Microsoft IE9 Tracking Protection Lists (Part 2 – The How)

In Part 1 of my blog on the Microsoft Internet Explorer 9 (IE9) Tracking Protection List (TPL) feature I discussed why it was important to do something about tracking.  Now lets talk just a little bit about how tracking and the TPLs work and then spend most of the article on which TPLs you should use with IE9.

When you view a web page the various elements on that page typically come from multiple sources.  So, for example, if you go to the advertising on the page doesn’t come from MSNBC, it might actually come from DoubleClick (which is owned by Google, quite ironic since MSNBC is co-owned by Microsoft).  In fact many web page are made of elements from dozens of different sources.  Some of those sources might not even display actual content, they might be invisible.  These invisible elements are there just to gather information, specifically that you visited the page.  These invisible tracking elements, or beacons, are an example of the techniques used for third-party tracking.  Another example are third-party tracking cookies.  Tricks like beacons are increasingly popular because most browsers have either blocked or limited third-party cookies for some time now.  IE has long blocked third-party cookies by default unless the third-party publishes what is known as a “compact privacy policy”.  Ok, that turned out to be a weak solution, so you can optionally set IE to always block third-party cookies if you wish.   But that can lead to web pages that don’t render properly.  Safari on the iPad and iPhone block third-party cookies by default, which is no doubt why some pages don’t render properly on those devices.  A better solution would be to only block third-party cookies, beacons, etc. that are specifically used for tracking.  This is what the TPL was designed to do.

Tracking Protection Lists are simply lists of web addresses that Internet Explorer should NOT communicate with unless the user directly goes to the site.  In other words, they tell Internet Explorer not to engage in third-party communications with that web address.  TPLs can also include instructions to explicitly allow third-party communications with a web address.  I’ll explain why that is important in a minute.  You could actually use TPLs in a number of ways beyond what Microsoft has explicitly designed them for.  For example, beyond limiting tracking you can also use them to actually block the display of third-party ads.  But we’ll focus on tracking protection.

What Microsoft hasn’t done is create an actual Tracking Protection List for users, it is relying on third parties to do that.  You can find a set of TPLs by clicking on the tools (gear box) icon in IE9, then Safety->Tracking Protection.  There you will find a link to get “Tracking Protection Lists Online”.  Clicking it will show you a set of lists, with very poor descriptions of what they do.  Ed Bott did some analysis of the lists as of last February and I’m using his data in my analysis.  You can use more than one list, and which one(s) you choose is based on what your goal is.

In Part 1 of this series I broke the actors who are tracking down into three categories which I’ll recast here.  “Good Guys” are those who are tracking you so they can provide a better web experience and have strong privacy protection policies in place.  “Careless Guys” are those whose motives may be good, but whose privacy protection policies and/or operations are suspect.  “Bad Guys” are everybody else.  The question you have to ask yourself is, are you willing to let some of these actors (e.g., the Good Guys) track you while blocking the others or do you just not want to be tracked at all?  As a reminder, letting yourself be tracked results in more appropriate ads (e.g., diaper ads for a new mother and sports car ads for an empty nest guy going through a mid-life crisis).  And in the future you might find websites that block your access to content unless you allow them to track you and display appropriate ads.  So you need to make a decision just how much you want to give in to tracking paranoia.

The most important list you need to know about, and the one I recommend, is the EasyPrivacy Tracking Protection List.  This list is the most aggressive at blocking tracking.  The EasyPrivacy list is taken directly from the popular Adblock Plus add-in for Firefox, so it has a long history and a very active volunteer community dedicated to eliminating third-party tracking.  But of course, it is going to block the “Good Guys”.  Fortunately for all of us, if you want to re-enable the “Good Guys” then you can simply add another list.  TRUSTe’s TRUSTed Tracking Protection List is a list of what are supposed to be the “Good Guys” as determined by TRUSTe.

That sounds easy doesn’t it?  Add one list if you are “paranoid” about tracking, then add a second if you want some tracking protection but don’t want to interfere too much with the web experience.  There is a caveat there of course, you have to trust TRUSTe to only have the “Good Guys” on its list.  I think for most users this is an ok assumption, though the TRUSTe “Good Guy” list is long enough that it makes me wonder if some “Carless Guys” are actually on it.  Still, nothing is perfect.

There are other choices in Tracking Protection Lists.  For example, instead of the two lists I mention above you could use the lists from PrivacyChoice.  There are two, one that blocks all third-party tracking that PrivacyChoice knows about.  This would be the list for the “paranoid”.  The other is a PrivacyChoice that only blocks tracking sites that are not part of the Network Advertising Initiative (NAI).  The NAI is another attempt at identifying the “Good Guys”.  So if you believe NAI has a better program than TRUSTe then the PrivacyChoice TPL blocking companies without NAI oversight is for you.

There are other lists such as Albine (which has one list specifically designed to block tracking on kid-oriented web sites), and then FanBoy which seems similar to EasyPrivacy.  These might be of interest, but require more investigation.

There you have it.  If I were you I’d go turn on IE9’s Tracking Protection List feature immediately.  Either EasyPrivacy + TRUSTe or EasyPrivacy alone.

This entry was posted in Computer and Internet, Microsoft, Privacy and tagged , , , , , , . Bookmark the permalink.

2 Responses to Microsoft IE9 Tracking Protection Lists (Part 2 – The How)

  1. Thanks for the article Hal. I will have to enable the TPL on my machine. So I was wondering if IE9 blocks 3rd party cookies by default? I know IE8 does, however cannot see if IE9 automatically does so.

    • halberenson says:

      I don’t believe anything has changed in this regard. The default Privacy level (Internet Options->Privacy) for both IE8 and IE9 is Medium, which blocks third-party that don’t have a “compact privacy policy”. But neither block all third-party cookies by default, you’d have to raise the level or click on Advanced and override the policy to specify you want to block all third-party cookies. BTW, if you do block all third-party cookies then you don’t need to use a TPL since a TPL is about selectively blocking third-party cookies.

      The problem with the old privacy levels is that the “compact privacy policy” requirement is too squishy, both in terms of a site making an accurate policy available and your inability to specify what an acceptable policy is. In practice it has proven to be somewhere between useless and harmful (because it gives users a false sense of security about their privacy). That is why things like the TPL, along with the Do-Not-Track flag (when combined with legislation that would mandate websites honor it), have started to appear.

Comments are closed.