Tuesday, December 07, 2010

Initial thoughts on Microsoft's IE9 Tracking Protection Announcement

While I am often critical of companies for their privacy practices, when they do good things, I think it is important to publicly praise them for it. As such, Microsoft deserves a significant amount of credit for moving the ball forward on privacy enhancing features in the browser. This blog post will reveal a few of my initial thoughts about Microsoft's announcement, and what I think are the politics behind its decision.

Briefly, Microsoft today announced that it will be improving the InPrivate Filtering feature in its browser -- which would have been a great feature, if the company hadn't intentionally sabotaged it in response to pressure from people within the company's advertising division.

When it was enabled by the user, InPrivate Filtering observed the 3rd party servers that users kept interacting with as they browsed the web, and once a server showed up more than a set number of times, the browser would block future connections to it. The feature was surprisingly effective, but unfortunately, Microsoft decided to require users to re-enable it each time they used their browser, rather than making the preference stick.
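The counting heuristic described above can be sketched as follows. This is an added example, not Microsoft's code; the threshold value, the choice to count distinct first-party sites, and the two-label "site" rule are assumptions made for illustration.

```javascript
// Added illustration of the counting heuristic; not Microsoft's implementation.
// Assumptions: THRESHOLD value, counting distinct first-party sites, and the
// two-label "site" rule (a real browser would use the Public Suffix List).
const THRESHOLD = 3;
const siteOf = (host) => host.toLowerCase().split('.').slice(-2).join('.');

class FrequencyFilter {
  constructor(threshold = THRESHOLD) {
    this.threshold = threshold;
    this.seenOn = new Map(); // third-party host -> Set of sites it appeared on
  }

  // Decide one request made while the user is viewing pageHost.
  check(pageHost, requestHost) {
    const pageSite = siteOf(pageHost);
    const host = requestHost.toLowerCase();
    if (siteOf(host) === pageSite) return 'allow'; // first party: never counted
    if (!this.seenOn.has(host)) this.seenOn.set(host, new Set());
    const sites = this.seenOn.get(host);
    if (sites.size > this.threshold) return 'block'; // seen too widely already
    sites.add(pageSite);
    return 'allow';
  }
}

// Constructed browsing session: [page being viewed, host the page pulls from].
function runSample() {
  const filter = new FrequencyFilter();
  const visits = [
    ['news.example', 'tracker.example.net'],
    ['shop.example', 'tracker.example.net'],
    ['blog.example', 'tracker.example.net'],
    ['mail.example', 'tracker.example.net'],
    ['wiki.example', 'tracker.example.net'], // fifth site: over the threshold
    ['wiki.example', 'static.wiki.example'], // first party
    ['wiki.example', 'widget.example.org'],  // third party seen on one site only
  ];
  return visits.map(([page, host]) => filter.check(page, host));
}
```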

The company announced today that the forthcoming release candidate of IE9 will replace InPrivate Filtering with a Tracking Protection feature. The company is doing away with the automatic compilation of a list by the browser based on the users' own browsing, and instead shifting to a model where the user can subscribe to a regularly updated list of servers to which the browser will block all 3rd party connections.

If this feature sounds familiar, perhaps it is because Microsoft is essentially building AdBlock Plus into their browser, except that Microsoft itself will not be providing the list of ad networks. It will be up to consumer groups (or perhaps government regulators) to do that themselves.

It is important to note that once a user subscribes to such a list, as with the InPrivate Filtering feature, all 3rd party connections to the servers will be blocked. This means that not only will advertising networks on the list be blocked from tracking users, but IE9 will not even display advertising provided by those firms' servers.


I have a few thoughts on this announcement. I'm short on time, and so I'm going to list them (in no particular order):

  • Realpolitik. This is a very savvy, strategic decision on Microsoft's part. I think that the company probably thinks its own advertising business (or at least, its own overall bottom line) will suffer less than its competitors. After all, Google gets most of its money from online advertising, whereas Microsoft still earns a vast sum of money from Office and Windows.

  • Do not track. This is almost certainly designed to impact the current debate on Do Not Track taking place in Washington DC. While the debate has thus far centered around a header based mechanism, Microsoft may well try to make the case that the FTC could supply a subscription list of known tracking servers, which consumers could then subscribe to by visiting www.donottrack.gov, or some similar URL.

  • Multiple domains. Once the EFF, NAI, ACLU and perhaps even FTC start distributing subscription lists of ad network servers, the online advertising industry will likely have to embrace a multi-domain model. That is, if they continue to serve both contextual (non-targeted) and targeted advertisements from the same domain name, then their servers' inclusion in subscription blacklists will mean that consumers will not see any of the advertisements they deliver, and not just avoid the tracking. Faced with the choice of not being able to show any ads, or just not being able to target users, the ad networks may have to swallow their pride, and roll out alternate, non-tracking domains and servers for contextual ads.

  • What is tracking. If the ad networks do shift to a multi-domain model, then they will likely argue that they should still be able to deliver persistent cookies to users from their non-tracking domains, if those cookies are solely used for the purpose of doing frequency capping, and sequencing of multi-creative advertising campaigns. They will also try and argue that retargeting should not be considered tracking. There will likely be an intense lobbying campaign by the advertisers to narrowly define tracking, at least for the purpose of any FTC or other government agency supplied blacklist.

  • First to the party. When Google deployed SSL by default for users of Gmail in January, the company received widespread praise. When Microsoft followed suit in November (albeit not by default), the announcement received significantly less press, and even some criticism (for not doing it sooner, and not by default). The take-home message here is that the first company to roll out a privacy technology is the one that gets all the attention. Now that Microsoft has made this announcement, Google, Apple and Mozilla may be forced to follow, but if and when they do, they won't get nearly as much praise for doing so.

  • Competing on privacy. Microsoft has long wanted, and tried, to compete on privacy, but never quite got it right. Most significantly, the company took the lead in adopting a strong search data retention and IP address anonymization policy, in contrast to Google, which still continues to deceptively claim that its own policy of deleting a single octet from IP address logs is anonymization. While Microsoft offered far better privacy in this space, it failed in the battle to communicate these differences to the press, and Google received praise for offering far less. With this announcement, Microsoft appears to be yet again attempting to compete on privacy -- with any luck, the company will be successful in differentiating its product on these features.

  • Future proofing against 3rd party tracking. By opting to block connections to servers on the blacklist, Microsoft is offering IE9 users protection against more than just cookie based tracking. Flash cookies, evercookie, cache cookies, timing attacks, and even fingerprinting will all be blocked -- as long as the tracking is conducted by 3rd party servers. However, as Craig Wills and Balachander Krishnamurthy have documented, ad networks are increasingly using subdomain alias techniques (e.g. ads.publisher.com points to adserver.com) to bypass browsers' 3rd party cookie blocking features. If ad networks find their servers blocked by IE, we may increasingly see them "innovate" around this blocking by further embracing alias subdomains and other sneaky techniques.
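The alias problem in the last item can be checked for by comparing the name a request uses with the name it resolves to. The following is an added example, not part of the original post and not IE9's code: it assumes the filter can see the DNS CNAME chain for each request, uses constructed DNS records, and treats the last two labels of a hostname as the site.

```javascript
// Added example: list-based third-party blocking that also follows CNAME
// aliases. The DNS records below are constructed sample data.
const siteOf = (host) => host.toLowerCase().split('.').slice(-2).join('.');

// Constructed CNAME records: alias -> canonical name.
const SAMPLE_CNAMES = new Map([
  ['ads.publisher.com', 'edge.adserver.com'],    // alias into an ad network
  ['img.publisher.com', 'static.publisher.com'], // alias that stays in-house
]);

// Follow a CNAME chain, bounded so a loop in bad data cannot hang the check.
function resolveChain(host, cnames, maxHops = 8) {
  const chain = [host.toLowerCase()];
  while (chain.length <= maxHops && cnames.has(chain[chain.length - 1])) {
    const next = cnames.get(chain[chain.length - 1]).toLowerCase();
    if (chain.includes(next)) break; // CNAME loop
    chain.push(next);
  }
  return chain;
}

// blockedSites is the subscribed list, reduced to site names.
function decide(pageHost, requestHost, blockedSites, cnames = new Map()) {
  const pageSite = siteOf(pageHost);
  const chain = resolveChain(requestHost, cnames);
  const listed = (h) => siteOf(h) !== pageSite && blockedSites.has(siteOf(h));
  if (listed(chain[0])) return { action: 'block', reason: 'listed-third-party' };
  // The requested name is first-party or unlisted: check where it points.
  const hit = chain.slice(1).find(listed);
  if (hit) return { action: 'block', reason: `cname-alias:${hit}` };
  return { action: 'allow', reason: 'not-listed' };
}
```

Called without the CNAME map, `decide('www.publisher.com', 'ads.publisher.com', list)` allows the request, which is the gap a name-only list leaves open.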


This is a great, pro-privacy and strategically savvy move on Microsoft's part. I am delighted to see companies competing on privacy, and building better features into their products. This announcement will likely have a significant impact on the current Do Not Track debate, and it will be interesting to see how the ad industry, the other browser vendors, and government regulators respond.


Anonymous said...

Hi Christopher, you have a broken link in here. You have a line break tag (/br>) included in the link to this page: http://web.cs.wpi.edu/~cew/papers/wosn09.pdf

Anne H said...

Very nice article and I think this is an interesting development. Am I correct that a website can create a TPL on their server that would override the user's TPL? I think this would be an issue for small publishers that rely on ad networks to offset their expenses.

Anonymous said...

You can easily turn on InPrivate Filtering by default in IE8. It's just a registry setting.

Googling for "inprivate filtering registry" will get you info on how to do it.