Among the most significant new features in Internet Explorer 9 is a framework for giving users control over their online privacy. Microsoft announced Tracking Protection a few months ago and has shown a few demos since. Last week it gave the public its first crack at actually using the technology in the IE9 Release Candidate.
I’ve already explained how Tracking Protection works. (The short version: you can block third-party tracking cookies, web beacons, and even ads by importing a list into IE9 and enabling it.)
By design, Tracking Protection is disabled and no third-party lists are installed. If you want to block third-party scripts and cookies and ads, you have to choose to turn the feature on. Third parties can make it easy for you to do that. If you visit Abine.com using IE9, for example, you can get to this page that allows you to install a Tracking Protection List (TPL) automatically:
But how do you know whether this list is trustworthy? Is it based on solid research and up to date? How do you know the motivations of a list’s publisher? Microsoft is counting on a reputation system to emerge and for communities to make their recommendations about these lists. It doesn't help that one of the five lists that Microsoft highlights for IE9 RC users just happens to give a handful of Microsoft-owned domains a free pass on privacy.
We designed this functionality as a good start to enable consumer choice and protection from potential tracking. We provide a tool in the browser, and consumers choose how to use it. As with everything on the web, we expect it to evolve over time especially as the broader privacy dialog continues. We’re communicating about it now as part of our transparency in the software development process.
So who can you trust? That question is especially important when you take into account the design of this feature in the IE9 RC. You can install multiple TPLs, and an Allow rule on any list trumps a Block rule on another list. So if you’re the owner of a big network of web properties, and you see a site visitor arrive using IE9, wouldn’t you want to helpfully offer that visitor the option to install a Tracking Protection List that whitelists all your domains? All in the interests of improved user experience, of course.
You can see an example of this potential conflict in the first batch of publicly available Tracking Protection Lists. I downloaded the current version of four lists from this Microsoft-hosted page (PrivacyChoice offers two versions of its lists, so I used the All Companies list). What I found after a close look inside these TPLs was surprising.
The data is in simple text files, with a fairly straightforward syntax. Here’s the beginning of Abine’s TPL:
Name: Abine Tracking Protection List
-d statcounter.com counter.js
-d addthis.com addthis_widget.js
-d analytics.live.com masanalytics.js
-d scorecardresearch.com beacon.js
-d diig.com diggthis.js
-d charbeat.com charbeat.js
-d alexametrics.com atrk.js
-d google-analytics.com siteopt.js
Each line after the msFilterList header is a rule. The –d means that the rule blocks traffic from the domain on that line that contains the substring shown after the domain. So in this snippet, the analytics scripts from Microsoft’s live.com and Google’s google-analytics.com are blocked. A +d means that requests to the domain on the same line are allowed. And when multiple lists target the same domain and substring, the Allow rule wins.
I imported the four raw TPLs into Microsoft Excel and cleaned them up for analysis. One revealing way to slice the data was to look at the number of Block and Allow rules defined in each list. See anything odd about this list?
Hmmm. One of these lists is not like the other. In fact, you can make some guesses about the purpose and scope of each list just from those numbers, and I bet those guesses would be accurate. On the next page, I’ll share what I learned about each company and its list.
Page 2: Four Tracking Protection Lists under the microscope-->
<-- Previous page
The top three organizations can be categorized as privacy advocates, each with a different pedigree and management structure.
As you can see from the table, TRUSTe’s current TPL represents advertisers, not consumers. TRUSTe’s TPL, unlike any of the others, consists exclusively of Allow rules for entire domains. Remember: Allow rules trump Block rules. So, if your domain is one of the nearly 4000 on the current version of the TRUSTe list, you’ve got a Get Out of Jail free card in IEP with any user who installs the TRUSTe list. That +d microsoft.com line means any ad, cookie, or web beacon from the microsoft.com domain is allowed on a third-party site, even if another list includes a rule to block one of those items. Other Microsoft properties are on the TRUSTe list as well, including live.com, windowslive.com, and msn.com. In my search of the TRUSTe list, I could not find any domains that included google.
Does TRUSTe deserve trust? The organization has a checkered history, and when I saw its name on the list of TPLs I remembered my less-than-favorable impressions from the middle of the last decade. One report I remember very well was published in 2006 by privacy expert Ben Edelman, whose study was meticulously designed and researched. He found that TRUSTe-certified sites were “more than twice as likely to be untrustworthy” as sites that didn’t have a certification.
Ben is now an assistant professor at the Harvard Business School and is still doing excellent research on privacy issues. I caught up with him last week and I asked about TRUSTe today: “They’ve improved dramatically,” he says. (Ben can take a lot of the credit for that change, in my opinion, thanks to his persistent hammering on this issue.)
Still, even with dramatic improvement it’s hard to imagine anyone interested in online privacy giving a free pass to so many domains on the say-so of a single company.
It’s possible that TRUSTe will change its TPL in coming months. The download page for the current version of the TPL claims that IE9 users can install TRUSTe’s Tracking Protection List to “block companies that offer poor privacy protection, while ensuring that trustworthy companies who protect their privacy can continue to provide them with a richer, more personalized browsing experience.” A report in MediaPost says TRUSTe plans to give 30 days’ notice to companies that are not in compliance with the Digital Advertising Alliance’s self-regulatory program and then turn on its Block filters.
Last week, at a privacy roundtable in Berkeley, IE boss Dean Hachamovich announced that Microsoft plan to “bring the design for a tracking protection list, as well as a persistent setting to indicate tracking preferences” to the W3C as a proposal for Web standardization. “We're doing that because we do want it to be universal,” said Hachamovich, “and we think there should be a consistent way that websites, and Web developers can determine the user's preference.”
In fact, adoption as a standard is the key to success for this specific approach to privacy. If it remains an opt-in option for IE9 users only, it will take years to get its usage on the Internet past single-digit percentages.
In the final installment of this series, next week, I'll to look at how Mozilla and Google are approaching the privacy issue in their roadmaps for future browser versions.