Update: Effectively Protecting Consumers from Online Tracking


Since December’s technology announcement about IE9’s Tracking Protection feature, we’ve seen a lot of interest from press, academics, governments, and industry groups. This blog post is an update based on the conversations we’ve had on this topic – visiting with government and industry groups in Europe last week, faculty and students at a joint Harvard-Stanford Law School class earlier this month, and with the Wall Street Journal / All Things D at the Consumer Electronics Show earlier this month as well. It’s another example of our approach to developing IE9 transparently and with the engagement of many different communities.

Privacy is a worldwide conversation and, at the same time, it is intensely local. Local sensibilities and expectations differ from Germany to the UK to Japan to the United States. One size can’t fit all. Privacy is a broad topic, ranging from Street View issues to medical record disclosure.

IE9’s Tracking Protection focuses on the issue of online tracking. Consumers on the Web are tracked every day without their awareness or permission. As a result, there is growing consumer concern and suspicion about tracking. That theme was consistent across the conversations visiting government agencies and industry groups in the United States last month as well as the conversations in Europe last week.

IE9’s Tracking Protection is a technology that enables governments and organizations and enthusiasts to better protect consumers from tracking. This technology works within and complements the privacy frameworks being developed worldwide. It is an effective way to put effective consumer privacy protections into operation.

Progress and News with Standardization and Lists

To protect consumers, having Tracking Protection work consistently across browsers is important. In December, we made the underlying format for Tracking Protection available under a Creative Commons Attribution license and the Microsoft Open Specification Promise so that they same lists can work in other browsers. Since then, the premier Web standards body, the W3C, has contacted us about standardizing the format. We are taking the next steps with the W3C to standardization.

We’ve had many conversations with governments, organizations, and interested individuals both in the United States as well as Europe about our approach. The feedback has been positive. Earlier this week, the European Privacy Association stated publicly that it welcomes this feature and the empowerment it will bring. In December, the Chairman of the US Federal Trade Commission, Jon Leibowitz, said “Microsoft deserves enormous credit for taking a critical step toward providing consumers with more choice about who can track their online browsing. Just as important, this announcement proves that technology is available to let consumers control tracking.” In an interview with the Washington Post in December, Viviane Reding, the vice president of the EU Justice Commission and head of privacy regulation, responded to the inclusion of these privacy features in IE9 by saying “this is the right direction and what is important is that industry has understood it can’t ignore privacy concerns. If they want to be efficient, they have to have privacy enhancing tools build in. And companies want legal certainty about privacy.”

The development of Tracking Protection Lists, for both US and European consumers, is underway. Several consumer privacy organizations have preliminary lists in testing. Some advertising industry groups, recognizing how Tracking Protection enables more effective self-regulation, are also in the process of developing Tracking Protection Lists. They have been clear and articulate about their point of view that ads and tracking are different, separate things. We’re excited to see them put that point of view into practice.

An interesting non-advertising scenario came up in conversations with some government agencies last week. There was concern that with all the tracking content on websites today, it would be possible (for example) for an entity on the Web to determine that several machines in a Defense Ministry were checking the weather in a particular part of the world, or that many browsers in the Healthcare Ministry showed a spike in visits to articles on a particular topic. There may be similar concerns for businesses, for example in finance, in a tracking agent paying close attention to the Web browsing patterns of employees. Tracking Protection functionality will work with the enterprise deployment and management tools available in Windows.

How Tracking Protection Works and Alternative Approaches

Tracking Protection works by blocking content that can be used to track you on the Web.

Typical Web pages that you visit are a mosaic of content from all over the Web. For example, if you look at these screen shots, or use developer tools in the browser, you can see how much content on a Web page comes from sites other than the one in your address bar. Cookies are just one of many ways that tracking happens; you can see examples of tracking pixels in the screen shots linked to above.

To turn on tracking protection, a user just clicks on a special link in a Web page. All their browsing across the Web, from then on, is protected from tracking until the user explicitly turns it off. Clicking that link adds a Tracking Protection List of Web addresses (like “msdn.com”) that the browser will block (unless the user visits them directly and can see them in the address bar). By limiting how the browser visits certain websites, Tracking Protection limits the information these sites can collect. (These lists also accommodate “allow” as well as “block” rules; please see the earlier technical post for more detail.) The system is open in that any Web site can host these links and lists, and any person can author and share a list.

