Microsoft Goes Out on a Limb for Online Privacy Protection

Microsoft made a big and controversial announcement last Thursday: in its new operating system, Windows 8, Internet Explorer 10 will have the “Do Not Track,” or DNT, feature set to “on” by default.

This is different from what most American companies have done to date on behavioral advertising, where the default has been that the tracking occurs. The change in policy sets a precedent, at least for voluntary corporate action on privacy, which puts Microsoft in the ballpark with Mozilla and is likely to win the attention of online privacy advocates. At the same time, the move has drawn the ire of industry groups.

With this announcement, Microsoft is saying it’s ready to move toward a more European-style prior consent privacy policy, and it will be interesting to see how consumers react, in particular how many people will opt in to having their online activity tracked in exchange for better advertising and targeting from websites and search engines.

Here are some of the details from a blog post by Microsoft’s chief privacy officer:

The idea of a DNT signal was in part born out of the work of the U.S. Federal Trade Commission which, in a December 2010 report, called on the technology and advertising industries to create a more uniform and comprehensive consumer choice mechanism for online behavioral advertising targeting. Very soon after that announcement, we included the opportunity for consumers to turn on the DNT signal, by adding DNT to IE9 in February 2011.

Our efforts to advance privacy, choice and control in Windows 8 build on the work we have done with Windows and IE in recent years. IE9 includes important privacy features, including Tracking Protection Lists (TPLs), which provide consumers with a powerful tool to manage their privacy and are only available in IE. While today’s announcement focuses on DNT, we remain committed to TPLs in IE10 in Windows.

We’ve made today’s decision because we believe in putting people first. We believe that consumers should have more control over how information about their online behavior is tracked, shared and used. Online advertising is an important part of the economy supporting publishers and content owners and helping businesses of all shapes and sizes to go to market. There is also value for consumers in personalized experiences and receiving advertising that is relevant to them.

Of course, we hope that many consumers will see this value and make a conscious choice to share information in order to receive more personalized ad content. For us, that is the key distinction. Consumers should be empowered to make an informed choice and, for these reasons, we believe that for IE10 in Windows 8, a privacy-by-default state for online behavioral advertising is the right approach.

While this is all significant, there remains the issue of what exactly “Do Not Track” means. The new Internet Explorer 10 will send a Do Not Track signal automatically to websites the user visits. However, there is no guarantee that websites will honor the signal. That Microsoft has said its own websites will honor the DNT signal is noteworthy but unsurprising, given its attempt to set a new precedent and seize the moral high ground with consumers.

Precisely what the DNT signal tells websites to do is also significant. Thursday’s announcement suggests Microsoft for its own websites has chosen to go with the least restrictive version of DNT, based on the principles set forth by the Digital Advertising Alliance, or DAA. The DAA is the industry association for online advertisers who use behavioral data to target Internet adds. The DAA standard, which is based on self-regulation and relies on websites to voluntarily recognize and abide by DNT signals, is seen by many to be a pro-industry stance lacking in several key protections. Here’s the blurb on this from the Microsoft blog post:

Defining DNT for Websites

Sending a DNT signal from a browser is only part of the process. Obviously, for DNT to be effective, it is also important that websites have a common understanding of what the consumer expects when their browser sends the DNT signal. As well as engineering the world’s most used browser, Microsoft also owns and manages a growing advertising business – including a network that provides advertising to our own and other Web properties, so we have a unique perspective into this discussion.

At the moment there is not yet an agreed definition of how to respond to a DNT signal, and we know that a uniform, industry-wide response will be the best way to provide a consistent consumer experience across the Web. We also know from experiences – such as the P3P standard recommended by the World Wide Web Consortium (W3C) – that initiatives to advance privacy are much less effective if other industry leaders don’t join in adopting the approach.

With this in mind, we are doing two things. First, we are committed to using our positions on the relevant industry, government and standards bodies to push for a clear action for advertising networks to respect a browser DNT signal and opt users out of behavioral advertising. Second, as we announced in February, Microsoft Advertising intends to treat the do-not-track browser signal as an opt-out of behavioral advertising under the Digital Advertising Alliance’s self-regulatory program. Microsoft does not yet respond to the DNT signal, but we are actively working with other advertising industry leaders on what an implementation plan for DNT might look like, with a goal of announcing more details about our plans in the coming months.

Our decision to turn on DNT by default in IE10 for Windows 8 should be seen as part of this discussion, as it helps to provide clarity on one side of the discussion – when and how browsers send the DNT signal – and because it advances the idea of privacy as the default state.

An Important Step to Build Trust Online

In a world where consumers live a large part of their lives online, it is critical that we build trust that their personal information will be treated with respect, and that they will be given a choice to have their information used for unexpected purposes. While there is still work to do in agreeing on an industry-wide definition of DNT, we believe turning on Do Not Track by default in IE10 on Windows 8 is an important step in this process of establishing privacy by default, putting consumers in control and building trust online.

In having consumers opt-out of privacy settings, rather than opting-in, but making the DNT protections weaker than many advocacy organizations would want, Microsoft is walking a thin line between the demands of the online privacy rights community, and the online advertising industry. And so far, it seems Microsoft is taking heat from both sides of the debate.

In acknowledging that there is “still work to do,” Microsoft is acknowledging that its stance on tracking will be met with both optimism and skepticism by the online privacy rights community. Advocates for increased internet privacy will find it easy to criticize the new Internet Explorer for not blocking cookies or tracking directly, but only asking websites not to send them.

And indeed, websites may decide not to honor these signals. The Digital Advertising Alliance has sharply criticized the move, stating that its members will ignore the new default Do Not Track signal all-together, unless it is somehow made clear that users have affirmatively opted-in. The Association of National Advertisers has issued a statement as well, urging Microsoft to reverse its decision to turn on the Do Not Track feature by default, citing the high “cost of business for all marketers,” “remov[ing] choice,” and “untargeted, irrelevant online advertising” as major reasons.

Even the nonprofit open-source giant Mozilla has joined the chorus of industry players criticizing the move, stating in a blog post that “it’s the users’ voice that matters.” The fear may be that by setting the default DNT setting to “on” and having the majority of online advertisers ignore it, Microsoft’s bold choice will muddy the waters for DNT in all browsers in the future.

Microsoft deserves commendation for going out on a limb and using its weight to redefine the status-quo for online privacy protections. But while the move was certainly bold enough to elicit a negative response from industry, whether it was bold enough to win back the users Internet Explorer has hemorrhaged since the introduction of Google Chrome and Mozilla Firefox, only time will tell. In the meantime, whether the IT giant’s decision gains traction and turns out to be a turning point for industry self-regulation in online privacy, or an unsuccessful attempt to lead by example, also remains to be seen.

Comments on this article

By clicking and submitting a comment I acknowledge the Science Progress Privacy Policy and agree to the Science Progress Terms of Use. I understand that my comments are also being governed by Facebook's Terms of Use and Privacy Policy.