Blog Post

Microsoft: It’s Naive To Trust Tracking Sites To Obey Anti-Tracking Orders

Updated with news from Microsoft’s IE9 launch today in San Francisco.

When it comes to online privacy, the two leading browser companies, Mozilla and Microsoft (NSDQ: MSFT), have laid out their differing strategies. Mozilla is going with an HTTP-based header that tells websites when users don’t want to be tracked, while Microsoft is pursuing a list-based approach that will allow users–or privacy organizations they trust–to block content and tracking devices from websites they don’t trust. At a privacy conference yesterday, the Microsoft executive in charge of the upcoming Internet Explorer 9, Dean Hachamovitch, explained why he thinks Mozilla’s approach is flawed.

When Internet Explorer 9 launches, the company will offer users the option of maintaining a privacy list of websites that should be blocked from collecting user information. That list could be maintained by an individual user of IE9 or could be simply grabbed from a trusted privacy protection group. The big advantage of this approach, said Hachamovitch, is that it doesn’t require advertisers to buy-in. It blocks their cookies and other tracking mechanisms whether they like it or not.

Hachamovitch said it’s naive to simply trust that the tracking sites will obey an anti-tracking signal. “We don’t have ‘do not send me pop-up window’ HTTP headers,” said Hachamovitch, speaking at UC Berkeley. “We just have pop-up blockers.” Similarly, he noted, there’s no “Do Not Phish Me” button on browsers.

One problem with the Microsoft approach, noted by Indiana University privacy researcher Chris Soghoian, is that a blocking list pushes the cost onto the user. “They have to keep that list updated,” said Soghoian, who favors a header-based approach like that offered by Mozilla. “But if there is an organization or industry that should have to bear the cost of this, it’s the ad networks. The user shouldn’t have to be playing a game of cat and mouse.”

In response, Hachamovitch said that in an environment where it still isn’t exactly clear what constitutes “tracking,” determining what to block requires some human judgment and the kind of curation that would be involved in creating an anti-tracking list.

Another speaker on the panel–Federal Trade Commission’s Chief Technologist Ed Felten–pointed out that both the Microsoft and Mozilla mechanisms rely on parties other than browser vendors and users to work. While a user surfing the web with IE9 would need to find a privacy organization to maintain an updated anti-tracking list, Mozilla’s approach relies on advertisers respecting the Do Not Track header.

Update: At an IE9 launch event in San Francisco, Microsoft engineers showed off their new browser. In addition to highlighting the new software’s performance enhancements, the company introduced some of the partners who will help IE9 users build the “tracking protection lists.” Those partners include Privacy Choice and TRUSTe, as well as EasyList, the organization that already helps users block ads with the Firefox AdBlock Plus add-on. TRUSTe and EasyList both have blog posts published about their new tracking protection lists.