Privacy protection and IE9: who can you trust?

Summary: Among the most significant new features in Internet Explorer 9 is a framework for giving users more control over their online privacy. I downloaded the first four Tracking Protection Lists and took a close look inside each one. What I found might surprise you.

Among the most significant new features in Internet Explorer 9 is a framework for giving users control over their online privacy. Microsoft announced Tracking Protection a few months ago and has shown a few demos since. Last week it gave the public its first crack at actually using the technology in the IE9 Release Candidate.

I’ve already explained how Tracking Protection works. (The short version: you can block third-party tracking cookies, web beacons, and even ads by importing a list into IE9 and enabling it.)

By design, Tracking Protection is disabled and no third-party lists are installed. If you want to block third-party scripts and cookies and ads, you have to choose to turn the feature on. Third parties can make it easy for you to do that. If you visit Abine.com using IE9, for example, you can get to this page that allows you to install a Tracking Protection List (TPL) automatically:

But how do you know whether this list is trustworthy? Is it based on solid research and up to date? How do you know the motivations of a list’s publisher? Microsoft is counting on a reputation system to emerge and for communities to make their recommendations about these lists. It doesn't help that one of the five lists that Microsoft highlights for IE9 RC users just happens to give a handful of Microsoft-owned domains a free pass on privacy.

In its initial announcement of Tracking Protection, back in December 2010, Microsoft acknowledged that this is just the first step in terms of developing a privacy protection platform that really works:

We designed this functionality as a good start to enable consumer choice and protection from potential tracking. We provide a tool in the browser, and consumers choose how to use it. As with everything on the web, we expect it to evolve over time especially as the broader privacy dialog continues. We’re communicating about it now as part of our transparency in the software development process.

So who can you trust? That question is especially important when you take into account the design of this feature in the IE9 RC. You can install multiple TPLs, and an Allow rule on any list trumps a Block rule on another list. So if you’re the owner of a big network of web properties, and you see a site visitor arrive using IE9, wouldn’t you want to helpfully offer that visitor the option to install a Tracking Protection List that whitelists all your domains? All in the interests of improved user experience, of course.

You can see an example of this potential conflict in the first batch of publicly available Tracking Protection Lists. I downloaded the current version of four lists from this Microsoft-hosted page (PrivacyChoice offers two versions of its lists, so I used the All Companies list). What I found after a close look inside these TPLs was surprising.

The data is in simple text files, with a fairly straightforward syntax. Here’s the beginning of Abine’s TPL:

    Name: Abine Tracking Protection List
    Address: http://www.abine.com/tpl/abineielist.txt
    File:

    msFilterList
    -d statcounter.com counter.js
    -d addthis.com addthis_widget.js
    -d analytics.live.com masanalytics.js
    -d scorecardresearch.com beacon.js
    -d diig.com diggthis.js
    -d charbeat.com charbeat.js
    -d alexametrics.com atrk.js
    -d google-analytics.com siteopt.js

Each line after the msFilterList header is a rule. A -d rule blocks traffic from the domain on that line when the request contains the substring shown after the domain. So in this snippet, the analytics scripts from Microsoft’s live.com and Google’s google-analytics.com are blocked. A +d rule means that requests to the domain on the same line are allowed. And when multiple lists target the same domain and substring, the Allow rule wins.
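The rule syntax and the Allow-wins precedence described above can be checked before a list is installed. The following is an added example, not code from the article or from Microsoft: it parses -d/+d rules, counts them per list, and reports which Block rules a second list's Allow rules would silence. Subdomain matching and matching the substring against the whole URL are assumptions, and the two sample lists are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Rule:
    source: str     # name of the list the rule came from
    allow: bool     # True for "+d", False for "-d"
    domain: str
    substring: str  # "" = rule covers the whole domain

    def matches(self, url):
        host = (urlsplit(url).hostname or "").lower()
        # Assumption: a rule for example.com also covers its subdomains.
        on_domain = host == self.domain or host.endswith("." + self.domain)
        return on_domain and self.substring in url.lower()

def parse_tpl(source, text):
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in ("-d", "+d"):
            continue  # msFilterList header, blank lines, anything not a -d/+d rule
        substring = parts[2].strip().lower() if len(parts) == 3 else ""
        rules.append(Rule(source, parts[0] == "+d", parts[1].lower(), substring))
    return rules

def count_rules(rules):
    allow = sum(1 for r in rules if r.allow)
    return {"block": len(rules) - allow, "allow": allow}

def decide(url, rules):
    """Allow beats Block, regardless of which list each rule came from."""
    hits = [r for r in rules if r.matches(url)]
    for verdict, wanted in (("allow", True), ("block", False)):
        for r in hits:
            if r.allow is wanted:
                return verdict, r
    return "no-rule", None

def overridden_blocks(rules):
    """Pairs (block, allow) where the Allow rule covers every URL the Block rule matches."""
    pairs = []
    for b in (r for r in rules if not r.allow):
        for a in (r for r in rules if r.allow):
            same_scope = b.domain == a.domain or b.domain.endswith("." + a.domain)
            if same_scope and a.substring in b.substring:
                pairs.append((b, a))
    return pairs

# Constructed samples: three Block rules quoted in the article, plus a
# two-line Allow list modelled on the domain-wide "+d" entries it describes.
BLOCK_SAMPLE = """msFilterList
-d statcounter.com counter.js
-d analytics.live.com masanalytics.js
-d google-analytics.com siteopt.js
"""
ALLOW_SAMPLE = "msFilterList\n+d microsoft.com\n+d live.com\n"

if __name__ == "__main__":
    merged = parse_tpl("block-sample", BLOCK_SAMPLE) + parse_tpl("allow-sample", ALLOW_SAMPLE)
    for b, a in overridden_blocks(merged):
        print(f"{b.source}: -d {b.domain} {b.substring} is silenced by {a.source}: +d {a.domain}")
```

Running the audit on lists you already have installed plus a candidate list shows exactly which protections the candidate would undo.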

I imported the four raw TPLs into Microsoft Excel and cleaned them up for analysis. One revealing way to slice the data was to look at the number of Block and Allow rules defined in each list. See anything odd about this list?

    Publisher        Block    Allow
    EasyList         2,189       47
    PrivacyChoice      463        1
    Abine               94        0
    TRUSTe               0    3,958

All data current as of February 12, 2011.

Hmmm. One of these lists is not like the other. In fact, you can make some guesses about the purpose and scope of each list just from those numbers, and I bet those guesses would be accurate. On the next page, I’ll share what I learned about each company and its list.

The top three organizations can be categorized as privacy advocates, each with a different pedigree and management structure.

  • Abine bills itself as “the online privacy company.” Based in Cambridge, Massachusetts, the company was founded in 2008 by ex-IBMer Eugene Kuznetsov, Andrew Sudbury, and Rob Shavell. The company’s strangely organized Team page also name-checks Jules Polonetsky, co-chair and director of the Future of Privacy Forum and a former Chief Privacy Officer for both AOL and DoubleClick. The Abine Tracking Protection List is short but sweet, blocking all JavaScript from domains like salesforce.com and also some generic scripts (like quant.js) from any third-party server. It blocks entire domains from some ad publishers, including tribalfusion.com, and blocks those annoying ads disguised as URLs from Kontera and IntelliTxt.
  • EasyList was created in 2005 by the late Rick Petnel in hopes of resurrecting the “practically abandoned” Adblock and Adblock Plus Firefox extensions. The effort succeeded, and the group claimed a user base of four million by January 2009. (I can’t find a more recent estimate of the number of users.) The current generation of Easy subscriptions for Adblock Plus are dual licensed under Creative Commons Attribution-ShareAlike and the GNU General Public License and are designed to remove ads and tracking information. According to EasyList, the subscriptions are currently maintained by five authors and “an ample forum community.” EasyList recently announced that it was able to “automatically convert the majority of EasyPrivacy filters to a suitable form for Internet Explorer.” The EasyPrivacy TPL, not surprisingly, is long and detailed, and based on the exact same list used by AdBlock Plus. Its 2,189 Block rules target many entire domains, including hitbox.com and quantserve.com. It specifically targets many commonly used implementations of Google Analytics.
  • PrivacyChoice was founded in early 2009. It’s operated by Jim Brock, “a technology entrepreneur, former Yahoo! executive and co-founder of Attributor,” and claims to be supported by “contributions of time and money from users and websites who use our service.” The Tracker Index database of tracking companies, listing their privacy policies, and opt-out/opt-in processes, is truly impressive, covering domains used by nearly 300 ad networks and platforms. This database has been used to create two TrackerBlock lists for Internet Explorer 9 (you can view the lists in their raw format here and here). The first blocks companies that are not subject to oversight by the Network Advertising Initiative and the second blocks all tracking company domains in the PrivacyChoice database.

And then there’s TRUSTe, which has been around since Web 1.0—founded in 1997, to be precise. Its main business is selling seals that sites can display on their web pages if their privacy policy passes a review process. TRUSTe claims to certify “more than 3000 web sites, including Microsoft, eBay, Facebook, Apple, the NFL, and AT&T.” Its Board of directors is dominated by venture capitalists, and an Advisory Council contains names from a Who’s Who in corporate America, including SalesForce.com, Microsoft, eBay, and Intuit, with a couple of legal eagles from the academic world represented as well.

As you can see from the table, TRUSTe’s current TPL represents advertisers, not consumers. TRUSTe’s TPL, unlike any of the others, consists exclusively of Allow rules for entire domains. Remember: Allow rules trump Block rules. So, if your domain is one of the nearly 4000 on the current version of the TRUSTe list, you’ve got a Get Out of Jail free card in IE9 with any user who installs the TRUSTe list. That +d microsoft.com line means any ad, cookie, or web beacon from the microsoft.com domain is allowed on a third-party site, even if another list includes a rule to block one of those items. Other Microsoft properties are on the TRUSTe list as well, including live.com, windowslive.com, and msn.com. In my search of the TRUSTe list, I could not find any domains that included google.

Does TRUSTe deserve trust? The organization has a checkered history, and when I saw its name on the list of TPLs I remembered my less-than-favorable impressions from the middle of the last decade. One report I remember very well was published in 2006 by privacy expert Ben Edelman, whose study was meticulously designed and researched. He found that TRUSTe-certified sites were “more than twice as likely to be untrustworthy” as sites that didn’t have a certification.

Ben is now an assistant professor at the Harvard Business School and is still doing excellent research on privacy issues. I caught up with him last week and I asked about TRUSTe today: “They’ve improved dramatically,” he says. (Ben can take a lot of the credit for that change, in my opinion, thanks to his persistent hammering on this issue.)

Still, even with dramatic improvement it’s hard to imagine anyone interested in online privacy giving a free pass to so many domains on the say-so of a single company.

It’s possible that TRUSTe will change its TPL in coming months. The download page for the current version of the TPL claims that IE9 users can install TRUSTe’s Tracking Protection List to “block companies that offer poor privacy protection, while ensuring that trustworthy companies who protect their privacy can continue to provide them with a richer, more personalized browsing experience.” A report in MediaPost says TRUSTe plans to give 30 days’ notice to companies that are not in compliance with the Digital Advertising Alliance’s self-regulatory program and then turn on its Block filters.

Last week, at a privacy roundtable in Berkeley, IE boss Dean Hachamovitch announced that Microsoft plans to “bring the design for a tracking protection list, as well as a persistent setting to indicate tracking preferences” to the W3C as a proposal for Web standardization. “We're doing that because we do want it to be universal,” said Hachamovitch, “and we think there should be a consistent way that websites, and Web developers can determine the user's preference.”

In fact, adoption as a standard is the key to success for this specific approach to privacy. If it remains an opt-in option for IE9 users only, it will take years to get its usage on the Internet past single-digit percentages.

In the final installment of this series, next week, I'll look at how Mozilla and Google are approaching the privacy issue in their roadmaps for future browser versions.

Talkback

54 comments
  • You know what...

    Wireless broadband providers are charging by the gig and every little bit counts! I do not want ads wasting my bandwidth so why not provide this to customers.

    Something tells me we're going to see a whole bunch of php required tags embedded in pages once this technology hits.
    slickjim
    • RE: Privacy protection and IE9: who can you trust?

      @Peter Perry one more note, I do see this taking a big chunk out of Google's revenue and that will hurt the search Giant Big Time!
      slickjim
      • It's smart...

        @Peter Perry

        Microsoft, while they like ad revenue, doesn't survive on it. Ads are Google's lifeblood. But I don't think usage will be high enough to matter. You have to go in and turn it on, requiring a few seconds of your time, which means it will escape the grasp of most people.
        LiquidLearner
      • LiquidLearner, having it off by default

        @Peter Perry is probably done for those that will wonder what went wrong with the install as they can't see ads if it was on by default. :)

        That, and to keep Regulators happy.
        John Zern
      • Google This and Google That! haha.....

        @Peter Perry Which is why I can't believe Microsoft's "Embrace Extend Extinguish" modus operandi has changed. It seems they really want them to keep using these anticompetitive misinformation techniques that only ended up failing last time around. So you fools can jump on the MS coat tails, use Bing, support this asinine attempt to spread your mis-information in a blind attempt to pull money out of Google's pockets. But it's not to stop ads anyway. Only to control tracking and it's being implemented in all browsers.

        But if you want to watch videos from the largest content provider (including embedded in MS's own video site) in the World, then you will still have to deal with Google making money off Ads at least there, or you can not watch 'em (even YouTube videos links on Bing Video Searches)!!! The tracking? Google doesn't make money off tracking anyway..... only off the ads these tracking companies place and they don't care if the tracking is disabled or NOT!
        i2fun
        • Just a Lame Response to Firefox's Secure Privacy Browser!

          @i2fun@... Microsoft heard about Mozilla's Privacy (plus extensions they already have available) plans and had to respond with at least something that better ensures user's control of privacy online. The thing is this system isn't in IE browser itself like Firefox and leaves the same old holes in IE that are the reason it is the most insecure browser on the planet to date. Things like VB Script and Active X! .....huge monstrously destructive and insecure technologies from the last 15 years of IE dominance on the web!

          http://blog.mozilla.com/blog/2011/02/08/mozilla-firefox-4-beta-now-including-do-not-track-capabilities/

          So this is nothing new. Simply much like "DO NOT TRACK" headers in Firefox!

          Then Google followed with an Add on too. So Microsoft was simply forced to respond!
          i2fun
      • RE: Privacy protection and IE9: who can you trust?

        @Peter Perry

        Who cares if google suffers from this, it's their own fault for not monitoring their partners, and if they had chosen a better company direction. Advertising is hated in Snail mail and email, why would it be any different in websites. Companies need to make this optional, at least when it comes to displaying the ad. Google's index is getting too big and well they still can't provide proof that Advertising companies aren't paying them to show up on top, which relentlessly ruins your search results. I don't have this problem because from my business aspects have chosen to not use Google due to my profits margins. My own opinion here and probably someone else's, I don't care if this affected google, because well if I didn't know better, I wouldn't want to pay techs like me regularly to remove partner ads/malware! I make so much money on Marketing companies who are partnered with Google it is disgraceful!! Google would deserve it!
        Ez_Customs
  • RE: Privacy protection and IE9: who can you trust?

    On the one hand, this is great for users sick to death of advertising.

    On the other hand, it's a death knell for ZDNET and other blogging sites. These sites only exist because of advertising and bloggers are paid for the number of posts they attract (that is posters who are potentially looking at the ads).

    If IE9 (and presumably the other browsers will catch up) has wide takeup, then the main revenue for these types of sites will take a significant hit.

    Any idea how ZDNET et al will survive with diminished advertising revenue Ed?
    tonymcs1
    • A lot of dominoes have to fall

      @tonymcs@...

      This will take several years to play out. Ask me again next year at this time...
      Ed Bott
      • RE: Privacy protection and IE9: who can you trust?

        @Ed Bott

        When I see you playing the guitar next to the subway, I'll throw you a dime :)
        Alan Smithie
      • Alan Smithie, you wouldn't be angry that he took your spot?

        Forcing you to another subway entrance?
        John Zern
      • Yeah but Ed won't have a dime

        Alan will.

        LOL... :D
        search & destroy
    • The storyline isn't fully written yet, TRUSTe me

      @tonymcs@
      "Any idea how ZDNET et al will survive with diminished advertising revenue Ed?"

      Another obvious question to address might be:
      How will the bigger, badder and better funded players find ways to effectively sidestep it?

      Seems there's always an end-around, backdoor or circumvent to be found in every computational puzzle. :|

      @Ed Bott
      "It doesn't help that one of the five lists that Microsoft highlights for IE9 RC users just happens to give a handful of Microsoft-owned domains a free pass on privacy."

      Attaboy MS! And so it begins. ;)
      klumper
      • RE: Privacy protection and IE9: who can you trust?

        @klumper
        Let's be clear. In this space they are not a monopoly.
        DannyO_0x98
    • RE: Privacy protection and IE9: who can you trust?

      @tonymcs@...

      All of us non-primary Windows users. We're gold.
      DannyO_0x98
  • Please learn elementary grammar

    It's "whom can you trust," not "who can you trust."
    bmeacham989
    • Yes, yes

      @bmeacham98@...

      But this is a Microsoft *Windows related* classroom. Not an English class.

      The reason we came up with so many acronyms, leetspeak and tidbits of mindless jargon was to cover our wholly imperfect computing and communication bases in the first place. It also helps cover up any grammatical slip-ups and profundency splatters much more effectively, on the Internet and beyond. But you know that.

      Oh, and in God we trust. There's the missing answer to your non-question . . .
      I trust.
      klumper
    • RE: Privacy protection and IE9: who can you trust?

      @bmeacham98@... I agree it should be whom, but it's not elementary grammar. Last I saw, grammar is not on any of the national tests, therefore the schools do not have it in their curriculum anymore. We teach kids to memorize, not think.
      zclayton2
    • In ordinary usage...

      @bmeacham98@...

      I started my career as a copy editor. I know grammar inside and out. In general, modern grammarians find this construction perfectly acceptable and even preferable for ordinary speech and writing.
      Ed Bott
  • Can you do us a favor?

    So can you keep this table of blocked/allowed updated over time?
    xp-client