IE9 and Privacy: Introducing Tracking Protection

The feedback and conversation on IE9’s Platform Previews and Beta to date from many different communities has made the IE9 development process, and product, substantially better than previous releases. The discussions around hardware-accelerated HTML5 and same markup with the developer community, for example, have informed many changes to the product. Thank you for using it and providing feedback.

In general, we’ve focused this blog on engineering issues. In this post, still continuing our pattern of transparency, let’s look at the increasingly important topic of privacy online through the lens of a consumer concerned about being tracked on the web. Here is a brief summary (warning, what follows it is long) of what we intend to deliver in the release candidate of IE9.

Today, consumers have very little awareness or control over who can track their online activity. Much has been written about this topic. With the release candidate:

  1. IE9 will offer consumers a new opt-in mechanism (“Tracking Protection”) to identify and block many forms of undesired tracking.
  2. “Tracking Protection Lists” will enable consumers to control what third-party site content can track them when they’re online.

We believe that the combination of consumer opt-in, an open platform for publishing of Tracking Protection Lists (TPLs), and the underlying technology mechanism for Tracking Protection offer new options and a good balance between empowering consumers and online industry needs. They further empower consumers and complement many of the other ideas under discussion. You can see how it might work in this video:

Some Recent Context

On December 1, 2010, the Federal Trade Commission released a major report on consumer privacy online. You can read the report here. Microsoft has been engaged in dialogue with the FTC, the Article 29 Working Party in the EU, and others in the privacy arena for some time, and has long recognized the critical importance of privacy to our customers. Unlike other topics we’ve discussed on this blog, privacy involves additional complexities beyond technology and product engineering and interoperability. For privacy, many other aspects are at least as important for making progress: public policy, the law and its enforcement, and engagement across several other industries. This increased importance applies both in the recent US report as well as in similar efforts in places like the EU.

The FTC report looks at recommendations in areas like Do Not Track, and others in the industry have discussed potential Do Not Follow solutions. The report asked a series of questions, including:

  • How can such a mechanism be designed to be clear, easy-to-find, usable, and understandable to consumers?
  • How can such a mechanism be designed so that it is clear to consumers what they are choosing and what the limitations of the choice are?
  • What are the potential costs and benefits of offering a standardized uniform choice mechanism to control online behavioral advertising?
  • What is the likely impact if large numbers of consumers elect to opt out? How would it affect online publishers and advertisers, and how would it affect consumers?
  • In addition to providing the option to opt out of receiving ads completely, should a universal choice mechanism for online behavioral advertising include an option that allows consumers more granular control over the types of advertising they want to receive and the type of data they are willing to have collected about them?

Perhaps the briefest form of the question concerns consumers who want the option to say “no thank you” to being tracked… what happens to them?

Consensus and Innovation

On the IE team, we’ve asked similar questions and want to make progress operationally as well as in the public discussion. We want to develop (as the recent FTC report put it) “more effective technologies for consumer control” and make progress on the report’s recommendation of “a browser-based mechanism through which consumers could make persistent choices” regarding tracking.

Today, we’re offering an early look at a way to enable operational progress in the privacy discussion.

Let’s take a look at how this might work and then consider how it furthers the conversations we’ve been having with all interested private and public bodies. While the web browser is only one part of the online privacy experience, for many consumers, the browser is a key technology to manage their privacy choices.

By applying principles described in the FTC report like Transparency and Privacy by Design, we can make it easier for consumers to opt out of potential tracking experiences. There is no change to default behavior with respect to privacy and tracking, and consumers need to exercise choice for anything to change.

How (and Why) This Works

Today, consumers share information with more websites than the ones they see in the address bar in their browser. This is inherent in the design of the web and simply how the web works, and it has potentially unintended consequences. As consumers visit one site, many other sites receive information about their activities (you can read more details here). This situation results from how modern websites are built; typically a website today might bring together content from many other websites while giving the impression that it is a single entity. When the browser calls any other website to request anything (an image, a cookie, HTML, a script that can execute), the browser explicitly provides information in order to get information. By limiting data requests to these sites, it is possible to limit the data available to these sites for collection and tracking.

A Tracking Protection List (TPL) contains web addresses (like msdn.com) that the browser will visit (or “call”) only if the consumer visits them directly by clicking on a link or typing their address. By limiting the calls to these websites and resources from other web pages, the TPL limits the information these other sites can collect.

You can look at this as a translation of the “Do Not Call” list from the telephone to the browser and web. It complements many of the other approaches being discussed for browser controls of Do Not Track.

What we describe here is providing a new browser mechanism for consumers to opt-in and exercise more control over their browsing information. By default the Tracking Protection List is empty, and the browser operates just as it does today. The list is empty by default for two reasons:

  • Controlling this aspect of the browser’s behavior is up to the consumer. The browser vendor provides the functionality and respects the consumer’s choices here.
  • Restricting content from external sites can make some functionality in sites stop working along with the other web mechanisms (cookies, web beacons, and the like) that might be essential to how the sites operate.

Anyone or any organization can create a TPL (it is just a file that can be placed on a website) and consumers can add and remove lists as they see fit, having more than one if they wish. To keep everyone’s experience up to date, the browser will automatically check for updates to lists on a regular basis. One change from similar features in IE8 is that once a consumer has added a list, Tracking Protection remains enabled across browsing sessions until the consumer turns it off.

In addition to “Do Not Call” entries that prevent information requests to some web addresses, lists can include “OK to Call” entries that permit calls to specific addresses. In this way, a consumer can make exceptions to restrictions on one list easily by adding another list that includes “OK to Call” overrides for particular addresses.

We designed this feature so that consumers have a clear, straightforward, opt-in mechanism to enable a higher degree of control over sharing their browsing information, and websites can provide easy-to-use lists so that consumers can manage their privacy as well as experience full-featured sites.

There are many points of view to balance in the design of such a feature because the technologies involved create such a complex situation, going well beyond what typical consumers and even many web developers are fully aware of.

While “Do not track” is a meaningful consumer promise around data use, the web lacks a good precise definition of what tracking means. Until we get there, we can make progress by providing consumers with a way to limit or control the data collected about them on sites they don’t visit directly. That kind of control is already technically feasible today in a variety of ways. It is important to understand that the feature design makes no judgment about how information might be used. Rather, it provides the means for consumers to opt-out of the release of that information in the first place.

Tracking Protection lists are “curated” in that people (or organizations) make decisions about what sites are on the list. Internet Explorer 8’s InPrivate Filtering functionality relied on frequency heuristics to build a list as a consumer browses sites. By moving Tracking Protection to use curated lists, we improve the predictability of the consumer experience. Consumers are in position to choose whose lists (if any) they want and to exercise control over what information they share with which websites.

Looking Ahead

Tracking Protection and TPLs are a great way to start making progress as we work through the public discussion. They provide greater transparency about how the web operates and the opportunity to act on that information. Transparency and progress are important. This step forward may be too much for some even as it is not enough for others.

Today many view third-party cookies as the principal tracking mechanism. Consumers using IE today have tremendous control over cookies and can, if they choose to make a few clicks, “block all third party cookies,” “Block all cookies from example.com,” or with a little more work, “Discard all 3rd party cookies at the end of the browser session.” Of course, it is about more than cookies, and as an industry we will continue to have incomplete solutions until we agree on a clear definition of tracking, how it is and can be done, and what should be done in response. Do Not Track technologies, from cookie blockers to what’s described here, will continue to be incomplete until we have a clear definition of tracking. (At the same time they might overachieve at preventing non-tracking activities.) "Do Not Track" itself is a misnomer in that tracking is an inherent part of many experiences on the web (e.g. a shopping site showing me other items I’ve browsed to) and off (e.g. a credit card company calling you to confirm what it considers to be suspicious activity).

Also, many have recognized the progress being made in self-regulatory efforts and are hopeful to see more. For example, you can see this progress with sites like https://www.aboutads.info/ that involve giving “consumers a better understanding of and greater control over ads that are customized based on their online behavior.”

One potential downside is that some web site publishers and developers already have concerns with large numbers of visitors blocking some of the content today (usually ads). We understand this concern and have provided several ways to deal with this issue.

First, this functionality is opt-in, and by default consumers’ experience will remain the same as it is today, unless they make a decision to change it. Second, any site can make available a Tracking Protection List that creates exceptions (via “OK to Call” items) for external content that provides the full experience of the site. This TPL provides transparency to the consumer about the additional sites he will visit and share information with. Third, a site can pull external content into its own domain, so that a consumer has no need to call external sites. Lastly, networks of sites and associations can work together to create a TPL that they recommend broadly to consumers. We designed the feature so that there are ample opportunities for all the constituencies to engage in a manner consistent with their priorities and point of view.

We designed this functionality as a good start to enable consumer choice and protection from potential tracking. We provide a tool in the browser, and consumers choose how to use it. As with everything on the web, we expect it to evolve over time especially as the broader privacy dialog continues. We’re communicating about it now as part of our transparency in the software development process.

Thanks –
Dean Hachamovitch
Corporate Vice President, Internet Explorer

P.S. Here’s a preliminary file format for TPLs that shows both “Do Not Call” (block) and “OK to Call” (allow) items. We will make the format available under a Creative Commons Attribution license and the Microsoft Open Specification Promise.

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:wf="https://www.microsoft.com/schemas/webfilter/2008">
  <channel>
    <title>Demo</title>
    <description>Tracking Protection List from ietestdrive.com</description>
    <item><wf:blockRegex><![CDATA[msdn\.com/.*\.js]]></wf:blockRegex></item>
    <item><wf:allowRegex><![CDATA[strikestrike\.com/.*\.js]]></wf:allowRegex></item>
  </channel>
</rss>
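
The list semantics described in this post (block entries, "OK to Call" overrides that apply across lists, direct visits left alone), as an added Python example; it is not Microsoft's code or IE's implementation. Assumptions: a "direct" visit is modeled as the resource host equalling the page host, patterns are matched against host plus path, documents carrying a DOCTYPE are refused because a TPL is untrusted input, and the example.* names and both sample lists are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WF = "{https://www.microsoft.com/schemas/webfilter/2008}"  # namespace from the sample format

# Constructed sample lists in the preliminary format. LIST_B is a separate
# list that only carries an "OK to Call" override for part of LIST_A.
LIST_A = rb"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:wf="https://www.microsoft.com/schemas/webfilter/2008">
<channel><title>Constructed block list</title>
<item><wf:blockRegex><![CDATA[tracker\.example/.*\.js]]></wf:blockRegex></item>
<item><wf:blockRegex><![CDATA[ads\.example/]]></wf:blockRegex></item>
</channel></rss>"""
LIST_B = rb"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:wf="https://www.microsoft.com/schemas/webfilter/2008">
<channel><title>Constructed override list</title>
<item><wf:allowRegex><![CDATA[ads\.example/static/]]></wf:allowRegex></item>
</channel></rss>"""


def load_tpl(data: bytes):
    """Parse one TPL document into (block_patterns, allow_patterns)."""
    if b"<!DOCTYPE" in data:  # anyone can publish a TPL: refuse DTDs and entities
        raise ValueError("DOCTYPE not allowed in a TPL")
    root = ET.fromstring(data)
    block = [re.compile(e.text) for e in root.iter(WF + "blockRegex") if e.text]
    allow = [re.compile(e.text) for e in root.iter(WF + "allowRegex") if e.text]
    return block, allow


def should_call(resource_url, page_url, lists):
    """Return True if the browser should request resource_url from page_url."""
    res, page = urlsplit(resource_url), urlsplit(page_url)
    if res.hostname == page.hostname:
        return True  # the consumer visited this address directly
    target = res.netloc + res.path  # assumption: patterns see host + path only
    if any(p.search(target) for _, allow in lists for p in allow):
        return True  # "OK to Call" on any list overrides a block on another
    return not any(p.search(target) for block, _ in lists for p in block)
```

Patterns in a subscribed list are attacker-influenced input as well, so a production matcher would also bound regex evaluation time.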

P.P.S. One aspect of the larger tracking discussion involves a change to “HTTP headers.” The key thing to note is that such a change is the start but only part of delivering tracking protection. It’s a signal to the web site of the consumer’s preferences. The rest of that solution (defining what that signal from the consumer means, what to do with it, verification, enforcement, etc.) is still under construction.
