Microsoft and Mozilla edge towards web privacy consensus?

Header debate beats government regulation

Nothing helps rivals in the private sector find common ground quicker than the threat of government intervention.

Microsoft and Mozilla – makers of dueling browsers Internet Explorer and Firefox – could be headed towards some kind of industry agreement on giving netizens the power to stop ad networks from tracking their behavior.

Mozilla's chief executive Gary Kovacs has told the Wall Street Journal that the US government will probably mandate the use of a do-not-track tool in browsers to stop sites following users. According to the WSJ's Digits blog, he said: "It probably doesn't need to be regulated, but it probably will be... The thing that will give it teeth is what the user decides." He believes netizens will forgo technology and websites that offer simple privacy protections.

He spoke as Microsoft released the latest version of its browser, IE9.

Microsoft has been falling in love with its own reflection on IE9, banging on about "the beauty of the web". But security and privacy wonks will be more interested in the fact that Microsoft has submitted do-not-track technology in IE9 to the W3C standards group for ratification as an industry standard.

Microsoft uses Tracking Protection Lists. These contain web addresses that IE9 will visit only if the user hits that site directly by clicking on a link or typing their address. IE9 users can also make exceptions, letting IE9 "call" sites not actually visited.

It's a commercially friendly proposal that gives Microsoft's IE partners the opportunity to build ready-made lists of sites while also giving users the power to make their own.

Snuck into Microsoft's proposal, however, is the mention of a do-not-track header. A do-not-track header is the same approach being touted by Mozilla.

Microsoft is not talking about why it has included the header in its W3C proposal, and it has not said how this might work in the browser or in conjunction with Tracking Protection Lists.

Mozilla has been more forthcoming on its proposed HTTP header. Mozilla has said that the HTTP header, transmitted with every HTTP request, will alert sites and networks to the fact the user doesn't want to be tracked.

Mozilla's proposal defines the syntax and semantics of the header and how websites and services might respond. Microsoft provides next to no detail, and the reference to the header in its W3C proposal is little more than a placeholder.
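The two approaches described above differ in who enforces the user's choice: a Tracking Protection List stops the request in the browser, while the header lets every request go out and relies on the receiving site to honor it. The sketch below is an added illustration, not code from IE9, Firefox or either proposal; the function names, hosts and sample requests are constructed, and the `DNT: 1` header name and value come from Mozilla's proposal rather than from this article.

```javascript
// Added illustration: constructed names and data, not browser source code.
const hostOf = (url) => new URL(url).hostname.toLowerCase();

// True when host equals the listed entry or is a subdomain of it.
const matches = (host, entry) => host === entry || host.endsWith("." + entry);

// Tracking Protection List model: a listed host is contacted only when the
// user navigates to it directly, or when the user has added an exception.
function tplAllows(request, list, exceptions = []) {
  const host = hostOf(request.url);
  if (!list.some((e) => matches(host, e))) return true; // not listed
  if (request.isTopLevelNavigation) return true;         // clicked or typed
  return exceptions.some((e) => matches(host, e));       // user exception
}

// Header model: every request is still sent, carrying the user's preference.
// "DNT: 1" is the header used in Mozilla's proposal (not quoted in the article).
function withDoNotTrack(request, userOptedOut) {
  const headers = { ...(request.headers || {}) };
  if (userOptedOut) headers["DNT"] = "1";
  return { ...request, headers };
}

// Returns what actually leaves the browser under each model.
function simulatePageLoad(requests, { list, exceptions, userOptedOut }) {
  return {
    tpl: requests.filter((r) => tplAllows(r, list, exceptions)).map((r) => r.url),
    header: requests.map((r) => withDoNotTrack(r, userOptedOut)),
  };
}

// Constructed sample: one page visit that pulls in two third-party resources.
const sampleRequests = [
  { url: "https://news.example/story", isTopLevelNavigation: true },
  { url: "https://cdn.ads.example/pixel.gif", isTopLevelNavigation: false },
  { url: "https://fonts.example/a.woff", isTopLevelNavigation: false },
];
const result = simulatePageLoad(sampleRequests, {
  list: ["ads.example"], exceptions: [], userOptedOut: true,
});
console.log(result.tpl);
console.log(result.header.map((r) => [r.url, r.headers.DNT]));
```

With the list in force the request to the listed host never leaves the browser; with the header, all three requests are sent and each carries the preference for the server to act on.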

Contacted several times to explain its header proposal and how, if at all, it differs from Mozilla's proposal, Microsoft declined to provide details.

A Microsoft spokeswoman instead called its W3C submission "an example of Microsoft's commitment to receiving feedback from the standards community." The W3C's acceptance of Microsoft's submission "demonstrates that the industry also takes Microsoft's approach seriously and sees it as a potential solution to help provide choice and control for customers over their online privacy," the spokeswoman said.

The absence of details and Microsoft's unwillingness to discuss the subject suggest the matter is far from settled, and that there's everything left to play for as the parties involved debate with each other and lobby regulators.

Further down Mozilla's operation, those closer to the privacy debate expect resolution. Mozilla submitted its header proposal to the Internet Engineering Task Force (IETF) after Microsoft slipped its header to the W3C in the Tracking Protection Lists proposal in February.

Mozilla's global privacy and public policy leader Alex Fowler reckoned it's not a matter of "if" but "how" the subject is resolved. Fowler expects the first thing that will happen is the W3C and IETF will decide among themselves the best venue for settling the subject of do-not-track. Mozilla's man clearly believes the IETF is the best venue.

According to Fowler's blog: "While the W3C has considerable experience working on privacy-related standards, HTTP is the domain of the IETF. We also understand that the IETF may be a more open venue for stakeholders impacted by DNT who may not be members of the W3C."

Things are coming to a head thanks to politicians' involvement, according to Center for Democracy and Technology director of consumer privacy Justin Brookman.

The browser makers' do-not-track options were rapidly ushered into code following a report by the Federal Trade Commission (FTC) last year that said industry efforts to self-regulate were moving too slowly. Among a series of measures, the FTC proposed the inclusion of a do-not-track mechanism with a simple opt-out procedure in browsers.

Brookman's group has been trying to build a consensus around the subject among browser makers, ads companies, and the FTC. It published a report earlier this year on how to handle things like analytics, benchmarking, and market research online through the browser.

He told The Reg that he's happy to see browser makers coming up with new ideas to protect consumers' privacy using do-not-track.

The problem is that the options from Microsoft, Mozilla, and Google - the third major browser maker, which is pushing yet another approach and has introduced a Chrome extension that will store your privacy settings with different opt-out programs - require broad industry backing.

As far as Microsoft's Tracking Protection Lists are concerned, they require "a good person running the list", Brookman said. He calls the do-not-track header "the easier idea."

With tech companies reacting to the threat of regulation on do-not-track, it sounds like the next battle will be over where the matter is thrashed out - the W3C or IETF. And, in the absence of comment from Microsoft, it seems the company's already prepared the ground to insert a header-based do-not-track approach in IE by inserting a big placeholder into its W3C submission.

That placeholder will swing into action should Microsoft lose the subsequent debate on who has the best approach for do-not-track, or if regulators move from recommending to insisting their proposals are adopted.

If that happens, it will be Mozilla and Microsoft on the same page with Google as odd man out. ®