This approach enables consumers to have push-button simplicity (just find a site and click a link) while leaving privacy and industry experts and enthusiasts the flexibility and freedom to provide consumers great guidance and recommendations on their own websites that offer Tracking Protection lists. As consumers find pages and lists that they like and trust, they can share them (via email, blog, Facebook, Twitter, etc.) and engage in privacy awareness.

Earlier this week other browser providers made announcements regarding alternative approaches to privacy protection. The specifics of the proposals are under active discussion on the Web (here for example, and here or here). What’s most important is that consumers have effective privacy protections to go along with great browser performance and an experience that puts the focus where it belongs: on the Web, not the browser.

—Dean Hachamovitch, Corporate Vice President, Internet Explorer


Comments (21)

  1. Steve says:

    I hate to repeat this here but once a post on the IE blog is not the latest post it gets ignored.

    Can someone from Microsoft please make a statement about shutting down the IE6/IE7/IE8/IE9 images at http://www.spoon.net/

    ======================================================================================================

    This was **THE** most useful resource for testing multiple versions of IE and the shutdown really ticked developers off!

    As a long time web developer of Enterprise Web Applications I've tried all the options out there to try and simplify testing IE and the lack of realistic options is a royal PITA.

    1.) Multiple IEs – IE8 breaks the functionality of IE6's textboxes – thus its a NO-GO

    2.) IETester – works great until you need to test popup interaction and then it fails – thus a NO-GO

    3.) Virtual PC with timebombed images of IE6, IE7, IE8 – works ok, but the 12Gigs of HD space needed is frustrating when each full image of Windows dies 4 times a year, running a full Windows image is slow and you have to beg for updates because the releases are not co-ordinated and announced well at all – thus its a NO-GO

    4.) IE Super Preview – Last I checked this did not allow full testing of IE user interaction, JavaScript DOM changes, popups etc. – thus its a NO-GO

    5.) Multiple PC's to run multiple versions of windows and IE.  With all the hardware, software, and physical space needed – its a NO-GO

    6.) Spoon.net IEs – They work, they work just like local native apps once running, and there's no hacking of my real local IE install. – the **ONLY** problem with these IE's is that Microsoft shut them down

    Please understand that we (developers) just want something that works.  Testing in multiple versions of IE is a pain to begin with and with IE9 on the horizon it is only getting worse.

    I'm not sure where the issue stands with Spoon, but I would really like a solution worked out fast.

    Steve

  2. steve says:

    I hate to repeat this here but once a post on the IE blog is not the latest post it gets ignored.

    Can someone from Microsoft please make a statement about shutting down the IE6/IE7/IE8/IE9 images at http://www.spoon.net/

    ======================================================================================================

    This was **THE** most useful resource for testing multiple versions of IE and the shutdown really ticked developers off!

    As a long time web developer of Enterprise Web Applications I've tried all the options out there to try and simplify testing IE and the lack of realistic options is a royal PITA.

    1.) Multiple IEs – IE8 breaks the functionality of IE6's textboxes – thus its a NO-GO

    2.) IETester – works great until you need to test popup interaction and then it fails – thus a NO-GO

    3.) Virtual PC with timebombed images of IE6, IE7, IE8 – works ok, but the 12Gigs of HD space needed is frustrating when each full image of Windows dies 4 times a year, running a full Windows image is slow and you have to beg for updates because the releases are not co-ordinated and announced well at all – thus its a NO-GO

    4.) IE Super Preview – Last I checked this did not allow full testing of IE user interaction, JavaScript DOM changes, popups etc. – thus its a NO-GO

    5.) Multiple PC's to run multiple versions of windows and IE.  With all the hardware, software, and physical space needed – its a NO-GO

    6.) Spoon.net IEs – They work, they work just like local native apps once running, and there's no hacking of my real local IE install. – the **ONLY** problem with these IE's is that Microsoft shut them down

    Please understand that we (developers) just want something that works.  Testing in multiple versions of IE is a pain to begin with and with IE9 on the horizon it is only getting worse.

