Our tests of IE9’s new anti-tracking tool found a fundamental flaw – download multiple lists and things you want blocked could actually be allowed. Does that sound right to you? Because it doesn’t to us…
It’s been a busy year for online privacy so far, with web giants like Google, Microsoft and Mozilla all releasing anti-tracking tools in the past few months.
Great – they’re finally waking up to the fact that users want more control. But do these tools live up to their claims of stopping third parties from tracking our online behaviour? At Which? Computing we decided to contain our excitement until we’d put them to the test.
The results that came back from our labs were a surprise – and not a pleasant one. Our researchers had issues with each tool, but the biggest problem was with the Tracking Protection List (TPL) feature in Internet Explorer 9 (IE9).
How TPLs work
IE9 uses TPLs to give you control over third-party tracking tools. It does this by blocking web tools (such as Flash cookies, web beacons and images) from tracking how you browse the web.
To enable the anti-tracking feature in IE9, users have to download a TPL, which contains details on which tools to ‘allow’ and which tools to ‘block’.
While the blocking technology in the TPLs works fine, there’s a real problem with the rules that govern these lists.
Don’t download multiple lists
Microsoft offers IE9 users access to five different TPLs – they can install multiple lists and use them alongside their own personalised filtering list.
But here’s the crux of the problem – our study found that when a user has downloaded multiple TPLs, the rules from all of them are grouped together into a single list where allowing tracking takes precedence over blocking it.
For example, you may choose to install two tracking lists: one by EasyList and one by TRUSTe. The EasyList TPL might ‘block’ web beacons, whereas the TRUSTe TPL might ‘allow’ them. In this case, the web beacons would be ‘allowed’.
Put simply, if you enable more than one list you leave yourself vulnerable to being tracked.
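The merge behaviour described above, modelled as an added example (not code from Which? or Microsoft). It assumes a simplified `block`/`allow` rule format with exact domain matching, not the real TPL file syntax, and uses constructed list names and domains; it reports every block rule that an allow rule in another list cancels.

```python
# Added example: simplified model of the merge behaviour described above.
# The rule format ("block <domain>" / "allow <domain>") and the list contents
# are constructed for illustration; this is not the real TPL file syntax.

SAMPLE_LISTS = {
    "ListA": """
        block beacons.tracker.example
        block ads.tracker.example
    """,
    "ListB": """
        allow beacons.tracker.example
        block metrics.other.example
    """,
}

def parse(text):
    """Return (action, domain) tuples from one list's text, skipping junk lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("block", "allow"):
            rules.append((parts[0], parts[1].lower()))
    return rules

def merge(lists):
    """Group the rules of all lists by domain, remembering which list said what."""
    by_domain = {}
    for name, text in lists.items():
        for action, domain in parse(text):
            entry = by_domain.setdefault(domain, {"block": [], "allow": []})
            entry[action].append(name)
    return by_domain

def effective_action(by_domain, domain):
    """Apply the precedence the article describes: any 'allow' beats every 'block'."""
    entry = by_domain.get(domain)
    if entry is None:
        return "none"
    return "allow" if entry["allow"] else "block"

def overridden_blocks(lists):
    """List the block rules that an allow rule in another list cancels."""
    return sorted(
        (domain, tuple(e["block"]), tuple(e["allow"]))
        for domain, e in merge(lists).items() if e["block"] and e["allow"]
    )

if __name__ == "__main__":
    for domain, blockers, allowers in overridden_blocks(SAMPLE_LISTS):
        print(f"{domain}: blocked by {blockers}, but allowed by {allowers}")
```

Running the same check over the lists you intend to enable together shows which blocks would be lost before you install them.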
When we put our findings to Jonathan Mayer, the lead researcher on Stanford University’s ‘Do Not Track’ project, he explained that there are other problems with TPLs – for example, they aren’t comprehensive:
‘A user who installs the best TPLs available would still be tracked by a number of companies. EasyPrivacy, for example, doesn’t [block] Google Analytics or the Facebook ‘Like’ button.’
Microsoft should mend its broken system
It all sounds just a bit too complicated to me, and I’m a technology journalist, so I’ll bet others are confused too.
Requiring users to understand and apply a ‘block’ and ‘allow’ rule across multiple TPLs is an overly complicated way of opting out of being tracked. Unless Microsoft re-evaluates its system, too many of us will be using our computers under a false sense of security.
Do you think more should be done to make it easier for us to opt out of being tracked online?