A First Look at Internet Explorer 9 Privacy Features

There's lots of excitement about the privacy features in the new Internet Explorer 9 web browser. Microsoft had announced and previewed their Tracking Protection feature some time ago, which allows users to setup lists of websites with which all third-party interactions are blocked. In the mean time Firefox released a beta "Do Not Track" feature that allows users to configure their browser to send a header to every website that transmits a user's preferences not to be tracked. Then yesterday Microsoft announced that IE9 would include the ability to set a Do Not Track preference as well. And today IE9 is here with Tracking Protection lists and Do Not Track headers.

There is ongoing discussion about what a do-not-track header actually means and what websites should do when they see it. As of yet we have no agreement on what it means to track, let alone what it means to not track. Therefore, sending out a do-not-track header is, as Mike Zaneis from the Interactive Advertising Bureau described it to the Wall Street Journal, "like sending a smoke signal in the middle of Manhattan; it might draw a lot of attention, but no one knows how to read the message." But browser vendors are forging on ahead with an "if we build it, they will come" attitude, and a hope that some day the smoke signals will take on a useful meaning. Indeed, with heavy pressure from the Federal Trade Commission to implement do not track, there is significant interest in developing standards around this concept.
Besides reaching a consensus on what the do-not-track header means, there is also a need for a framework that allows for some sort of enforcement. Companies need to have some sort of legal or contractual obligation to respect the header (once we figure out what it means to respect it), there must be some way to determine whether or not they are actually respecting it, and there must be consequences for not respecting it. Enforcement and consequences could come through regulatory requirement or through industry self regulation. But either way they need teeth. For example, if there was a way for a browser to detect whether or not a site was respecting do-not-track headers, browsers could have a setting that allows users to block sites that don't respect them. Or companies that contract with advertising networks and other service providers could include language in their contracts obligating all of their vendors to respect do not track.

Until the details about do not track get ironed out, the new IE9 header is not at all useful to consumers. But fortunately, the Tracking Protection feature is something consumers can use right away. Unlike do not track, which requires the cooperation of websites, Tracking Protection is a feature that users can use to enforce their privacy preferences without relying on websites to give them any respect at all. And Tracking Protection goes beyond cookies and advertising, and allows users to completely prevent a list of third-party websites from tracking them. No cookie tracking, no Flash LSO tracking, no browser finger printing, no nothing. (At least not at third-party websites.... first-party sites are a different story.) There is no distinction between tracking for advertising purposes and tracking for other purposes, and no need for standard definitions of what is or is not tracking. Instead, the choice of what type of tracking to allow or block is made when the user selects a Tracking Protection List (TPL) to install. Today Microsoft lists five different TPLs on their website, provided by four different organizations. Each of these organizations has made a judgement about what should be allowed and blocked, and the idea is that users should pick the TPL from the organization they trust the most.

The first thing I did after installing IE9 was find the Tracking Protection feature in the Tools->Safety menu. I was a little surprised when selecting Tracking Protection brought me to the Manage Add-ons menu. But there was a prominent link to "Get a Tracking Protection List online..." so I did. If one is good, four or five might be better, so I downloaded all of them. There was an initial minor user interface glitch and the TPLs didn't actually show up in the list of active TPLs until after I had closed the Manage Add-ons window and reopened it. But once I got that sorted out, I started investigating the protection offered by each list. (You can look at this yourself by clicking on a TPL after you install it. Note that + means allow, - means block and # is a comment.) Abine offered a short list of sites to block, while PrivacyChoice offered a much longer list. EasyPrivacy also offered a long block list, plus a short allow list at the end. On the other hand the TRUSTe list appeared to block only 23 sites and explicitly allows a gazillion others. I suppose all this should have been clear from the short blurbs on the download site. Abine says it's TPL "blocks many online advertising and marketing technologies that can track and profile you" while TRUSTe says it "enables relevant and targeted ads." So clearly one is emphasizing blocking ad targeting while the other is emphasizing enabling it.

It actually turns out that enabling multiple TPLs might not be such a good thing, since it is not completely obvious how they interact with each other when one says allow and the other says block, and by adding a second TPL you may be undoing protections provided by your first TPL.

There is one more TPL option, a personalized tracking list. I tried repeatedly to figure out how to add things to this list, and finally gave up. But an hour later it occurred to me that the personalized tracking list is the new version of what was called InPrivate Filtering in IE8. Once I figured that out, I realized that the list would start populating itself only after I started seeing the same trackers across multiple websites. You can set the threshold for how many sites you have to see a tracker on before it appears, and there's a toggle to switch between automatically adding sites to a block list or manually choosing whether to allow or block each one.

