Apache does not tolerate deliberate abuse of open standards
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1371878 13f79535-47bb-0310-9956-ffa450edef68
royfielding committed Aug 11, 2012
1 parent 9843179 commit a381ff3
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions docs/conf/httpd.conf.in
Expand Up @@ -409,3 +409,13 @@ Include @rel_sysconfdir@/extra/proxy-html.conf
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

# Deal with user agents that deliberately violate open standards

doot0 Sep 11, 2012

This is entirely subjective.

On whose authority does IE10 violate open standards?

imanavg Sep 12, 2012

Why should MS change their code? They are actually compliant with the spec. This patch overrides the choice of a vast majority of users who select express settings by choice and are the sole users of their PC. This patch is really in a hate-filled spirit, which is sad.

#
<IfModule setenvif_module>
BrowserMatch "MSIE 10.0;" bad_DNT

IDisposable Sep 11, 2012

Singles out one version of one browser, who's going to maintain the list of "violates Roy's vision" when he finds another windmill to tilt at?

mhstern Sep 20, 2012

Roy Fielding simply wants to see who has the bigger one and whether he can make Microsoft buckle before him. As a result, Apache gets more bloat, but who really cares about simple things like that? After all, every administrator can easily spend the two minutes to clean up the mess that one "important man" left in.

</IfModule>
<IfModule headers_module>
RequestHeader unset DNT env=bad_DNT

IDisposable Sep 11, 2012

Violates the DNT specification by not respecting user's choice

</IfModule>
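
Review bot: `BrowserMatch "MSIE 10.0;" bad_DNT` keys only on the User-Agent string, so `RequestHeader unset DNT env=bad_DNT` removes the header from every request that matches, including requests where the user turned DNT on deliberately; nothing in the request distinguishes the two cases. The comment line above the block also does not name the header being dropped or tell an administrator how to turn the behaviour off. Suggest shipping both blocks commented out in httpd.conf.in so the behaviour is opt-in, or at minimum expanding the comment to state that DNT is unset for matching agents. The pattern is also an unanchored regex in which `.` matches any character; `MSIE 10\.0;` would be tighter.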

367 comments on commit a381ff3

@DanielStrul

@komputist: I said that I wouldn't intervene any more, but this misunderstanding is quite amazing really:

  1. You guys think that this standard is worth fighting for? Most people agree with you on that (I don't but anyway)
  2. You think that MS did something wrong? Some people agree, some disagree
  3. You feel the ASF is entitled to play Internet cops? Very few people agree with you on that. I'll +1 @OscarGodson on this: "I don't WANT Apache to be the standards police. We never elected them to be enforcers of anything."
  4. You feel the patch was an appropriate solution? Most ASF supporters see this patch as a dirty hack which should never make it into production.

If you want to begin to understand what's going on, my advice would be to really pay attention to points (3) and (4). Remaining stuck in your tracks without trying to get some perspective won't lead you very far I'm afraid.

@komputist

@alandsidel It is technically possible to participate in a rigged election. But the value of doing so is low. Microsoft tries, with bad or good intent - I don't know, to take advantage of a standard that requires that all parties abide by it.

@AndyCadley The problem is that the spec says that the way Microsoft has arranged it, is not in line with the standard.

@DanielStrul I don't speak for any party - I just analyse. And my analysis tells me that Apache's move is not about policing. It is a move to save the standard. When striking an agreement - such as a standard, it is important to show that you mean it and defend the deal, even when it can be temporally difficult to do so.

@alandsidel

@komputist what MS does or does not do is not my concern. This crummy, ill-informed, "standards"-breaking patch however is.

As far as MS is concerned, they are just doing what most users want the defaults to do. In so doing, they've illuminated how DNT fails out of the gate, while also exposing a sort of "cliquel" within the ASF that wants to punish them regardless of the impact on the httpd project, the desires of end users (of IE or of apache), or DNT as a whole.

@AndyCadley

@komputist Again, where does it say it? What exact words are something Microsoft is not doing. I'm quite happy to believe it if someone can actually point it out, but I've read through the whole thing numerous times and can't find it. And everywhere in this thread and the Apache mailing lists people are simply asserting it as fact, despite nobody seeming to know why.

Step back from what you think you've heard, put aside personal bias, ignore for a moment that it's the big evil Microsoft and read the standard as if it were any other web browser offering exactly the same choice during installation that IE does. Then and only then, decide which part of the standard you think it's actually violating.

As far as Apache defending the standard, this move kills it stone dead. Instantly. If this patch is allowed to stand, there is no such thing as DNT, regardless of which browser you use, regardless of whether Microsoft's decision was or wasn't compliant. Your freedom to choose not to be tracked has been entirely eradicated by those claiming to be defending it. Even if you believe Microsoft are in violation, or that the spec is a flawed approach (and it is), allowing this kind of behaviour should be unacceptable, since it justifies those who want to track you doing so regardless of DNT on the grounds they don't like the way your browser let you choose.

@DanielStrul

@komputist: Even if the ASF wanted to save this standard-to-be, using the Apache server near-monopoly to do so was very, very wrong. They are just using the same brute force tactics as MS, and I believe a lot of free software supporters won't easily accept that. Time (and the evolution of the nginx market share) will tell.

@mamund
mamund commented on a381ff3 Sep 13, 2012 via email

@alandsidel

@mamund

  1. No users of IE10 will be able to change the setting on sites they visit that are running apache with this absurd patch.

@AndyCadley

@mamund Correction:

  1. All users of IE10/Win8 will be able to easily change the default. Access to the setting works for even the most limited of user accounts as these are always per-user level settings (they can't change what the system default would be if they aren't Administrators, but that's pretty much a no-brainer)

@mamund
mamund commented on a381ff3 Sep 13, 2012

@alandsidel : yep, forgot that one:

  1. No users of ASF will be able to change the setting on the user agents that are running IE10 with its [insert your emotional characterization]

thanks for the reminder

@komputist

@AndyCadley The exact spec text that Microsoft is not following, has been cited at least 3 times on this page. But Apache is not defending a piece of paper but the signatures of that paper and the process around it. That's an important difference.

@alandsidel This is a standard. A convention. It is not a law. Where I live, I can get a stamp from the postal service and place it on my (snail) mail box to avoid receiving ads. But I have to place it there myself. Then the postal service stops sending me unaddressed ad mail. I myself have not placed that stamp there. And I don't want my neighbors to place it there "by default" for me. I want to control it myself. If law forbids ads, then, OK. But we are not there.

@spronkey

@jimjag I certainly wouldn't commit a patch that blatantly disregards what I can only deem to be a valid piece of data (without further contextual information). And that's the problem, the working group has not made a decision on whether IE10 is compliant. ASF has, but ASF aren't the authority here. You have to assume at this stage that the header sent is sent from a compliant user agent, and utilise or forward it!

No one here is at consensus as to whether IE10 is compliant. Some think yes, some think no. httpd is making an assumption about a technically valid header based on data that does not exist, thereby unequivocally breaking the standard.

But, as many have said, it's not the point. Apache isn't a political sandbox!

@sschocke

@jimjag

No, but if someone is about to kill your wife, you are certainly within your right to smack him in the leg with a shovel

That would be debatable...

I understand the issue. The DNT standard only works if the majority of users never know of its existence, or CHOOSE to never make use of it, as @royfielding would have us believe. That's because it's not a law. So it's a standard that allows a select few to benefit...

Coming back to our analogy with my wife, let's take it a step further and see where we end up. She is walking down the street, somebody comes up behind her with a knife. I take the shovel and smack him in the leg. He proceeds to go to the police station and lays a case of assault against me. Can I prove that he did in fact want to kill my wife? Is it illegal to carry a knife in the street? Have I broken any laws? Who do you think will win this case?

The answers are simple: No, I can't prove it. No, it's not. Yes, I have. He will win.

Even if there were witnesses, the defense will ask them "How can you be sure he intended to stab Mrs X?" The answer is they can't. They can assume it, based on his behavior and carrying a knife in a threatening manner. But assumption is not beyond reasonable doubt.

Before I ramble any more, let's get back to the point. The ASF has decided to take millions of IE10 users hostage to try and enforce a standard... it's as simple as that. This is not the actions of a respectable open source foundation... it's the tactics of a monopolistic mega-corporation. The kind of tactics Microsoft would get crucified for (and have been crucified for in the past.)

If you insist on removing the DNT header sent by IE10, at least find a way of informing the user that you have done so. Silently removing a user preference (whether they picked it via Express settings or not) is atrocious.

I agree that MS are basically willfully trying to kill the DNT standard. What I don't agree with is the "eye for an eye" behavior.

PS. I have been following the httpd-dev mailing list, and see there is a general feeling of "we need to fix this", even if @royfielding and @gstein don't share that sentiment. I'm glad to see it.

@ellier
ellier commented on a381ff3 Sep 14, 2012

This is a joke. Screw it, I'm tracking everyone in every site I build, host or support. User information is precious, and if Apache can ignore the choice of some users, so can I. Hey, I can even blame Apache for the tracking. Hey, I could even add every single browser out there to this patch. Let me change "MSIE 10.0;" to ".+".

<IfModule setenvif_module>
BrowserMatch ".+" bad_DNT
</IfModule>
<IfModule headers_module>
RequestHeader unset DNT env=bad_DNT
</IfModule>

Just forget this DNT thing ever existed. Happy tracking.

@williamstw

Surprisingly... oddly... now'd be a good time to add a reference to Stand Your Ground[1]...

@sschocke: "Coming back to our analogy with my wife, let's take it a step further and see where we end up. She is walking down the street, somebody comes up behind her with a knife. I take the shovel and smack him in the leg. He proceeds to go to the police station and lays a case of assault against me."

The answers aren't "simple"... but in a 'stand your ground' state, you'd wish for more than a shovel such that he doesn't proceed... the defense isn't likely to question... but then, it'd suck to be your wife if the 'legal ramifications' are in your calculations of that particular situation:) yeah... that analogy has run its course:)

[1] - http://en.wikipedia.org/wiki/Stand-your-ground_law

@sschocke

@williamstw Why am I not surprised somebody would bring up a US state law. I was referring to an actual case, right here, in good old South Africa where I stay. See, it's not so clear cut as you believe. The analogy was a stupid one to begin with, as is usually the case with analogies.

The point I was trying to make right from the start is that responding to a perceived violation by a definite violation is hardly ever the right course of action. In self-defense, maybe it can still be acceptable. But who exactly is Apache defending with this patch? Definitely not itself because as repeatedly stated, Apache has no stake in the success or failure of DNT... or does it?

@AndyCadley

@komputist No, it hasn't. I presume you think it's this bit, which has been hand-wavingly suggested a few times:

"Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control."

Which is rather vague wording at best (note it does not include any good standards language like MUST NOT, SHOULD NOT etc). So its interpretation is largely down to the reader to determine (which makes it a type (2) problem by the number scheme I suggested above).

Breaking it down and comparing against IE:

a) Key to that notion of expression is that it must reflect the user's preference - well the user made a choice, they either chose to go with the Express settings or Custom ones. Either way it is clearly written on the screen what the result of that choice means for your DNT preference. So it can't be violating this part.

b) "not the preference of some institutional or network-imposed mechanism outside the user's control" - At all times the user is in control of their DNT setting, from the moment they install (and make a choice) onwards it's always their decision. Even if that decision is to click Express settings and leave everything the way Microsoft recommends. Still not a violation.

Note the standard says absolutely nothing about the following (they were dismissed as UI issues, beyond the scope of the DNT standard):

  1. Is there a default setting?
  2. If there is a default, what should it be?
  3. What constitutes an informed choice? And, more importantly, under what circumstances can a choice be considered uninformed and thus ignorable?
  4. To what extent can a browser vendor suggest that a user should select a preference either way.
  5. To what extent can a browser vendor recommend a particular setting either way.

Key to the discussion is the number of people claiming the standard says the browser must default to unset, when in fact it says no such thing whatsoever. And the very reason it doesn't is because you simply can't say there must be a default of "unset" without answering all those other more difficult questions.

@jalfd
jalfd commented on a381ff3 Sep 14, 2012

How is this commit not "deliberate abuse of open standards"? Heck, let's assume that IE10's default setting is indeed "deliberate abuse", and that it should not be tolerated by Apache.

How does that justify Apache deliberately ignoring said open standard for all those IE10 users who intentionally keep DNT enabled?

That strikes me as far more deliberate abuse than anything IE10 does. You're literally taking an open standard, and saying "we're going to ignore it, and make it fundamentally impossible for users to opt-in because we can't entirely rule out that someone, further down the line, may have also abused the same open standard."

IE10 is merely making an assumption about which setting users would prefer. But they make it possible for the user to make the choice they prefer. Apache is making it impossible for IE10 users to opt in to DNT. So clearly, Apache doesn't merely tolerate, but actively engages in, deliberate abuse of open standards to an extent far beyond anything IE10 does.

This is insane.

The interesting question is not whether Microsoft's decision is correct, or conformant with the DNT spec.
The question is how Apache can justify violating DNT for those IE10 users who have made an informed decision on the subject.

Suppose I download IE10, and just to show my intention, I open its settings, and disable DNT, and use that setting for a few hours. Then I go back and re-enable DNT. That is very much a deliberate action by me, the user, and it is perfectly conformant with the spirit and letter of DNT. What IE10 does by default, and what other IE10 users do, is completely irrelevant. I have made a deliberate choice to actively and manually enable DNT, and thus, I expect the setting to be honored.

And yet, according to this commit, Apache should ignore my deliberate choice, and strip away the DNT headers.

If that is not "deliberate abuse", I don't know what is.
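
To make the effect argued over in this thread concrete, here is an added example (not code from the commit, the httpd project or any commenter) that models the two directives in Python and applies both the committed config and the `.+` variant posted above to constructed requests. The helper names and the sample User-Agent strings are assumptions of the example, Python's `re` stands in for httpd's regex engine, and both `<IfModule>` sections are assumed to be active.

```python
import re

# Directives from the commit's hunk, copied from this page.
COMMITTED = '''
<IfModule setenvif_module>
BrowserMatch "MSIE 10.0;" bad_DNT
</IfModule>
<IfModule headers_module>
RequestHeader unset DNT env=bad_DNT
</IfModule>
'''
# Variant posted in the thread: match every non-empty User-Agent.
CATCH_ALL = COMMITTED.replace('"MSIE 10.0;"', '".+"')

# Constructed sample User-Agent strings (not captured traffic).
UA_IE10 = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
UA_OTHER = "Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0"


def tokens(line):
    """Split a directive line into words, keeping quoted strings whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', line)]


def parse(conf):
    """Collect BrowserMatch[NoCase] rules and 'RequestHeader unset' rules."""
    ua_rules, unset_rules = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":  # comments; section tags assumed active
            continue
        t = tokens(line)
        name = t[0].lower()
        if name in ("browsermatch", "browsermatchnocase") and len(t) >= 3:
            flags = re.IGNORECASE if name.endswith("nocase") else 0
            ua_rules.append((t[1], re.compile(t[1], flags), t[2:]))
        elif name == "requestheader" and len(t) >= 3 and t[1].lower() == "unset":
            cond = next((c[4:] for c in t[3:] if c.startswith("env=")), None)
            unset_rules.append((t[2].lower(), cond))
    return ua_rules, unset_rules


def sets(actions):
    """Variable names a rule sets ('!var' clears a variable instead)."""
    return {a.split("=")[0] for a in actions if not a.startswith("!")}


def request_env(ua_rules, user_agent):
    """Environment variables in effect for one request, rules applied in order."""
    env = set()
    for _pattern, regex, actions in ua_rules:
        if regex.search(user_agent):
            env |= sets(actions)
            env -= {a[1:] for a in actions if a.startswith("!")}
    return env


def forwarded_headers(conf, headers):
    """Request headers left for the application after the unset rules run."""
    ua_rules, unset_rules = parse(conf)
    env = request_env(ua_rules, headers.get("User-Agent", ""))
    out = dict(headers)
    for header, cond in unset_rules:
        if cond is None:
            fire = True                      # unconditional unset
        elif cond.startswith("!"):
            fire = cond[1:] not in env       # env=!var
        else:
            fire = cond in env               # env=var
        if fire:
            for key in [k for k in out if k.lower() == header]:
                del out[key]
    return out


def dnt_stripping_patterns(conf):
    """User-Agent patterns whose matches lose the DNT request header."""
    ua_rules, unset_rules = parse(conf)
    gated = {c for h, c in unset_rules if h == "dnt" and c and not c.startswith("!")}
    return [p for p, _regex, actions in ua_rules if gated & sets(actions)]


if __name__ == "__main__":
    # An IE10 user who accepted Express settings and one who switched DNT on
    # by hand send the same headers, so one request stands for both of them.
    for label, ua in (("IE10", UA_IE10), ("other", UA_OTHER)):
        print(label, forwarded_headers(COMMITTED, {"User-Agent": ua, "DNT": "1"}))
    print(dnt_stripping_patterns(COMMITTED), dnt_stripping_patterns(CATCH_ALL))
```

The same `dnt_stripping_patterns` call can be pointed at a site's own config text to list which user agents would have the header removed.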

@DanielStrul

FWIW:

@sschocke

@DanielStrul thanks for sharing the link to the bug report. It has been a real eye opener. Not only does it show that the W3C consider IE10 to be compliant (at present at least), a sentiment that most people share, but also that the ASF is definitely not acting out of concern for the standard or users.

Secondly, the pretentiousness of @royfielding to close a bug report on something he did wrong with a simple WONTFIX just goes to show how far gone he is. He simply cannot admit that what he did was wrong, as if he is somehow above reproach because he did some good in the OSS community. Give me a break... Humility is the mark of true genius, not thinking you are better or smarter than everyone else.

@komputist

@sschocke You claim that "Not only does it show that the W3C consider IE10 to be compliant". But to be a member of the W3C working group does not give @jonathanmayer the authority to speak on behalf of W3C. (And I don't see that he claims to do so either - though he does claim to know what the group’s negotiations mean.)

@sschocke

@komputist

Justin Brookman from the Center for Democracy and Technology, another Editor, has helpfully summarized where the draft text stands on the released version of Internet Explorer 10:
It is inaccurate to say that IE10's implementation is inconsistent with the spec . . . . The Windows flow presents information about DNT along with several other options; as an opt-in flow, you could argue that DNT should be called out more prominently, but I have seen a lot worse

I did not say that Jonathan said any such thing. Simply that a comment made by him included the above statement. A compliance editor for the specification said it was inaccurate to say that IE10's implementation is inconsistent with the spec. And, let's be clear here... IE10 preview release was not up to spec. IE10's final implementation is. @royfielding submitted this patch days before the RTM version of IE10 was even available for testing, so he must have based his opinion on IE10 preview release.

Also, a comment such as this on the working group's mailing list:

certainly not through any action by the spineless W3C.
....Roy

just confirms how self-important he considers himself to be.

@DanielStrul

@komputist, @sschocke: I hope my former post was not misleading. I believe @jonathanmayer only expressed his own POV, and never claimed otherwise. It seems to show, however, that @royfielding and/or the ASF (I'm not sure) acted on their own, without any explicit consent nor without any explicit dissent from the W3C.
This hypothesis seems confirmed by the archives of the W3C's TPWG public mailing list, where some members have proposed to change the standard so that web servers would be explicitly forbidden to change/drop the DNT flag (http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0166.html), thus specifically forbidding this very patch.

@patheticcockroach

@DanielStrul "change the standard so that web servers would be explicitly forbidden to change/drop the DNT flag" => Hm, I hope this would only apply to default configurations and not impose a lock of some sort...

@DanielStrul

@patheticcockroach: I wouldn't worry too much about that, really. From what I've seen, @royfielding posted a rebuttal, and the discussion more or less stopped at that point. This proposal only shows that there is no real agreement within the Tracking Privacy Working Group to support the Apache config patch, but I'd suppose that there is no real agreement to oppose this patch either. With so many conflicting interests, it's generally difficult to reach an agreement on anything at all!

@alandsidel

@patheticcockroach @DanielStrul

  1. IE10 is in full compliance with the last (now expired) IETF draft

6.3. Default

A user agent MAY adopt NO-EXPRESSED-PREFERENCE or OPT-OUT by default.
It MUST NOT transmit OPT-IN without explicit user consent.

  1. IE10 is in full compliance with the current proposal.

A user agent MUST have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to use that agent
(... and ...)
We do not specify how tracking preference choices are offered to the user or how
the preference is enabled: each implementation is responsible for determining the
user experience by which a tracking preference is enabled

  1. IE (non-)compliance is irrelevant to the patch itself, which leaves apache in violation in its default configuration.

An HTTP intermediary must not add, delete, or modify the DNT header field in
requests forwarded through that intermediary unless that intermediary has been
specifically installed or configured to do so by the user making the requests
(... and ...)
Implementations of HTTP that are not under control of the user MUST NOT
generate or modify a tracking preference.

A lack of consensus does not indicate a lack of facts required to reach consensus. In this case, it simply appears that the facts are being ignored in order to push a "punish MS" agenda.

@ChrisTX

@alandsidel I doubt it really has any point discussing that here - nobody relevant is listening anymore. You're wasting your time on some folks who are apparently unable to read that "Express" is a privacy setting (it says that in the screen's title) or that you can use custom to adapt it if you like.

It isn't about whether MS violated the standard or not here. If you look back, @royfielding has never said where he believes the RTM violates anything. It should be clear from the time line of events that the Apache PMC hasn't voted on the RTM. The weasel word 'default' riddles this thread mixed through by the claim that the "Express" settings were some kind of default, while they're not.

Furthermore, this doesn't even matter. Even if you want to see a violation on MS' side (the spec isn't too clear about what it says under 3 - it is fairly easy to interpret a violation in somewhere), this patch doesn't become more acceptable.

If the Apache PMC judged a release product based on a pre-release version of it, and accepted a patch that causes people in the EU to not be able to run Apache legally in the default configuration anymore (of which both things itself are unacceptable) - then it should be pretty clear that this was never intended to be a fair judgment of Microsoft's product in the first place. This is a political vendetta - and that's why arguing against those who claim it was a violation isn't worth your breath.

There will be lots of fanboys who don't want to understand that the PMC can't have judged IE RTM but want to see how MS gets kicked because of personal MS hate.
I originally joined this thread to point out the important differences between the PR and the RTM considering this matter while being sure that the RTM wasn't even judged. Personally, I believe there are better ways than a thread nobody reads to point this out. I'm out.

@sschocke

@ChrisTX I believe you have the right of it. It can be shown that the W3C feel this patch is unwanted, that some members of the ASF have come around to seeing it as well, and that @royfielding acted mostly out of his own - using a pre-release version of IE10 to base his decisions on. I am unwatching this thread, as there is no discussion anymore.

@Fever905
Fever905 commented on a381ff3 Sep 17, 2012 via email

@pcomitz

Unbelievable. Apache is no longer an open standard. A sad day for all. Has Apache become a vehicle for developers such as @royfielding to promote personal hatred and business bias? This is pure bullshit. Fielding has a clear conflict of interest. He should not be allowed to participate in open standards - which Apache httpd is not anymore because of this. Let @royfielding do whatever he wants in his own company's proprietary products. He should not be allowed to put proprietary practices into so-called open standards. Just unf*&^ing believable.

@covener
Member

@pcomitz -- It's hard to tell if you're making stupid comments about a standard or stupider comments about a webserver, but I appreciate the Saturday morning puzzle.

@markrendle

@covener I notice that you never respond to well-reasoned, evidence-based criticisms of your team's actions from people who have taken the time to read the various drafts of the specification, the Express Settings screen in Windows 8, and the working group's mailing list archives.

Not so much of a puzzle, that.

@covener
Member

@markrendle that's because I'm not particularly interested in chapter and verse of DNT drafts, how Windows is configured, or what people on the WG mailing list have to say -- much less interested in them as some kind of validation or reproach of the team's "actions". I've primarily responded when the naivety or invective here has bubbled over. I don't feel obliged to respond to anything here.

@jimjag
Member
jimjag commented on a381ff3 Sep 22, 2012

@OscarGodson

Nothing. I don't WANT Apache to be the standards police. Why do you?

The web of today ONLY exists because open source software like Apache (especially Apache) required and enforced the standards and protocols of that early web. Apache is supposed to be a fully compliant, basically reference implementation. That requires it being a standards police.

@OscarGodson

@jimjag interesting. I've always thought and seen open standards followed organically. But, if you have an example where "open" standards were forced and if not followed the implementors were punished by a third party let me know. I've just never heard of that. I've always thought open standards were great because they were standards that everyone agreed upon enough to follow along and that users also had a voice by deciding which software they liked more.

@jimjag
Member
jimjag commented on a381ff3 Sep 22, 2012

@OscarGodson Standards and protocols only work if they are agreed to and, just as important, abided by. That's how standards work. Your electrical plug is designed to abide by a standard. How would you feel if a plug manufacturer just decided to make both prongs "fat" instead of just the neutral one?

As far as "punished by a third party" I really don't understand your argument... But before you try to explain, do yourself a favor and do some investigation into what open standards and protocols actually mean, and how they work.

@OscarGodson

@jimjag if a manufacturer made that plug no one would buy it. Simple. And that's how standards work. Maybe you should read up on it. Open standards are no laws, which Apache and you feel like they are, they're standards. Google "define:standard" for more clarification.

@markrendle

@jimjag

Apache is supposed to be a fully compliant, basically reference implementation.

Please supply a link to the standard this reference implementation patch is fully complying with.

@OscarGodson

It appears someone on the Apache team is deleting new posts by people against this. @imanavg and @toddmbloom aren't showing despite getting emailed about the posts, but posts by people like @jimjag which are for the pull request are showing up.

@AndyCadley

@covener Unfortunately that attitude comes across to everyone else as a rather naïve approach on your part to assuming commits by the likes of @royfielding are automatically in the best interest of Apache, which is clearly not the case.

@jimjag Right now Apache is the one that's not abiding by the standards, whereas IE is (or at least is in an arguably grey area). Apache most certainly isn't a "fully compliant, basically reference implementation" by any stretch of the imagination. Trying to take a moral high ground, when the actions of ASF are far worse than any supposed violation of the standard they're claiming to protect, is simply not going to wash.

@covener
Member

@OscarGodson I do think someone at the ASF can moderate them, but at least one of those referenced comments is up in the annotated revision section at the top instead of down in the thread.

@covener
Member

@AndyCadley I don't know what comments you're referring to, but to clarify my lack of interest in arguing about DNT and working groups has nothing to do with how much benefit of the doubt I give to @royfielding or any other contributor.

@ellier
@ellier ellier commented on a381ff3 Sep 23, 2012

For @royfielding and anyone at the Apache Foundation.
http://www.zdnet.com/why-do-not-track-is-worse-than-a-miserable-failure-7000004634/

From the article: 'When the servers controlled by those big companies encounter a DNT=1 header, says Downey, "They have said they will stop serving targeted ads but will still collect and store and monetize data."'

What a waste of time and resources.

@karlcow
@karlcow karlcow commented on a381ff3 Oct 2, 2012

For the paper trail, a new version of the DNT specification has been published today.

Determining user preference

A user agent MUST have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to use that agent. For example, use of a general-purpose browser would not imply a tracking preference when invoked normally as "SuperFred", but might imply a preference if invoked as "SuperDoNotTrack" or "UltraPrivacyFred". Likewise, a user agent extension or add-on MUST NOT alter the tracking preference unless the act of installing and enabling that extension or add-on is an explicit choice by the user for that tracking preference.

You can check the diff

@AndyCadley

Well that's another epic @royfielding fail then. The phrase "unless a specific tracking preference is implied by the decision to use that agent" is quite possibly the most woolly and vague statement ever to make it into a specification. What exactly about an agent is supposed to imply a default tracking preference other than unset? As it stands, that's so open to interpretation that choosing a default is effectively up to the vendor.

The biggest irony of that, however, is that it's still entirely nullified by the subsequent paragraph "We do not specify..." so even if the decision to use Internet Explorer isn't enough to imply a different default, the choice screen given during install still means that IE is complying with the standard.

The one and only very clear improvement is in the following paragraph though: "Implementations of HTTP that are not under control of the user MUST NOT generate or modify a tracking preference." - which now makes it abundantly clear that Apache violates the standards whilst this patch is in place.

@OscarGodson

"Implied". Never use that word in laws or specs. You never really know what's implied and you can argue either way. Specs should be explicit.

@rb12345
@rb12345 rb12345 commented on a381ff3 Oct 4, 2012

Is there any particular reason why the core of Apache should care about DNT: at all? User tracking outside of the standard access/error logs should be dealt with by the web developers. The CGI/mod_whatever code has access to the user agent and custom headers, and can implement whatever policy is desired including simply not caring about the header from any user agent.

I imagine that long-term, Do-Not-Track will be a waste of time and end up in the same position as the P3P standard, which is all but ignored today. The only "solution" to tracking that I can see at present is going to be passing more legislation like the now-infamous cookie law (Directive 2002/58) around the world and enforcing it properly. The odds of that happening are around nil. (I make no claims as to whether that particular law is a good thing or not, merely that I cannot see why advertisers would voluntarily implement Do-Not-Track on the server end.)

@Rob-S
@Rob-S Rob-S commented on a381ff3 Oct 6, 2012

The spec is pretty clear (now at least). "The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application that they communicate with ..." "Key to that notion of expression is that it MUST reflect the user's preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control."

Thanks, Apache for helping keep vendors on track to continue making forward progress. Progress with HTML came to a halt between 1997 and the end of 2010 because some vendor diverged from the standard (http://www.Html-5.com/html-versions-and-history.html#html-versions). Personal privacy options need to be implemented consistently, or they become useless to the developers.

http://Google.com/+RobertSimpson

@markrendle
@markrendle markrendle commented on a381ff3 Oct 6, 2012 via email

@AndyCadley

@Rob-S "Key to that notion of expression is that it MUST reflect the user's preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control."

Which it does with IE, unless you happen to be talking to an Apache server, in which case you're getting the choice of the ASF instead.

@patheticcockroach

"Which it does with IE, unless you happen to be talking to an Apache server, in which case you're getting the choice of the ASF instead."
This bad faith is getting tiring. The casual user doesn't bother to review default settings, period. If you don't know it, you should have a walk in that remote thing we call the real world.

@Rob-S
@Rob-S Rob-S commented on a381ff3 Oct 7, 2012

Prior to IE 10 and Windows 8, that was true, AndyCadley, but Microsoft changed those versions and is taking it upon themselves to set it by default: http://news.cnet.com/8301-10805_3-57448795-75/microsofts-do-not-track-default-in-ie10-violates-new-specs/ , http://news.cnet.com/8301-10805_3-57488991-75/windows-8-sticks-with-ie10-do-not-track-by-default/ By doing that, they have taken away the ability of the server to determine whether the USER has set the option or not, which is the requirement to determine when to disable tracking. In the older versions of IE where the server CAN determine the user's preference, you are not getting the choice of ASF (nor Microsoft's), but rather the user's, per the specs.

MarkRendle - I'm not sure whether or not you were being sarcastic or not regarding my comment about Microsoft going against the standards ... again ;-)

@AndyCadley

@patheticcockroach If the argument is that the number of people who change the defaults is insignificant (which is probably true) then NOTHING at all represents a user's choice because, in effect, the only choice being made is that of the software provider in the vast majority of cases. You may dislike the way the choice is presented, but the standard explicitly excludes that from its scope.

@Rob-S IE does not have a default. There is an option during install at which the user has to make a choice. And the user is free to subsequently change their mind about that choice as much as they like. Users who are happy to be tracked can indicate to that effect at any point they like, just as users who'd prefer not to be tracked can. At no point is that decision up to Microsoft. However, what Apache is doing is entirely out of the control of the end-user, the preference is entirely the choice of ASF.

I'm using IE10 right now. I am very aware of what DNT is and what it means. I have actively chosen to have DNT enabled in my browser. Apache is deliberately overriding that choice and making it appear that I don't mind being tracked. In what possible sense is that following the spirit of the standard, let alone the wording?

@johnfc2012

One thing I have noticed about this patch is that it is in a conf file rather than being in one of the source files. This is down to the administrator of the Apache server this is being installed on to change the conf files accordingly.

As an administrator, it would be nice to see the full list of headers and their meanings to see what else can be fixed, if required.

If something that is supposed to be off by default until a user turns it on, but it's on by default - it's broken. Microsoft should fix their broken browser in the next patch release and then Apache wouldn't need to override the user's choices. It's a pity that there isn't a way to tell from the headers that DNT is turned on by the browser or by a human.

@sjau
@sjau sjau commented on a381ff3 Oct 8, 2012

@johnfc2012

For once, Microsoft didn't break anything. A choice is presented by the user and the user accepts it.

@rb12345
@rb12345 rb12345 commented on a381ff3 Oct 8, 2012

The present configuration file has the change present but commented out (3dd6fb6), which should keep most people happy.

@johnfc2012: In terms of Do-Not-Track, the header values are:

DNT: 0: Opt-in to tracking.
DNT: 1: Opt-out of tracking.
No header: Default option, i.e. whatever is done at present. Presumably this means that tracking is enabled.

All of the above assumes that the end server supports DNT, is not wilfully ignoring the header, and that no other rules or laws apply regarding consent to tracking. (DNT: 0 alone is probably not enough to avoid the drop-down cookie prompts that have become popular.)
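
The three header states listed in the comment above, combined with the commit's two directives (`BrowserMatch "MSIE 10.0;" bad_DNT` and `RequestHeader unset DNT env=bad_DNT`), modelled as an added Python example that is not part of the thread or of httpd itself. The function names, state labels and sample requests are constructed for illustration; it shows what an application behind the server receives before and after the header is unset.

```python
import re

# Same pattern as the commit's `BrowserMatch "MSIE 10.0;" bad_DNT`: a regex
# searched in User-Agent (the unescaped dot is kept exactly as in the config).
BAD_DNT = re.compile("MSIE 10.0;")


def lower_keys(headers):
    """HTTP header names are case-insensitive; normalise them once."""
    return {name.lower(): value for name, value in headers.items()}


def apply_commit_rule(headers):
    """Model `RequestHeader unset DNT env=bad_DNT`: what the app receives."""
    seen = lower_keys(headers)
    if BAD_DNT.search(seen.get("user-agent", "")):
        seen.pop("dnt", None)
    return seen


def tracking_preference(headers):
    """Map the DNT request header to the three states listed in the thread."""
    value = lower_keys(headers).get("dnt")
    if value is None:
        return "no-header"
    value = value.strip()
    if value == "1":
        return "opt-out"
    if value == "0":
        return "opt-in"
    # Assumption of this example: any other value counts as no preference.
    return "no-header"


# Constructed sample requests (not captured traffic).
IE10 = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
IE9 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
SAMPLES = {
    "ie10_dnt1": {"User-Agent": IE10, "DNT": "1"},
    "ie10_dnt0": {"User-Agent": IE10, "DNT": "0"},
    "ie9_dnt1": {"User-Agent": IE9, "DNT": "1"},
    "ie9_none": {"User-Agent": IE9},
}


def audit(samples):
    """Return {name: (preference sent, preference the application sees)}."""
    return {name: (tracking_preference(h),
                   tracking_preference(apply_commit_rule(h)))
            for name, h in samples.items()}


if __name__ == "__main__":
    for name, (sent, seen) in audit(SAMPLES).items():
        note = "  <-- signal lost" if sent != seen else ""
        print(f"{name:10} sent={sent:9} seen={seen}{note}")
```

With the rule active, an IE 10 request carrying either `DNT: 1` or `DNT: 0` reaches the application looking the same as a request that never sent the header, so server-side code cannot tell a stripped preference from an absent one.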

@karlcow

Second, the DNT standard should not let websites "second-guess" or disregard
user choices. Recently, there were reports about a popular web server
introducing a feature that amounted to overriding the DNT signal; in effect,
ignoring users' wishes. I find that troubling, and undesirable.

Speech Transcript about DNT by European Community VP Neelie Kroes

@Fever905
@Fever905 Fever905 commented on a381ff3 Oct 11, 2012 via email

@sjau
@sjau sjau commented on a381ff3 Oct 11, 2012

I daresay that DNT is dead now anyway:

The tracking community still wants to log and track even if you say you don't want to be - http://www.zdnet.com/the-do-not-track-standard-has-crossed-into-crazy-territory-7000005502/

And the EU seems to think that DNT isn't enough for uniform opt-out of tracking - http://www.out-law.com/en/articles/2012/october/eu-steps-back-from-insistence-that-do-not-track-standard-is-cookie-law-compliant/

@makeanything

Wow! I'm brand new to this world, so for all intents and purposes I'm a user not a developer (16 years of Microsoft dev for desktops has taught me none of what I'm now dedicated to learning about web dev).

I want my browser to be intelligent and know what I use it for. The fact that I don't use IE anyway makes this a pretty moot point, but I am a fan of Microsoft still.

My take on the reasoning behind defaulting to a paranoid escape hatch is that Microsoft wants to cut off revenue streams to Google. It's a shortsighted approach and a great way to diminish value in their own browser and possibly even their operating system. The end result is going to be this: [I'm using IE on Windows 8 and having a crappy experience, how do I fix that? I'll download Chrome or Firefox and I won't have this problem.] If Apache is doing anything for Microsoft it's a favor not harm.

All of that said, my 2 cents is that unless you can show how breaking the end user's settings whether they chose it or not is going to make communication between the browser and the site work better, then this is a personal vendetta or an architectural vendetta between those who voted to commit and the makers of the browser that it affects. Reading this makes me think that Roy (the guy whose finger pressed the button) has been unfairly singled out. If everyone else on the Apache board bows to Roy then shame on them for being so weak, but stop beating on him as an individual.

The bottom line is that this is transparent, we are lucky to have such transparency, and anyone attacking a person instead of just moving to their preferred server and letting bad products die is wrong in their moral choices. There is no crying in software!

@cellardoorstop

I'm no expert on this but ... Since it's known that a vast majority of folks do not want to be tracked, why don't standards simply say Do Not Track Ever? And then somebody can create an Add On that does track those few folks that do want to be tracked.
