Microsoft and Mozilla edge towards web privacy consensus?

Header debate beats government regulation


Nothing helps rivals in the private sector find common ground quicker than the threat of government intervention.

Microsoft and Mozilla – makers of dueling browsers Internet Explorer and Firefox – could be headed towards some kind of industry agreement on giving netizens the power to stop ad networks from tracking their behavior.

Mozilla's chief executive Gary Kovacs has told the Wall Street Journal that the US government will probably mandate the use of a do-not-track tool in browsers to stop sites following users. According to the WSJ's Digits blog, he said: "It probably doesn't need to be regulated, but it probably will be... The thing that will give it teeth is what the user decides." He believes netizens will forgo technology and websites that offer simple privacy protections.

He spoke as Microsoft released the latest version of its browser, IE9.

Microsoft has been falling in love with its own reflection on IE9, banging on about "the beauty of the web". But security and privacy wonks will be more interested in the fact that Microsoft has submitted do-not-track technology in IE9 to the W3C standards group for ratification as an industry standard.

Microsoft uses Tracking Protection Lists. These contain web addresses that IE9 will visit only if the user hits that site directly by clicking on a link or typing their address. IE9 users can also make exceptions, letting IE9 "call" sites not actually visited.

It's a commercially friendly proposal that gives Microsoft's IE partners the opportunity to build ready-made lists of sites while also giving users the power to make their own.
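The list behaviour described above can be sketched as a per-request decision. This is an added example, not Microsoft's code or list format; the function names, list entries, and URLs are constructed for illustration.

```javascript
// Added illustration: list entries, exceptions and URLs are constructed.
// Models the behaviour described in the article: a listed address is fetched
// only when the user navigates to that site directly, unless the user has
// made an exception for it.

// True when host equals the entry or is a subdomain of it. The leading dot
// stops "nottracker.example" from matching the entry "tracker.example".
function hostMatches(host, entry) {
  return host === entry || host.endsWith("." + entry);
}

// requestUrl:  the resource the browser is about to fetch.
// topLevelUrl: the page the user actually navigated to.
function tplDecision(requestUrl, topLevelUrl, blockList, exceptions) {
  const reqHost = new URL(requestUrl).hostname;
  const topHost = new URL(topLevelUrl).hostname;

  const listed = blockList.find((entry) => hostMatches(reqHost, entry));
  if (!listed) return { allow: true, reason: "not-listed" };

  // Direct visit: the user clicked a link to, or typed, the listed site.
  if (hostMatches(topHost, listed)) {
    return { allow: true, reason: "direct-visit" };
  }

  // User-made exception: the site may be called without being visited.
  if (exceptions.some((entry) => hostMatches(reqHost, entry))) {
    return { allow: true, reason: "user-exception" };
  }

  return { allow: false, reason: "listed-third-party" };
}
```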

Snuck into Microsoft's proposal, however, is the mention of a do-not-track header. A do-not-track header is the same approach being touted by Mozilla.

Microsoft is not talking about why it has included the header in its W3C proposal, and it has not said how this might work in the browser or in conjunction with Tracking Protection Lists.

Mozilla has been more forthcoming on its proposed HTTP header. Mozilla has said that the HTTP header, transmitted with every HTTP request, will alert sites and networks to the fact that the user doesn't want to be tracked.

Mozilla's proposal defines the syntax and semantics of the header and how websites and services might respond. Microsoft provides next to no detail, and the reference to the header in its W3C proposal is little more than a placeholder.
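How a site might respond to the header, as an added example rather than code from Mozilla's proposal: an ad or analytics endpoint that checks for `DNT: 1` before logging or issuing an identifier. The `uid` cookie, the `newId` callback, and the choice to treat any value other than `1` as no stated preference are assumptions made for illustration.

```javascript
// Added illustration: the "uid" cookie, the newId callback and the sample
// headers are constructed; only the DNT request header comes from the proposal.

// True only for an explicit opt-out ("DNT: 1"). An absent header or any other
// value is treated here as no stated preference (an assumption of this sketch).
// Header names are lower-cased, as Node's http module delivers them.
function dntOptOut(headers) {
  const raw = headers["dnt"];
  return raw !== undefined && String(raw).trim() === "1";
}

// Extracts an existing tracking id from a Cookie header, or returns null.
function readUid(cookieHeader) {
  for (const part of String(cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "uid" && rest.length) return rest.join("=");
  }
  return null;
}

// Decides what the endpoint does with one request: which id (if any) is
// written to the log, and which Set-Cookie value (if any) is returned.
function handleTrackingRequest(headers, newId) {
  const existing = readUid(headers["cookie"]);

  if (dntOptOut(headers)) {
    // Do not log an id, do not issue one, and expire any id already set.
    return {
      logUserId: null,
      setCookie: existing ? "uid=; Max-Age=0; Path=/" : null,
    };
  }

  const uid = existing || newId();
  return {
    logUserId: uid,
    setCookie: existing
      ? null
      : `uid=${uid}; Max-Age=31536000; Path=/; Secure; HttpOnly`,
  };
}
```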

Contacted several times to explain its header proposal and how, if at all, it differs from Mozilla's proposal, Microsoft declined to provide details.

A Microsoft spokeswoman instead called its W3C submission "an example of Microsoft's commitment to receiving feedback from the standards community." The W3C's acceptance of Microsoft's submission "demonstrates that the industry also takes Microsoft's approach seriously and sees it as a potential solution to help provide choice and control for customers over their online privacy," the spokeswoman said.

The absence of details and Microsoft's unwillingness to discuss the subject suggest the matter is far from settled, and that there's everything left to play for as the parties involved debate with each other and lobby regulators.

Further down Mozilla's operation, those closer to the privacy debate expect resolution. Mozilla submitted its header proposal to the Internet Engineering Task Force (IETF) after Microsoft slipped its header to the W3C in the Tracking Protection Lists proposal in February.

Mozilla's global privacy and public policy leader Alex Fowler reckoned it's not a matter of "if" but "how" the subject is resolved. Fowler expects the first thing that will happen is the W3C and IETF will decide among themselves the best venue for settling the subject of do-not-track. Mozilla's man clearly believes the IETF is the best venue.

According to Fowler's blog: "While the W3C has considerable experience working on privacy-related standards, HTTP is the domain of the IETF. We also understand that the IETF may be a more open venue for stakeholders impacted by DNT who may not be members of the W3C."

Things are coming to a head thanks to politicians' involvement, according to Center for Democracy and Technology director of consumer privacy Justin Brookman.

The browser makers' do-not-track options were rapidly ushered into code following a report by the Federal Trade Commission (FTC) last year that said industry efforts to self-regulate were moving too slowly. Among a series of measures, the FTC proposed the inclusion of a do-not-track mechanism with a simple opt-out procedure in browsers.

Brookman's group has been trying to build a consensus around the subject among browser makers, ads companies, and the FTC. It published a report earlier this year on how to handle things like analytics, benchmarking, and market research online through the browser.

He told The Reg that he's happy to see browser makers coming up with new ideas to protect consumers' privacy using do-not-track.

The problem is that the options from Microsoft, Mozilla, and Google (the third major browser maker pushing yet another approach, which introduced a Chrome extension that will store your privacy settings with different opt-out programs) require broad industry backing.

As far as Microsoft's Tracking Protection Lists are concerned, they require "a good person running the list", Brookman said. He calls the do-not-track header "the easier idea."

With tech companies reacting to the threat of regulation on do-not-track, it sounds like the next battle will be over where the matter is thrashed out - the W3C or IETF. And, in the absence of comment from Microsoft, it seems the company's already prepared the ground to insert a header-based do-not-track approach in IE by inserting a big placeholder into its W3C submission.

That placeholder will swing into action should Microsoft lose the subsequent debate on who has the best approach for do-not-track, or if regulators move from recommending to insisting their proposals are adopted.

If that happens, it will be Mozilla and Microsoft on the same page with Google as odd man out. ®
