The next version of Internet Explorer will let users turn on “tracking protection,” a new mechanism that will block specified third-party sites from tracking users, Microsoft said.
The announcement comes just as the U.S. Federal Trade Commission has proposed that consumers be allowed to subscribe to a “do not track” system that is similar to the “do not call” lists that consumers join in order to block telemarketers.
Related story – Online ‘ad-stalking’ getting out of hand
To use the new IE9 feature, people will turn it on and then choose a list of sites to block. Anyone, including individuals, companies and consumer protection groups, can make such lists, and users can subscribe to as many as they please.
“Tracking protection in IE9 puts people in control of what sites can get their data as they move around the Web,” said Dean Hachamovitch, vice president of IE at Microsoft, during a web conference about the feature.
Users may like the idea of being able to block certain sites from tracking their actions online but some may be surprised by the result. That’s because sites that users block from tracking them will also be blocked from displaying content.
During the webcast, the executives showed a prerecorded demo of how the mechanism works. Once the feature was turned on and started blocking sites, certain content on the page that was provided by the third-party sites no longer appeared on the page.
The lists are subscription-based, meaning the authors can update the lists and the updates will be automatically pushed out to subscribers. IE9 will check for updates to the lists once a week.
The feature will not block cookies that are built in Flash.
Experts said the announcement is a step in the right direction. However, Michael Cherry, an analyst with Directions On Microsoft, wondered if the feature goes far enough. That’s because the IE9 tracking protection only prevents tracking by third parties, not by sites that users visit directly.
“I was expecting more,” he said. “I want to be able to say ‘I don’t want any site to track me, whether I went there or not.'” For instance, if he visited a site looking for medical information, he might not want that site to save or share information about what he searched for. IE9’s tracking protection feature wouldn’t prevent that.
It would be good to be able to block even first party tracking, but Microsoft’s announcement addresses the more important issue of third party tracking, said Justin Brookman, director of consumer privacy for the Centre for Democracy and Technology. “There are privacy concerns [with first party tracking] and there should be a way to opt out of that but tracking across multiple domains is considerably more disturbing. People aren’t surprised by first party tracking as much,” he said.
Websites will be able to detect when visitors are using the list. That will be helpful so that sites know that some content may be blocked for the visitor, Hachamovitch said. For instance, if a medical imaging site uses third-party content to deliver an image, the site may want to alert visitors if they are not seeing the complete image because the third-party site is being blocked.
The mechanism could be abused by hackers but it is not a “vector for malware” because there is no software to install, said Hachamovitch. A hacker could, however, create a list and say it is from a legitimate source. “Consumers will need to be thoughtful and wary when they get lists,” he said.
The makers of Firefox are also reportedly working on tools that would let users block trackers online. That design involves sending a signal from a browser saying that the user does not wish to be tracked, Hachamovitch said.
Hachamovitch called Microsoft’s option complementary to the one Firefox is exploring and said that both have challenges. With the Firefox idea, it has yet to be determined what a website does when it receives such a signal, Hachamovitch said. There are also issues of verifying and enforcing such signals, he said.
The Firefox idea is a good one but there are important unanswered questions so far, including what happens when visitors turn on the do not track feature and then visit a site, Brookman said. “Are they legally required to obey it?” he asked. The answer to that question isn’t known yet.
Microsoft’s approach has been criticized because the lists require updating, Hachamovitch said.
In addition, users will have to seek out lists from trusted sources and from sources that are likely to proactively update the lists. Companies like antivirus vendors are in a good position to do that, said Cherry. Consumer privacy groups could also create lists for consumers.
Brookman agrees that looking for good lists to subscribe to could be cumbersome but that the benefits to Microsoft’s idea outweigh the downsides. “One advantage of the Microsoft approach is you don’t have to trust people to acknowledge your request,” he said. That’s because if a third party is on a user’s list, that third party never receives information about the user.
Microsoft will be rolling out the feature soon. The new tracking protection feature will be available in the IE9 release candidate early next year. A release candidate is a near-final version of software. While the technical implementation of the Firefox idea is clear, the issues around what sites are required to do isn’t, meaning that mechanism might not be available for some time, Brookman said.