/ Technology

IE9’s anti-tracking tool flawed – Microsoft should try harder

Animation of man tracking footprints

Our tests of IE9’s new anti-tracking tool found a fundamental flaw – download multiple lists and things you want blocked could actually be allowed. Does that sound right to you? Because it doesn’t to us…

It’s been a busy year for online privacy so far, with web giants like Google, Microsoft and Mozilla all releasing anti-tracking tools in the past few months.

Great – they’re finally waking up to the fact that users want more control. But do these tools live up to their claims of stopping third parties from tracking our online behaviour? At Which? Computing we decided to contain our excitement before we’d put them to the test.

The results that came back from our labs were a surprise – and not a pleasant one. Our researchers had issues with each tool, but the biggest problem was with the Tracking Protection List (TPL) feature in Internet Explorer 9 (IE9).

How TPLs work

IE9 uses TPLs to give you control over third-party tracking tools. It does this by blocking web tools (such as Flash cookies, web beacons and images) from tracking how you browse the web.

To enable the anti-tracking feature in IE9, users have to download a TPL, which contains details on what tool to ‘allow’ and what tool to ‘block’.

While the blocking technology in the TPLs works fine, there’s a real problem with the rules that govern these lists.

Don’t download multiple lists

Microsoft offers IE9 users access to five different TPLs – they can install multiple lists and use them alongside their own personalised filtering list.

But here’s the crux of the problem – our study found that when a user has downloaded multiple TPLs, the rules from all of them are grouped together into a single list where allowing tracking takes precedence over blocking it.

For example, you may choose to install two tracking lists: one by EasyList and one by TRUSTe. The EasyList TPL might ‘block’ web beacons, whereas the TRUSTe TPL might ‘allow’ them. In this case, the web beacons would be ‘allowed’.

Put simply, if you enable more than one list you leave yourself vulnerable to being tracked.

When we put our findings to Jonathan Mayer, the lead researcher on Stanford University’s ‘Do Not’ Track’ project, he explained that there are other problems with TPLs – for example, they aren’t comprehensive:

‘A user who installs the best TPLs available would still be tracked by a number of companies. EasyPrivacy, for example, doesn’t [block] Google Analytics or the Facebook ‘Like’ button.’

Microsoft should mend its broken system

It all sounds just a bit too complicated to me, and I’m a technology journalist, so I’ll bet others are confused too.

Requiring users to understand and apply a ‘block’ and ‘allow’ rule across multiple TPLs is an overly complicated way of opting out of being tracked. Unless Microsoft re-evaluates its system, too many of us will be using our computers under a false sense of security.

Do you think more should be done to make it easier for us to opt-out of being tracked online?

Comments
Profile photo of wavechange
Member

It looks as if Microsoft are beginning to put some effort into sorting out the problems with Internet Explorer but its too little and too late. They should bow out of the browser market, where their share continues to fall, and focus on improving Windows 7.

Profile photo of richard
Member

It shows Microsoft cannot supply a safe reliable and bug-free piece of software – and why I have never used MS software except the O/S – even Vista was rubbish.

Member
Barry Smallwood says:
17 March 2011

as far as i understand it the TPL consist of black lists and some also incude a whitelist.if you use 2 lists and in one a tracker is blacklisted and in the other it is white listed then the white list always wins.I have downloaded several lists but have checked them (right click then “more information”) and have removed ant with a white list this leaves me with 3 of those available and my own list.

Member
Fat Sam, Glos says:
17 March 2011

Use Firefox and install the TrackMeNot add-on.

(people are still using IE? Seriously? Shakes head…)