Update: Effectively Protecting Consumers from Online Tracking

Since December’s technology announcement about IE9’s Tracking Protection feature, we’ve seen a lot of interest from press, academics, governments, and industry groups. This blog post is an update based on the conversations we’ve had on this topic – visiting with government and industry groups in Europe last week, faculty and students at a joint Harvard-Stanford Law School class earlier this month, and with the Wall Street Journal / All Things D at the Consumer Electronics Show earlier this month as well. It’s another example of our approach to developing IE9 transparently and with the engagement of many different communities.

Privacy is a worldwide conversation and, at the same time, it is intensely local. Local sensibilities and expectations differ from Germany to the UK to Japan to the United States. One size can’t fit all. Privacy is a broad topic, ranging from Street View issues to medical record disclosure.

IE9’s Tracking Protection focuses on the issue of online tracking. Consumers on the Web are tracked every day without their awareness or permission. As a result, there is growing consumer concern and suspicion about tracking. That theme was consistent across the conversations visiting government agencies and industry groups in the United States last month as well as the conversations in Europe last week.

IE9’s Tracking Protection is a technology that enables governments and organizations and enthusiasts to better protect consumers from tracking. This technology works within and complements the privacy frameworks being developed worldwide. It is an effective way to put effective consumer privacy protections into operation.

Progress and News with Standardization and Lists

To protect consumers, having Tracking Protection work consistently across browsers is important. In December, we made the underlying format for Tracking Protection available under a Creative Commons Attribution license and the Microsoft Open Specification Promise so that they same lists can work in other browsers. Since then, the premier Web standards body, the W3C, has contacted us about standardizing the format. We are taking the next steps with the W3C to standardization.

We’ve had many conversations with governments, organizations, and interested individuals both in the United States as well as Europe about our approach. The feedback has been positive. Earlier this week, the European Privacy Association stated publicly that it welcomes this feature and the empowerment it will bring. In December, the Chairman of the US Federal Trade Commission, Jon Leibowitz, said “Microsoft deserves enormous credit for taking a critical step toward providing consumers with more choice about who can track their online browsing. Just as important, this announcement proves that technology is available to let consumers control tracking.” In an interview with the Washington Post in December, Viviane Reding, the vice president of the EU Justice Commission and head of privacy regulation, responded to the inclusion of these privacy features in IE9 by saying “this is the right direction and what is important is that industry has understood it can’t ignore privacy concerns. If they want to be efficient, they have to have privacy enhancing tools build in. And companies want legal certainty about privacy.”

The development of Tracking Protection Lists, for both US and European consumers, is underway. Several consumer privacy organizations have preliminary lists in testing. Some advertising industry groups, recognizing how Tracking Protection enables more effective self-regulation, are also in the process of developing Tracking Protection Lists. They have been clear and articulate about their point of view that ads and tracking are different, separate things. We’re excited to see them put that point of view into practice.

An interesting non-advertising scenario came up in conversations with some government agencies last week. There was concern that with all the tracking content on websites today, it would be possible (for example) for an entity on the Web to determine that several machines in a Defense Ministry were checking the weather in a particular part of the world, or that many browsers in the Healthcare Ministry showed a spike in visits to articles on a particular topic. There may be similar concerns for businesses, for example in finance, in a tracking agent paying close attention to the Web browsing patterns of employees. Tracking Protection functionality will work with the enterprise deployment and management tools available in Windows.

How Tracking Protection Works and Alternative Approaches

Tracking Protection works by blocking content that can be used to track you on the Web.

Typical Web pages that you visit are a mosaic of content from all over the Web. For example, if you look at these screen shots, or use developer tools in the browser, you can see how much content on a Web page comes from sites other than the one in your address bar. Cookies are just one of many ways that tracking happens; you can see examples of tracking pixels in the screen shots linked to above.

To turn on tracking protection, a user just clicks on a special link in a Web page. All their browsing across the Web, from then on, is protected from tracking until the user explicitly turns it off. Clicking that link adds a Tracking Protection List of Web addresses (like “msdn.com”) that the browser will block (unless the user visits them directly and can see them in the address bar). By limiting how the browser visits certain websites, Tracking Protection limits the information these sites can collect. (These lists also accommodate “allow” as well as “block” rules; please see the earlier technical post for more detail.) The system is open in that any Web site can host these links and lists, and any person can author and share a list.

This approach enables consumers to have push-button simplicity (just find a site and click a link) while leaving privacy and industry experts and enthusiasts the flexibility and freedom to provide consumers great guidance and recommendations on their own websites that offer Tracking Protection lists. As consumers find pages and lists that they like and trust, they can share them (via email, blog, Facebook, Twitter, etc.) and engage in privacy awareness.

Earlier this week other browser providers made announcements regarding alternative approaches to privacy protection. The specifics of the proposals are under active discussion on the Web (here for example, and here or here). What’s most important is that consumers have effective privacy protections to go along with great browser performance and an experience that puts the focus where it belongs: on the Web, not the browser.

—Dean Hachamovitch, Corporate Vice President, Internet Explorer