Privacy protection and IE9: who can you trust?

Among the most significant new features in Internet Explorer 9 is a framework for giving users more control over their online privacy. I downloaded the first four Tracking Protection Lists and took a close look inside each one. What I found might surprise you.
Written by Ed Bott, Senior Contributing Editor

Among the most significant new features in Internet Explorer 9 is a framework for giving users control over their online privacy. Microsoft announced Tracking Protection a few months ago and has shown a few demos since. Last week it gave the public its first crack at actually using the technology in the IE9 Release Candidate.

I’ve already explained how Tracking Protection works. (The short version: you can block third-party tracking cookies, web beacons, and even ads by importing a list into IE9 and enabling it.)

By design, Tracking Protection is disabled and no third-party lists are installed. If you want to block third-party scripts and cookies and ads, you have to choose to turn the feature on. Third parties can make it easy for you to do that. If you visit Abine.com using IE9, for example, you can get to this page that allows you to install a Tracking Protection List (TPL) automatically:


But how do you know whether this list is trustworthy? Is it based on solid research and up to date? How do you know the motivations of a list’s publisher? Microsoft is counting on a reputation system to emerge and for communities to make their recommendations about these lists. It doesn't help that one of the five lists that Microsoft highlights for IE9 RC users just happens to give a handful of Microsoft-owned domains a free pass on privacy.

Part 1: IE9 and Tracking Protection: Microsoft disrupts the online ad business

In its initial announcement of Tracking Protection, back in December 2010, Microsoft acknowledged that this is just the first step in terms of developing a privacy protection platform that really works:

We designed this functionality as a good start to enable consumer choice and protection from potential tracking. We provide a tool in the browser, and consumers choose how to use it. As with everything on the web, we expect it to evolve over time especially as the broader privacy dialog continues. We’re communicating about it now as part of our transparency in the software development process.

So who can you trust? That question is especially important when you take into account the design of this feature in the IE9 RC. You can install multiple TPLs, and an Allow rule on any list trumps a Block rule on another list. So if you’re the owner of a big network of web properties, and you see a site visitor arrive using IE9, wouldn’t you want to helpfully offer that visitor the option to install a Tracking Protection List that whitelists all your domains? All in the interests of improved user experience, of course.

You can see an example of this potential conflict in the first batch of publicly available Tracking Protection Lists. I downloaded the current version of four lists from this Microsoft-hosted page (PrivacyChoice offers two versions of its lists, so I used the All Companies list). What I found after a close look inside these TPLs was surprising.

The data is in simple text files, with a fairly straightforward syntax. Here’s the beginning of Abine’s TPL:

Name: Abine Tracking Protection List
Address: http://www.abine.com/tpl/abineielist.txt
File:

    msFilterList
    -d statcounter.com counter.js
    -d addthis.com addthis_widget.js
    -d analytics.live.com masanalytics.js
    -d scorecardresearch.com beacon.js
    -d diig.com diggthis.js
    -d charbeat.com charbeat.js
    -d alexametrics.com atrk.js
    -d google-analytics.com siteopt.js

Each line after the msFilterList header is a rule. A line beginning with -d is a Block rule: requests to the domain named on that line are blocked when the rest of the URL contains the substring that follows the domain; leave the substring off and the rule covers everything from that domain. So in this snippet, the analytics scripts from Microsoft’s live.com and Google’s google-analytics.com are blocked. A line beginning with +d is an Allow rule for the domain on the same line, and the two kinds of rule are not symmetric: when an Allow rule and a Block rule, from whichever lists, both match the same request, the Allow rule wins.
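To make that precedence concrete, here is an added example (my own code, not Abine’s tooling and not anything Microsoft ships with IE9) that parses the domain rules of two TPLs, reproduces the Block/Allow counts used in the table on this page, and evaluates a single third-party request against both lists at once. The first list is the opening of Abine’s file as quoted above; the second is a constructed Allow-only list in the style this article later describes for TRUSTe, not TRUSTe’s actual file. Two matching details are my assumptions rather than anything stated on this page: that a domain rule also covers subdomains of the named domain, and that the substring is matched against the whole request URL. The handling of "#" comment lines and ":" directive lines follows my reading of the list format and does not appear in the snippet above.

```python
"""Parse IE9 Tracking Protection Lists and apply several of them to one request.

Added example, not code from the article, Abine, or Microsoft. Assumptions:
a domain rule matches the host and its subdomains, the substring is matched
against the whole request URL, and the request being evaluated is third-party
(IE only consults TPLs for third-party content).
"""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed from the opening lines of Abine's list quoted in the article.
ABINE_TPL = """msFilterList
-d statcounter.com counter.js
-d addthis.com addthis_widget.js
-d analytics.live.com masanalytics.js
-d scorecardresearch.com beacon.js
-d google-analytics.com siteopt.js
"""

# Constructed Allow-only list in the style the article describes (not TRUSTe's real file).
SEAL_TPL = """msFilterList
# Allow rules with no substring cover every request to the domain
: Expires=7
+d microsoft.com
+d live.com
+d msn.com
"""


@dataclass(frozen=True)
class Rule:
    allow: bool      # True for +d (Allow), False for -d (Block)
    domain: str
    substring: str   # '' means the rule covers every request to the domain


def parse_tpl(text):
    """Return the domain rules of a TPL; raise if the msFilterList header is missing."""
    rules = []
    header_seen = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        if not header_seen:
            if line != "msFilterList":
                raise ValueError("not a TPL: first line must be msFilterList")
            header_seen = True
            continue
        if line.startswith(":"):                  # list directives such as ': Expires=7'
            continue
        parts = line.split(None, 2)
        if parts[0] not in ("-d", "+d") or len(parts) < 2:
            continue                              # '-'/'+' substring-only rules are not modelled here
        substring = parts[2].strip() if len(parts) == 3 else ""
        rules.append(Rule(parts[0] == "+d", parts[1].lower(), substring))
    if not header_seen:
        raise ValueError("empty file")
    return rules


def count_rules(rules):
    """(block, allow) counts: the figures the article tabulates per publisher."""
    kinds = Counter("allow" if r.allow else "block" for r in rules)
    return kinds["block"], kinds["allow"]


def _matches(rule, host, url):
    # Assumed: a domain rule covers the named host and any subdomain of it.
    host_ok = host == rule.domain or host.endswith("." + rule.domain)
    return host_ok and rule.substring in url


def decision(url, lists):
    """'allow', 'block' or 'none' for a third-party request given the installed TPLs.

    Any matching Allow rule wins, whichever list it came from; otherwise any
    matching Block rule blocks; otherwise the request is not filtered.
    """
    host = (urlsplit(url).hostname or "").lower()
    blocked = False
    for rules in lists:
        for rule in rules:
            if _matches(rule, host, url):
                if rule.allow:
                    return "allow"
                blocked = True
    return "block" if blocked else "none"


if __name__ == "__main__":
    abine, seal = parse_tpl(ABINE_TPL), parse_tpl(SEAL_TPL)
    print("Abine block/allow:", count_rules(abine), " seal-style block/allow:", count_rules(seal))
    beacon = "http://analytics.live.com/masanalytics.js"
    print("Abine alone:", decision(beacon, [abine]))             # block
    print("Abine + seal list:", decision(beacon, [abine, seal]))  # allow: +d live.com wins
```

The order in which the lists are installed makes no difference; a single matching +d line on any list is enough to let the request through, which is exactly the conflict the article goes on to describe. Note also that the Abine snippet blocks only the named scripts, so a request for a different file from google-analytics.com is not filtered by it at all.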

I imported the four raw TPLs into Microsoft Excel and cleaned them up for analysis. One revealing way to slice the data was to count the Block and Allow rules defined in each list. See anything odd about this table?

Publisher        Block    Allow
EasyList         2,189       47
PrivacyChoice      463        1
Abine               94        0
TRUSTe               0    3,958
All data current as of February 12, 2011.

Hmmm. One of these lists is not like the others. In fact, you can make some guesses about the purpose and scope of each list just from those numbers, and I bet those guesses would be accurate. On the next page, I’ll share what I learned about each company and its list.

Page 2: Four Tracking Protection Lists under the microscope

The top three organizations can be categorized as privacy advocates, each with a different pedigree and management structure.

  • Abine bills itself as “the online privacy company.” Based in Cambridge, Massachusetts, the company was founded in 2008 by ex-IBMer Eugene Kuznetsov, Andrew Sudbury, and Rob Shavell. The company’s strangely organized Team page also name-checks Jules Polonetsky, co-chair and director of the Future of Privacy Forum and a former Chief Privacy Officer for both AOL and DoubleClick. The Abine Tracking Protection List is short but sweet, blocking all JavaScript from domains like salesforce.com and also some generic scripts (like quant.js) from any third-party server. It blocks entire domains from some ad publishers, including tribalfusion.com, and blocks those annoying in-text ads disguised as links from Kontera and IntelliTxt.
  • EasyList was created in 2005 by the late Rick Petnel in hopes of resurrecting the “practically abandoned” Adblock and Adblock Plus Firefox extensions. The effort succeeded, and the group claimed a user base of four million by January 2009. (I can’t find a more recent estimate of the number of users.) The current generation of Easy subscriptions for Adblock Plus are dual licensed under Creative Commons Attribution-ShareAlike and the GNU General Public License and are designed to remove ads and tracking information. According to EasyList, the subscriptions are currently maintained by five authors and “an ample forum community.” EasyList recently announced that it was able to “automatically convert the majority of EasyPrivacy filters to a suitable form for Internet Explorer.” The EasyPrivacy TPL, not surprisingly, is long and detailed, and based on the exact same list used by Adblock Plus. Its 2,189 Block rules target many entire domains, including hitbox.com and quantserve.com. It specifically targets many commonly used implementations of Google Analytics.
  • PrivacyChoice was founded in early 2009. It’s operated by Jim Brock, “a technology entrepreneur, former Yahoo! executive and co-founder of Attributor,” and claims to be supported by “contributions of time and money from users and websites who use our service.” The Tracker Index database of tracking companies, listing their privacy policies and opt-out/opt-in processes, is truly impressive, covering domains used by nearly 300 ad networks and platforms. This database has been used to create two TrackerBlock lists for Internet Explorer 9 (you can view the lists in their raw format here and here). The first blocks companies that are not subject to oversight by the Network Advertising Initiative, and the second blocks all tracking company domains in the PrivacyChoice database.

And then there’s TRUSTe, which has been around since Web 1.0—founded in 1997, to be precise. Its main business is selling seals that sites can display on their web pages if their privacy policy passes a review process. TRUSTe claims to certify “more than 3000 web sites, including Microsoft, eBay, Facebook, Apple, the NFL, and AT&T.” Its board of directors is dominated by venture capitalists, and an Advisory Council contains names from a Who’s Who in corporate America, including SalesForce.com, Microsoft, eBay, and Intuit, with a couple of legal eagles from the academic world represented as well.

As you can see from the table, TRUSTe’s current TPL represents advertisers, not consumers. TRUSTe’s TPL, unlike any of the others, consists exclusively of Allow rules for entire domains. Remember: Allow rules trump Block rules. So, if your domain is one of the nearly 4000 on the current version of the TRUSTe list, you’ve got a Get Out of Jail Free card in IE9 with any user who installs the TRUSTe list. That +d microsoft.com line means any ad, cookie, or web beacon from the microsoft.com domain is allowed on a third-party site, even if another list includes a rule to block one of those items. Other Microsoft properties are on the TRUSTe list as well, including live.com, windowslive.com, and msn.com. In my search of the TRUSTe list, I could not find any domains that included google.

Does TRUSTe deserve trust? The organization has a checkered history, and when I saw its name on the list of TPLs I remembered my less-than-favorable impressions from the middle of the last decade. One report I remember very well was published in 2006 by privacy expert Ben Edelman, whose study was meticulously designed and researched. He found that TRUSTe-certified sites were “more than twice as likely to be untrustworthy” as sites that didn’t have a certification.

Ben is now an assistant professor at the Harvard Business School and is still doing excellent research on privacy issues. I caught up with him last week and I asked about TRUSTe today: “They’ve improved dramatically,” he says. (Ben can take a lot of the credit for that change, in my opinion, thanks to his persistent hammering on this issue.)

Still, even with dramatic improvement it’s hard to imagine anyone interested in online privacy giving a free pass to so many domains on the say-so of a single company.

It’s possible that TRUSTe will change its TPL in coming months. The download page for the current version of the TPL claims that IE9 users can install TRUSTe’s Tracking Protection List to “block companies that offer poor privacy protection, while ensuring that trustworthy companies who protect their privacy can continue to provide them with a richer, more personalized browsing experience.” A report in MediaPost says TRUSTe plans to give 30 days’ notice to companies that are not in compliance with the Digital Advertising Alliance’s self-regulatory program and then turn on its Block filters.

Last week, at a privacy roundtable in Berkeley, IE boss Dean Hachamovitch announced that Microsoft plans to “bring the design for a tracking protection list, as well as a persistent setting to indicate tracking preferences” to the W3C as a proposal for Web standardization. “We're doing that because we do want it to be universal,” said Hachamovitch, “and we think there should be a consistent way that websites, and Web developers can determine the user's preference.”

In fact, adoption as a standard is the key to success for this specific approach to privacy. If it remains an opt-in feature for IE9 users only, it will take years to get its usage on the Internet past single-digit percentages.

In the final installment of this series, next week, I'll look at how Mozilla and Google are approaching the privacy issue in their roadmaps for future browser versions.