Do Not Track Feud Drags Retail Web Sites Into Legal Risk

Retailers could really use some cooperation from vendors these days—or at least fewer surprises—when it comes to following privacy policies. Right, that'll happen. As of last week, Microsoft and the Apache Web server project are feuding over how Apache (the most widely used Web server) will handle Do Not Track features of Internet Explorer (the most widely used Web browser).

Unfortunately, the two software suppliers aren't just throwing the usual hissy fits at each other. They're configuring their software as part of the feud, which means retailers and their online privacy policies and, potentially, the Federal Trade Commission are caught in the middle.

The fight stems from Do Not Track, which is part of the not-yet-released IE 10. Microsoft has decided to turn on Do Not Track by default, so the browser will inform Web sites that the user's Internet movements shouldn't be tracked. Sounds reasonable, if overly protective, right?

Trouble is, the Do Not Track standard, which is being developed by the World Wide Web Consortium, is a voluntary standard that requires cooperation from everyone in the Web-browsing chain. That, in turn, means the Do Not Track header is supposed to reflect a conscious decision on the part of the user, not a default setting, according to Roy Fielding, an Apache co-founder who's also on the Do Not Track standards committee.

So Fielding wrote a patch that makes Apache Web servers ignore IE 10's default Do Not Track signal, and it is now part of the latest stable version of Apache: the shipped default httpd.conf strips the DNT header from any request whose User-Agent identifies IE 10, before an application behind the server ever sees it. That sounds extreme, but online advertising organizations have already said they'll ignore Microsoft's default setting, claiming it violates what was negotiated as part of the self-regulation standard. Other browser makers have also criticized the Microsoft action.

Fielding also doesn't think Microsoft is being benevolent and protective: "The decision to set DNT by default in IE 10 has nothing to do with the user's privacy," he wrote. "Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one. You can figure out why they want that."

Who's right? Who cares? Vendor feuds are a fine spectator sport. And none of this would matter to retailers—except that every big chain has a published privacy policy on its Web site, and many of those policies specify that the chain will go along with customers' privacy preferences.

Remember, violating the terms of a published privacy policy is one of the few ways a chain can actually get into serious trouble over online privacy with the otherwise largely toothless FTC. It was a privacy policy violation that resulted in Google being hit with a $22.5 million FTC settlement in July.

So online retailers really need to observe those customer preferences if that's what their privacy policies say. And when feuding vendors start adjusting their products in ways that make it hard for retailers to figure out what customers actually prefer, that becomes impossible.

Yes, that's stupid. It means chains using Apache (historically, that list has included Walmart, Walgreens, CVS and McDonald's, among others) will have to look for those directives in the shipped default configuration when it's time to test upgrades, strip them out and then test to make sure nothing else has broken. It's a little extra work that nobody should have to do, but retailers can't afford to simply ignore the Do Not Track settings.

It also means retailers will have to figure out how they're going to deal with Internet Explorer users who don't change the default Do Not Track setting. Everyone has assumed that only a small number of customers would take the trouble to turn on Do Not Track; with Microsoft's default setting, it could eventually be as many as half of all browsers.

So retailers whose E-Commerce setup is designed to bounce customers cleanly from one site to another could face a mess trying to do that without violating their privacy policies. The only practical way might be to explicitly ask online customers to opt in to online tracking while on the retailer's sites—that is, reversing Microsoft's default opt out on a case-by-case basis.
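To make the header flow concrete, here is an added example; it is not code from the article, from the Apache project or from Microsoft. It simulates the two directives that Apache httpd 2.4.3 ships in its default httpd.conf (`BrowserMatch "MSIE 10.0;" bad_DNT` followed by `RequestHeader unset DNT env=bad_DNT`), shows what a retailer's application sees with and without them, and models the retailer-side decision that a "we honor Do Not Track" privacy policy requires, including the explicit opt-in the paragraph above suggests. The sample User-Agent strings and header sets are constructed, and `apache_default_filter`, `passthrough_filter`, `tracking_allowed` and the `explicit_consent` parameter are hypothetical names, not anything IE or Apache provides.

```python
import re

# Constructed sample requests: the headers a retailer's application might
# receive from three browsers. Not captured traffic.
SAMPLE_REQUESTS = {
    # IE 10 with Microsoft's default: DNT is on although the user chose nothing.
    "ie10_default": {
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
        "DNT": "1",
    },
    # A Firefox user who deliberately turned DNT on.
    "firefox_opted_in": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0",
        "DNT": "1",
    },
    # A Chrome user who never expressed a preference: no DNT header at all.
    "chrome_no_preference": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) "
                      "Chrome/21.0.1180.89 Safari/537.1",
    },
}

# Apache httpd 2.4.3 default httpd.conf:
#   BrowserMatch "MSIE 10.0;" bad_DNT
#   RequestHeader unset DNT env=bad_DNT
# BrowserMatch is a regex test against the User-Agent header that sets an
# environment variable; RequestHeader unset then drops the DNT header before
# the request reaches the application. The regex is reproduced as shipped
# (the unescaped "." matches any character, exactly as Apache interprets it).
IE10_BAD_DNT = re.compile("MSIE 10.0;")


def apache_default_filter(headers):
    """Simulate the shipped configuration: strip DNT for IE 10 only."""
    filtered = dict(headers)
    if IE10_BAD_DNT.search(filtered.get("User-Agent", "")):
        filtered.pop("DNT", None)  # the application never learns DNT was sent
    return filtered


def passthrough_filter(headers):
    """What the application sees once the two directives are removed."""
    return dict(headers)


def tracking_allowed(headers, explicit_consent=False):
    """Retailer-side decision under a policy that honors Do Not Track.

    DNT: 1 means the browser asked not to be tracked; DNT: 0 or no header
    means no preference was expressed. explicit_consent (hypothetical) models
    a per-site opt-in the customer gave on the retailer's own pages, which
    overrides a browser-level DNT: 1 on a case-by-case basis.
    """
    if explicit_consent:
        return True
    return headers.get("DNT") != "1"


def decide(name, server_filter=apache_default_filter, explicit_consent=False):
    """Run one constructed request through a server filter and the policy."""
    seen_by_app = server_filter(SAMPLE_REQUESTS[name])
    return tracking_allowed(seen_by_app, explicit_consent)


if __name__ == "__main__":
    for name in SAMPLE_REQUESTS:
        print(f"{name:22s} shipped conf: track={decide(name)!s:5s} "
              f"directives removed: track={decide(name, passthrough_filter)}")
```

The case to notice is `ie10_default`: with the shipped directives the application sees no DNT header, concludes no preference was expressed and tracks, which is the outcome a policy promising to honor customer preferences cannot defend. Removing the directives makes IE 10 behave like the Firefox user, and the `explicit_consent` path is the only way left to track such a customer.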

Or retailers could have to deal with the publicity fallout if they decide just to change their privacy policies to say that they'll no longer observe customers' Do Not Track preferences. (Actually, only the first few retailers to make that type of change will have fallout. After that, everyone else will be able to follow suit and the watchdogs will be too busy to notice. OK, who wants to go first?)

None of this should be necessary. The whole idea behind the voluntary Do Not Track standard was to keep the user-tracking problem out of the hands of bureaucrats and legislators while minimizing the problems for customers and retailers, among others.

Instead, it's turning into a fight between vendors that will put retailers squarely in the sights of the FTC and make some E-Commerce sites much harder for customers to use.