    I'm not sure where the issue stands with Spoon, but I would really like a solution worked out fast.

    Steve

  3. Ee says:

    >> Please understand that we (developers) just want something that works

    Why do you insist on using older IE:s, then? You're only hurting yourself, I'd rather quit my job if I had to than work with that baggage.

  4. Richard says:

    Steve, look at of us web developers chiming in and demanding a response from Microsoft!  Oh wait, we're not.  Maybe you should take the hint.  Your tactic for comments is a NO-GO.

  5. Don says:

    @Richard although there's obviously some additional re-spamming of duplicates in the comments the sentiment from developers is the same.

    I'm with Steve – I want answers.

  6. Jeffrey Gilbert says:

    Same. Why be a dick, Richard? Clearly the guy is trying to help the developer community. Don't be a shill.

  7. SiSL says:

    @Steve Your solution lies within Spoon network… Just buy their product Spoon Studio and make your own images like I did…

  8. Prior Semblance says:

    @Jeffrey

    Anything that encourages the continued support of IE6 hurts the developer community.

  9. j says:

    For just ONCE I would like to be able to read some comments related to the actual post and topic at hand. Oh well, here's to another dozen complaints about spoon, geolocation, etc.

  10. vic says:

    @j – you realize that not even your comment was about online tracking? 😛

    I guess the reality is that developers (not users) read this blog and they care about getting IE bugs fixed and having features implemented in IE.  Thus I'll chime in with mine.

    Where is GeoLocation at?

    When is innerHTML going to be fixed? (in the next beta?, the RC?, you do realize that it has to make it into IE9!)

    What with CSS3 Text-Shadows?

    We gonna see CSS3 Transitions?

    Where's ma CSS3 Multi-Column?

    Why no CSS3 Grid-Layout?

    What's taking so long for HTML5 Forms?

    Oh and since it is the more important topic of the moment –  when are the VPC images going to be refreshed? January is almost over!

    Oh and as for privacy settings with tracking? yeah not worried about that at all.  I've been using Google Chrome's Incognito mode for ages.  As long as you aren't using Windows XP your privacy is fine. (If you are still stuck on XP, read up on the Windows Media Player privacy bugs!)

  11. AntiLinuxZihadist says:

    I think most of the so-called "web developers" are so f***ing stupid that these wonderfully technical blog posts are too difficult for them to understand. That's why  these pathetic losers can't have a constructive discussion on-topic, and instead resort to trolling/spamming. I guess most open source "developers" are like this. They are f***ing losers who are so pathetic that they can't find a job.

  12. Peter says:

    Posting the same comment over and over again isn't communicating, especially when it is crystal clear that there won't be a response.

    Or, in this case, no response is also a response. Let me translate their silence for you:

    Microsoft will defend its intellectual property by all means possibe. Even if that means to make the life of the "developers, developers, developers!" for the IE platfom much harder, frustrating, and loyalty draining. This policy takes precedence over the long term strategy to build and nurture a solid foundation for applications that will run in IE, thereby gambiting any marketshare we may have left in a few years.

    We can't offer a viable solution for the mess we made over the past decade, and developers are left to their own devices.

    Perhaps it's best to not count on Microsoft at all, and just use a VMware player and a few left-over XP licenses to install an environment for IE6, IE7 and IE8.

    — End of translation

    Yes, Microsoft, we heard you. Loud and clear. (You might also have heard us. But do you listen?)

    Now that we've got that out of our system, why do you post the same question over and over again, just to receive the same answer?

    That's not only childish, it's also not very intelligent behaviour. – Like I just demonstrated. This will be my last and final post on this issue, and concentrate on online privacy. (Which is the topic off this post, for those who forgot.)

  13. hAl says:

    Please IEblog members, start moderating your blog as this is getting wel out of control.

    Just remove all posts that are irrelevant to the topic of on line tracking.

    Also clean up the comments at the last three articles!!!

    ***

    ***

    Please IEblog members, start moderating your blog as this is getting wel out of control.

