Study finds 'flaw' in IE9 privacy feature

A new privacy feature in Internet Explorer 9 could be allowing websites to see data that users thought they had blocked, research carried out by the independent consumer body Which? has shown.

The Tracking Protection feature relies on a user selecting tracking protection lists (TPL), which are blacklists that indicate which companies the user would like to block from tracking behaviour via cookies and web beacons. Web beacons are usually small, transparent images embedded in pages to track behaviour.

The tracking protection feature in Internet Explorer 9 (IE9) has been criticised in a report.

Internet Explorer 9 (IE9) users are offered the option of downloading more than one TPL from a selection that includes Abine, EasyList, TRUSTe and PrivacyChoice. They can also create their own custom list.

However, the Which? report said it had identified a behaviour conflict that automatically sets the browser to 'allow' sites by default even if they have been specified with a 'block' instruction in another installed list.

"[The] study found that when a user has downloaded multiple TPLs, all of the rules from all of the TPLs are grouped together into a single list where an 'allow' takes precedence over a 'block', " the report said.

"For example, a consumer may choose to install two TPLs: one by EasyList and one by TRUSTe. The EasyList TPL might 'block' web beacons, whereas the TRUSTe TPL might 'allow' them. In this case, the web beacons would be 'allowed'," it added.

This could lead to users that install multiple lists feeling a false sense of security, according to Rob Reid, senior policy advisor at Which?. Microsoft had not responded to a ZDNet UK request for comment at the time of writing, but acknowledged Which?'s findings.

"Saying 'allow' beats 'deny' is a good bit of wordplay," Dean Hachamovitch, corporate vice president of IE told Which?. "Reversing it increases the difficulty for well-intentioned list authors to express complex relationships. I understand that this may seem counterintuitive [but] it's not a unique occurrence in the application of technology to safety."

Hachamovitch suggested that a user's primary role is to choose a list they trust, but Reid said this is not sufficient.

Requiring users to understand and apply a block-and-allow rule across multiple TPLs seems an overly complicated way of opting out of being tracked.

– Rob Reid, Which?

"Requiring users to understand and apply a block-and-allow rule across multiple TPLs seems an overly complicated way of opting out of being tracked," Reid said. "We are also concerned that the lack of monitoring and mediation of the TPLs leaves the system and consumers vulnerable to abuse."

"The TRUSTe TPL is almost exclusively what we'd call an 'allow' list. It 'allows' content from Acxiom, a major data aggregator. If you want to stop your online behaviour from being tracked, the last thing you'd want to do is install a list that guarantees that Acxiom can track you," Jonathan Mayer, lead researcher on Stanford University's 'Do Not Track' project, added in the report.

Firefox 4

Mozilla's Firefox 4 web browser, which is scheduled to launch on 22 March, also introduces a Do Not Track privacy feature. Rather than relying on a blacklist approach, the page's header information informs advertising agencies that the user does not wish to be tracked. It is then up to the ad company to honour the request.

"The advantages to the header technique are that it is less complex and simple to locate and use, it is more persistent than cookie-based solutions, and it doesn't rely on users finding and loading lists of ad networks and advertisers to work," Alexander Fowler, global privacy and public policy leader at Mozilla, said in a blog post.

However, Fowler concedes that it is a 'chicken and egg' situation. "The challenge with adding this to the header is that it requires both browsers and sites to implement it to be fully effective," he said.