Microsoft and Mozilla edge towards web privacy consensus?

Header debate beats government regulation


Nothing helps rivals in the private sector find common ground quicker than the threat of government intervention.

Microsoft and Mozilla – makers of dueling browsers Internet Explorer and Firefox – could be headed towards some kind of industry agreement on giving netizens the power to stop ad networks from tracking their behavior.

Mozilla's chief executive Gary Kovacs has told the Wall Street Journal that the US government will probably mandate the use of a do-not-track tool in browsers to stop sites following users. According to the WSJ's Digits blog, he said: "It probably doesn't need to be regulated, but it probably will be... The thing that will give it teeth is what the user decides." He believes netizens will forgo technology and websites that offer simple privacy protections.

He spoke as Microsoft released the latest version of its browser, IE9.

Microsoft has been falling in love with its own reflection on IE9, banging on about "the beauty of the web". But security and privacy wonks will be more interested in the fact that Microsoft has submitted do-not-track technology in IE9 to the W3C standards group for ratification as an industry standard.

Microsoft uses Tracking Protection Lists. These contain web addresses that IE9 will visit only if the user hits that site directly by clicking on a link or typing their address. IE9 users can also make exceptions, letting IE9 "call" sites not actually visited.

It's a commercially friendly proposal that gives Microsoft's IE partners the opportunity to build ready-made lists of sites while also giving users the power to make their own.

Snuck into Microsoft's proposal, however, is the mention of a do-not-track header. A do-not-track header is the same approach being touted by Mozilla.

Microsoft is not talking about why it has included the header in its W3C proposal, and it has not said how this might work in the browser or in conjunction with Tracking Protection Lists.

Mozilla has been more forthcoming on its proposed HTTP header. Mozilla has said that the HTTP header, transmitted with every HTTP request, will alert sites and networks to the fact that the user doesn't want to be tracked.

Mozilla's proposal defines the syntax and semantics of the header and how websites and services might respond. Microsoft provides next to no detail, and the reference to the header in its W3C proposal is little more than a placeholder.

Contacted several times to explain its header proposal and how, if at all, it differs from Mozilla's proposal, Microsoft declined to provide details.

A Microsoft spokeswoman instead called its W3C submission "an example of Microsoft's commitment to receiving feedback from the standards community." The W3C's acceptance of Microsoft's submission "demonstrates that the industry also takes Microsoft's approach seriously and sees it as a potential solution to help provide choice and control for customers over their online privacy," the spokeswoman said.

The absence of details and Microsoft's unwillingness to discuss the subject suggest the matter is far from settled, and that everything's left to play for as the parties involved on this subject debate with each other and lobby regulators.

Further down Mozilla's operation, those closer to the privacy debate expect resolution. Mozilla submitted its header proposal to the Internet Engineering Task Force (IETF) after Microsoft slipped its header to the W3C in the Tracking Protection Lists proposal in February.

Mozilla's global privacy and public policy leader Alex Fowler reckoned it's not a matter of "if" but "how" the subject is resolved. Fowler expects the first thing that will happen is the W3C and IETF will decide among themselves the best venue for settling the subject of do-not-track. Mozilla's man clearly believes the IETF is the best venue.

According to Fowler's blog: "While the W3C has considerable experience working on privacy-related standards, HTTP is the domain of the IETF. We also understand that the IETF may be a more open venue for stakeholders impacted by DNT who may not be members of the W3C."

Things are coming to a head thanks to politicians' involvement, according to Center for Democracy and Technology director of consumer privacy Justin Brookman.

The browser makers' do-not-track options were rapidly ushered into code following a report by the Federal Trade Commission (FTC) last year that said industry efforts to self-regulate were moving too slowly. Among a series of measures, the FTC proposed the inclusion of a do-not-track mechanism with a simple opt-out procedure in browsers.

Brookman's group has been trying to build a consensus around the subject among browser makers, ads companies, and the FTC. It published a report earlier this year on how to handle things like analytics, benchmarking, and market research online through the browser.

He told The Reg that he's happy to see browser makers coming up with new ideas to protect consumers' privacy using do-not-track.

The problem is the options from Microsoft, Mozilla, and Google - the third major browser maker pushing yet another approach, which introduced a Chrome extension that will store your privacy settings with different opt-out programs - require broad industry backing.

As far as Microsoft's Tracking Protection Lists are concerned, they require "a good person running the list", Brookman said. He calls the do-not-track header "the easier idea."

With tech companies reacting to the threat of regulation on do-not-track, it sounds like the next battle will be over where the matter is thrashed out - the W3C or IETF. And, in the absence of comment from Microsoft, it seems the company's already prepared the ground to insert a header-based do-not-track approach in IE by inserting a big placeholder into its W3C submission.

That placeholder will swing into action should Microsoft lose the subsequent debate on who has the best approach for do-not-track, or if regulators move from recommending to insisting their proposals are adopted.

If that happens, it will be Mozilla and Microsoft on the same page with Google as odd man out. ®
