing their own agendas. Being included as part of the “Express settings” makes it the OS provider's choice, not the user's – if there was a stand-alone screen with that as the only question with no default option selected, then that would classify as a user choice – it’s not, so IE 10 is ignored and further dilutes the meaning of DNT for everyone else.

Mark Rendle

@calestyo I'm intrigued as to the nature of the "many things" that will be kept "working" by being tracked. Would you care to elaborate?

Patrick H. Lauke

How about changing this patch so that any IE10 users get redirected to a custom page on the server that asks them explicitly if they want to be tracked or not? This approach already works so well for the EU cookie law, doesn't it?

Mark Rendle

@hizanberg You italicise the word explicit as though it were somewhere in the specification, which it isn't. Here are some things which are:

We do not specify how that preference is enabled: each implementation is responsible for determining the user experience by which this preference is enabled.

and

the user might ... make a choice for privacy that then implicitly includes a tracking preference

and

... the expectation will be that their chosen user agent and personal preferences regarding Web site behavior will not be altered by the network environment

and

Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control.

AndyCadley

@hizanberg You explicitly have to make a choice during installation, there is no way you can not. You can argue till you're blue in the face about whether or not it's an informed choice or just the user picking the quickest route through, but that's not what the standard mandates and nor is it something that can be determined. You could just as easily argue that burying the option in some hidden config dialog means it's no longer an explicit user choice either, so it should presumably be acceptable for Apache to assume that anyone browsing with Firefox or Chrome wants DNT turned on, they just didn't know how to.

If you disagree with the standard and really want to resolve this, then change the standard so that the method and wording of the selection is part of that standard. Don't just decide to ignore the standard and abuse the decisions made by end-users because it happens to suit the business you work in.

hizanberg

@AndyCadley Do you have any idea what percentage of users go with the defaults? If the default option was to not enable it (which it should've been for opt-in options) do you really think this would have any significance on the % of users that continue to choose the defaults?

The EU BrowserChoice ballot box wasn't mandated for fun, vendor defaults are anti-competitive vendor choices, not users.

You can argue till you're blue in the face that the end-user is making this decision, they are not - the browser vendor is, damaging the intent of the standard - to the detriment of everyone else.

AndyCadley

@hizanberg By that argument the end-user isn't making the decision in Chrome, Firefox, Safari etc either. It's still the browser vendor. So you can still only "fix" it by altering the standard to mandate how that decision is made.

The only thing that's very clear is that it is not for the creator of a middle-tier component (in this case Apache) between the end-user and the web application in question to conceal the user's DNT setting, because that is actually forbidden by the standard (section 3).

Adam D

@gstein, most people either won't scroll through the whole config file, notice this and remove it, or their shared hosts have it enabled and they're wondering why their DNT script isn't working.

Christoph Anton Mitterer

@AndyCadley, IIRC the current version of the standard explicitly forbids browsers to set this per default.

@markrendle, well I guess there are sites that use tracking to make their provided services work. Just one has e.g. things like session IDs etc.

Mathieu Jobin

This commit was good for one reason: it allows people to discuss around it. Now that we all agree that ignoring IE10's DNT setting is not the way to go, what would be the best solution to protect everyone's privacy?

Mark Adamcin

These are the most important arguments in support of this patch that I can think of:

  1. The people above who have chosen to engage in an argument in a public, online forum by asserting that "everyone" prefers privacy over features like social network integration have already provided sufficient evidence to the contrary.
  2. Windows 8 is not a user agent. IE 10 is a User Agent. It is Windows 8 Setup that is capturing a user's preference to set a default DNT value in another application. Is the configuration presented to new users who were not involved in the installation of the operating system?
  3. DNT does not apply to user data captured by operating systems (like Windows) or closed-ecosystem network providers (like Live). If you are willing to believe that Microsoft is acting out of concern for end-user privacy, then I have a terrific program to sell you that will remove all that nasty spyware you have installed and make your internet really fast! Click here now!
  4. I wasn't involved in the installation of Windows on my work laptop. I predict that if I ever receive a Windows 8 laptop for work, and the default option still exists to set the DNT flag during Windows setup, my IT admins will have chosen for me. They will choose to leave the default, since they care only about managing security in a way that is convenient for them, and they couldn't care less about any abstract and non-specific impact on my user experience, and they certainly aren't paid to worry about complying with an open standard for the good of the community.
  5. All things being equal, adding more headers to an HTTP request will not increase one's privacy. It only makes sense to assert otherwise when taken in the context of an enforced standard. Thus, to claim the benefits of the standard while simultaneously acting in open violation of said standard can only result in the eventual nullification of said benefits. Because of this, Microsoft is essentially choosing to follow the path of a free rider, and that's one massive free rider.

So long as its competitors respect the DNT flag sent by IE10 along with every other browser, Microsoft can claim (read: "advertise") that Windows 8 and IE 10 are more secure than other browsers that default to an unspecified DNT, in which case Microsoft wins. If its competitors stop respecting the DNT flag when the standard becomes moot, Microsoft will be in a strong position to lobby for new government-enforced consumer regulations against its rivals, since the industry clearly could not be trusted to self-regulate. The only way to maintain the standard is to call out Microsoft by nullifying any free rider benefits and ensuring that they get stuck with the appropriate amount of blame for undermining the industry standard.

End-users will remain largely uninformed about DNT unless it is put in front of them with a clear call to action. It's the responsibility of software vendors like Microsoft, Mozilla, Apache, Google, and Apple to conform to and enforce these kinds of open standards if there is any hope that they will last. Microsoft still has the market share weight on the client side. The only heavyweight large enough to hold them accountable on the server side is Apache, and this commit is simply fighting default config with default config.

Mark Adamcin

I looked closer at the screenshot of the express install (here: https://img.skitch.com/20120907-tu8m3msxk7sngf61188f8hxm7a.png) and saw that the line immediately following the DNT default preference states, "Help improve Microsoft software, services, and location services by sending us info". And a couple lines below that, "Let apps give you personalized content based on your PC's location, name, and account picture."

This selection of default settings isn't consistent with an exceptionally high regard for user privacy.

imanavg

Why the hell aren't my comments posted? Is some asshole too sensitive that they can't accept freedom of speech?

sunseraphic

@adamcin

Apache is not the battlefield for Microsoft-haters to fight counter Microsoft.
Please leave the greatest OpenSource common internet middleware away from your "jihad".

@royfielding

For you, dear Dr, it would be more valuable to push the REST concept to the industry than to involve(start) such dirty ugly political war. Since there is so much pseudo-REST service framework or middleware. Only one blog post is not enough.

Tonci Jukic

While one can understand that Microsoft made it the wrong way and IE should rather clearly present this option when started for the first time, instead of during system installation, there is a serious problem with this kind of solution.

Apache does the very same (wrong) thing here. Even worse maybe. You are defaulting to completely ignore IE10 users who may or may not have deliberately decided to set a DNT flag to true. You can't simply counter Microsoft's possible failure by taking a revenge path and by enforcing your own opinion. Who ends up screwed here are end users who want to protect their privacy and who are made fools by this.

If you are really concerned for end-users and their choice and privacy, go ahead and send a forced response that questions users explicitly about DNT, while explaining that since IE sets it as default, you are not sure.

But silently ignoring privacy selection and enforcing personal war is not the right way to do this.

AndyCadley

@calestyo Then I suggest you go re-read the standard, as it makes no statement either way about which way the setting defaults. It even explicitly allows for a systems administrator to have machines configured with a default set however they like. The only requirement is that the user must be free to change it to reflect their personal desire. So a Group Policy setting to enforce a DNT setting would violate the standard (there isn't one). As would a third party piece of software in the middle overriding the DNT headers (like Apache for example) based on someone's personal grudge against IE.

@adamcin

1) If you don't understand that it's perfectly consistent for me to make an active choice to discuss this in public (and using my real name to do so) and yet to not support the hidden tracking mechanisms that the likes of Google and Adobe have been using, then I'm not sure you understand privacy.

2) For the record, no it isn't presented to secondary users.

3) Likewise Google is an advertising company which benefits significantly if Chrome users never find the setting to turn DNT on. So when can we expect your submitted patch to make it appear all Chrome users have opted in? Or is the truth that your opinion is nothing to do with user privacy and everything to do with the fact it's Microsoft who've taken a choice that you dislike.

4) And if you use IE10 at work, you will be able to switch it off yourself. Regardless of what your IT admin does, because the standard requires it and IE is following the standard. The standard requires that you are always in control of the setting, nothing more and nothing less.

5) We wouldn't even be having the discussion about having to add headers to try and protect people's privacy if it weren't for the fact that those providing web services have abused their position to collate more data than most people would feel comfortable about in the name of 'personalisation'. Are you really surprised that anything that undermines their ability to do so is something they want rid of? Do you honestly believe it's coincidence that the patch was submitted by an Adobe employee, given their position in the market? Do you not see how they benefit if the most widely used webserver (Apache) ignores the setting in the most widely used browser (IE)?

Greg Stein

You guys are conspiracy-loving idiots. I know Roy. His integrity is without question. His patch has nothing to do with Adobe. Likely, they may be angry with him, but he will continue to stand up for the Right Thing.

Tonci Jukic

@gstein We don't know and we don't have to know Roy. It is not about him, but about a clear standard violation this patch does and makes Apache faulty DNT related.

Mark Rendle

@adamcin If those are the best, most important arguments you can think of, then you have highlighted just how unsupportable this patch is.

  1. Voluntarily engaging in online discussion of important issues (and doing so on a well-respected site with no ads) is nothing like having random online entities maintain a detailed history of my browsing behaviour in order to serve customised, targeted advertising on every site I visit.

  2. IE10 is part of Windows 8.

  3. All commercial software these days captures user metrics to inform future development of said software, including every major browser and Adobe CS. There is a world of difference between capturing anonymised statistical data showing how often people use a feature or a menu item and capturing personal browsing history.

  4. I'd be very surprised if your admins haven't specified a custom group policy for your company-wide installations, in which the DNT flag will have been explicitly set.

Your point 5 made no sense to me, so I can't offer a rebuttal. Your argument descends into Microsoft-hating conspiracy-theorising after that, and loses objectivity and relevance.

Mark Rendle

I think it's worth explaining for the benefit of some of those engaged in this debate that tracking cookies are not the cookies used by websites to maintain server-side session state (which I assume @royfielding will be disabling in another commit, since persisted session state is a violation of REST). Tracking cookies are the ones put into thousands of sites by advertising companies like DoubleClick and TradeDoubler so that after you spend some time browsing for, say, electronic cigarettes, you'll see advertisements for electronic cigarettes on every site you visit for the next week. It's an insidious little business model that in no way benefits consumers, and the suggestions in this discussion thread and in the specification itself that some people would, if made aware of it, actually choose to have it done to them is either disingenuous or idiotic.

Wander Nauta

@markrendle Yes and no. I disabled Google's advertisement personalization (you can relatively easily opt-out of that if you want), but after a few weeks I got tired of seeing ads for female hygiene products, garden tools and sports events so I turned it back on. In my case, personalized ads were to Google's benefit as well as mine, and I decided to 'trade' some of my privacy for better (more interesting) ads.

makomk

@AndyCadley You're right, most users won't have made an explicit decision about whether or not they want Do-Not-Track enabled on Firefox and Chrome either, but if they comply with the standard Firefox and Chrome will tell websites that users haven't expressed any preference. They won't claim that users had said they were OK with being tracked because they went with the defaults when they installed the browser, since that would be just as uncompliant with the standard as what Microsoft is doing.

AndyCadley

@wandernauta That's a perfectly acceptable choice and there is nothing to prevent sites from even noticing you have DNT enabled and guiding you through the process of setting it via a "What happened to my personalised ads?" or similar link. If the majority of users out there are massive fans of personalised ads, what will happen is that they either change their settings or move to a different browser because "IE broke all my ads". If you genuinely believe that the majority of people out there want tracking enabled even more than the advertisers do, then this is a non-issue. That won't work however if Apache starts getting in the way and users find the setting unreliable, because conventional wisdom will become "Don't bother changing that, webservers ignore it anyway".

@makomk Do you honestly believe any website anywhere will treat "no preference" as anything other than "yup, I'm fine with you tracking me"? So not expressing a preference is implicitly making the choice for the user. Which is arguably far more against the spirit of DNT than anything else.

And to re-iterate what people still seem to be struggling with. Microsoft's implementation DOES NOT violate the standard. If you can find a place it does, please provide a specific reference to the section in the standard they violate, because then we can all read the exact text and move the discussion forward in a sensible manner rather than going round in circles based on what people think is in the standard or what they would personally prefer, neither of which is relevant.

ChodaBoy

Apache does not tolerate deliberate abuse of open standards

Google has already been caught circumventing cookie privacy in Safari. Now Apache will ignore the DNT setting? This "patch" makes one thing perfectly clear: No company or organization can be trusted to ensure the user's right to privacy. Therefore, laws must be introduced to protect the user from the predatory actions of others. No organization has any right to a user's private data. However, in most locations, the users do have a right to privacy. Clearly, the only way to gain access to a user's private data must be through a positive confirmation, or "opt-in", mechanism. Any violators must face harsh penalties similar to the ridiculous fines imposed on individuals caught sharing files. Let these violators pay $650,000 per violation per user per session and see how long they stay in business.

I would like to thank @royfielding for providing proof that open source and not-for-profit organizations cannot be trusted, either.

ellier

It is not the role of the web server to make decisions about privacy on my behalf, the user. This is a POLITICAL PATCH. Use some other medium to go about your war with Microsoft.

Mark Rendle

@wandernauta Horses for courses, I guess. I can count the number of times I've actually clicked on an internet ad on the fingers of one elbow.

Ironically, I don't really use IE because there's no good AdBlock plug-in for it. :)

imanavg

  1. As shown by other people, IE is actually following the standard so this patch itself is not needed.
  2. Even if any browser was not following the standard, it is not Apache's job to fix that. It must adhere to standard instead of being used for political agenda.
  3. Roy shame on you for using Apache to field your agenda. How much did G pay you?

Let us revert this stupid patch ASAP.

interscaperob-duplicate

If you think people actually "want to be tracked", you are just as big of an idiot as @royfielding. Yeah, I really want to have purchased something, and have ads for shit I have already bought or services I have already signed up for plastered all over every page I visit for the next 6 months.

And for anyone thinking the point had merit, the title of the checkin confirms it has nothing to do with any user benefit and is a political statement designed to send a message and "punish" Microsoft. It is that simple. Open Source should not be allowed to be used for that purpose, against anyone. Period. Save the political statements for hacktivists.

imanavg

OSS has hit a new low.

interscaperob-duplicate

As usual, Rafael Rivera neatly summarizes the problem with the standard itself: http://twitter.com/WithinRafael/status/244842640108032000

The standard should opt into tracking, not opt out. Then the problem as determined by a very small minority of people on this thread would cease to exist, because the default would always be equivalent to DNT:1, and you would be assured a variable other than TMP:0 would be explicitly triggered by a human who actually wants to be tracked.

Funny how supposed experts and PhDs can miss the simple solutions.

reschke

@interscaperob if you believe you are smarter than those people trying to make this standard, why don't you go ahead and send feedback to the W3C Working Group?

Thaddee Tyl

@interscaperob Today, the default is tracking. The only way to change that is through a law. Laws on the Internet so far have proved that government intervention in a global Web is very dangerous and easily misdirected.

Do Not Track tries to deal with the issue through an agreement with the ad agencies. If they refuse to default to not tracking, then acting horrified that someone tries to reach consensus on this won't make the problem go away. Refusing DNT as agreed will only make it never be implemented by ad agencies.

Lennie

@interscaperob I believe the standards were created with cooperation with the ad-agencies, I think it was probably a compromise to have the default be 'the user did not make a choice'. It was probably the only way to get their cooperation.

Also I don't know if you know, a number of countries already have a law. And I think the EU does too.

If there is a proper industry wide way to opt-out (or opt-in) like this one which has been agreed on by all parties involved (browsermakers and website builders and users) then the law applies.

If you find an ad-agency does not comply with it, you can probably take them to court.

As this is the Internet, you can probably find a website on which that ad-agency advertises which is hosted or domainname registered or domain owner lives in one of these countries. So you can take them to court in such a country. If you can prove it (which is the hard part probably ?) then you'll probably win the case and ad-agencies will start to think twice about tracking.

So as the laws already exist, you should probably talk to the workgroup at the standardsbody to get them to change the meaning of what it means when no DNT-header is set.

Roy T. Fielding

@Lennie Yes, the laws in EU already exist and they define the default server behavior when no DNT is received. Thus, removing an invalid DNT header field remains compliant with any regional laws. In any case, at the current time, implementations of DNT on the server are only speculative, since the working group has not agreed yet on a definition of what Do Not Track means and the requirements for server compliance. In fact, the default of "unset" (ISSUE-4) is one of few things we have resolved (twice) -- the entire discussion of which can be found in the public mailing list and issue archives (see links in the Tracking Preference Expression draft).

Apache HTTP Server does not yet implement DNT (and makes no claims of compliance) because: (1) DNT impacts first party services differently than third party services and we have no way of knowing which one applies; and, (2) the sections of the specifications regarding server compliance and the tracking status response are still in flux. If we do implement DNT, the implementation would impact code throughout the whole server, and the workarounds for broken browsers might then be more subtle than simply dropping the signal. Browsers have chosen to send DNT already, in spite of it not having a proper definition and not actually doing anything for users, because it is easy for them to claim "privacy" while punting the actual work to servers.

Personally, I prefer the legislative approach for regulations because only good companies adhere to voluntary standards. I am personally in favor of data protection laws in the US, similar to those in the EU, but hopefully easier to understand and implement. For example, the White House initiative on a Privacy Bill of Rights is awesome for a political document; unfortunately, the people who wrote that policy proposal are not the ones who write US laws.

The companies that are participating in the Tracking Protection working group are the good guys—the ones who actually will turn off tracking if the user desires it. What about the others? It should be no surprise to anyone that, as soon as a reasonable technical standard is established, the advocates will push for legislation to force adoption. That's fine with me, provided we have a standard based on user preference and user expectations, not one subject to the whims of a convicted monopolist. Contrary to what some idiots here have said, I like Microsoft—they have good employees, a nice group of representatives in the working group, and are a Platinum Sponsor of the Apache Software Foundation and the over 100 projects we manage. However, their business is still a business, and occasionally their business side chooses to do things that are actively harmful to the Web. No business should be allowed to do that unchecked.

To the astroturfers who only joined github in order to spew lies about what is in the standard: I wrote that section. I know what it says, why it says it, and what that means. It has been formally reviewed by the WG several times to assure that it represents the consensus on ISSUE-4. It is part of an open standard under development, which means the right way to change it is to go through the working group process and request a change. If the working group changes its opinion regarding the "unset" default or how it might be implemented, then I (or someone faster than me) will submit a patch to Apache that corresponds to the new consensus opinion of the working group. Apache has no particular interest in what goes in the open standard -- only in that the protocol means what the WG says it means when the extra eight bytes are sent on the wire.

Mario Liebisch

Seriously, this patch invalidates its own existence on its own: You assume IE10 violates the (unfinished) open standard, so you violate the same open standard (by modifying the user's preference, even if it's set by him intentionally)? That's just plain wrong. I've never read the full document, but the snippets above alone should be enough proof for this patch to be revoked. Layers between the user and the backend (i.e. server side scripts) must not modify the DNT header, no matter what. Yet this patch does that exactly. Let the page provider decide whether he wants to trust IE10 or not. It's his responsibility, not httpd's.

I'm no lawyer or anything, but even from my layman's knowledge, I'd assume that this patch, should it stay in the code base, would open the door for lots of trouble for hosters using Apache httpd. If you use it, you might violate European privacy rights and regulations by invalidating the users' choice to not be tracked. I'm from Germany and if I'm telling a German company/page owner they have to delete any and all personal data they got from me, they have to comply. If I do that by enabling the Do Not Track feature in IE10 and you (in the form of the web server) change it back, I could go to court with this. I don't think any reputable hoster would like to risk such things, in the end dropping Apache httpd in favor of alternative solutions. This patch won't protect personal data, it won't improve the product and it won't help anyone. All it does is damaging the Apache Foundation and its projects, creating even more problems and possible legal issues in a field already having more than enough things to consider or comply with.

For me this is just another instance of that annoying "browser fanatism", where someone tries to force others to use (or not use) the browser of their choice, just due to some weird believings, ideals or simply hate. When Microsoft introduced their Tracking Protection, people complained about them not implementing DNT. Now they do and people try to break it, while complaining about it not being like they expect it to be. Serious? End it now.

IMO this patch should be reverted and this "private war" be ended immediately, including the revocation of commit rights. That's not serious software development, it's kindergarten (breaking other kids' toys because they don't like your own favorites).

Edit:
Just to make it clear: If the user wouldn't have any option (which they do) and IE would just always say "DNT = 1" (which it doesn't), then I'd agree with you. It would be in violation. But even then, I'd take the issue to Microsoft and not force some option people might not be happy with. Maybe they picked it just due to that fact in the first place. I'm using IE9 at home and work, and I'll use IE10 as well WITH DNT set to 1. Why do you invalidate MY explicit choice?

Brian Lee

@royfielding I think it is disingenuous to refer to your opponents on this comment thread as astroturf. I can only speak for myself, but I've been a github member for quite a while. I have nowhere near your legacy of commits and activity, but to insinuate that I am some sort of paid shill by your opponents leads me to believe that you can't attack the message, so you instead attack the messengers by saying they are invalid.

This is very much against the principles that the Apache Foundation has fought for all these years.

Since this issue is obviously contentious, why not just hold a vote on the commit like on so many thousands of other non-contentious patches over the years. That should put the issue to rest.

If you avoid a vote you are undoing years of Apache meritocracy.

Derek P. Moore

Could Apache support a way for IE10 users to add or modify a header so that it would be respected?

Oscar Godson

No worries everyone. I've sent a pull request to fix this. @derekm this should also do what you're suggesting.

#2

interscaperob-duplicate

@royfielding TL;DR: I wrote the standard so I know what is right, anyone who just joined GitHub is obviously not a coder (because GitHub is the only source code system that matters, and if you haven't been using it for years to check in important code like mine, you are a moron).

It is not the responsibility of Apache or IIS to do a damn thing with the bits that it gets. Web Servers are the MESSENGER, they pass a message on from one party to the other, from the end user, to the CODE. That is it. So Microsoft has created a default and "punted the responsibility" to the people who code web SITES, not web SERVERS. How can web site developers trust the messages they are getting from the web server are legit if the people that make that web server can insert their political agenda into the 1s and 0s they process whenever they want?

There is no other answer but "THEY CAN'T".

And if you think the WG is the way to fix the issues, then why the $%^& did you check in a change that was NOT the result of a WG decision? That is pretty hypocritical. If you were trying to do anything other than to make a political statement, then your checkin title wouldn't have been a political statement.

You can spin it however you want, there is no justification for your actions. Glad someone took the time to undo it.

AndyCadley

@royfielding If you believe IE is violating the standard, then point out the exact section in the standard that you think it violates (they're all handily numbered for just such an occasion). Not what you took away from an outside discussion, not what you think it means but what it actually says because that is the crux of the issue. The rest of the WG has agreed on that wording for a reason, not because they agree with some other meaning that you happen to think has already been agreed.

imanavg

@royfielding - It is sad to see someone bring Apache into their personal vendetta against a certain browser.

Mark Rendle

@royfielding

I wrote that section. I know what it says, why it says it, and what that means.

Really? You wrote something so vague, so non-specific, so woolly as to be open to wildly differing interpretations, and to provoke heated debates on the internet as to the actual intent of the original document?

Again?

patheticcockroach

It's funny how some people here are defending the right of MSIE to set their default options in a certain way (DNT=1) and at the same time deny the right of Apache httpd to set their default config file a certain way. Just as with MSIE, if you don't like the default Apache configuration file feel free to edit it.

Tonci Jukic

@patheticcockroach There is a difference: MS IE 10 has a default setting of DNT:1 which every single user can change according to their wishes.
Not a single user can change Apache default setting that ignores especially MS IE 10 (discrimination) and that way ignores what users wish, no matter what they select.
If it happens that a site owner wants to host a web with Apache, they also may not be able to change a default setting which may (as default) ignore DNT setting from MS IE 10 users.

Do you understand the problem?

geodanny

Roy, I recommend consulting with the rest of your working group (and perhaps with Adobe/Apache legal counsel) to clear up any ambiguities in the language you drafted in the Do Not Track (DNT) specification.

I think the plain and clear terms of Section 3 of the draft spec contradict what you say in the comments. http://www.w3.org/TR/tracking-dnt/#determining

The plain language of the specification requires that, as a general rule, the key passed by the browser reflect the user's personal preference. It expressly states that the preference passed may "not [be] the preference of some institutional or network-imposed mechanism outside the user's control." Based on the actual text used in the draft spec, this requirement does not apply to Microsoft's default setting enabling DNT. This is because changing the default preferences provided by Microsoft is within the user's control during installation, setup, and in the browser itself based on the screenshots provided in these comments. Moreover, Microsoft provides clear and conspicuous notice to its users that DNT will be enabled by default during those screen flows and that users have an option to alter those default settings.

Furthermore, the spec does not control how the DNT preference is enabled and leaves the user experience up to the software implementing DNT -- here software made by Microsoft. As section 3 further states, "[t]he remainder of this specification defines the protocol in terms of whether a tracking preference is enabled or not enabled. We do not specify how that preference is enabled: each implementation is responsible for determining the user experience by which this preference is enabled." This language would strongly suggest that other parts of the spec that suggest an express choice by the user is required can be ignored --- thus potentially inserting some ambiguity.

That said, I understand the stated goal is for users to express their personal preference regarding Do Not Track (DNT). Section 3 states: "[t]he goal of this protocol is to allow a user to express their personal preference . . . ." But I would not rely on this language. By its very nature a goal is not a commandment, rather it is precatory language more along the lines of a request and is "the end toward which effort is directed."

For the record, I don't think you have an agenda or hold ill will toward Microsoft. The spec is still just in draft form and goes through several revisions and public comments specifically to find and clear up this sort of potential ambiguity before final publication.

patheticcockroach

@tjukic: every single server owner can change the setting according to their wishes. It was already the case before that patch anyway: any server owner could apply the same kind of configuration to ignore DNT from any browser.
@markrendle: a wizard is applicable to MSIE because that's the way people are already used to installing it. I don't know how you install Apache, but I usually review the whole configuration file... so the analogy stands: during the usual set up the setting can be modified. As for shared hosting, well it's up to the people managing the server: again, they could already ignore DNT from any browser should they choose so.
Really, Apache is doing the very same as Microsoft. An eye for an eye, nothing more. Except that Apache users are used to tweaking the default settings, while the same definitely can't be said of MSIE users: generally, an MSIE user who tweaks his browser uses Fx/Chrome/whatever. As for the sponsorship, I don't really think MS cares about Apache's default settings anyway. This even gives them the occasion to play the victims/nice guys...

Mario Liebisch

Tweaking default values is one thing. Explicitly verifying any and all lines in the configuration file is something most probably won't do. For example, if you know you have to change some proxy or virtual host settings, you're looking for these lines explicitly. If you know you'll have to add some modules, you do so. But I don't think anyone would check every single line every time they upgrade the server. They'll most likely just assume the defaults haven't changed without any notice. But even then, especially in a virtual host environment with customers having no access, such a default setting is more likely to cause problems than to be of any use, especially if this preset gets the host to actually apply such things (e.g. he wasn't aware it could be done). Also, from a user/hosting customer point of perspective, this change isn't transparent. IF you drop the flag, you should at least tell the endpoint you did so, e.g. by sending another header like "x-dnt-dropped: 1" (or 0 depending on previous value) or whatever. This won't make the whole patch or idea more valid in my eyes, but hiding the manipulation is even worse.

@patheticcockroach: "Except that Apache users are used to tweaking the default settings, while the same definitely can't be said of MSIE users: generally, an MSIE user who tweaks his browser uses Fx/Chrome/whatever"
Could we keep the "users of x are inferior or dumb" rambling out of play? I use Chrome and Firefox for testing only, otherwise IE all the time. You can tweak quite a lot (even more using the IEAK). Also this is no real argument or anything regarding this discussion.

Yvan Da Silva

I agree with the patch, but hope it won't make it to prod (stable version):

IE DNT bits do not reflect user choice; that choice shouldn't be a system installation preference, but instead a first-run (and later in browser options) choice, like the search engine and so on.

MS perfectly has the power to patch their browser and make it work with the behavior I mentioned above, and so this Apache patch will never make it to production.
But we all know MS, it won't change that behavior, because they want people to believe IE is safer than the other browsers (yeah, commercials...).
I perfectly understand your points of view related to the problem that the choice of this "Apache behavior" is not available for sysadmins on shared hosts, but other choices aren't available via shared hosting either... That's why it's called so: "shared hosting, shared preferences..."
So until MS changes that behavior, I do agree that this config should stay, but it should also be mentioned in the changelog of Apache as a major change, so that sysadmins can decide to keep it or throw the IE-DNT-ignoring lines away.

I would say this is the perfect moment to send this patch to MS offices with a simple suggestion to patch their browser and make it more "Fair play".

Patrick H. Lauke

"I agree with the patch, but hope it won't make it to prod(stable version)"

nice, so we agree to use patches to apache as a blackmail bargaining tool? "hey, MS, we don't like your decision...if you don't change your mind, we're going to release this patch".

mature, very mature...

Yvan Da Silva

@patrickhlauke How can you say it differently?
I do not disagree with the fact that the standard requires DNT to be a reflection of the user's choice, which it isn't. Even if there is a way to modify it during the install, what is the probability that a user has changed it? Most computers come pre-installed.

But I do not agree with discriminating against a browser unless it is not playing fair, and I would hope things turn out well. Not messy like they are now...

Sorry if you think it's immature, but the whole MS-GOOG-APPLE browser fight is... Come on... Just let the user choose at runtime, is that really difficult? (Oh yes... certainly because you can't brag about that in your ads and in your demos...)

There is no real solution to this problem on the server side; it's a client issue, and like most client issues you have to deal with it on the server side (ask web designers how much time they spend making their standards-respecting websites work as expected on IE...).
And what other means do you have to communicate with IE and clearly state that what they are doing is wrong?

Sebastian Schocke

I don't understand how anybody on here can support this... Just because I choose to use IE10 on Windows 8, I should not have the right to have my DNT settings respected?

That goes against the entire intent of the standard... might as well say it never mattered whether Microsoft implemented this feature... how absurd!

Tonci Jukic

And I believe that most people would and will select DNT=1 if asked. Empirical evidence pending I guess.

Yvan Da Silva

@markrendle So it is a user choice then! And this patch has no reason to be.

But I wish I could see it on an OEM computer pre-installed (because most come with lots of bloatware pre-installed and custom configs, and this screen might be bypassed). So if we could confirm that this screen is not bypassed by manufacturers then this patch should be removed; otherwise I remain favorable to it.

Mario Liebisch

No, the screen will be there. OEMs have the option to preload an installation without ever creating a user account. That's nothing new, it's been the same since XP (or probably even longer, but back then accounts weren't as obvious). The screen is definitely NOT bypassed. The first time you log in, you're presented with the account creation (or login to Windows Live). IIRC it's even a requirement Microsoft sets as a first-boot experience OEMs have to keep intact.

reschke

@tjukic we're getting off-topic here. The reason browsers did not clear flash cookies is because there wasn't a way to do so in the plugin API. That has been defined some time ago (yes, with support of Adobe), and nowadays browsers should handle flash cookies just like other cookies. (see https://wiki.mozilla.org/NPAPI:ClearSiteData)

Tonci Jukic

Thanks Reschke, still there seems to be a problem with the way this is being handled here. Apache server is no place for this.

patheticcockroach

@markrendle: anyway, not being tracked is a client issue, not a server issue: just setting some header can't prevent a rogue site from tracking you nonetheless. For instance I'm not even sure setting DNT to 1 will prevent Google from performing machine learning on you and serving you tailored ("bubbled") results (they say it will for the ads, but I found no mention about the rest). As a user, if I don't want to be bothered I take real actions such as Ghostery and such. So whatever happens to DNT won't change the face of the world for those who really care. Still, I agree that ignoring DNT by default for a specific browser isn't very graceful, but enabling DNT by default in said browser isn't better and basically leaves us with two +/- equally unsatisfying options.

reschke

Just for the record: I just booted Win8, created a new user account ("test", a local account), logged in as that user, started IE and never was asked about Tracking.

Drak

Frankly, :+1: to this change.

Mike Amundsen

Those who understand "choice architecture" know exactly what is at stake here. The proposed standard defines an agreement to provide a consistent "choice model" to everyone; that is: default NULL w/ explicit selection by the user.

Microsoft's decision to provide a different "choice model" (default ON) is a d*ck move.

DanielStrul

You've written a standard that can work only as long as nobody uses it? You are furious that Microsoft broke your toy by making this option a default for all users rather than keeping it confidential and limited to a few geeky power-users? Your move then was to abuse your position so as to blackmail Microsoft and/or Microsoft users?
As an astroturfer who registered only to voice my opinion: a standard that works only when nobody uses it is worthless, and this browser-sniffing patch is a complete disgrace. Please revert this insanity: it won't hurt Microsoft in the least, but it might hurt your reputation (right now, I'm wondering if you've gone completely bonkers).

Mike Amundsen

@markrendle

Tell me if you can see any difference in the following choice models:

  1. We are going to track you. Do you want to change this? yes( ) no ( ) (optional)
  2. We are not going to track you. Do you want to change this? yes( ) no ( ) (optional)
  3. Do you want us to track you? yes ( ) no ( ) (required)

The proposed standard defines model #3 and no others.

reschke

@markrendle as far as I can tell you are wrong; at least as far as it concerns a new user being logged in to Win8 for the first time. See a381ff3#commitcomment-1831259. BTW: yelling doesn't help.

patheticcockroach

@DanielStrul: I think there are also other implications: if MS gets away with this, they'll run around advertising MSIE as the privacy browser. Then other browser vendors will likely be tempted to follow, and before you know it every browser will have DNT on "by default" (well, maybe almost by default as detailed by @mamund), which makes it kind of meaningless... and makes a perfect argument IMO for advertisers not to comply with it.

karl

@mamund not exactly.

s/We are going/They are going/

As a note: I would love to have any OS proposing, when it's time to install and/or create a new user, an option saying "Do you want to activate DNT:1 for all your HTTP requests" with an explanation of what it is.

This patch is wrong, as it has been said many times in this thread, because it doesn't help the users in any way. I'm involved in quite a lot of patches and hacks for badly configured Web servers on the browser side. A patch is here for helping the users by improving the interoperability. That's all. It is definitely a patch for creating noise and discussions around the choice of IE10. (fwiw, I'm not a microsoft user)

DanielStrul

@patheticcockroach: Yes, I understand the implications of MS actions. De facto, they're killing the DNT standard. But I still have this uneasy feeling that this was a standard that could only exist as long as it was restricted to a minority elite. If that's indeed the case, and I'm waiting for some proof of the contrary, I don't see much point in salvaging it.
@mamund: Thanks for the piece of intel, provided it's accurate. Unfortunately, I can't find this viewpoint anywhere in the standard working drafts. Care to provide a source?

Mike Amundsen

@karlcow: OK, now we're getting somewhere. And yes, s/We/They is a good point.

So, I think we agree that what is needed are explicit (and helpful) requests presented to the user in order to accurately record their DNT preference, right? This is done via choice models and there is quite a wide range of options in order to accomplish the task. My initial post only listed three, but I can think of a few more.

I think this notion of "choice models" needs to be cleared up in the document. The current sentence:

"The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user."

is not clear enough and allows for muddling of other choice models. Basically, the phrase "deliberate choice by the user" is insufficiently defined in the above quoted sentence; that's why there is a debate on this point.

Mike Amundsen

@DanielStrul:

check my response here for reference w/in the tracking docs:
a381ff3#commitcomment-1831935

The quote is from here: http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#determining

As I mention above, the phrase "deliberate choice by the user" is, IMO, insufficiently defined in the docs and that leads to the debate.

@markrendle (and others) assert that granting a user the ability to skip taking an action ("we will set option Z to value X unless you tell us otherwise") meets the definition of "deliberate choice by the user." @royfielding (and others) do not see it the same way.

Until this point is cleared up, the work is stalled. My suggestion is to take cues from the "Choice Architecture"[1][2] POV and modify the document to define "deliberate choice by the user" in a way that removes the current ambiguity and still allows vendors freedom to craft their UX as they wish while knowing they are within the proposed standard.

[1] http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1583509
[2] http://en.wikipedia.org/wiki/Choice_architecture

karl

@mamund no. We are not getting anywhere. Either people send comments on the public working draft

This document was published by the Tracking Protection Working Group as an Editor's Draft. If you wish to make comments regarding this document, please send them to public-tracking@w3.org (subscribe, archives). All feedback is welcome.

but an HTTP commit is not the place for a discussion about the IE10 team's decision (bad or good), as this user agent sniffing does not solve anything for the IE10 users who are taken hostage in that commit.

Mike Amundsen

@karlcow: I see.

I thought you and I were talking about the problem regarding the draft, not this commit.

My bad. Carry on.

reschke

@tjukic please add a 4th option: "I don't want there to be a default".

Tim Williams

"but an HTTP commit is not the place for a discussion about IE10 team decision (bad or good)"

good point. fwiw, github commenting isn't the place for discussing httpd either. http://httpd.apache.org/lists.html#http-dev

DanielStrul

@mamund: thanks for the link, slightly more up-to-date than the version I was checking. Quite frankly, after reading these two sections 20 times in a row, I now see what you mean: to be fully compliant without messing up their install process, MS should have left the DNT option in the disabled state. Without explicit consent from the user, full compliance with the standard simply means not using it. The good news is: IE6 was already fully compliant then...

reschke

@markrendle Microsoft had plenty of time to fix IE; the problem was pointed out months ago.

Michael DeMutis

Pull this patch. How can I ensure my version isn't using this?

patheticcockroach

@Fever905: just check your config file I believe ;) (httpd.conf)
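Added example, not part of the commit or of any comment in this thread: a small POSIX shell check a sysadmin can run against a configuration file to see whether the two directives from this commit (a BrowserMatch setting the bad_DNT variable and a "RequestHeader unset DNT env=bad_DNT") are active. The function name and the sample configs are constructed here; the check only reads the file it is given and does not follow Include directives, so run it against each included file as well.

```shell
#!/bin/sh
# Added example (not from the httpd project): report whether an httpd
# configuration file carries the DNT-stripping directives from this commit.
# Returns 0 when both an uncommented BrowserMatch that sets bad_DNT and an
# uncommented "RequestHeader unset DNT env=bad_DNT" are present, 1 when
# either is missing or commented out, 2 when the file cannot be read.
# Usage: dnt_strip_check /path/to/httpd.conf

dnt_strip_check() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Only lines whose first non-blank token is the directive count;
    # "# BrowserMatch ..." is a comment and is ignored. Include files
    # referenced from this config are not followed.
    grep -Eq '^[[:space:]]*BrowserMatch[[:space:]]+.*[[:space:]]bad_DNT([[:space:]]|$)' "$conf" &&
    grep -Eq '^[[:space:]]*RequestHeader[[:space:]]+unset[[:space:]]+DNT[[:space:]]+env=bad_DNT([[:space:]]|$)' "$conf"
}

# Constructed sample configs so the script runs stand-alone: one with the
# directives as committed, one with the same lines commented out.
sample_with=$(mktemp)
cat > "$sample_with" <<'EOF'
<IfModule setenvif_module>
BrowserMatch "MSIE 10.0;" bad_DNT
</IfModule>
<IfModule headers_module>
RequestHeader unset DNT env=bad_DNT
</IfModule>
EOF

sample_without=$(mktemp)
cat > "$sample_without" <<'EOF'
<IfModule setenvif_module>
# BrowserMatch "MSIE 10.0;" bad_DNT
</IfModule>
<IfModule headers_module>
# RequestHeader unset DNT env=bad_DNT
</IfModule>
EOF

if dnt_strip_check "$sample_with"; then
    echo "$sample_with: DNT header is stripped for matched user agents"
fi
if ! dnt_strip_check "$sample_without"; then
    echo "$sample_without: DNT header is left intact"
fi
```

A hit from this check means the default configuration strips the DNT request header for matched user agents before any CGI, proxy backend or logging sees it; removing or commenting out the two lines restores the header as sent by the client.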

Paweł Paprota

But what is the real impact of this commit - I imagine that the decision to include it (or not) in the Apache configuration will be made by distro packagers and then by sysadmins.

reschke

@markrendle the problem was pointed out right after Microsoft published the public preview (I believe, see http://www.microsoft.com/en-us/news/Press/2012/May12/05-31Windows8RPPR.aspx and https://twitter.com/fielding/status/208344148523229185); since then over three months have passed. As of June 1, the last published spec said (http://www.w3.org/TR/2012/WD-tracking-dnt-20120313/): "Key to that notion of expression is that it must reflect the user's preference".

As of now, IE10/Win8 doesn't seem to even ask a new user on a Win8 system about their preference; it just defaults to "DNT:1". And yes, I tried today. Did you? See a381ff3#commitcomment-1831711 -- I note you did not comment on that and draw my conclusions.

Martin Brenn

And even if this would be a non-conformance with specification (which it is not)...
does this allow Adobe to include a patch into a webserver, also violating the specification and without any discussion, trying to solve a problem at a complete wrong layer to support their business?

"Key to that notion of expression is that it must reflect the user's preference".

And even to boycott my choice to use Internet Explorer 10 and my choice to enable the DNT-Header during installation of Windows 8.

Sorry, this is just a political/business-driven patch and does not fit to Apache's philosophy.

patheticcockroach

@mbrenn: it's just a change in the configuration though. It's not like some bloody hardcoded stuff like the 'Server: Apache' header that you can't remove or forge...

Martin Brenn

If this is just a change in configuration, remove it from the repository and add it to your server. Most people trust the default configuration.

Apache is not a playground for people who don't like certain browsers...use your server!

My opinion, over and out...

Derek Kent

This is absolutely not the right place for this kind of politicking. Not only does it not solve any issue, but it potentially creates new ones.

patheticcockroach

@mbrenn: if you must know, what I'll probably do is disable DNT as a whole on my server, I just don't believe in this "feature". This patch is great because it taught me how :) As I already posted earlier, people who do care use real stuff like Ghostery and not some funky setting relying on big brothers' good will. Last but not least, the only reason I dislike MSIE is because it's a web development nightmare. So 1) I don't dislike MSIE 10 that much (because the nightmare should be kind of fixed now) and 2) I'm more interested in fixing it than crippling it any further ;)
@gamedev8: already pointed out in an earlier post: if you're in a shared environment you already depend on your host's choices: they might already be disabling DNT if they wanted to. And anyway, as a webmaster who doesn't even have the use for a full server, do you really bother (as in, does it change anything for the stuff you're running) about DNT? This thing makes sense for big dataminers, like, a few huge advertising networks, or Quantcast and the likes. Being "tracked" by some local installation of Piwik isn't something many properly informed users would mind.

patheticcockroach

@markrendle: and when the average user sees that dialog (http://www.computerworld.com/common/images/site/features/2012/08/Express_Settings_Win8RTM.jpg), do you really think they even read it before clicking "use express settings"? How do you think all those "non computer people" end up with 5 to 10 yahoo/babylon/google/AVG/spamspamspam toolbars? By not bothering to review the default installation settings... On a side note, I like how the default turns on DNT but also turns on the "occasionally send my activity reports to mothership".

Derek Kent

@patheticcockroach If we can assume users read and agree to an EULA, which is significantly longer, then I think it's more than fair to say that they can read a few bullet points (the 3rd of which happens to explicitly notify them of DNT).

patheticcockroach

@gamedev8: works both ways: DNT means DNT, it doesn't mean MS decided I don't want to be tracked. Probably if you really want it changed on your shared hosting you can ask your host to edit the config file. Often they're okay to tweak some trivial settings for their customers.
@dak1: facts of real life: 1) nobody but lawyers and judges assume users read and agree to EULAs - I'm not even sure all lawyers and judges assume users read EULAs ; 2) as a matter of fact, users usually don't even read (as in, really read and understand) a few bullet points during installation. The Yankee Doodle Toolbars are there to prove it. Anyway, if users really read the bullet points, why does MS feel the need to default DNT to enabled while they could say "If you choose express configuration DNT will not be configured" ?

Lennie

@markrendle what is also interesting is that the new user situation does have a modal dialog, which asks the user about enabling smartscreen and compatibility lists.

geodanny

@RoyFielding, I recommend consulting with the rest of your working group (and perhaps Adobe/Apache legal counsel) to clear up any ambiguities in the language you drafted in the Do Not Track (DNT) specification. I think the plain and clear terms of Section 3 of the draft spec contradict what you say in the comments. http://www.w3.org/TR/tracking-dnt/#determining

The specification requires that, as a general rule, the key passed by the browser reflect the user's personal preference. It expressly states that the preference passed may "not [be] the preference of some institutional or network-imposed mechanism outside the user's control." Based on the actual text used in the draft spec, this requirement does not apply to Microsoft's default setting enabling DNT. This is because changing the default preferences provided by Microsoft is within the user's control during installation, setup, and in the browser itself based on the screenshots provided in these comments. This seems to permit Microsoft to put the DNT choice in the install flow for the OS and for it to be set globally by the admin user who sets up the computer. This is because subsequent users retain control and can change that initial setting. Moreover, Microsoft provides clear and conspicuous notice to its users that DNT will be enabled by default during those screen flows and that users have an option to alter those default settings.

Furthermore, the spec does not control how the DNT preference is enabled and leaves the user experience up to the software implementing DNT -- here software made by Microsoft. As section 3 further states, "[t]he remainder of this specification defines the protocol in terms of whether a tracking preference is enabled or not enabled. We do not specify how that preference is enabled: each implementation is responsible for determining the user experience by which this preference is enabled." This language renders the spec ambiguous as a whole if other parts of the spec can be read to require an express choice by each individual user.

I understand the stated goal is for users to express their personal preference regarding Do Not Track (DNT). Section 3 states: "[t]he goal of this protocol is to allow a user to express their personal preference . . . ." But I would not rely on this language. By its very nature a goal is not a commandment, rather it is precatory language more along the lines of a request and is "the end toward which effort is directed." Spell out requirements as such.

For the record, I do not think you have an agenda or have set out to damage Microsoft. But the fact that you drafted the spec and read it a particular way that conflicts with interpretations of the same text by a number of other people (as reflected in these comments) strongly suggests the spec is ambiguous and that you'll run into similar issues in the future with others implementing DNT. The spec must be airtight if you want legislation to enforce it.

reschke

@markrendle Thanks for checking; I believe we now sort-of agree on the facts with respect to IE. As for the timing: Roy's tweet was read by the IE team (and there was lots of other online activity about this, for instance on G+) -- see for instance https://twitter.com/ericlaw/status/208557591213776896 -- note that I don't want to blame anybody for what's going on here; just pointing out that all of this has been known for months, and whoever decided this @ Microsoft knew fully well what it means.

Mark Rendle

@patheticcockroach Your contempt for "average users" does not constitute a cogent argument in favour of this commit.

DanielStrul

@reschke: As for me, I don't really care that MS knowingly chose to breach a flawed standard. And if the DNT standard could only exist as long as mainstream users didn't use it and were gently nudged into accepting tracking cookies through "choice architecture", it is deeply flawed. My main worry is how the hell the Apache Foundation could get involved in this? Am I the only one to consider that a standard that is meant to protect the privacy of a few and leave the majority unprotected is unethical?
Earlier today, I discussed the issue with a pro-MS friend of mine. His argument was "you see, I always told you MS were the good guys". Today, I didn't see any way to contradict him.

Mike Amundsen

@DanielStrul: PMFJI here but..

"I don't really care that MS knowingly chose to breach a flawed standard."

first, it's a proposed standard (a draft) and bound to have warts until it is complete; we all know this, second the judgement on "flawed" is your own, not a universally shared POV, third you should care about any and all who breach standards (as some think @royfielding is doing right now)

"And if the DNT standard could only exist as long as mainstream users didn't use it and were gently nudged into accepting tracking cookies through "choice architecture", it is deeply flawed."

not sure where this judgement is coming from (again, I suspect this "as long as ... users didn't use it" and "could only exist" thing is your assertion, not universally determined fact), but the DNT does not rely on users being "gently nudged" at all. since you've used the phrase I introduced into this conv ("choice architecture") i assume you are familiar enough to know that all presented choices are a reflection of their "architects" (as the authors of this theory stipulate). therefore i know you agree that IE10 reflects the choices of MS' choice architects. this is not about nudges but about which choice model to use.

"My main worry is how the hell the Apache Foundation could get involved into this?"

that's fine. "worry" is a cute word, but i get your point. and, of course, you know the answer to your own Q. since fielding is a member and he posted the commit (a month ago, right?); that's how AF is now involved - by association.

"Am I the only one to consider that a standard that is meant to be protect the privacy of a few and leave the majority unprotected is unethical?"

LOL! any sentence that starts with the word "Am I the only one..." has a sure answer: NO. your assertions that this particular commit has the effect of "leav[ing] the majority unprotected" is certainly scary, but an imaginary one. fielding's conf change does not create suddenly new privacy leaks. instead it refuses to honor the elevated privacy requests of a select group of users (and 'majority of users?' hmm...).

"His argument was "you see, I always told you MS were the the good guys". Today, I didn't see any way to contradict him."

well, that's for you to handle. if you think fielding's behavior here renders MS "the good guys" that's your decision. my world doesn't work that way.

what folks need to decide it this:

  1. do you want to talk about Microsoft's decision to change its UX?
  2. do you want to talk about fielding's decision to change the config?
  3. do you want to talk about the proposed standard?

they are diff problems and muddling them up will ensure no meaningful resolution/agreements.

Mike Amundsen

@gamedev8 : yep, mod the docs.

this 'mod the docs' effort on this single point has been going on since at least Jun 1 (as pointed out already by @reschke earlier in this thread and by his evidence of MSFT discussion on this topic spilling into twitter : https://twitter.com/ericlaw/status/208557591213776896).

check the archives yourself to watch the trainwreck unfold. I think a good place to start is June 2, 2012:
http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0046.html

you might want to check these public expressions on the topic, too:
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/05/31/advancing-consumer-trust-and-privacy-internet-explorer-in-windows-8.aspx
and
https://twitter.com/fielding/status/20834414852322918

another fun spot is in the issue tracker:
http://www.w3.org/2011/tracking-protection/track/issues/4

DanielStrul

@mamund: On the contrary, thanks for jumping in.
Before answering your questions, I'd like to summarize the pieces of information I currently have regarding the DNT standard project:
1) It requires the web advertisers to voluntarily refrain from tracking some users;
2) It's unlikely that the web advertisers would agree to stop tracking ALL users;
3) Thus for the web advertisers to comply, the disabling of the user tracking must be limited to a small fraction of the web users;
4) By default-disabling user tracking for all IE10 users, Microsoft is probably (knowingly) killing the DNT standard;
Is my understanding correct? In particular, is point (3) correct: the DNT standard works only as long as mainstream users don't use it?

If so, I stand by my former assessment: I consider the DNT standard project to be deeply flawed from an ethical standpoint. (As a side note: of course I did not mean flawed with regards to its writing! Drafting a standard is hard, step-by-step work.)

BTW, I'd like you to clarify what you mean by "fielding's conf change [...] refuses to honor the elevated privacy requests of a select group of users". Does this mean that DNT tracking opt-out should be reserved to a "select group of users" or not?

So now, back to your main question:

  • Do I want to talk about Microsoft's decision to change its UX? Not really, no! Right now, I still have no idea whether or not this standard you're working on is worth anything. As long as the ethical status of this standard remains dubious to me, I don't have much to say about Microsoft, except maybe congratulate them for making me aware of the issue.
  • Do I want to talk about Fielding's decision to change the config? I've already stated my position: whether MS is right or wrong, I feel this was the wrong way to deal with the issue. You should now aim at damage mitigation, pull the patch, and make some PR announcement so that Fielding does not lose too much credibility with this wrong move. We all make mistakes, let's move on.
  • Do I want to talk about the proposed standard? Yes, of course! More exactly, I'd like to have an answer to one simple question: can the standard exist if all mainstream users opt out of web tracking, or was there a deal made with the web advertisers ensuring that the practical impact on their business would be limited?

magus424

@royfielding how precisely does it violate the standard when it asks the user if they want to enable it or not?

Mike Amundsen

@DanielStrul

good to see your reply. since this is getting lengthy, i'll bullet-point here and we can take this up on the DNT list, if you like:

  1. as for your 1-4 list. basically, yes, since this is a standards effort, it relies on voluntary support. it's not legislation. so, the assumption is all parties to the convo regardless of their ownership (UA providers, add-in providers, intermediaries, origin servers, etc.) act in accordance w/ the agreement. your assessment of the results of MSFT's work here, the likelihood of ppl complying, etc. is all speculation that i am not interested in digging into here.
  2. as for my "select group of users" phrase. i was pointing out that fielding posted a change to the config that identified a selected group of users (those running IE10) and then refuses to honor the DNT header for those users. it simply sends no header. that is all i meant.
  3. as for what you want to talk about, since you mention #3 in particular, the DNT list is the place to do that. it's an open list and i suspect there will be more to talk about now that, more than 100 days after MSFT announced this change and about 30 days since fielding's commit was voted on and accepted by the Apache Foundation, ppl have finally noticed (i.e. it is in "the press") that the current state of affairs in DNT-land is in a mess.

i, for one, hope that the focus of continued discussion is on the proposed standard rather than the actions of MSFT, ASF, Fielding, etc.

Mark Adamcin

If Microsoft leaves in the ability to set the value for all users during the OS setup process, rather than requesting input by each individual user during IE10 first-run, the DNT header will be rendered ineffectual because members of the online marketing industry have already declared that they will refuse up-front to adopt the standard if a major browser vendor like Microsoft transmits the Opt-Out value as a default preference. They have already indicated that they consider Microsoft's method of setting the value during OS install to constitute a default preference. If no advertisers are willing to respect the header in good faith before it is even agreed, then the supposed benefit of Microsoft making the DNT configuration part of the OS install becomes irrelevant and useless for all parties involved, including users of IE10, and Microsoft may as well leave it out at that point. DNT will cease to be. It will become a dead specification with no industry adoption.

This is the inevitable result if no other intervention takes place by other parties, and Microsoft has had the opportunity to consider this outcome: IE10 users will not benefit at all from DNT unless Microsoft changes its method for capturing DNT preference, regardless of whether this change by @royfielding is kept in the httpd.conf files.

As to the correctness of Fielding to commit this change on behalf of the Apache HTTP Server project or even on behalf of ASF, I figured it would be good to find a mission statement to see if this use of httpd to enforce a draft protocol standard would line up with the philosophy of the project.

Here's a snippet from http://httpd.apache.org/ABOUT_APACHE.html

'We realize that it is often seen as an economic advantage for one company to "own" a market - in the software industry, that means to control tightly a particular conduit such that all others must pay for its use. This is typically done by "owning" the protocols through which companies conduct business, at the expense of all those other companies. To the extent that the protocols of the World Wide Web remain "unowned" by a single company, the Web will remain a level playing field for companies large and small. Thus, "ownership" of the protocols must be prevented.'

That last sentence is a pretty strong statement that at least in terms of internet protocols, Apache has staked a political position, and it can be argued that if @royfielding is under the belief or suspicion that Microsoft's approach to DNT is similar to its historical approach to implementation of open standards ("embrace, extend, extinguish") then this change is clearly made in the spirit of preventing ownership of a web protocol (DNT) by a single company.

As to the repeated insinuation (@markrendle ) that his status as an Adobe employee represents a significant conflict of interest that calls into question his continued involvement in the Apache HTTP Server project or the Apache Software Foundation, I'm sure that's something that only he and the other members of the ASF can answer. However, considering the entries he lists under "Experience" on his LinkedIn profile (http://www.linkedin.com/in/royfielding) include "Co-Founder and Member (Apache HTTP Server Project)" and "Chairman (The Apache Software Foundation)", you'd have to bring some pretty conclusive evidence in support of your ad-hominem arguments for you not to come off immediately as an uninformed troll or fanboy looking to get some kicks in a good old-fashioned flamewar.

Edit: added link

Mike Amundsen

@markrendle

i've let your last few salvos here pass, but just gotta say...

"The problem here is that the wording of the specification, as drafted by Dr Fielding"
If you think all the text there is the work of a single author you do not understand how the standards draft process works. check the public list and the draft status to see who is writing what and how the wording is working out. this is not the work of one man and not all the text in the document reflects fielding's stated POV.

"...his motives are automatically suspect."
guilt-by-association is a common argumentation fallacy. try again.

"...it seems to me that there are many more-active committers who could have made the change."
sweeping generalizations about the motives behind some source code vis-a-vis who should/should-not commit to a repo based on numbers of occurrence is a h00t. thanks.

"... it's a real pity..."
appeal to pity; and a sarcastic one, too! nice touch.

i suspect that you are tired and upset because the things you are writing now are much more odd than those you offered earlier in the day. you have every right to your POV and to defend it as you see fit and i encourage you to do that. so think through what you are saying, which arguments you want to make here, and the details you want to use to back them up. 'cuz these last items are doozies.

if you like, feel free to write me directly if you want to talk some more (mamund@yahoo.com)

cheers.

Keith Humm

Information above with regards to the standard by @mamund is incorrect. The actual choice sequence defined by the standard is:

  1. Do you wish to set a tracking preference? Y/N (required)
  2. If Y, which preference? Track / Do not track

Microsoft omit the first of the two questions in both the express setup and personalize setup - however, the user still has the choice of not sending a tracking header if they dig a little deeper into the preferences. It's debatable as to whether or not this adheres to the standard. Certainly not clear one way or another. Given that the second question is the more important, and the IE setup is quite simple and explicit in informing the user, I would lean toward it complying.

In either case, this patch simply cannot be accepted. Until the standard clarifies where exactly question 1 needs to be, AND whether or not question 2 can be expressed as an opt-out preference, Apache must remain neutral.

Sorry, @royfielding, but this reeks of politics and/or personal opinion, and has no place in an open source piece of software.

Mike Amundsen

@spronkey: thanks for jumping in.

the choice models i offered are possible ones (not anything in the text) based on a single line in the text (details here: a381ff3#commitcomment-1832026).

are you asserting that the two questions (the order, the wording, etc.) are in the document itself? that these two Qs are required to appear? if yes, please point me to the location in the current draft that outlines the choice model you describe.

if, however, you are saying that your choice model is closer to the spirit of the text, that is another matter. as i mentioned early on, there are a number of possible choice models that could be employed; likely more than one of them will meet the spirit of the proposed standard. at least some of them will not.

and that is the area of debate right now.

Mark Rendle

OK, I let myself descend into vapid Usenet-style bickering and point-scoring here, and it didn't do me any favours, so I've deleted most of my recent comments in this thread, and won't be posting any more.

Mike Amundsen

@markrendle : errmm....

post on! (maybe mentally edit first, but still) post on!

Cheers.

Peter Powell

It disappoints me that Apache is being treated as a political kick toy between @royfielding and Microsoft over DNT. The fact that a program which powers more than a hundred million websites is manipulatable in such ways concerns me greatly. I shall have to evaluate switching to a different HTTP server if this kind of stuff is going to continue happening.

remeiberlin

It's actually pretty easy: Is the apache httpd an instrument to enforce any standards?

No? Then you have to remove the lines.

Yes? Then the patch should remain. But it should be asked why the httpd is not maintained by the w3c.

Derek P. Moore

Does DNT-on-by-default in IE10 really mean that Microsoft & bing & their advertisers won't track?

Seems to me this is a perfect opportunity to change the spec out from under Microsoft.

For Example: The DNT header should have to be more than 8 bytes to be honored, and its contents should contain strong proof of the user's intent. All 8-byte DNT headers only express DNT-capable UA.

IMHO I think DNT was just devised by the advertisers to have the assumption that users want to be tracked or don't mind - otherwise they could opt out. Of course advertisers will only honour it as long as nobody (or close to nobody) actually makes use of it. With privacy protection laws becoming tougher (even in the US there is now some movement to actual privacy protection IIRC) advertisers could just say they can't be held liable - since the user has the option of opting out somewhere in the registry or sub-sub-sub-sub menu. So they can take the stance that users actually consent to being tracked - and having given consent to being tracked is one of the core requirements in European data protection laws...

patheticcockroach

@markrendle: it's not contempt, it's facts of life. There's no contempt in stating that most people don't feel it's worth the time to read EULAs or to review the default settings or to search the meaning of bullets they didn't get. It's just called being realistic. That also happens to be the Occam's razor explanation to the Yankee Doodle Toolbars invasion.
@gamedev8: if you want to control your server settings in such minor details so badly you just don't pick shared hosting...

SofiCgr

Most IE users don't know what DNT is. These users trust Microsoft's default setting. What exactly does this module do? I don't believe my eyes. If the user trusts Microsoft for the best setting, must that be ignored?? Is that not user choice??? These users chose to trust the default Microsoft settings and Apache wants to ignore that??

I don't believe myself, 1st time defending Microsoft!!! ... by whom? Apache?? wtf O.O I don't believe my eyes. we live in very strange times...

I agree with @brianalee, the Apache community must vote on this change.

I expected Apache to defend users' privacy and upgrade DNT into something really useful ... not this.
When Microsoft does something right we must support it and not shoot ... and default DNT for newbie users is right!

baank

Yet another reason for Apache HTTP project's increasing unpopularity.

Apache has NO BUSINESS injecting its opinions in this way.

Honor the request value and let downstream worry about what to do with it.

DanielStrul

@mamund: I am fully aware that the assessment of the standard I and others are making (the standard works only if mainstream users are never told about it) is highly speculative. Unfortunately, speculations are sometimes true. Since nobody in the Apache Foundation seems willing to enter this topic, I will feel free to draw my own, highly speculative, conclusions.
Regarding the drafting of the standard, my understanding of the current wording is as follows:

  • DNT option can be enabled or not enabled
  • As long as DNT is not enabled, no DNT tag should be added to the http header
  • To enable DNT option, the implementers must explicitly ask for the user's choice
  • Once the user has made a choice, DNT can be enabled with two possible states: DNT=1 (user refuses to be tracked) or DNT=0 (user accepts to be tracked).

Based on this understanding of the current draft, I believe that the choice model proposed earlier by @spronkey is fully compliant (without being the sole and only compliant solution).
Pleasing each and every stakeholder while getting a clear enough document must be a hell of a job, so good luck with the writing.

Keith Humm

@mamund I think you're absolutely right in that the spec is inadequate in defining the paragraph surrounding "the choice must reflect the user's preference".

However, in terms of choice flow - I think it's reasonably clear (in the editor's draft, anyway) - they list two choice options:

  • No preference OR Do not track, or:
  • No preference OR Do not track OR Do track

The only other requirements are that any 'default' must be set to no preference, and that when the protocol is used to express a personal preference, it must reflect that user's personal preference. (Section 3, Paragraph 1 doesn't mention having no preference, so only when there is a preference specified must it reflect the user's preference).

IE10 provides all three options as available choices. The set-up wizard gives access to two of those (to have a preference either way), while the advanced configuration options provides the third option (to have no preference). It also provides no default (given that default means without user intervention).

Yeah, you could argue that MS are attempting to persuade the user by offering an easier route to select a particular choice. But the spec only says that you have to give them the choice.

@royfielding - whether or not you and fellow spec editors think this is clear is irrelevant. It's unclear enough for there to be legitimate debate about whether IE follows spec or not. Apache's job is to GFTO of that debate, and this patch has no place.

Now, I digress, but I would also suggest that the entire section 3 in the spec could be rewritten as follows:
1. The user agent must default to: unset
2. The user agent must present three alternative choices in all places a "Do Not Track" preference is available to configure: unset, DNT:0, or DNT:1.

Depending on exactly what you want to accomplish, you could then add something like:

  • The user agent must not suggest a preference, unless that preference is "unset"
  • The user agent must not suggest a preference, unless the user agent is a special purpose user agent with the explicit intention to provide greater privacy than a general purpose user agent.

If you want to be really thorough, you can add the wafty 'controlled network environments' paragraph as well. Seriously, how do you guys make this stuff so wordy and complex?!

Greg Stein

@DanielStrul wrote: "Since nobody in the Apache Foundation seems willing to enter this topic, ..."

There are a number of people from the Apache Software Foundation that are reading these comments. Myself, @royfielding, @covener are all part of the Apache HTTP Server Project, among a number of other roles. We've commented a few times, but we are not "participating" because this is entirely the wrong forum. If you want to talk to the HTTP Server community, then use its mailing lists. If you want to talk to the people behind the Tracking specification, then use their mailing lists.

GitHub may allow comments on individual commits, but this is not where the communities perform their work. This is simply a mirror of the true, upstream repository. For constructive engagement, you need to interact with the right community. And that is not here.

interscaperob-duplicate

In other words, meet the masters where they want to be met or they don't give a shit. What elitist crap.

Greg Stein

The internet is a big place. Are you suggesting that all of the people in these communities monitor every possible location on the internet for discussion and interaction? That doesn't scale.

The community has a focal point. To properly engage them, head there. That's not elitist, but simple common sense.

Roy T. Fielding

If you are not a troll and want to know a little about Apache history, read Brian's chapter from Open Sources "http://oreilly.com/catalog/opensources/book/brian.html". You should be able to figure out that this commit was a proposal applied to trunk, that it was voted on and applied to the release branch by other members of the Apache HTTP Server PMC, and was released in 2.4.3 after another formal vote of the entire PMC. I am the only one on the PMC who happens to work for Adobe. I did not discuss this with my employer before the release. I never ask for permission before committing a patch to trunk.

If you are a troll, please do the world a favor and stop using all of the software that I created or defined and gave to you for free.

DanielStrul

@gstein: Fair enough, thanks for clarifying.

Remy

We're blessed with AdBlock to get rid of the terribly annoying ads. Now if only it was implemented into the browser so that it would prevent the deliberate abuse of privacy by tracking the users, and we're set for saving privacy to last in the future.

If companies wish their commercial agendas to succeed they should not undermine these kinds of protect-the-user-privacy moves.

Todd

Shame on you, Apache. DNT on by default is a good thing - tracking on-line should be opt-in only. Why are you standing with advertisers rather than users?

It's been a good run but I'll be looking for alternative web servers, now. Hello, Nginx.

Sanne Foltz

Salute to this commit. Default settings are crucial and have mega impact. This action from MS makes the whole system useless. Chrome and Firefox would opt in to this default to compete if Apache didn't do this, is my guess.

But speaking on a higher level. just like the patent system, the whole ad system isn't that great. There could be better ways to not use adblockers and still make the internet free. Like a spotify initiative for instance. If you pay 10$ a month to be ad-free, I would opt in. That money goes to webmasters of sites you visit for longer than 30 sec for instance.. It should be global and mega secure of course. If ads move from webpages to the browser - so actually IN chrome/firefox etc. (like iOS ads in a way), the security lies with browser vendors. They can also control the cpu bandwidth. And making good use of privacy but also on impressions rather than clicks.

Just brainstorming live here.. bottom line; there are ways to improve and don't have these silly wars that end up nowhere and eventually nobody gets helped and a lot of people invested time and frustration in it.

Drak

The entire concept of DNT is that people specifically opt-out, as opposed to opting into tracking. Microsoft's approach here is definitely against the spirit of the standard and I also salute this slap across their face. MS have for far too long, attempted to model the web in their own image...

Michael DeMutis

This is a joke! How does one guy speak for all of apache anyway.

Remy

@drak

This is further from a slap to the face of Microsoft as it is a slap to the face of the user. Whether or not Microsoft is wrong for their standard setting or how they let users choose isn't the issue at stake anymore.

Say you choose that you Do Not want to be Tracked. Apache effectively says: F you. That is the current issue. And if they're doing this just to bug Microsoft, they also show how little they care about the users.

Mario Liebisch

@drak It's not a slap across the face of Microsoft. It's a slap across the face of anyone using IE. And that's the primary issue here. No one would complain if someone took this discussion to Microsoft or anything. But simply removing the status submitted by IE is the wrong solution as it's in no way better than the initial default. Microsoft's default can be changed by the end user (website visitor), Apache's can't.

Todd

Thank you for making it easy to move to Nginx from Apache. I cannot support someone that would put advertisers before users.

Remy

Yes we understand this is an assault on Internet Explorer. Nobody is fond of that browser. But when you are trying to make the users bleed, you might as well join them. Trying to make yourself look better by wording it differently: "Apache does not tolerate" ... tolerate? You guys are worse than Microsoft is in this case, how about wiping the dust off of that mirror of yours.

imanavg

Till dumbster like @royfielding remains on this project, I am never going to use Apache. They can keep playing their political game under the OSS name. Shame on them though!

Oscar Godson

@drak I'm sure most of us hate developing for IE, but for one this won't "teach" anyone to use a better browser because users won't know this being ignored. Also, I'm not sure I get your rewrite the web comment. All this commit does is screw over the users.

Oscar Godson

@gstein Why even put your code on GitHub then if you're not going to participate? That's the entire concept of GitHub and why there's almost 200 comments here. We're not saying to keep up with conversations everywhere, but GitHub is fairly standard these days and you're hosting a project on it so you should participate in your own projects. Also, you're basically saying the almost 200 comments on this are fairly meaningless unless we write in a mailing list. That's just, well, silly. I hope you read that most of the people HERE, in the real world community, outside of your mailing list bubble greatly dislike this change and believe it gives Apache a bad name and is the wrong way to handle people not following specs. "Punishment" is so not the right way to handle this especially when it really only punishes users.

patheticcockroach

@OscarGodson: +1 on the mailing list sect. MLs are just so last millennium... Anyway, otherwise I don't really think it's a "punishment", just the only possible move to save DNT a chance to be adopted by advertisers. If you want to see it like a punishment, just think about exactly who is being "punished". This change doesn't punish MS (they don't care), nor does it punish the 99.9% of MSIE users who will let DNT on just because they don't bother to review or alter the default settings. The only people it punishes are the 0.00001% weirdos who claim to care about (not) being tracked yet still use MSIE alone with DNT=1 instead of some other browser + Ghostery + AdBlock (+VPN/Tor?).

Allen Landsidel

What an absolute failure of the "process." MS treads the thin line between adhering to a standard or violating it, and some self-righteous jerk with an axe to grind comes along, and like a three year old throwing a tantrum, disables the system entirely for all users of the questionable product.

The obvious next step in the maturity wars is for services like Squid and haproxy to default to turning the header on regardless of UA or initial state.

DNT was useless to start with and this commit just drives the point home.

AndyCadley

@royfielding It doesn't really matter whether or not you discuss it with your employer. You work for a company that makes a significant amount of its revenue via online tracking. Its profitability and by extension your job is potentially threatened by too many people taking advantage of DNT. There is clear potential for a conflict-of-interests there and this commit only demonstrates your inability to act impartially.

Having read through the ISSUE-4 discussions, it's clear that the decision was to leave the business of whether or not there was a default and or what that would be entirely up to the makers of user agents. The only condition on that being that once a user has made a choice (even if that is to choose to use the defaults someone else set for them) that choice MUST be respected by all parties and not overridden by corporate decisions or other intermediaries. That decision is, as far as I can see, reflected in the current draft of the spec. Now, that may not be what you think you agreed to, but that is an entirely separate point.

reschke

@OscarGodson this git repository is just a mirror. httpd uses svn and a mailing list. See https://httpd.apache.org/dev/ and http://git.apache.org/.

interscaperob-duplicate

Note: Anyone that disagrees with @royfielding is a troll. He is a genius and benevolent for giving us all his ideas for free, and how dare we question his actions or motives... even when he checks in code that questions other's actions or motives.

DNT is basically a DoNotCall list for the web. DNC is honored NO MATTER WHAT, because you get FINED when you violate it. Maybe that's what we need to do, is call up Congress and get them involved. Then dumbasses like Roy Fielding will have ZERO control over the process, and consumers stand a higher chance of actually being protected.

And for the record, I use Windows 8, and I explicitly chose to turn DNT on in the Advanced Settings. So what makes you think you know better than I do what my intentions were? What part of the HTTP standard includes filtering for intent? It is amazing how a guy can work on an HTTP message pipeline and completely lose sight of the purpose of an HTTP message pipeline in the first place.

Congrats. You just made me decide to move off of all Apache platforms, including Cordova.

And by the way, if a site does track me anyways, because it uses Apache and is unable to honor my setting because the pipeline was modified, guess who I am suing: The Apache Foundation and Roy Fielding. And I have ample evidence right here that I was tracked with intent, based on browser discrimination.

Bet you didn't think of THAT, Mr. Genius PhD.

@interscaperob

While you might not agree with @royfielding it is still common courtesy to use appropriate language.

Marc Brooks

Violates the DNT specification by not respecting user's choice

Marc Brooks

Singles out one version of one browser, who's going to maintain the list of "violates Roy's vision" when he finds another windmill to tilt at?

Oscar Godson

@reschke Yes, I know. And? Repos don't mirror themselves.

Marc Brooks

Instead of having meta discussions about why this is or isn't right... why not add code-review comments on the lines that are obviously bad coding practice as I have.

Mike Amundsen

@interscaperob : wheee!

your last post here (a381ff3#commitcomment-1838186) was a h00t.

pretty sure your decision to dump the entire line of work from ASF due to your disagreement w/ the actions of a single person puts you on a path of diminishing returns. Unless you figure there is some group/company that puts out software that does not now (never has, never will have) associations w/ folks whose behavior pisses you off and that you'll always know about all the bad behavior of all these folks such that you can dump their software, too.

anyway, thanks for the entertainment and best of luck.

reschke

@OscarGodson the point being that an open source community can choose where to do its work, and in this case it's simply not here. If you really want to influence where httpd is going then you'd better become part of that community.

I've been looking for an excuse to bin Apache for a while.

I guess this is it. At least using nginx won't get me sued for violation of my users' privacy.

This is entirely subjective.

On whose authority does IE10 violate open standards?

reschke

@doot0 you are aware that his patch affects just the default config which can be easily changed, right?

Oscar Godson

@reschke As many, many of us have said, yes you can change it if you have access to it. Not everyone has their own boxes tho.

AndyCadley

@reschke As has been pointed out several times, that doesn't help in many shared hosting scenarios where Apache is frequently used. It also means that, by default, Apache would ship in a non standards-compliant configuration. The FSF have a term for that - "Defective By Design"

@reschke As previously mentioned by @OscarGodson and @AndyCadley, I am indeed aware of it.

The point I was trying to make is covered by @AndyCadley.

patheticcockroach

@AndyCadley: as has been pointed out several times, there aren't many shared hosting scenarios where what you actually run on the shared hosting is actually affected by DNT. As for "defective by design", it means locked in a way that prevents interoperability, not shipped with a debatable default configuration that you can change in a couple of seconds.

DanielStrul

@reschke: This patch is meant to blackmail Microsoft into changing their default settings by taking hostage all IE10 users. From where I'm standing, it's a lot more than a default config that may be easily changed: it's a monopoly abuse and a complete breach of trust with regards to the whole ASF. And if you have a look at the reactions worldwide, you might notice that many people feel that way.

ellier

To @royfielding, @covener, @gstein, and any other members of the Apache Foundation.
The negative publicity this patch has brought upon the Apache Foundation, and what it stands for, should be enough to remove this patch. It's irrelevant whether Microsoft is wrong on this issue, Apache is not the ground where you wage this war to force them to change their default settings. Please, reconsider.

vcarel

If you're not happy with Apache httpd, just don't use it ! And try Nginx ^^

interscaperob-duplicate

I should point out that IIS runs any code that Apache can, and there are many situations where its use is free or close to it (try Windows Azure Websites).

@mamund Didn't have anything on Apache that can't run under IIS. And we had just started a project using Cordova, so haven't lost much. Will move to Mono instead.

Funny how ASF seems to be content to shoot themselves in the foot here. Far more people seem to be against the patch than for it.

Mike Amundsen

@interscaperob : glad you're happy with your tools. hope it stays always so for you.

FWIW, I am not happy w/ the patch. but rather sure it's not based on the same POV you've offered here. the patch is an effect, not the cause.

AndyCadley

@patheticcockroach I'm not convinced by that argument. There are lots of sites running on shared hosting today that include Google Analytics, YouTube videos or have those Facebook/Google+ "Like" buttons plastered all over them.

As it stands, the users who visit those sites in IE10 wouldn't have their DNT preferences respected and even the site owner wouldn't be in any position to do anything about it (short of stripping out all third party functionality for all their users). And, to be very clear on the matter: I am posting this using IE10 now, I have chosen my DNT tracking settings based on a very informed position and so they are absolutely 100% reflective of my personal choice. And yet @royfielding is telling me that it isn't and so my choice should be negated. That's simply unacceptable.

ChrisTX

@royfielding I wonder one thing: If this commit was committed to the trunk on August 11th, only 10 days after the Windows 8 (and IE10) hit the RTM milestone and 4 days before the first wave of public availability (TechNet, MSDN, Windows 8 Enterprise evaluation) - did you review the situation and validate the situation in the actual final product?

There has been a significant change from the Release Preview, which the announcement Microsoft made refers to, to the actual final version, the RTM on this issue:

In the Release Preview, DNT was enabled by default, sending DNT:1 unless explicitly disabled. As far as the current Editor's Draft is concerned, this is clearly a violation of what is being said under point 3, no doubt at all.

However, in the RTM, this option isn't set by a default, rather it was added to the privacy questions in the initial setup, meaning you cannot install Windows 8 RTM without answering whether you want DNT or not. There is no 'default' for the DNT header anymore, since you can't evade making a choice as user.
You could consider the "Express" mode a default setting, but then again, it disables Microsoft's own feedback options and data sharing as well as listing "Do Not Track is being enabled" as a setting it makes. From my understanding of the draft, this would be a valid method of determining user preference, as the software product (Windows in this case, to which IE belongs) asks for your preference upon the first launch and the "Express" settings can be considered a "Privacy settings: high" option, even more so since it's listed as being an option it enables.

Maybe it would help to end this discussion if you could explain why you believe the situation as is in the RTM to violate the current draft. I understand that you're the editor and likely have the best insight in the subject of any commenter here, but I believe that many of those who you called "trolls" wonder the same thing. It's not doubtful that the situation in the Release Preview is against the current draft - but that's not the final product. The final product is having a setup experience in that the user is definitely informed of the state in which "Do Not Track" is, on or off - which is from my best understanding a user choice.

However, if you voted on this commit and it was committed on August 11th, this certainly raises the question of how this is chronologically possible. The only logical explanation in my opinion is that you didn't even take the time to review the situation of the final product but rather voted on the basis of a pre-release product which was possibly (and in this case was) subject to change, condemning the final product.

DanielStrul

@mamund: As to the primary cause, it seems to boil down to a struggle between competing corporations and business models. I'll speculate that the W3C and the ASF have decided to side with their sponsors. Saying that the ASF is fighting to defend open-source standard in this occasion seems total BS as far as I can tell. A physicist once recommended "to put one's mouth where one's money is" : I guess this is a logical course of action, although a sad one, for the ASF.

Todd

There is a certain irony in Roy Fielding committing a patch that doesn't respect a user's option because he's upset about someone not providing an option to a user.

Hypocrite much?

Tim Williams

@DanielStrul said... "I'll speculate that the W3C and the ASF have decided to side with their sponsors."

Are you a witting speculator? Which sponsor would you say the ASF is 'siding with' here?

http://www.apache.org/foundation/thanks.html

Sebastian Schocke

I would say that regardless of what Microsoft did, regardless of what the DNT spec says regarding user choice, and regardless of who gains what from this, this is the most obvious hypocritical BS I have ever seen in my life on an Open Source project, ever!

@royfielding , complaining about a company not respecting the "intent" of your specification, and then proceeding to blatantly contravene your own specification? Really?! You are at least just as guilty as Microsoft of violating the specification.

@gstein Apache has always been a model for my own Open Source philosophy as proof that FOSS really does work but if the ASF voted on this, and voted this change into mainstream, they just lost 90% of my respect. It's always been about user choice, and Open Source has always been about providing choice... when did it become "you can choose, just don't choose Microsoft"

And for anybody wishing to bring up the "it's just a config file change" argument again... yes it is, but so is IE10's DNT setting, and it's easier to change than the server's config file.

I will be writing and recommending the inclusion of a patch to the Gentoo portage tree to automatically remove these lines from any 2.4.3+ version of Apache's configuration file, to ensure that Gentoo stays compliant with the DNT specification - seeing as the ASF seems to have no interest whatsoever in handling it upstream where it should be.

patheticcockroach

@AndyCadley: thanks a lot for this clarification of your view of the problem, which I guess explains why so many people seem to be worried about the implications on shared hosting. Let me clarify in my turn then: when you run your site on shared hosting and include Google Analytics on it, Google Analytics doesn't run on your server, it runs on Google's servers. So, as long as Google's servers enforce DNT, Google Analytics will, even if your server doesn't. Same for any third-party ad or tracking network (or Facebook/Google+ button) you might include in your pages.

reschke

@ChrisTX thanks for the clarification. How do you see the behavior for the case where an additional user is added to the system? As far as I can tell, he/she never gets asked and just gets the system default behavior. Still ok?

remeiberlin

@patheticcockroach Except you are running Piwik on your own server. Piwik is widely used by site owners who respect the users' privacy. With this patch Piwik's support for DNT (since 1.8) is broken.

patheticcockroach

@remeiberlin: yes but this is a minor issue. The real privacy problem with tracking is with tracking as in "big data about your visit path across many sites serving tracking code from the same ad/stat/social network". Being tracked by an independent, local install of Piwik during a few-minutes-long visit is nowhere close to being tracked 24/7 by Google search + mail + youtube + analytics + adsense + reCaptcha + maps + etc. The difference is actually so massive that, now that I think of it, I think DNT should maybe have 3 values: off, on for cross-site tracking, on for everything.

DanielStrul

@williamstw: Thanks for the breaking news, but I was already aware that MS is a Platinum sponsor for the ASF. This patch made me wonder (I mean really wonder) where the ASF money comes from, so I had obviously checked.
In any case, I'll rephrase my statement so as to be more accurate: it seems that the ASF and W3C decided to side with the majority of their sponsors, such as Google or Adobe, whose very existence depends on advertising money, against one isolated sponsor, Microsoft, who don't care that much about advertising money because they have other revenue sources and have repeatedly failed to capture this market anyway, so that they might enjoy bringing the whole advertising market down as it would hurt their competitors much more than it would hurt them, and so that they might hope to recapture the whole market once they have managed to seriously weaken their opponents.
At the end of the day, I still consider we're just talking corporate wars here, and the ASF taking the stance of "defending open standards" is complete bullshit, except if "open standards" really is a synonym for "advertising money for all".
BTW, since you cared to inform me of the origin of the ASF money (I already knew, but thanks anyway), here is what I could find about the W3C money: http://www.w3.org/Consortium/sponsor/. What a surprise, it seems the golden sponsors are, again, Google, Adobe and Microsoft.

Greg Stein

@DanielStrul that is a wonderfully and completely unsubstantiated conspiracy theory... have fun with that. kthxbai.

ChrisTX

@reschke An additional user won't be presented the initial out-of-the-box experience where their stance on DNT is being asked for. However, I think that if you've got a local computer where another user (being local administrator) creates a new account for a user, this would be a "controlled network environment" as listed under section 3: A user might be unable to install new software (if they're not being made local administrator), but can set his own DNT preference (IE treats this as a user setting inherited from the system - you can change it) or install a browser that doesn't require administrative privileges for its setup, like Google Chrome.

The question is what a "controlled network environment" is in this context. However if a "public access terminal" and a "managed corporate intranet" are valid scenarios, then I believe a local computer managed by another user is, too. A public access terminal is basically a computer another user set up and for which they gave you login credentials.

Leaving that aside, the only environments where this is a questionable matter at all are multi-user computers that one user set up and to which further users are added. I believe this scenario is also permitted by section 3 as I said above, but that's not even the point. In the cases of enterprises, single-user systems, internet cafés, Windows RT-based tablets, and so forth this section is definitely not challenged. It would be simply unfair to ignore their DNT preferences because in some system configurations DNT might only be relying on an interpretation of what isn't defined in the first place, this obscure term "controlled network environment".

DanielStrul

@gstein : Indeed, I'm sure there's no money involved at all. It's just for semantic reasons that the WG couldn't even agree on what "tracking the users" really means (issue 117) so that "there is no agreed definition, which means that nobody can implement this protocol as specified" (Fielding's words, not mine, quoted from issue 136).
Anyway, this is getting just as boring for me as it is for you. Feel free to consider me as a sad conspiracist, while I will feel free to consider this whole thing as a sad joke. Over and out, moving on.

remeiberlin

@patheticcockroach Sure, DNT is far from perfect. But it is an attempt to restore the trust of the users again. The patch undermines confidence in DNT, the website operators and the browser. (And the ASF of course.)

marijank

I've been reading this all day, and I can't believe that "Roy T. Fielding" isn't already removed from his position within the Apache foundation. If Apache will tolerate such behaviour, where will this lead Apache to? PRIVATE chaos?
This is VERY simple, you cannot put personal ideas into Apache, period. Discussion is closed.
Sanctions MUST accompany such behaviour so that people don't think they can do whatever the "H" they want.

Eric Covener

@marijank total nonsense.

marijank

@covener total nonsense is when you put your private ideas into Apache project, that should be completely out of the question.
The real question here is:
Is Roy bigger than Apache and will command as he likes?
or
is APACHE bigger than some guy named Roy?

The million-dollar question is:
Who is running Apache: Roy and Adobe, little green men, or the Apache Foundation?

Eric Covener

@marijank I had to stop reading because your post was dangerously close to containing private ideas and I cannot allow myself to be subjugated by them.

marijank

@covener actually what you should be doing is stop using a computer, so we don't have to read your pointless words. Spare us your comments; grown-ups are talking here, go and check the Disney Channel.

Eric Covener

Thanks for your continued constructive feedback!

Drak

Roy's commit was the result of a vote on the Apache board, it was not his sole decision.

Eric Covener

Drak, I don't think you're characterizing that correctly. The change was committed by Roy and voted on before being backported to a stable release. Anyone with interest in how that happens is welcome to participate.

Drak

Doesn't change the fact that it is not a one-man decision and is very much supported by the Apache board. All this trolling about how Roy is acting like a South American dictator is frankly alarmist and ill informed. This is Apache's decision. Like it or don't use it. The "don't use it"s will be in the vast minority: http://w3techs.com/technologies/overview/web_server/all

Allen Landsidel

The old "love it or leave it" defense? There's a 3rd option. Apache can reverse the decision to include the commit, since it's in poor taste and obviously disliked by a great segment of the community.

Drak

Or MS can sort their act out...

imanavg

Why should MS change their code? They are actually compliant with the spec. This patch overrides the choice of a vast majority of users who select express settings by choice and are the sole users of their PC. This patch is really in a hate-filled spirit, which is sad.

Oscar Godson

@drak What act? The majority of us think MS didn't break the spec and in fact did it the best way. There's no act to work out.

Leif Halvard Silli

@OscarGodson No. The «we» is not agreeing with you. I just read through this thread (thus far) and as far as I can tell, most of those that disagree with the patch that @royfielding effectuated nevertheless agree that Microsoft breaks the proposed standard.

@drak Kudos. I share your perspective.

By the way, regarding Microsoft: Everyone says that Microsoft knew full well what they are doing. And maybe they did. However, my impression of Microsoft is that they participate much less - in public - in standardisation work. As such, I believe that many of Internet Explorer's deviations and shortcomings over the years are due to the issue that Microsoft discusses things inside their own walls. I could be wrong. But this is how I think. That doesn't excuse them, however.

Oscar Godson

@komputist really? Must be skimming too fast. What is the vote then on it?

Sebastian Schocke

I see the ASF representatives are still point blank ignoring the fact that this patch violates the DNT specification which they are claiming to be enforcing... interesting

Allen Landsidel

MS breaking the standard or not is irrelevant. The apache httpd project isn't the place to try and scold them over it, certainly not at the expense of users. Doing so just accelerates DNT's already rapid trip towards the dustbin of historical irrelevance while also diminishing Apache's already shrinking userbase. Those supporting the change don't care about the impact on end users or the Apache project. Their hubris doesn't allow it.

Leif Halvard Silli

@OscarGodson Vote? You said «The majority of us», by which I thought you meant to speak on behalf of those who have expressed themselves on this very page. You can for instance read the respondents from Opera — I believe I disagree with them in their criticism of @royfielding's patch. But I also believe that they have not blessed what Microsoft did (which is what you do).

AndyCadley

@komputist If the majority agree that Microsoft has violated the spec, why is it that not one single person can actually point to the part of the spec they've supposedly violated? Meanwhile several people have pointed out the exact sections of the spec which strictly forbid Apache from doing what this patch does.

@drak That doesn't make it better, if anything it makes it worse. Because either the Apache board just greenlights patches from certain individuals without proper consideration, or there should be serious questions about how much influence the advertising industry has on the board if they're prepared to violate open standards to protect the revenue of the advertising industry.

Leif Halvard Silli

@alandsidel I think you are pushing "end users" in front of you. This is about "managing consent". DNT won't work unless all are aboard. Thus, Microsoft are undermining DNT - the policy. There could be other ways of solving the same problem - such as law. Or independent efforts. But DNT is an attempt at joint agreement. Such is my understanding, at least.

Leif Halvard Silli

@AndyCadley Some persons have pointed out what MS violates - just read this page from the start to the end. (I'll let this be my final word.)

AndyCadley

@komputist I've read this page. I've read the standard. I've even read the discussions on ISSUE-4 to see if there was a consensus there which has been badly phrased in the standard. There simply is no violation, other than in the imagination of a few and that is why nobody can quote chapter and verse from the standard any part which Microsoft's implementation actually has violated.

Oscar Godson

@komputist Who's from Opera here? Did you open every person's profile to see where they're from? And I did say the majority of us because I've read this page many times. I keep getting more people that say MS did not do wrong on the spec than who said they did. I'm asking your "vote" as in your tally. I still believe, from reading all this, more than half (majority) are saying MS is not at all at fault.

Allen Landsidel

@komputist This is not about MS, this is about Apache and Roy. This "patch" does not belong in apache, period.

ChrisTX

It should be noted that this patch is violating the DNT standard, too: "Implementations of HTTP that are not under control of the user must not generate or modify a tracking preference." That's exactly what this patch will cause Apache to do. Punishing an (alleged) violation of a standard with a violation of the same standard is not an acceptable measure.

Allen Landsidel

Chris, that has been pointed out several times already, and completely ignored. The adolescent tit for tat ("Oh MS violated the standard so we'll violate it right back") is just making the project look bad.

ellier

Yeah, everybody continues to argue here whether MS violated the standards. That is irrelevant, and it's a shame people don't get what the real issue with this patch is and how it affects Open Source.

schlaup

@royfielding: You wrote: "Yes, the laws in EU already exist and they define the default server behavior when no DNT is received. Thus, removing an invalid DNT header field remains compliant with any regional laws."

This is not correct.

This patch violates EU law, because the patch does filter - what you consider - "invalid DNT headers" but it also filters valid DNT headers. A user who did read the setup screen and who did make an implicit and informed choice is sending a valid DNT header to the Apache server - even if it comes from IE10. Nevertheless Apache is filtering the valid DNT header as well and by doing so is violating EU laws.

If an "invalid DNT header" is not filtered, there are no legal implications. If a valid DNT header is filtered and not respected it is breaking the law. By patching Apache to ignore all IE10 DNT headers you are doing harm to all users and all companies who are using Apache server.

So, yes, a default installation of Apache with this patch applied is in violation of EU law and anyone who does not remove this patch from their configuration file might be sued in the EU.

I hope that the Apache Foundation and its members who voted to include this commit are aware of the legal liability.

Drak
Jim Jagielski

Wow... So much hate. So much ignorance. The simple fact is that, despite claims by many here (who are hardly experts in the field), MS is violating the standard. If you disagree, then this is not the place to argue your case. Apache httpd is here to implement and enforce the standards. It's called compliance. Should Apache httpd allow violations of the standard, then of what use are standards in the first place? So, with it understood that MS is violating the standard in this particular case, Apache httpd is simply taking action which removes that violation. It could be argued that Apache httpd could be justified in returning an error on those requests, but that is way too heavy handed.

Todd

@jimjag So how do you feel about Apache violating the precious "standard" to enforce a "standard"?

Brian Lee

@jimjag First, I want to apologize for some of the vitriol here. What started as a decent discussion on this commit has spiraled, unfortunately, into an almost useless set of ranting. I appreciate your and Roy's comments on this thread to allay some of my concerns about this commit.

Had I come to this thread around post #200, I probably wouldn't have added anything. But I want to let you know there is at least one honest, concerned developer interested in this issue (and I hope many more).

I've always appreciated Apache from my youth as a developer and as my career progressed. Apache embodies the ideals of transparency, openness, community and software excellence that I hold pretty close. I'm reassured that this wasn't a brash commit but had discussion and consensus on the httpd mailing lists (where development discussion belongs). I've been lax in not following these discussions and this commit only came to my attention due to the pretty handy social aspects of GitHub.

As a developer who is completely not involved in the creation of httpd I rely on those who actually live in it to make technical decisions to continue to improve the server.

One thing I haven't seen addressed though is how httpd will deal with being non-compliant in dealing with honestly set DNT preferences in IE10. If there are users who explicitly set DNT=1 or DNT=0 on their requests will there be a way for httpd to allow these honest users to pass their preference along (aside from not applying the patch or editing it out of httpd.conf). Or are these users considered collateral damage until Microsoft correctly implements the DNT standard?

I'm primarily concerned with how these IE10 users are treated by httpd; not whether Microsoft is or is not implementing the standard properly.

I don't have the time to spend on the httpd dev mailing list, but I appreciate the httpd devs participating on this github thread. I just wanted to let you know that there are users and developers of downstream apps and services that have honest concerns for user preferences and app behavior who are completely unrelated to Microsoft and their agenda with DNT.

PS- of course thanks to you for all the software you've written and thanks to Roy for all the software he's written. The contributions that y'all have made are immense and literally the software world owes you a debt.

TL;DR: Thanks, and what about IE10 users who set DNT themselves?

Jim Jagielski

@brianalee The hope is that IE10 users who care about the issue will encourage MS to change their stance and move back to compliance with the spec. Certainly this thread shows that there are involved, energetic and passionate people involved in this issue, and I think it would be a Good Thing if some of that was directed also towards a directed effort towards MS and having them adjust IE10.

ChrisTX

@drak No it's definitely not. If you run a proxy to conceal your User Agent's identifier and set it to MSIE 10.0 (DNT doesn't forbid this), as well as run for instance Firefox as browser, you definitely have made a valid choice for your DNT preference, using an implementation entirely compliant with the latest DNT draft. This configuration would send a valid header.

Now, if you ignore valid DNT headers in the EU, that's clearly against the law. Roy Fielding acknowledged this, but said the removal was fine because the headers were "invalid". In the scenario of a spoofed user agent, they are under no circumstances.

If you wouldn't mind stopping yelling 'FUD' whenever somebody disagrees with your POV, that'd help this discussion a lot.

@jimjag Where is it violating the standard? When the Release Preview was released, its behavior was permitted. Now, the Apache PMC can't even have voted based on the RTM (see my comment above on the timeline) and the RTM does not have a default. No matter how you install Windows 8 - if you read what it says, you'll have made your choice. That's not a violation.

I don't doubt the Apache PMC's and Mr. Fielding's insight into the DNT spec, but I very well doubt their knowledge about the situation of Windows 8 unless somebody can prove to me they can look at least 4 days into the future. This hasn't anything to do with the field. An ad verecundiam argument doesn't help the case here.

And lastly, this is a breach with the spec, too - on Apache's side.
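
To make concrete what the two directives in the commit do to a request, and the cases raised in this thread (an IE10 user who set DNT themselves, and a non-IE browser whose User-Agent a proxy has rewritten to "MSIE 10.0"), here is an added emulation of the rule over constructed request headers. It is not Apache code or anything from the httpd project: it models only the `BrowserMatch` regex on the User-Agent and the conditional `RequestHeader unset DNT`, and the request labels and header values are made up for illustration.

```python
import re
from typing import Dict, List, Tuple

# Emulation (added illustration, not Apache code) of the two directives
# added by the commit under discussion:
#   BrowserMatch "MSIE 10.0;" bad_DNT     -> mod_setenvif: regex search on User-Agent
#   RequestHeader unset DNT env=bad_DNT   -> mod_headers: drop DNT (any value) if bad_DNT set
# The pattern is kept exactly as in the commit; the unescaped '.' matches any
# single character, as it would in Apache's regex engine.
BROWSERMATCH_REGEX = re.compile("MSIE 10.0;")


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def apply_bad_dnt_rule(headers: Dict[str, str]) -> Tuple[Dict[str, str], bool]:
    """Return (headers as seen by the application, whether a DNT field was removed)."""
    env_bad_dnt = BROWSERMATCH_REGEX.search(_get(headers, "User-Agent")) is not None
    result = {k: v for k, v in headers.items()
              if not (env_bad_dnt and k.lower() == "dnt")}
    return result, len(result) != len(headers)


# Constructed sample requests (not captured traffic). Each entry is (label, headers).
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
SAMPLE_REQUESTS: List[Tuple[str, Dict[str, str]]] = [
    ("ie10-express-dnt1", {"User-Agent": IE10_UA, "DNT": "1"}),
    # IE10 user who went through the setup screen and explicitly turned DNT off
    ("ie10-user-chose-dnt0", {"User-Agent": IE10_UA, "DNT": "0"}),
    ("ie9-dnt1",
     {"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
      "DNT": "1"}),
    ("firefox-dnt1",
     {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0",
      "DNT": "1"}),
    # Firefox behind a proxy that rewrites the User-Agent to IE10's string
    ("firefox-behind-ua-rewriting-proxy-dnt1", {"User-Agent": IE10_UA, "DNT": "1"}),
    ("ie10-no-dnt", {"User-Agent": IE10_UA}),
]


def audit(requests=SAMPLE_REQUESTS) -> Dict[str, str]:
    """Map each request label to what the application behind httpd sees for DNT:
    the header's value, "absent" if the client never sent one, or "stripped"
    if the rule removed it (the application cannot distinguish the last two)."""
    outcome: Dict[str, str] = {}
    for label, headers in requests:
        after, stripped = apply_bad_dnt_rule(headers)
        outcome[label] = "stripped" if stripped else (_get(after, "DNT") or "absent")
    return outcome


if __name__ == "__main__":
    for label, seen in audit().items():
        print(f"{label:42} DNT as seen by the application: {seen}")
```

Because `RequestHeader unset` removes the field whatever its value, an explicit `DNT: 0` from IE10 is dropped just like `DNT: 1`, and the application behind httpd cannot tell either case from a request that never carried the header. The emulation has no other knob; an operator who wants to keep honouring those headers edits the two blocks out of httpd.conf, as several commenters above note.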

Keith Humm

@jimjag Negative. Apache isn't removing the violation. It's creating a second, even less desirable violation of its own.

Regardless, the most popular - some might say trusted - web server around is not a political battleground. httpd's job is to accept whatever dog food it's given. Does the header comply? Yes! So GTFO!

patheticcockroach

@ChrisTX: if you're smart enough to forge your user agent you're probably smart enough to use Ghostery and such stuff that don't rely on the big brothers' goodwill and/or not to pick the one user agent that will get your DNT ignored...
And again, this is just a default setting, which you can change, etc (cf above).

ChrisTX

@patheticcockroach that's not the point. If it is possible to use a UA forge to make you as server owner do something illegal (that being the removal of legitimate DNT headers) then that can lead to people with bad intentions suing you for something where the law is on their side.

Yes, it is just a default - but if that default can lead to legal implications in the entire EU, that's a terrible default. Apache shouldn't make it dangerous to run it with the default configuration in countries - especially not because the authors want to make a political statement.

Eric Covener

@ChrisTX FWLIW I believe the RTM IE behavior is a "default". I respect that other people might disagree that it is a default, or think it's a great default. I also suspect that it spells doom for (voluntary) DNT as you can guess which interpretation the people doing the tracking will lean towards.

Jim Jagielski

@spronkey "accept whatever dog food it's given"? I am certainly glad that you don't code or implement standards. "This is a completely invalid Range request, but my job is to accept whatever I'm given so I gotta try to do something with it".

If that's the best "argument" and "rationale" you can come up with, then I'd suggest another tactic.

Jim Jagielski

Actually @spronkey , I see you do try to implement a standard (php-amqplib)... Tell me, does it accept whatever dog food it's given? If the first frame on a connection doesn't contain an 'open' performative, as it MUST, does your implementation just "accept" it?

Allen Landsidel

I don't understand why people like yourself, @jimjag, aren't grasping the essential concept here. The Apache project has intentionally and clearly violated the standard itself in order to address a perceived (but unproven) violation of the same standard on IE's part. It's as simple as that. The end result of this is easy to predict: complete failure of DNT as expected, and a lessening of the Apache project's reputation.

Jim Jagielski

@alandsidel Funny, I thought that the essential concept was that MS created a violation of the standard and that Apache httpd is attempting to address that violation. Also, if one's point is that Apache httpd, in its action, is itself a violation, then you must also admit that MS's action is also a violation.

ellier

You guys continue to argue about MS violating the standards. The point here is whether Apache should be used as a tool to force MS into compliance based on the opinions of some.
With this patch, Apache is not respecting the decision of the users who DO set DNT to true. This is another violation. This patch should only be implemented if Apache could determine that the user did not set DNT to true. If not, this is a violation.

Derek P. Moore

@ellier: No, the point is that MS will not respect its own DNT flag.

Allen Landsidel

@jimjag, no, I must not "admit that MS's action is also a violation." Their behavior is arguably within the spec. No argument can be made that this patch is within the spec: it violates it outright, with no room for debate, as the spec specifically says that nothing not under control of the user may modify the header.

Sebastian Schocke

@jimjag : granted, if we accept that Microsoft is violating the intention of the standard, can we go ahead and then understand that Apache is intentionally violating that standard? Is that what you are saying?

So, by your definition, if somebody goes and beats up my wife, you classify it as perfectly acceptable for me to go and kill him?!? Because that is essentially what is happening here... A perceived violation is countered by a definite violation

Looking forward to your rebuttal

ellier

@derekm: So when MS decides not to respect DNT, then Apache decides not to respect those users who willingly set the DNT flag to 1. WHAT?!

The Apache Foundation seems to be using httpd as a stick to beat MS into submission without any regard for those users WHO DO set the flag to 1. In other words, let's fix a violation with another violation.

Do you see the irony?

Leif Halvard Silli

@derekm My understanding is that the DNT standard is a negotiated agreement between different interest groups. As a negotiated agreement, it means that one party in the deal has agreed to hold itself back from doing something which is within its power - to track - on such and such conditions.

Microsoft's move can be compared to a government who wants to strike a voluntary deal with the tobacco companies: "If you place ugly anti-smoking ads on your cigarette packages, we will avoid raising the tax by 100%." OK, say the companies. But in the end, the government raises the tax 100% anyhow. As a result, the tobacco companies would of course remove their negative ads. (The tobacco companies, in this analogy, would be the advertisers. The government is Microsoft. And Apache is the outsourced tax collector.)

AndyCadley

@jimjag See section 4.2: An HTTP intermediary must not add, delete, or modify the DNT header field in requests forwarded through that intermediary unless that intermediary has been specifically installed or configured to do so by the user making the requests.

Apache, in its default configuration, is therefore clearly in violation of the spec.

See how easy that was? So why, if IE is actually in violation of the spec, can nobody post a similar quote from the spec indicating the section which it supposedly violates? The only possible justification for the action Apache is taking here is solid evidence that IE is non-compliant (although I'm not convinced that it's ever acceptable to violate the privacy of IE10 users who might have actively made the choice and there is no way Apache can possibly know this).

As it stands, it looks very much from the outside that Apache is being used in political posturing by the advertising industry. If the combination of Apache (the most widely used web server) and IE (the most widely used web browser) always ends up in a "no preference" DNT setting, then the DNT "standard" is effectively dead in the water and the advertisers get what they want: unlimited permission to track users whilst being able to claim they're complying with users' DNT preferences.

ChrisTX

@jimjag

Also, if one's point is that Apache httpd, in its action, is itself a violation, then you must also admit that MS's action is also a violation.

Apache is violating a sentence of section 3 in a very direct way:

Implementations of HTTP that are not under control of the user must not generate or modify a tracking preference.

The difference is that IE10 RP did not violate any parts of the most current specification when it was released and still doesn't violate anything but the latest editor's draft. As for the RTM, nobody could explain here how it violates the specification. If you look below, "Express" can't be it.

@covener

FWLIW I believe the RTM IE behavior is a "default".

I can't tell you what to believe, but you'd need to explain to me why the "Express" settings wouldn't be covered by the implicit settings group in section 3. It even names DNT being enabled as an option it contains. The standard explicitly does not mandate how to determine the setting. And specifically,

For example, a user might select a check-box in their user agent's configuration, ...

Doable in "Custom" mode or IE's settings per user. "Always send a DNT" will send it regardless of other means.

... install an extension or add-on that is specifically designed to add a tracking preference expression ...

If you install a TPL in IE9/10 that will cause DNT to be enabled

... or make a choice for privacy that then implicitly includes a tracking preference

Which "Express" is.

The standard does not forbid the express settings for privacy (!) to contain this choice. If I make two options "Privacy: high" and "Custom privacy" which is what "Express"/"Custom" are after all, then where is the user choice not being made?

Instead, this way of argumentation goes like this: Nobody will read what "Express" says and just press continue - but it's the same deal with for instance EULAs. If a browser made a selection box: "Do you want to be tracked? Yes (grey, sad smiley) / No (green, happy smiley) (recommended)" that would be perfectly within the demands of the section. You can call it a 'default' as you like - it isn't by the means section 3 defines them.

I also suspect that it spells doom for (voluntary) DNT as you can guess which interpretation the people doing the tracking will lean towards.

To be honest, I'm with the EC here: DNT should be an opt-out standard. Most advertisers are residing either in the US or in the EU and they could be effectively regulated. In my opinion, DNT as a non-overseen standard is a choice a lot worse than if there was a binding law. I don't see why advertisers would have the right to track you. - But that's just my personal opinion. It doesn't change the law as-is. And from current law, yes DNT is optional.

We can only speculate why MS did this in the first place: Was it purely pro bono? Was it because they wanted to weaken Google, Facebook and the likes? - We don't know. I hope ultimately for a legislation that will mandate DNT as opt-out, maybe no tracking being allowed until DNT:0 is sent.

AndyCadley

@komputist And that's why those sort of agreements get written down. So that when one side or the other breaks the agreement, it's very clear what has been agreed. In the case of DNT, that is the standards document. The one NOBODY seems capable of finding any such agreement in.

Leif Halvard Silli

@AndyCadley The point with the tobacco industry example was to demonstrate that it is not at all self-evident who the good guy and the bad guy is: Would a doubled tax on tobacco in combination with positive ads save more lives than a "normal" tax in combination with negative ads? Who knows? We only know that without regulations, tobacco companies are not very much trusted - to put it that way.

Microsoft does not make the all-dominating browser anymore - but Microsoft's position is still such that this move could put the acceptance of the standard at risk. Apache is here demonstrating that it stands by the standard - which in my book is a move that could save the acceptance of the standard. Convincing Microsoft to revert its move is only one part of the picture. Keeping the other parties with a stake in it on board is probably the crucial thing that Apache's move tries to secure.

AndyCadley

@komputist I think you're missing the point. One of the following must be true:

1) The standard is an accurate description of the agreement. Microsoft have violated it and since any violation will contradict something written in that document, it will be very easy to point to that section. (So far, nobody has done this in the case of IE)
2) The standard is a vague or entirely inaccurate representation of what was agreed. In which case any "violation" is down to faults in the writing of the standard. So the correct approach is to fix the wording of the standard to clarify the position. Given that @royfielding is involved in writing that document, it would be infinitely more sensible to take that route than to purposely break the standard in yet another product.
3) The standard is an accurate description. Microsoft haven't violated it.

In the case of (1) somebody should have been able to make the issue clear by now instead of simply asserting that Microsoft have violated the standard without any justification whatsoever. Everyone would be clear on the issue and the conversation would be about what, if anything, Apache could or should do about it (which still wouldn't be entirely clear cut).

However, given that any evidence for (1) seems to have eluded everyone, we can only assume we're dealing with either (2) or (3) and in both those cases it should be blindingly obvious to everyone that making Apache non-compliant is an extremely bad idea and something that should never be allowed to happen.

Leif Halvard Silli

@AndyCadley It has been pointed out where Microsoft violates the standard. I am citing @reschke, who cited the standard: "Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control."

Allen Landsidel

It's blindingly obvious (to anyone without an anti-MS agenda) that this patch is a bad idea, even if the case were (1). It's also becoming apparent that the project has no intention of correcting the issue and pulling this patch, for reasons I cannot fathom beyond simple pride.

Allen Landsidel

@komputist, how exactly is IE in violation of that particular statement? There is no institutional or network-imposed mechanism involved here. Whatever MS has or hasn't done is irrelevant -- this patch itself is a blatant violation of the standard, on that there can be no argument.

Jim Jagielski

@alandsidel First of all, calling this an "anti-MS agenda" is baseless and false. It is certainly anti-violation.

Secondly, as anyone who is following the actual development list (and not this fairly useless thread) knows, the developers are looking at additional ways to address this issue.

And thirdly, is your last sentence ("It's also becoming...") directed towards MS or Apache? Sorry, but I know it's directed at Apache, but why not the same energy and sentiment towards MS, who could REALLY fix this issue by simply not violating the standard?

I have a great idea: knowing that MS is violating the standard, what would you suggest Apache do? No simple "pull the patch" or "nothing" knee-jerk responses are allowed. Give us some concrete ways in which Apache httpd can force compliance w/ the standard? @royfielding implemented one which, no matter what else you can say, has brought this issue to the fore. What's your (or anyone else's) patch?

Jim Jagielski

@sschocke No, but if someone is about to kill your wife, you are certainly within your right to smack him in the leg with a shovel.

My point is that everyone who is complaining that this patch also violates the spec (and there is an argument to be made there) and uses THAT as ammunition for its removal, completely ignores the base reason for the patch in the first place, which is that MS's action is the primary violation of the spec, and this patch is in reaction to that. And despite claims otherwise, MS's action is a violation.

Allen Landsidel

@jimjag If it's a violation, cite exactly what part of the spec it violates, and how it is violated. So far, nobody has done that, least of all with an RTM version of IE10. Not one person. If it's so "certainly" a violation, there would be far more consensus on the issue than there is. What is certain is that this patch causes apache to violate the spec. Period.

Whatever the developers are doing right now is irrelevant. This patch is not the solution and needs pulled. If an alternative solution is forthcoming (which I highly doubt), then it can be addressed in a patch of its own. There is no reason at all to have allowed this patch in the first place, never mind to have left it here in the face of so much controversy.

The last sentence of that post was aimed squarely at apache. The Apache project has openly and intentionally violated the standard (to be precise, shipped a default config which violates the standard) with this patch. My energy and sentiment belongs squarely where it is.

My patch for apache? It does not need one, no matter if you say that is "not allowed." Client-specific patches for browsers in apache have historically only been implemented to enhance compatibility between apache and broken browsers. Not once in the history of the project has there been a patch like this one, and rightly so.

Jim Jagielski

DNT is a privacy setting, and should be set/unset/specified with that criteria in mind. It shouldn't depend on what kind of "Express" install was made. Express, in and of itself, is NOT a privacy setting.

Allen Landsidel

Express, in and of itself, says clearly that it is going to set a default privacy setting, which enables DNT. Now you're claiming what... that unless it's on a page labeled "privacy" that it's no good?

Jim Jagielski

@alandsidel "Not one person"? Oh puh-leese.

And "Not once in the history of the project ..."?? By a "patch like this" do you mean "a patch designed to enforce the standard"? In which case, you are way, way wrong.

AndyCadley

@komputist I'm using IE10 to write this now. I chose a DNT setting. There has been no institutional or network-imposed mechanism outside my control forcing it. It entirely and accurately represents my personal choice of DNT setting. Apache ignores this.

@jimjag I would argue, as has been known by systems developers for decades, that it is fundamentally impossible to determine a user's intent through software alone. Fundamentally you just have to accept that the settings and options they select are what they wanted to do. Until someone invents psychic computers, that's what we're stuck with. Take the issue to the US/EU courts if you really believe Microsoft is abusing its position, but do not abuse end users' privacy to try and make a point.

Consider the precedent this action sets. Anybody who wants to track you can do so, regardless of your DNT setting and should you complain they can argue "Well, we felt the DNT settings dialog in Firefox/Safari/Opera/Chrome wasn't clear enough and so clearly didn't represent its user's informed consent. So we figured we'd just ignore it and track them anyway. After all, that's exactly what the Apache team decided to do". The very justification being used here (and on the mailing list) for this patch fundamentally undermines the entire DNT standard completely.

Allen Landsidel

Not one. If you're the one, proceed to support it. So far all you're doing is talking in circles, attempting to claim that the blatantly obvious "This will enable DNT" during express is somehow "not good enough." It's not like it's hidden, obfuscated, or in any way unclear about what selecting Express will do.

By a "patch like this" I mean one that intentionally violates a standard, which is what this entire discussion is about.

Jim Jagielski

@alandsidel

From the standard: "Key to that notion of expression is that it must reflect the user's preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control."

So if one chooses Express, it is making a decision for the person... What if someone wants Express and DOESN'T want DNT? In this way, Express forces a user's preference, simply because that preference is overloaded with a whole bunch of other stuff.

Do you even understand what DNT is, and what it is trying to do? Or are you just breaking in a new keyboard?

Allen Landsidel

@jimjag you are just talking in circles again. If one chooses express, it says right on the screen what that means WRT DNT, and the user has made that decision for themselves. Regardless, what Express does or does not do is irrelevant. This patch causes Apache's default state to be in clear (rather than interpreted) violation of the standard, and in light of that alone, it should be pulled.

Oscar Godson

@jimjag

I have a great idea: knowing that MS is violating the standard, what would you suggest Apache do?

Nothing. I don't WANT Apache to be the standards police. Why do you? We never elected them to be enforcers of anything. They should get in touch with Microsoft and deal with it there. If or if not this is a violation, who cares, I don't want anyone using force to enforce a spec, ever. That is not how you handle this. Not after everything we learned during the browser wars. As I've said before, getting browser vendors to support a spec should be organic. Forcing standards makes it not even a standard, it becomes a "law" browsers have to follow or get punished.

Allen Landsidel

If it makes it any more clear, look at it from the standpoint of the principle of least harm.

Patch In:

  • IE10 may or may not be in violation. This is, quite obviously, open to interpretation
  • Apache, by default, violates the standard.
  • No IE10 users' preferences are respected, regardless of where they came from.

Patch out:

  • IE10 may or may not be in violation. This is, quite obviously, open to interpretation
  • No harm to anyone beyond that point, outside of apache's control.

Mario Liebisch

If I use IE10 and explicitly set DNT to 1 (NOT using the express setup) and visit a web page served by Apache, Apache is going to remove my DNT preference on its own (right now being "we don't accept you having any DNT preference"). That's in clear violation of that line you've just quoted. And it's outside my control unless it's my own server.

I think most here will agree that, if you think MS violates the standard, that's something you can clearly think or state. That's your opinion and it's fine. What people are upset about (me included) is the action taken by this patch/commit: It removes our preference, just because we use the browser of our choice. The "Microsoft doesn't violate the standard" vibe is there because of the wording etc. but we should really leave that one aside here. I agree with you. IF you can be sure the submitted DNT value is forged or not the user's choice, remove it. That is perfectly fine. However, don't ever touch it if you're unsure (in doubt, trust the flag/user). And that's something that's being ignored here.

For those arguing about acceptable value ranges and other computer science stuff: The flag might have either the value 0 or 1 or it must not be present at all. And that's the case, no matter whether you're using Chrome, Firefox or IE10. If IE10 would submit something like "DNT: Yes!", then you could throw it away any time you want. But that's simply not true. The value is perfectly fine, valid and within the acceptable range described in the standard.

Allen Landsidel

If IE10 would submit something like "DNT: Yes!", then you could throw it away any time you want

Even then, it would not be "permissible" for Apache to toss the header -- it's up to the web developer's backend (Rails, PHP, Perl, whatever) to do that. Touching this stuff at all before the web developer gets their hands on it is inexcusable. As long as the request is properly formatted, and is not going to cause an incompatibility with the server, it should be passed along as-is.

Does apache toss other "invalid" headers? No. Not one. This one is exceptional in that regard. Why? Agenda.
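The two points above (the only values the field can carry are 0, 1 or absent, and the decision about the field belongs to the application behind the server, not to the commit's BrowserMatch rule) can be checked in a few lines. The following is an added example written for this thread, not code from httpd or from anyone posting here; the User-Agent strings, sample requests and the tracking policy in it are constructed assumptions.

```python
import re

# The commit's BrowserMatch argument is a regular expression applied to the
# User-Agent request header; the dot is unescaped in the commit too, so it is
# reproduced as-is here.
BAD_DNT_PATTERN = re.compile(r"MSIE 10.0;")


def _header(headers, name):
    """Case-insensitive lookup of one request header (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def apply_commit_rule(headers):
    """Forward a request the way the committed httpd.conf fragment would.

    Models: BrowserMatch "MSIE 10.0;" bad_DNT  +  RequestHeader unset DNT env=bad_DNT
    Any request whose User-Agent matches loses its DNT field, whatever its value
    and however the user arrived at it.
    """
    user_agent = _header(headers, "User-Agent") or ""
    if BAD_DNT_PATTERN.search(user_agent):
        return {k: v for k, v in headers.items() if k.lower() != "dnt"}
    return dict(headers)


def dnt_preference(headers):
    """Classify the DNT field as the application behind the server sees it.

    "1"     -> "opt-out"  (the user asked not to be tracked)
    "0"     -> "consent"  (the user explicitly allows tracking)
    absent  -> "unset"    (no expressed preference)
    other   -> "invalid"  (malformed; not a valid expression of preference)
    """
    value = _header(headers, "DNT")
    if value is None:
        return "unset"
    value = value.strip()
    if value == "1":
        return "opt-out"
    if value == "0":
        return "consent"
    return "invalid"


def tracking_permitted(headers):
    """Application-side policy used by this example (an assumption, not spec text):
    honour an explicit opt-out, and treat a malformed value conservatively
    (do not track) instead of guessing what the user meant."""
    return dnt_preference(headers) in ("consent", "unset")


# Constructed sample requests; the User-Agent strings are illustrative only.
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
IE9_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0"

SAMPLE_REQUESTS = {
    "ie10 user who set DNT:1 by hand": {"User-Agent": IE10_UA, "DNT": "1"},
    "ie10 user who explicitly chose DNT:0": {"User-Agent": IE10_UA, "DNT": "0"},
    "ie9 user with DNT:1": {"User-Agent": IE9_UA, "DNT": "1"},
    "firefox user with DNT:1": {"User-Agent": FIREFOX_UA, "DNT": "1"},
    "firefox user with no DNT field": {"User-Agent": FIREFOX_UA},
    "malformed DNT value": {"User-Agent": FIREFOX_UA, "DNT": "Yes!"},
}


def audit(requests=SAMPLE_REQUESTS):
    """For each request, return (preference as sent, preference after the commit's rule)."""
    return {
        name: (dnt_preference(req), dnt_preference(apply_commit_rule(req)))
        for name, req in requests.items()
    }


if __name__ == "__main__":
    for name, (sent, forwarded) in audit().items():
        print(f"{name:40s} sent={sent:8s} after rule={forwarded}")
```

Running it shows that the rule turns both the hand-set "1" and the explicit "0" of an IE10 user into "unset" before the application ever sees them, while the malformed value is left for the application to reject on its own.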

Leif Halvard Silli

@MarioLiebisch User preferences do not govern servers - users use user agents. So the Apache patch is not a violation of the cited requirement that DNT in user agents must be set by user's own choice.

It is Microsoft who has removed the choice for you. You can compare it with a political election between "yes" and "no" where the default is supposed to be "did not participate in the vote". If, in your constituency, they change the default to "no" so that even those that do not participate are counted as no votes, then those counting the votes cannot know whether the "no" votes are for real. And so, they must annul the election. Which would be a real pity. Especially for the sincere no voters. To, in that situation, point to the election rules and state that "it is not written in the rules that the election can be annulled if the rules are broken" would not bring anyone very far.

Allen Landsidel

@komputist Microsoft did not "remove the choice from you" for crying out loud. It's right there on the screen when (if) you choose Express, and regardless of choosing express or not, you can change your mind at any time in the future. You're really stretching (as are all on that side) to claim MS has done something wrong here, when it's painfully obvious that this patch does far more harm than the supposed violation by MS.

AndyCadley

@komputist The DNT preference is a preference for web applications. It's something between the end user and the web application. As it stands Apache is sat in the middle, silently changing this without the consent of either party.

And Microsoft haven't removed that choice. Nobody is arguing that. At worst, Microsoft suggested a setting to you and you blindly accepted it (which, arguably is true of every single browser), but at any point an IE10 user can go in and change that to whatever they want. They can do that during install, they can do it later, they can even sit there toggling it on and off to their hearts' content if it pleases them. Whatever they do, however, Apache is assuming they don't know what they're doing and choosing for them. Apache is effectively replacing it with "the preference of some institutional or network-imposed mechanism outside the user's control."

DanielStrul

@komputist: I said that I wouldn't intervene any more, but this misunderstanding is quite amazing really:
1) You guys think that this standard is worth fighting for? Most people agree with you on that (I don't but anyway)
2) You think that MS did something wrong? Some people agree, some disagree
3) You feel the ASF is entitled to play Internet cops? Very few people agree with you on that. I'll +1 @OscarGodson on this: "I don't WANT Apache to be the standards police. We never elected them to be enforcers of anything."
4) You feel the patch was an appropriate solution? Most ASF supporters see this patch as a dirty hack which should never make it into production.
If you want to begin to understand what's going on, my advice would be to really pay attention to points (3) and (4). Remaining stuck in your tracks without trying to get some perspective won't lead you very far I'm afraid.

Leif Halvard Silli

@alandsidel It is technically possible to participate in a rigged election. But the value of doing so is low. Microsoft tries, with bad or good intent - I don't know, to take advantage of a standard that requires that all parties abide by it.

@AndyCadley The problem is that the spec says that the way Microsoft has arranged it is not in line with the standard.

@DanielStrul I don't speak for any party - I just analyse. And my analysis tells me that Apache's move is not about policing. It is a move to save the standard. When striking an agreement - such as a standard, it is important to show that you mean it and defend the deal, even when it can be temporarily difficult to do so.

Allen Landsidel

@komputist what MS does or does not do is not my concern. This crummy, ill-informed, "standards"-breaking patch however is.

As far as MS is concerned, they are just doing what most users want the defaults to do. In so doing, they've illuminated how DNT fails out of the gate, while also exposing a sort of "clique" within the ASF that wants to punish them regardless of the impact on the httpd project, the desires of end users (of IE or of apache), or DNT as a whole.

AndyCadley

@komputist Again, where does it say it? What exact words are something Microsoft is not doing. I'm quite happy to believe it if someone can actually point it out, but I've read through the whole thing numerous times and can't find it. And everywhere in this thread and the Apache mailing lists people are simply asserting it as fact, despite nobody seeming to know why.

Step back from what you think you've heard, put aside personal bias, ignore for a moment that it's the big evil Microsoft and read the standard as if it were any other web browser offering exactly the same choice during installation that IE does. Then and only then, decide which part of the standard you think it's actually violating.

As far as Apache defending the standard, this move kills it stone dead. Instantly. If this patch is allowed to stand, there is no such thing as DNT, regardless of which browser you use, regardless of whether Microsoft's decision was or wasn't compliant. Your freedom to choose not to be tracked has been entirely eradicated by those claiming to be defending it. Even if you believe Microsoft are in violation, or that the spec is a flawed approach (and it is), allowing this kind of behaviour should be unacceptable, since it justifies those who want to track you doing so regardless of DNT on the grounds they don't like the way your browser let you choose.

DanielStrul

@komputist: Even if the ASF wanted to save this standard-to-be, using the Apache server near-monopoly to do so was very, very wrong. They are just using the same brute force tactics as MS, and I believe a lot of free software supporters won't easily accept that. Time (and the evolution of the nginx market share) will tell.

Mike Amundsen

Allen Landsidel

@mamund

5) No users of IE10 will be able to change the setting on sites they visit that are running apache with this absurd patch.

AndyCadley

@mamund Correction:

4) All users of IE10/Win8 will be able to easily change the default. Access to the setting works for even the most limited of user accounts as these are always per-user level settings (they can't change what the system default would be if they aren't Administrators, but that's pretty much a no-brainer)

Mike Amundsen

@alandsidel : yep, forgot that one:

6) No users of ASF will be able to change the setting on the user agents that are running IE10 with its [insert your emotional characterization]

thanks for the reminder

Leif Halvard Silli

@AndyCadley The exact spec text that Microsoft is not following has been cited at least 3 times on this page. But Apache is not defending a piece of paper but the signatures of that paper and the process around it. That's an important difference.

@alandsidel This is a standard. A convention. It is not a law. Where I live, I can get a stamp from the postal service and place it on my (snail) mail box to avoid receiving ads. But I have to place it there myself. Then the postal service stops sending me unaddressed ad mail. I myself have not placed that stamp there. And I don't want my neighbors to place it there "by default" for me. I want to control it myself. If law forbids ads, then, OK. But we are not there.

Keith Humm

@jimjag I certainly wouldn't commit a patch that blatantly disregards what I can only deem to be a valid piece of data (without further contextual information). And that's the problem, the working group has not made a decision on whether IE10 is compliant. ASF has, but ASF aren't the authority here. You have to assume at this stage that the header sent is sent from a compliant user agent, and utilise or forward it!

No one here is at consensus as to whether IE10 is compliant. Some think yes, some think no. httpd is making an assumption about a technically valid header based on data that does not exist, thereby unequivocally breaking the standard.

But, as many have said, it's not the point. Apache isn't a political sandbox!

Sebastian Schocke

@jimjag

No, but if someone is about to kill your wife, you are certainly within your right to smack him in the leg with a shovel

That would be debatable...

I understand the issue. The DNT standard only works if the majority of users never know of its existence, or CHOOSE to never make use of it, as @royfielding would have us believe. That's because it's not a law. So it's a standard that allows a select few to benefit...

Coming back to our analogy with my wife, let's take it a step further and see where we end up. She is walking down the street, somebody comes up behind her with a knife. I take the shovel and smack him in the leg. He proceeds to go to the police station and lays a case of assault against me. Can I prove that he did in fact want to kill my wife? Is it illegal to carry a knife in the street? Have I broken any laws? Who do you think will win this case?

The answers are simple: No, I can't prove it. No, it's not. Yes, I have. He will win.

Even if there were witnesses, the defense will ask them "How can you be sure he intended to stab Mrs X?" The answer is they can't. They can assume it, based on his behavior and carrying a knife in a threatening manner. But assumption is not beyond reasonable doubt.

Before I ramble any more, let's get back to the point. The ASF has decided to take millions of IE10 users hostage to try and enforce a standard... it's as simple as that. This is not the actions of a respectable open source foundation... it's the tactics of a monopolistic mega-corporation. The kind of tactics Microsoft would get crucified for (and have been crucified for in the past.)

If you insist on removing the DNT header sent by IE10, at least find a way of informing the user that you have done so. Silently removing a user preference (whether they picked it via Express settings or not) is atrocious.

I agree that MS are basically willfully trying to kill the DNT standard. What I don't agree with is the "eye for an eye" behavior.

PS. I have been following the httpd-dev mailing list, and see there is a general feeling of "we need to fix this", even if @royfielding and @gstein don't share that sentiment. I'm glad to see it.

ellier

This is a joke. Screw it, I'm tracking everyone in every site I build, host or support. User information is precious, and if Apache can ignore the choice of some users, so can I. Hey, I can even blame Apache for the tracking. Hey, I could even add every single browser out there to this patch. Let me change "MSIE 10.0;" to ".+".

<IfModule setenvif_module>
BrowserMatch ".+" bad_DNT
</IfModule>
<IfModule headers_module>
RequestHeader unset DNT env=bad_DNT
</IfModule>

Just forget this DNT thing ever existed. Happy tracking.

Tim Williams

Surprisingly... oddly... now'd be a good time to add a reference to Stand Your Ground[1]...

@sschocke: "Coming back to our analogy with my wife, let's take it a step further and see where we end up. She is walking down the street, somebody comes up behind her with a knife. I take the shovel and smack him in the leg. He proceeds to go to the police station and lays a case of assault against me."

The answers aren't "simple"... but in a 'stand your ground' state, you'd wish for more than a shovel such that he doesn't proceed... the defense isn't likely to question... but then, it'd suck to be your wife if the 'legal ramifications' are in your calculations of that particular situation:) yeah... that analogy has run its course:)

[1] - http://en.wikipedia.org/wiki/Stand-your-ground_law

Sebastian Schocke

@williamstw Why am I not surprised somebody would bring up a US state law. I was referring to an actual case, right here, in good old South Africa where I stay. See, it's not so clear cut as you believe. The analogy was a stupid one to begin with, as is usually the case with analogies.

The point I was trying to make right from the start is that responding to a perceived violation by a definite violation is hardly ever the right course of action. In self-defense, maybe it can still be acceptable. But who exactly is Apache defending with this patch? Definitely not itself because as repeatedly stated, Apache has no stake in the success or failure of DNT... or does it?

AndyCadley

@komputist No, it hasn't. I presume you think it's this bit, which has been hand-wavingly suggested a few times:

"Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control."

Which is rather vague wording at best (note it does not include any good standards language like MUST NOT, SHOULD NOT etc). So its interpretation is largely down to the reader to determine (which makes it a type (2) problem by the number scheme I suggested above).

Breaking it down and comparing against IE:

a) Key to that notion of expression is that it must reflect the user's preference - well the user made a choice, they either chose to go with the Express settings or Custom ones. Either way it is clearly written on the screen what the result of that choice means for your DNT preference. So it can't be violating this part.

b) "not the preference of some institutional or network-imposed mechanism outside the user's control" - At all times the user is in control of their DNT setting, from the moment they install (and make a choice) onwards it's always their decision. Even if that decision is to click Express settings and leave everything the way Microsoft recommends. Still not a violation.

Note the standard says absolutely nothing about the following (they were dismissed as UI issues, beyond the scope of the DNT standard):

1) Is there a default setting?
2) If there is a default, what should it be?
3) What constitutes an informed choice? And, more importantly, under what circumstances can a choice be considered uninformed and thus ignorable?
4) To what extent can a browser vendor suggest that a user should select a preference either way.
5) To what extent can a browser vendor recommend a particular setting either way.

Key to the discussion is the number of people claiming the standard says the browser must default to unset, when in fact it says no such thing whatsoever. And the very reason it doesn't is because you simply can't say there must be a default of "unset" without answering all those other more difficult questions.

jalfd

How is this commit not "deliberate abuse of open standards"? Heck, let's assume that IE10's default setting is indeed "deliberate abuse", and that it should not be tolerated by Apache.

How does that justify Apache deliberately ignoring said open standard for all those IE10 users who intentionally keep DNT enabled?

That strikes me as far more deliberate abuse than anything IE10 does. You're literally taking an open standard, and saying "we're going to ignore it, and make it fundamentally impossible for users to opt-in because we can't entirely rule out that someone, further down the line, may have also abused the same open standard."

IE10 is merely making an assumption about which setting users would prefer. But they make it possible for the user to make the choice they prefer. Apache is making it impossible for IE10 users to opt in to DNT. So clearly, Apache doesn't merely tolerate, but actively engages in, deliberate abuse of open standards to an extent far beyond anything IE10 does.

This is insane.

The interesting question is not whether Microsoft's decision is correct, or conformant with the DNT spec.
The question is how Apache can justify violating DNT for those IE10 users who have made an informed decision on the subject.

Suppose I download IE10, and just to show my intention, I open its settings, and disable DNT, and use that setting for a few hours. Then I go back and re-enable DNT. That is very much a deliberate action by me, the user, and it is perfectly conformant with the spirit and letter of DNT. What IE10 does by default, and what other IE10 users do, is completely irrelevant. I have made a deliberate choice to actively and manually enable DNT, and thus, I expect the setting to be honored.

And yet, according to this commit, Apache should ignore my deliberate choice, and strip away the DNT headers.

If that is not "deliberate abuse", I don't know what is.

DanielStrul

FWIW:

Sebastian Schocke

@DanielStrul thanks for sharing the link to the bug report. It has been a real eye opener. Not only does it show that the W3C consider IE10 to be compliant (at present at least), a sentiment that most people share, but also that the ASF is definitely not acting out of concern for the standard or users.

Secondly, the pretentiousness of @royfielding to close a bug report on something he did wrong with a simple WONTFIX just goes to show how far gone he is. He simply cannot admit that what he did was wrong, as if he is somehow above reproach because he did some good in the OSS community. Give me a break... Humility is the mark of true genius, not thinking you are better or smarter than everyone else.

Leif Halvard Silli

@sschocke You claim that "Not only does it show that the W3C consider IE10 to be compliant". But to be a member of the W3C working group does not give @jonathanmayer the authority to speak on behalf of W3C. (And I don't see that he claims to do so either - though he does claim to know what the group’s negotiations mean.)

Sebastian Schocke

@komputist

Justin Brookman from the Center for Democracy and Technology, another Editor, has helpfully summarized where the draft text stands on the released version of Internet Explorer 10:
It is inaccurate to say that IE10's implementation is inconsistent with the spec . . . . The Windows flow presents information about DNT along with several other options; as an opt-in flow, you could argue that DNT should be called out more prominently, but I have seen a lot worse

I did not say that Jonathan said any such thing. Simply that a comment made by him included the above statement. A compliance editor for the specification said it was inaccurate to say that IE10's implementation is inconsistent with the spec. And, let's be clear here... IE10 preview release was not up to spec. IE10's final implementation is. @royfielding submitted this patch days before the RTM version of IE10 was even available for testing, so he must have based his opinion on IE10 preview release.

Also, a comment such as this on the working group's mailing list:

certainly not through any action by the spineless W3C.
....Roy

just confirms how self-important he considers himself to be.

DanielStrul

@komputist, @sschocke: I hope my former post was not misleading. I believe @jonathanmayer only expressed his own POV, and never claimed otherwise. It seems to show, however, that @royfielding and/or the ASF (I'm not sure) acted on their own, without any explicit consent nor any explicit dissent from the W3C.
This hypothesis seems confirmed by the archives of the W3C's TPWG public mailing list, where some members have proposed to change the standard so that web servers would be explicitly forbidden to change/drop the DNT flag (http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0166.html), thus specifically forbidding this very patch.

patheticcockroach

@DanielStrul "change the standard so that web servers would be explicitly forbidden to change/drop the DNT flag" => Hm, I hope this would only apply to default configurations and not impose a lock of some sort...

DanielStrul

@patheticcockroach: I wouldn't worry to much about that, really. From what I've seen, @royfielding posted a rebuttal, and the discussion more or less stopped at that point. This proposal only shows that there is no real agreement within the Tracking Privacy Working Group to support the Apache config patch, but I'd suppose that there is no real agreement to oppose this patch either. With so many conflicting interests, it's generally difficult to reach an agreement on anything at all!

Allen Landsidel

@patheticcockroach @DanielStrul

1) IE10 is in full compliance with the last (now expired) IETF draft

6.3. Default

A user agent MAY adopt NO-EXPRESSED-PREFERENCE or OPT-OUT by default.
It MUST NOT transmit OPT-IN without explicit user consent.

2) IE10 is in full compliance with the current proposal.

A user agent MUST have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to use that agent
(... and ...)
We do not specify how tracking preference choices are offered to the user or how
the preference is enabled: each implementation is responsible for determining the
user experience by which a tracking preference is enabled

3) IE (non-)compliance is irrelevant to the patch itself, which leaves Apache in violation in its default configuration.

An HTTP intermediary must not add, delete, or modify the DNT header field in
requests forwarded through that intermediary unless that intermediary has been
specifically installed or configured to do so by the user making the requests
(... and ...)
Implementations of HTTP that are not under control of the user MUST NOT
generate or modify a tracking preference.

A lack of consensus does not indicate a lack of facts required to reach consensus. In this case, it simply appears that the facts are being ignored in order to push a "punish MS" agenda.

ChrisTX

@alandsidel I doubt it really has any point discussing that here - nobody relevant is listening anymore. You're wasting your time on some folks who are apparently unable to read that "Express" is a privacy setting (it says that in the screen's title) or that you can use custom to adapt it if you like.

It isn't about whether MS violated the standard or not here. If you look back, @royfielding has never said where he believes the RTM violates anything. It should be clear from the time line of events that the Apache PMC hasn't voted on the RTM. The weasel word 'default' riddles this thread mixed through by the claim that the "Express" settings were some kind of default, while they're not.

Furthermore, this doesn't even matter. Even if you want to see a violation on MS' side (the spec isn't too clear about what it says under 3 - it is fairly easy to interpret a violation in somewhere), this patch doesn't become more acceptable.

If the Apache PMC judged a release product based on a pre-release version of it, and accepted a patch that causes people in the EU to not be able to run Apache legally in the default configuration anymore (both of which are themselves unacceptable) - then it should be pretty clear that this was never intended to be a fair judgment of Microsoft's product in the first place. This is a political vendetta - and that's why arguing against those who claim it was a violation isn't worth your breath.

There will be lots of fanboys who don't want to understand that the PMC can't have judged IE RTM but want to see how MS gets kicked because of personal MS hate.
I originally joined this thread to point out the important differences between the PR and the RTM considering this matter while being sure that the RTM wasn't even judged. Personally, I believe there are better ways than a thread nobody reads to point this out. I'm out.

Sebastian Schocke

@ChrisTX I believe you have the right of it. It can be shown that the W3C feel this patch is unwanted, that some members of the ASF have come around to seeing it as well, and that @royfielding acted mostly on his own - using a pre-release version of IE10 to base his decisions on. I am unwatching this thread, as there is no discussion anymore.

Michael DeMutis
mhstern

Roy Fielding simply wants to see who has the bigger one and whether he can make Microsoft buckle before him. As a result, Apache gets more bloat, but who really cares about simple things like that? After all, every administrator can easily spend the two minutes to clean up the mess that one "important man" left in.

pcomitz

Unbelievable. Apache is no longer an open standard. A sad day for all. Has Apache become a vehicle for developers such as @royfielding to promote personal hatred and business bias? This is pure bullshit. Fielding has a clear conflict of interest. He should not be allowed to participate in open standards - which Apache httpd is not anymore because of this. Let @royfielding do whatever he wants in his own company's proprietary products. He should not be allowed to put proprietary practices into so called open standards. Just unf*&^ing believable.

Eric Covener

@pcomitz -- It's hard to tell if you're making stupid comments about a standard or stupider comments about a webserver, but I appreciate the Saturday morning puzzle.

Mark Rendle

@covener I notice that you never respond to well-reasoned, evidence-based criticisms of your team's actions from people who have taken the time to read the various drafts of the specification, the Express Settings screen in Windows 8, and the working group's mailing list archives.

Not so much of a puzzle, that.

Eric Covener

@markrendle that's because I'm not particularly interested in chapter and verse of DNT drafts, how Windows is configured, or what people on the WG mailing list have to say -- much less interested in them as some kind of validation or reproach of the team's "actions". I've primarily responded when the naivety or invective here has bubbled over. I don't feel obliged to respond to anything here.

Jim Jagielski

@OscarGodson

Nothing. I don't WANT Apache to be the standards police. Why do you?

The web of today ONLY exists because open source software like Apache (especially Apache) required and enforced the standards and protocols of that early web. Apache is supposed to be a fully compliant, basically reference implementation. That requires it being a standards police.

Todd
Oscar Godson

@jimjag interesting. I've always thought and seen open standards followed organically. But, if you have an example where "open" standards were forced and if not followed the implementors were punished by a third party, let me know. I've just never heard of that. I've always thought open standards were great because they were standards that everyone agreed upon enough to follow along and that users also had a voice by deciding which software they liked more.

Jim Jagielski

@OscarGodson Standards and protocols only work if they are agreed to and, just as important, abided by. That's how standards work. Your electrical plug is designed to abide by a standard. How would you feel if a plug manufacturer just decided to make both prongs "fat" instead of just the neutral one?

As far as "punished by a third party" I really don't understand your argument... But before you try to explain, do yourself a favor and do some investigation into what open standards and protocols actually mean, and how they work.

Oscar Godson

@jimjag if a manufacturer made that plug no one would buy it. Simple. And that's how standards work. Maybe you should read up on it. Open standards are not laws, which Apache and you feel like they are, they're standards. Google "define:standard" for more clarification.

Mark Rendle

@jimjag

Apache is supposed to be a fully compliant, basically reference implementation.

Please supply a link to the standard this reference implementation patch is fully complying with.

imanavg

Btw for the record, Eric Covener seems like a fucked up loser. As someone pointed out, he never responds to well reasoned arguments and replies like a douche bag. Someone, throw him out of Apache with his balls tied to Roy's via an aluminum string.

Oscar Godson

It appears someone on the Apache team is deleting new posts by people against this. @imanavg and @toddmbloom aren't showing despite getting emailed about the posts, but posts by people like @jimjag which are for the pull request are showing up.

AndyCadley

@covener Unfortunately that attitude comes across to everyone else as a rather naïve approach on your part to assuming commits by the likes of @royfielding are automatically in the best interest of Apache, which is clearly not the case.

@jimjag Right now Apache is the one that's not abiding by the standards, whereas IE is (or at least is in an arguably grey area). Apache most certainly isn't a "fully compliant, basically reference implementation" by any stretch of the imagination. Trying to take a moral high ground, when the actions of ASF are far worse than any supposed violation of the standard they're claiming to protect, is simply not going to wash.

Eric Covener

@OscarGodson I do think someone at the ASF can moderate them, but at least one of those referenced comments is up in the annotated revision section at the top instead of down in the thread.

Eric Covener

@AndyCadley I don't know what comments you're referring to, but to clarify my lack of interest in arguing about DNT and working groups has nothing to do with how much benefit of the doubt I give to @royfielding or any other contributor.

ellier

For @royfielding and anyone at the Apache Foundation.
http://www.zdnet.com/why-do-not-track-is-worse-than-a-miserable-failure-7000004634/

From the article: 'When the servers controlled by those big companies encounter a DNT=1 header, says Downey, "They have said they will stop serving targeted ads but will still collect and store and monetize data.”'

What a waste of time and resources.

karl

For the paper trail, a new version of the DNT specification has been published today. Determining user preference

A user agent MUST have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to use that agent. For example, use of a general-purpose browser would not imply a tracking preference when invoked normally as "SuperFred", but might imply a preference if invoked as "SuperDoNotTrack" or "UltraPrivacyFred". Likewise, a user agent extension or add-on MUST NOT alter the tracking preference unless the act of installing and enabling that extension or add-on is an explicit choice by the user for that tracking preference.

You can check the diff

AndyCadley

Well that's another epic @royfielding fail then. The phrase "unless a specific tracking preference is implied by the decision to use that agent" is quite possibly the most woolly and vague statement ever to make it into a specification. What exactly about an agent is supposed to imply a default tracking preference other than unset? As it stands, that's so open to interpretation that choosing a default is effectively up to the vendor.

The biggest irony of that, however, is that it's still entirely nullified by the subsequent paragraph "We do not specify..." so even if the decision to use Internet Explorer isn't enough to imply a different default, the choice screen given during install still means that IE is complying with the standard.

The one and only very clear improvement is in the following paragraph though: "Implementations of HTTP that are not under control of the user MUST NOT generate or modify a tracking preference." - which now makes it abundantly clear that Apache violates the standards whilst this patch is in place.

Oscar Godson

"Implied". Never use that word in laws or specs. You never really know what's implied and you can argue either way. Specs should be explicit.

Robert Bradley

Is there any particular reason why the core of Apache should care about DNT: at all? User tracking outside of the standard access/error logs should be dealt with by the web developers. The CGI/mod_whatever code has access to the user agent and custom headers, and can implement whatever policy is desired including simply not caring about the header from any user agent.

I imagine that long-term, Do-Not-Track will be a waste of time and end up in the same position as the P3P standard, which is all but ignored today. The only "solution" to tracking that I can see at present is going to be passing more legislation like the now-infamous cookie law (Directive 2002/58) around the world and enforcing it properly. The odds of that happening are around nil. (I make no claims as to whether that particular law is a good thing or not, merely that I cannot see why advertisers would voluntarily implement Do-Not-Track on the server end.)

Rob-S

The spec is pretty clear (now at least). "The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application that they communicate with ..." "Key to that notion of expression is that it MUST reflect the user's preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control."

Thanks, Apache for helping keep vendors on track to continue making forward progress. Progress with HTML came to a halt between 1997 and the end of 2010 because some vendor diverged from the standard (http://www.Html-5.com/html-versions-and-history.html#html-versions). Personal privacy options need to be implemented consistently, or they become useless to the developers.

http://Google.com/+RobertSimpson

Mark Rendle
AndyCadley

@Rob-S "Key to that notion of expression is that it MUST reflect the user's preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control."

Which it does with IE, unless you happen to be talking to an Apache server, in which case you're getting the choice of the ASF instead.

patheticcockroach

"Which it does with IE, unless you happen to be talking to an Apache server, in which case you're getting the choice of the ASF instead."
This bad faith is getting tiring. The casual user doesn't bother to review default settings, period. If you don't know it, you should have a walk in that remote thing we call the real world.

Rob-S

Prior to IE 10 and Windows 8, that was true, AndyCadley, but Microsoft changed those versions and is taking it upon themselves to set it by default: http://news.cnet.com/8301-10805_3-57448795-75/microsofts-do-not-track-default-in-ie10-violates-new-specs/ , http://news.cnet.com/8301-10805_3-57488991-75/windows-8-sticks-with-ie10-do-not-track-by-default/ By doing that, they have taken away the ability of the server to determine whether the USER has set the option or not, which is the requirement to determine when to disable tracking. In the older versions of IE where the server CAN determine the user's preference, you are not getting the choice of ASF (nor Microsoft's), but rather the user's, per the specs.

MarkRendle - I'm not sure whether or not you were being sarcastic regarding my comment about Microsoft going against the standards ... again ;-)

AndyCadley

@patheticcockroach If the argument is that the number of people who change the defaults is insignificant (which is probably true) then NOTHING at all represents a user's choice because, in effect, the only choice being made is that of the software provider in the vast majority of cases. You may dislike the way the choice is presented, but the standard explicitly excludes that from its scope.

@Rob-S IE does not have a default. There is an option during install at which the user has to make a choice. And the user is free to subsequently change their mind about that choice as much as they like. Users who are happy to be tracked can indicate to that effect at any point they like, just as users who'd prefer not to be tracked can. At no point is that decision up to Microsoft. However, what Apache is doing is entirely out of the control of the end-user; the preference is entirely the choice of ASF.

I'm using IE10 right now. I am very aware of what DNT is and what it means. I have actively chosen to have DNT enabled in my browser. Apache is deliberately overriding that choice and making it appear that I don't mind being tracked. In what possible sense is that following the spirit of the standard, let alone the wording?

johnfc2012

One thing I have noticed about this patch is that it is in a conf file rather than being in one of the source files. This is down to the administrator of the Apache server this is being installed on to change the conf files accordingly.

As an administrator, it would be nice to see the full list of headers and their meanings to see what else can be fixed, if required.

If something that is supposed to be off by default until a user turns it on is on by default, it's broken. Microsoft should fix their broken browser in the next patch release and then Apache wouldn't need to override the user's choices. It's a pity that there isn't a way to tell from the headers whether DNT is turned on by the browser or by a human.

@johnfc2012

For once, Microsoft didn't break anything. A choice is presented by the user and the user accepts it.

Robert Bradley

The present configuration file has the change present but commented out (3dd6fb6), which should keep most people happy.

@johnfc2012: In terms of Do-Not-Track, the header values are:

DNT: 0: Opt-in to tracking.
DNT: 1: Opt-out of tracking.
No header: Default option, i.e. whatever is done at present. Presumably this means that tracking is enabled.

All of the above assumes that the end server supports DNT, is not wilfully ignoring the header, and that no other rules or laws apply regarding consent to tracking. (DNT: 0 alone is probably not enough to avoid the drop-down cookie prompts that have become popular.)
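As an added example (not code from the commit or from anyone in this thread), here is a small Python script that applies the header semantics listed above and tallies the expressed DNT preference per browser family from access-log lines, so an administrator can measure the header rather than strip it. The LogFormat, the matching regex and the sample log lines are hypothetical and constructed for this example.

```python
# Added example: interpret the DNT request header as listed in the comment
# above ("0" opt-in, "1" opt-out, absent = unset) and tally it from access
# log lines, giving an administrator a view of the header without altering it.
#
# Assumed (hypothetical) Apache LogFormat that appends the DNT and User-Agent
# request headers after the status code; a missing header is logged as "-":
#   LogFormat "%h %t \"%r\" %>s \"%{DNT}i\" \"%{User-Agent}i\"" dnt
import re
from collections import Counter


def dnt_preference(value):
    """Map a DNT header value to the preference it expresses.

    Only the two defined values are honoured; a missing header or any other
    value is treated as unset (no expressed preference) rather than guessed.
    """
    if value is None:
        return "unset"
    v = value.strip()
    if v == "1":
        return "opt-out"
    if v == "0":
        return "opt-in"
    return "unset"  # malformed or unknown value: do not infer a preference


# Regex for the assumed log format above (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<dnt>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line):
    """Return a dict with host, expressed DNT preference and User-Agent, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    dnt = None if m.group("dnt") == "-" else m.group("dnt")
    return {"host": m.group("host"), "dnt": dnt_preference(dnt), "ua": m.group("ua")}


def tally_by_agent(lines):
    """Count expressed DNT preferences per coarse browser family.

    The "MSIE 10.0;" token is the same one the commit's BrowserMatch uses;
    here it is only used to group requests, never to change the header.
    """
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than miscount
        family = "MSIE 10" if "MSIE 10.0;" in rec["ua"] else "other"
        counts[(family, rec["dnt"])] += 1
    return counts


# Constructed sample lines in the assumed format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 [11/Aug/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 "1" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"',
    '203.0.113.6 [11/Aug/2012:10:00:01 +0000] "GET /a HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/15.0"',
    '203.0.113.7 [11/Aug/2012:10:00:02 +0000] "GET /b HTTP/1.1" 404 "0" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"',
    '203.0.113.8 [11/Aug/2012:10:00:03 +0000] "GET /c HTTP/1.1" 200 "yes" "curl/7.26.0"',
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for key, n in sorted(tally_by_agent(SAMPLE_LOG).items()):
        print(key, n)
```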

karl

Second, the DNT standard should not let websites "second-guess" or disregard
user choices. Recently, there were reports about a popular web server
introducing a feature that amounted to overriding the DNT signal; in effect,
ignoring users' wishes. I find that troubling, and undesirable.

Speech Transcript about DNT by European Community VP Neelie Kroes

Michael DeMutis

I daresay that DNT is dead now anyway:

The tracking community still wants to log and track even if you say you don't want to be - http://www.zdnet.com/the-do-not-track-standard-has-crossed-into-crazy-territory-7000005502/

And the EU seems to think that DNT isn't enough for uniform opt-out of tracking - http://www.out-law.com/en/articles/2012/october/eu-steps-back-from-insistence-that-do-not-track-standard-is-cookie-law-compliant/

theitsystem

Wow! I'm brand new to this world, so for all intents and purposes I'm a user not a developer (16 years of Microsoft dev for desktops has taught me none of what I'm now dedicated to learning about web dev).

I want my browser to be intelligent and know what I use it for. The fact that I don't use IE anyway makes this a pretty moot point, but I am a fan of Microsoft still.

My take on the reasoning behind defaulting to a paranoid escape hatch is that Microsoft wants to cut off revenue streams to Google. It's a shortsighted approach and a great way to diminish value in their own browser and possibly even their operating system. The end result is going to be this: [I'm using IE on Windows 8 and having a crappy experience, how do I fix that? I'll download Chrome or FireFox and I won't have this problem.] If Apache is doing anything for Microsoft it's a favor not harm.

All of that said, my 2 cents is that unless you can show how breaking the end user's settings, whether they chose it or not, is going to make communication between the browser and the site work better, then this is a personal vendetta or an architectural vendetta between those who voted to commit and the makers of the browser that it affects. Reading this makes me think that Roy (the guy whose finger pressed the button) has been unfairly singled out. If everyone else on the Apache board bows to Roy then shame on them for being so weak, but stop beating on him as an individual.

The bottom line is that this is transparent, we are lucky to have such transparency, and anyone attacking a person instead of just moving to their preferred server and letting bad products die is wrong in their moral choices. There is no crying in software!

Tobias "ToBeFree" Frei

Full support! I don't think the patch is "in a hate filled spirit"; it just shows how bad Microsoft's decision to violate this standard was.

cellardoorstop

I'm no expert on this but ... Since it's known that a vast majority of folks do not want to be tracked, why don't standards simply say Do Not Track Ever? And then somebody can create an Add On that does track those few folks that do want to be tracked.

Tobias "ToBeFree" Frei

@cellardoorstop: Guess what, because no advertising company would implement DNT then.
