IE9 "Do Not Track" Feature Prone to User Error
Microsoft today revealed a new security control in Internet Explorer 9 which will enable users to restrict sites from tracking them. The ability to control access to tracking data from within the browser is a welcome addition, but the feature is not exactly fool-proof.
Earlier this month the United States Federal Trade Commission (FTC) issued a scathing report on the state of online consumer privacy, coupled with a call for a Web-surfing equivalent to the "Do Not Call" list. The "Do Not Track" initiative as a government policy is still embryonic, but the privacy features in IE9 let users exercise similar control over which sites have access to personal data like the Web browsing history.
A post on Microsoft's IEBlog explains, "Today, consumers share information with more Web sites than the ones they see in the address bar in their browser. This is inherent in the design of the Web and simply how the Web works, and it has potentially unintended consequences. As consumers visit one site, many other sites receive information about their activities," adding, "When the browser calls any other Web site to request anything (an image, a cookie, HTML, a script that can execute), the browser explicitly provides information in order to get information. By limiting data requests to these sites, it is possible to limit the data available to these sites for collection and tracking."
In a nutshell, the IE9 "Do Not Track" capability is essentially just an evolution of security controls that are already present in Internet Explorer 8. The privacy control enables users to create Tracking Protection Lists (TPL) of domain names that will only be visited if directly clicked or typed in the browser address bar. But, the domains in the TPL will not be able to surreptitiously receive information as a third-party to a different site that is overtly visited.
The Microsoft Advertising Blog describes an important limitation of the IE9 security control, though. "IE9's privacy settings, like those contained in IE8, will not be on by default, but they will allow users to create lists of sites they wish to share information with, as well as sites they do not wish to share information with. The settings do not take a position on managing information; instead, they provide an improved platform for consumers to exercise choice."
At face value, that sounds fine. Users have control and can choose when and how to share information rather than having Microsoft, or some other third-party decide for them and dictate which sites can or can not receive privacy data. The problem is that the vast majority of users lack the privacy savvy, tech skill, and drive to devote the time and energy to properly configuring and maintaining these lists.
I am not suggesting that Microsoft's approach is wrong, just that it's also not a silver bullet. Unfortunately for average users, very little in security is. Businesses and consumers need to understand that much of security and privacy is subjective and that implementing and maintaining security controls is a somewhat complex process that can't be driven by a third-party.
Microsoft's approach with TPLs to block tracking efforts by unauthorized sites is as good as any other solution out there. It just requires a little up front effort to understand and configure it, and some ongoing administration to manage access for authorized sites and add new offending sites to the TPL.
Microsoft should be commended both for its ongoing collaboration with the FTC and other organizations to develop policies and controls that protect users, and for proactively introducing privacy features in IE9 that give users the ability to exercise some control over their personal information.