Microsoft Edge gets 'Tracking Prevention' feature

Microsoft testing a Firefox-like tracking protection feature for Edge.

Microsoft adds 'Tracking Prevention' feature to Edge Microsoft testing a Firefox-like tracking protection feature for Edge.

Microsoft introduced today a new feature to its new Chromium-based Edge browser that it calls Tracking Prevention.

As the name implies, the new feature can be used to block tracking scripts loaded by aggresive online advertisers and web analytics firms.

The feature is currently only available in Microsoft Edge Insiders preview builds. Microsoft says the feature still needs work, but it's rolling it out in the current in-dev stage so it can get useful feedback from users and accelerate its development.

How Tracking Prevention works

Tracking Prevention is eerily similar to the Enhanced Tracking Protection feature that Mozilla added to Firefox last year, and turned on by default for all users this spring.

The two work in a similar way. When enabled, they will block tracking scripts loaded from domains the user isn't accessing directly, such as those loaded from ad slots, by analytics services, and more.

But the mechanism is a little bit more complex. According to Microsoft, Edge's new Tracking Prevention feature is possible because of the addition of a new component known as Trust Protection Lists.

This component contains lists of organizations and their domains, known to track their users, and for which Tracking Prevention would activate.

When a user loads a website, the URLs of any third-party domains loaded on a website is verified against the Trust Protection Lists. If the third-party domain matches an URL on the Trust Protection Lists, Edge will (1) restrict its access to various browser storage mechanisms, or, as a more severe major, (2) block that domain from loading additional JavaScript code.

For example, a domain considered a "tracker" would not be able to access any browser storage mechanism where it may try to persist data about the user.

"This includes restricting the ability for that tracker to get or set cookies as well as access storage APIs such as IndexedDB and localStorage," Edge engineers explained today in a blog post.

Furthermore, besides blocking trackers from accessing or leaving tracking data inside a user's browser, Tracking Prevention also actively blocks trackers from loading and executing additional tracking scripts, tracking pixels, iframes, and more -- which may not require access to a browser storage mechanism, but are still capable of tracking users either way.

How to enable Tracking Prevention

Tracking Prevention has been rolled with Microsoft Edge Insider preview build 77.0.203.0 or higher. The feature is not available on Mac versions due to a build bug, but Microsoft said this would be corrected in a future version.

To enable it, users must visit the Edge flags page at edge://flags#edge-tracking-prevention. Here, they'll have to activate an Edge flag to enable the feature.

Edge Tracking Prevention flag

Image: Microsoft

Once the flag is activated, and after an Edge restart, a new section will appear in the Edge settings section where users can set the Tracking Prevention level.

Edge Tracking Prevention settings

Image: Microsoft

Three options are available: Basic, Balanced, and Strict. Microsoft says the difference between these three is what type of trackers they block.

Basic blocks only "malicious trackers," Balanced blocks trackers that Microsoft considers malicious and third-party trackers, and Strict blocks the majority of third-party trackers, regardless of categorization.

How Microsoft categorizes tracking scripts into malicious or privacy tracking categories is still a mystery; however, the company revealed a few details.

For example, scripts that perform cryptocurrency mining or attempt to fingerprint users based on their browser settings are considered malicious and will be blocked in all three Tracking Prevention levels -- Basic, Balanced, and Strict.

In Balanced mode, Microsoft said that "all users will get a robust set of tracker categories that have storage access blocked, and a slightly smaller set that have resource loads blocked."

The only tracking scripts that can load and execute JS code in Balanced mode are from domains that provide third-party login and commenting services, such as social networks, or OAuth providers.

But while these scripts will be allowed in Balanced mode, they'll be blocked in Strict mode "for users who don't mind a little bit of site breakage in exchange for greater protection."

Tracking Protection is currently only an optional feature in normal browsing sessions, but Microsoft says the feature will be enabled (in Strict mode) for Edge's private browsing mode.

Let's hope the feature is developed to a state where Microsoft rolls it in the stable version of Edge, and turns it on by default, just like Mozilla did for the Firefox userbase.

More browser coverage: