Is Microsoft backtracking on tracking?

It's currently unclear what position Microsoft is taking on tracking protection in its new Spartan browser.


The first public build of Project Spartan doesn't just show off the integration with Cortana and OneNote, it shows how much cruft Microsoft has removed along the way.

That isn't just legacy code for rendering sites; it also includes a lot of settings. One of those is the P3P (Platform for Privacy Preferences Project) privacy standard, which was supposed to let you choose how much tracking information you wanted to share with different sites. Given how few sites actually implement the P3P protocol (and that there are sites that misuse it), there's not much point putting it into a modern browser at this point, but it's not the only tracking change.

Spartan and IE no longer default to turning on the Do Not Track (DNT) signal. Having IE turn that on by default used to be a strong, if hollow, statement that Microsoft wanted to protect user privacy online.

It was a strong statement because it upset advertisers, who doubtless hoped that users would never get around to turning DNT on. It also upset people in the DNT working group because they thought it gave advertisers an excuse for ignoring DNT, resulting in the W3C spec saying DNT should be off by default so that it reflected a deliberate choice. And it was ultimately hollow because the DNT spec never clarified what 'not tracking' actually meant and hardly any sites ever looked for the signal.

DNT was a two-year diversion into ad industry self-regulation that did nothing to improve privacy or regulate tracking, and there's certainly no point in Microsoft flogging that particular dead horse any more.

Leaving DNT off by default in Microsoft browsers, because that's what the spec says, is most noteworthy because it wasn't the browser team that announced it. It was Microsoft privacy officer Brendan Lynch, in a blog post on Good Friday (which isn't a public holiday in the US but may have gone unnoticed elsewhere).

Spartan by nature

The browser team hasn't yet talked about tracking in the new browser (Microsoft told us they don't have anything more to share at this point), so it's not clear what the plan is.

For example, Spartan doesn't have InPrivate browsing, for keeping some sites out of your browsing history, but that's probably just because it's such an early preview -- it doesn't have a functional download manager at this point either.

More disappointingly, unlike the immersive IE it replaces but like the Windows Phone browser, it doesn't support Tracking Protection Lists (TPLs). You can trim off the ads and extraneous items on a site and get just the content by switching to reading view, but that doesn't stop the tracking code running that, for example, tells the site to show you adverts for something you just searched for on a shopping site. You won't see the ad but you still get tracked and you're still leaving demographic footprints all over the web.

That's not the same as having the Tracking Protection built into IE that lets you create a list of trackers to block on some or all sites, or to subscribe to a preset list.

At this point, we don't know if Tracking Protection Lists aren't there because Spartan won't support them (which would be a definite step back) or because it takes time to build them into the new browser. Certainly the interface for managing TPLs in IE makes them hard to work with.

You have to know the feature exists in the first place, and then turn it on from the Security menu under the cog icon; then you have to pick a list from the elderly IE gallery through Manage Addons (choose the Adblock Plus-equivalent Fanboy list, the Abine list or the one from PrivacyChoice rather than the TrustE list that whitelists ad networks that behave well). These are all lists contributed by organizations other than Microsoft; there are only a handful of them as the idea didn't get a lot of backing in the industry, but the ones that are there really clean up your browsing experience. (They also show up automatically on new PCs where you sign in with the same Microsoft account.)

Sometimes they do it a little too well -- and if a website doesn't work correctly, you have to tap a small icon in the address bar and turn all tracking back on for a site rather than being able to pick and choose if you just want the comment tool or the YouTube playlist but not the 17 ad trackers the site also loads. That's not very friendly, but it is effective; turn tracking off and on to see how many trackers are on one site (anywhere from 3 to 280 is quite common on sites I visit).

Clarity required

It would be a shame for the interface to hold back so useful a feature. Running IE with a good TPL like Abine is very like using Adblock. Sites are less annoying -- no more AutoPlay videos, or at least far fewer of them -- and they load faster, plus, of course, you're not getting followed around the web. When Google decided to work around the tracking protection in Safari, Apple changed the browser -- and a lawsuit against Google is finally going ahead in the UK over that. Microsoft was able to just put out a TPL to stop that tracking.

TPLs matter even more because we don't yet have the extensibility model for Spartan. We don't know how easy it will be for third parties to build tools like Ghostery or Adblock, or how long it will take them to build them.

Microsoft has made such a strong commitment to user privacy in the past that it's strange that we don't yet know what the plan is here; Lynch's post is all about being clear about the spec but doesn't mention users at all, or where Microsoft now stands on the industry-wide debate about the ad-funded web, mobile ads and the balance between tracking and privacy. Dropping the old privacy tools makes room for a fresh start, but there's no sign yet of what that might be.