Once I sorted out which TPLs I wanted to enable and disable, I decided to check out some sites and see what would happen. I noticed the blue Tracking Protection symbol appeared in the address bar at a lot of sites (the same symbol also appears in place of any visual content that is blocked). Hoping for some detailed information about what was being blocked on the site, I clicked on the blue symbol in the address bar. It revealed a window that told me "Some content is filtered on this site" and "Use the button below to configure options." But the only option provided by said button was "Turn off Tracking Protection." I didn't want to turn it all off -- I wanted to see what was being blocked and maybe unblock some of it, or maybe just for this site. Not entirely clear, what the button would do, I clicked it anyway. After some trial and error I determined that it turns off tracking protection completely for that site only and turns the symbol grey. You can click on the grey symbol to re-enable tracking protection for that site. And if you navigate to another site, tracking protection goes back on. That's more or less what I wanted to happen, but clearer language could make it more obvious how this functionality works. Also, I still would like information about what exactly is being blocked and I would like to have more fine-grained unblocking control. I think the browser add-on Ghostery does this well.

So after I figured out TPLs, I went in search of the switch to turn on the do-not-track header. Actually, there seems to be no user interface component associated with this much-hailed feature. It seems if you enable a TPL, the header gets sent automatically. I confirmed this by experimenting with Microsoft's Do Not Track Test Page.

In addition to the do-not-track and tracking-protection features, IE9 also has several online safety and security features, as well as at least two additional privacy features left over from previous iterations of IE: InPrivate Browsing and P3P.

In the Tools->Safety menu, InPrivate Browsing will "prevent Internet Explorer from storing data about your browsing session. This includes cookies, temporary Internet files, history, and other data. Toolbars and extensions are disabled by default." This feature is mainly aimed at preventing IE from leaving private data on your computer after you finish browsing. It does not block cookies or third-party content, but it does delete any cookies when you exit.

In a completely different place, IE9 has the Internet Options panel, which still includes the Privacy tab introduced way back in IE6. The privacy panel has a slider bar that lets users control when cookies are blocked. The default setting, used by almost everyone, blocks third-party cookies that lack a "satisfactory" Platform for Privacy Preferences (P3P) compact privacy policy. Users can change these settings and use the advanced settings if they want to block all cookies or block all third-party cookies regardless of P3P. Back on the Tools->Safety menu there is also a "Webpage privacy policy..." option that can be used to retrieve the full computer-readable P3P privacy policy from websites that have one and translate it back into English. P3P is a standard developed by the World Wide Web Consortium that was supposed to be the technology tool that would give users control over their online privacy. It was offered as a self-regulatory solution in the online privacy debates dating back to the mid 1990s. However, by the time the P3P specification was finished in 2002, industry lost interest in P3P and the only browsers to implement P3P were Microsoft Internet Explorer and the now defunct Netscape web browser. But the Microsoft implementation suffered from usability issues and implementation bugs, and is now being widely circumvented by websites that are misrepresenting their privacy policies to avoid cookie blocking. (As of yet there has been no enforcement of P3P, but this month the first class-action law suit was filed against a company for using a bogus P3P compact policy to circumvent IE cookie blocking.)

So that's at least five different privacy features in IE9 (do-not-track header, TPLs, personalized tracking protection, InPrivate browsing, and Internet Options Privacy/P3P). On the one hand, I think Microsoft should be commended for embracing and implementing almost every browser privacy concept to come along over the past 10 years. On the other hand, IE9 now has a confusing array of poorly-implemented privacy features that interact with each other in strange ways. If I don't turn on a TPL or change any privacy settings, then third-party cookies might be blocked depending on their P3P compact policies. If I turn on a TPL that allows a particular site, does it unblock third-party cookies that would otherwise be blocked? And some day when the do-not-track header actually means something, will IE continue to send it to every website if I turn it on, even sites where I have explicitly turned off Tracking Protection or used a TPL to allow tracking?

I'm focusing on IE9 in this article, but a lot of my criticisms of the usability of its privacy features are applicable to the other browsers as well (IE9 just has a lot more privacy features than the other browsers, which is actually a good thing). Usability of privacy tools is a major research area for my lab at Carnegie Mellon, and in the coming months we expect to offer some more concrete suggestions for improving privacy tools based on the results of our user testing. In the mean time, I would encourage those who are building privacy tools for their products to think more about the entire user experience associated with privacy options, conduct their own user studies, and be prepared to iterate on their privacy features so that they result in something that has real benefit to users.