    Just remove all posts that are irrelevant to the topic of on line tracking.

    Also clean up the comments at the last three articles!!!

    ***

    ***

    Please IEblog members, start moderating your blog as this is getting wel out of control.

    Just remove all posts that are irrelevant to the topic of on line tracking.

    Also clean up the comments at the last three articles!!!

    ***

  14. Oleg says:

    @hAl –  if only it were that simple there are many sub topics in the comments that are true issues worth discussing (and unfortunately) no other venue for developers to discuss other issues about IE with Microsoft.

    The pinned sites post had plenty of conversation around the topic, sharing with other windows browsers, etc. etc. (personally I think its all quite odd – I don't plan to add any additional clutter to my task bar.

    The so-badly-named-it-aint-funny "CSS corner" post on media queries was also good with many comments on topic about the approach and options for developers – it once again raised the concern about programming for 1 browser which is a touchy item since that's how a lot of the whole IE-only developer mentality started – and in turn stagnated the web for years.

    And finally this post – a whitepaper PR press release on privacy, with nothing of any interest for developers.  I can't say I'm shocked at all that developers want to get back to talking about the important topics in the comments.

    More importantly hAl as to your request –  in the name of democracy, "I'm afraid I* can't do that" (I* == MSIE Team)

  15. Smarta says:

    Not all "European consumers" live in the EU and not all people living in the EU are "European consumers"…

  16. Muzziel says:

    Will this work out like P3P?

  17. burak says:

    You have a great site. thanks (http://www.sorubak.com )

  18. Jane says:

    @Steve: The definition of insanity is doing the same thing over and over and expecting different results.

  19. mentas says:

    Sorry unrelated comment but why IE9 Beta crash on this site? Also it runs slow/breaks/crash on new Apple site (HTML5/CSS3).

  20. Robin Berjon says:

    Hi,

    this is promising and interesting work. Two questions if you don't mind:

     – In this post you indicate that you have made the format available, in the previous December post you indicated that you will make it available. I can't however find where you made that format available. It's quite possible that I missed it, could you please provide a pointer to the specification?

     – I am the co-chair of the W3C group in charge, amongst other things, of privacy, and while you indicate that you've started talking to W3C this is the first I hear of this. Clearly, there's been some noise on the line somewhere! Do you mind getting in touch with me (robin at berjon dot com) so that we can move this forward? I would very much like to see Microsoft's input on this problem in greater detail, and to talk about how we can move things forward together.

    Thanks!

  21. steve says:

    I hate to repeat this here but once a post on the IE blog is not the latest post it gets ignored.

    Can someone from Microsoft please make a statement about shutting down the IE6/IE7/IE8/IE9 images at http://www.spoon.net/

    ======================================================================================================

    This was **THE** most useful resource for testing multiple versions of IE and the shutdown really ticked developers off!

    As a long time web developer of Enterprise Web Applications I've tried all the options out there to try and simplify testing IE and the lack of realistic options is a royal PITA.

    1.) Multiple IEs – IE8 breaks the functionality of IE6's textboxes – thus its a NO-GO

    2.) IETester – works great until you need to test popup interaction and then it fails – thus a NO-GO

    3.) Virtual PC with timebombed images of IE6, IE7, IE8 – works ok, but the 12Gigs of HD space needed is frustrating when each full image of Windows dies 4 times a year, running a full Windows image is slow and you have to beg for updates because the releases are not co-ordinated and announced well at all – thus its a NO-GO

    4.) IE Super Preview – Last I checked this did not allow full testing of IE user interaction, JavaScript DOM changes, popups etc. – thus its a NO-GO

    5.) Multiple PC's to run multiple versions of windows and IE.  With all the hardware, software, and physical space needed – its a NO-GO

    6.) Spoon.net IEs – They work, they work just like local native apps once running, and there's no hacking of my real local IE install. – the **ONLY** problem with these IE's is that Microsoft shut them down

    Please understand that we (developers) just want something that works.  Testing in multiple versions of IE is a pain to begin with and with IE9 on the horizon it is only getting worse.

    I'm not sure where the issue stands with Spoon, but I would really like a solution worked out fast.

    Steve