IE9 to let users block tracking

Users who opt into the feature will subscribe to lists that block sites from tracking them

The next version of Internet Explorer will let users turn on "tracking protection," a new mechanism that will block specified third-party sites from tracking users, Microsoft said.

The announcement comes just as the U.S. Federal Trade Commission has proposed that consumers be allowed to subscribe to a "do not track" system that is similar to the "do not call" lists that consumers join in order to block telemarketers.

To use the new IE9 feature, people will turn it on and then choose a list of sites to block. Anyone, including individuals, companies and consumer protection groups, can make such lists, and users can subscribe to as many as they please.

"Tracking protection in IE9 puts people in control of what sites can get their data as they move around the Web," said Dean Hachamovitch, vice president of IE at Microsoft, during a web conference about the feature.

Users may like the idea of being able to block certain sites from tracking their actions online but some may be surprised by the result. That's because sites that users block from tracking them will also be blocked from displaying content. During the webcast, the executives showed a prerecorded demo of how the mechanism works. Once the feature was turned on and started blocking sites, certain content on the page that was provided by the third-party sites no longer appeared on the page.

The lists are subscription-based, meaning the authors can update the lists and the updates will be automatically pushed out to subscribers. IE9 will check for updates to the lists once a week.

The feature will not block cookies that are built in Flash.

Experts said the announcement is a step in the right direction. However, Michael Cherry, an analyst with Directions On Microsoft, wondered if the feature goes far enough. That's because the IE9 tracking protection only prevents tracking by third parties, not by sites that users visit directly.

"I was expecting more," he said. "I want to be able to say 'I don't want any site to track me, whether I went there or not.'" For instance, if he visited a site looking for medical information, he might not want that site to save or share information about what he searched for. IE9's tracking protection feature wouldn't prevent that.

It would be good to be able to block even first party tracking, but Microsoft's announcement addresses the more important issue of third party tracking, said Justin Brookman, director of consumer privacy for the Center for Democracy and Technology. "There are privacy concerns [with first party tracking] and there should be a way to opt out of that but tracking across multiple domains is considerably more disturbing. People aren't surprised by first party tracking as much," he said.

Websites will be able to detect when visitors are using the list. That will be helpful so that sites know that some content may be blocked for the visitor, Hachamovitch said. For instance, if a medical imaging site uses third-party content to deliver an image, the site may want to alert visitors if they are not seeing the complete image because the third-party site is being blocked.

The mechanism could be abused by hackers but it is not a "vector for malware" because there is no software to install, said Hachamovitch. A hacker could, however, create a list and say it is from a legitimate source. "Consumers will need to be thoughtful and wary when they get lists," he said.

The makers of Firefox are also reportedly working on tools that would let users block trackers online. That design involves sending a signal from a browser saying that the user does not wish to be tracked, Hachamovitch said.

Hachamovitch called Microsoft's option complementary to the one Firefox is exploring and said that both have challenges. With the Firefox idea, it has yet to be determined what a website does when it receives such a signal, Hachamovitch said. There are also issues of verifying and enforcing such signals, he said.

The Firefox idea is a good one but there are important unanswered questions so far, including what happens when visitors turn on the do not track feature and then visit a site, Brookman said. "Are they legally required to obey it?" he asked. The answer to that question isn't known yet.

Microsoft's approach has been criticized because the lists require updating, Hachamovitch said.

In addition, users will have to seek out lists from trusted sources and from sources that are likely to proactively update the lists. Companies like antivirus vendors are in a good position to do that, said Cherry. Consumer privacy groups could also create lists for consumers.

Brookman agrees that looking for good lists to subscribe to could be cumbersome but that the benefits to Microsoft's idea outweigh the downsides. "One advantage of the Microsoft approach is you don't have to trust people to acknowledge your request," he said. That's because if a third party is on a user's list, that third party never receives information about the user.

Microsoft will be rolling out the feature soon. The new tracking protection feature will be available in the IE9 release candidate early next year. A release candidate is a near-final version of software. While the technical implementation of the Firefox idea is clear, the issues around what sites are required to do isn't, meaning that mechanism might not be available for some time, Brookman said.

Nancy Gohring covers mobile phones and cloud computing for The IDG News Service. Follow Nancy on Twitter at @idgnancy. Nancy's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsInternet Explorer 9Microsoftsecuritybrowserssoftwareprivacy

More about CherryFederal Trade CommissionIDGMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Nancy Gohring

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place