Microsoft’s release candidate for Internet Explorer 9 — made available for download this week — includes a tool that lets users protect themselves from being tracked on the Web. During his recent trip to Germany, we sat down with Dean Hachamovitch, Microsoft corporate vice president responsible for the development of Internet Explorer, to discuss privacy, the difference between expected and creepy tracking, Tracking Protection in IE9, market share and how hard it is to get rid of Internet Explorer 6. An edited version of the conversation follows.
IDG: Let’s talk privacy — you announced a new feature called Tracking Protection for IE9 in December. How was it received?
Hachamovitch: After the announcement of Tracking Protection, it was remarkable to see how much interest we got. We got questions from academics, press and governments. The talk at CES in January was also significant — normally they interview people like the CEO from NVIDIA or the COO of Twitter, and now they wanted to know about privacy.
IDG: How does Tracking Protection work in detail?
Hachamovitch: If you look at a modern webpage, you almost never have a static webpage, they’re more like a mosaic of different services. You get a video from here, an ad from there and even small white pictures with a size of 1 x 1 pixel…
IDG: What do those do?
Hachamovitch: Those are mostly tracking pixels. They measure, for example, how many hits a site gets. It’s important to understand that cookies are only one way to track users on the Web. There are also tracking pixels and a variety of others. The fact is that users on the Web are tracked, often without their knowledge and without their consent. Another important aspect is the distinction between tracking and advertising. Not all tracking is advertising, not all advertising is tracking. The third aspect is that you have to distinguish between expected tracking and unexpected tracking. If I buy a book at Amazon, for example, or listen to a song on Last.FM, I know that the service will track my behavior. I know it will use this data to show me similar things which I might like, and thus enhance my experience.
The other thing is unexpected tracking or, as I call it, creepy tracking. The user gets no information about which service is tracking his online behavior, how this information is used or where it ends up. It is precisely this kind of tracking that we want to address with Tracking Protection. The technology will be an integral part of all versions of IE9, starting with the Release Candidate of IE9.
IDG: How will the plug-in know which attempts at tracking it should stop?
Hachamovitch: The plug-in relies on lists; these contain a set of rules that define which content to block.
IDG: So it is similar to plug-ins like Adblock Plus?
Hachamovitch: Exactly. Actually, we already have interest from some of the list providers for Adblock Plus to provide lists for Tracking Protection.
IDG: How much technical know-how does it take to generate these lists? Can anyone generate a new list and share it with their friends?
Hachamovitch: Yes, and we encourage everyone to do so. Tracking Protection is designed as an open platform; the more people create lists, the better the service will get. The process itself is really simple: Say you browse the Web one rainy afternoon and you want to see what content the website you’re currently visiting is loading. IE9 will have a feature that shows you precisely this information. If you find something you can’t explain, you can add it to a list. You can then put the list online and send the links to your friends. They just need to click on the link and your rule-set is added to their IE9.
IDG: So Tracking Protection is not limited to Tracking? Can you block ads as well, for example?
Hachamovitch: If you generate a list for it, it can block other things.
IDG: Sounds simple enough — how do you think the site-owners and advertising companies will react?
Hachamovitch: It has already generated a lot of interest. But I tell you what: If your list blocks a specific thing a website tries to load and a lot of people install your list, the site might go: “Wow, people are blocking these things and I need them. Hmm… if I try and explain to my visitors what this specific content does and why I need it, I might be able to convince them and they might switch to my list, which allows this particular feature.” Tracking Protection really levels the playing field for consumers compared to the people who own the site. It might even help start a conversation that otherwise won’t happen.
IDG: Are you going to open that solution for other browsers as well, say Google Chrome or Mozilla Firefox?
Hachamovitch: We would love to see that function become part of other browsers, because it would be great for consumers — but, of course, I can’t speak for them. However, we will make the file format available under the appropriate licenses.
IDG: There have been a few other proposals around privacy on the net. What do you think of them?
Hachamovitch: You mean, like the “do not track” header?
IDG: Yes, exactly.
Hachamovitch: This solution is basically a browser plug-in, one which gives the user a big button with “do not track” on it. If the user clicks on it, the browser tells the website: Hey, do not track me. The thing is, it is entirely up to the website if they honor that request.
The other discussion is about the data retention period, about how long a website is allowed or required to keep information about its users. Now, our Tracking Protection is a very elegant solution to this problem. If there is a list that prevents sites from getting data about the user, they can retain the data for exactly zero units of time. Our technology can be used by everyone — normal users, privacy advocates, even companies and governments. You just build a list and make it available to other users of IE9.
IDG: Can you tell us when there will be a version for Windows Phone 7 or Windows Mobile?
IDG: You mean, no, there won’t be a version?
Hachamovitch: I mean, I can’t say anything about it. OK, maybe one thing: I’m smiling — so you might infer from that smile that there will be more conversation about that topic soon.
IDG: Let’s talk a little about market share. According to some reports, Firefox overtook IE in usage in Europe in recent months. Would you care to comment?
Hachamovitch: I always find those studies interesting. The numbers they love to quote date back to before there was WiFi, before there was Twitter, before there was Facebook; it’s a bizarre comparison. The simple truth is: More people are using Internet Explorer than ever before. The Beta of IE9 has been downloaded 20 million times — I think that alone shows huge interest. And IE9 has some great and unique features, Tracking Protection for example, or the hardware acceleration feature or the extended support for HTML5.
IDG: One of the biggest competitors could be said to be IE6.
Hachamovitch: We have people at Microsoft whose full-time job is driving IE6 out of the market. If they do a better job of getting rid of IE6, they get a bigger bonus at the end of the year. We really want users to move to the latest available version that their operating system supports.
IDG: Internet Explorer is one of the few browsers that companies can integrate into their management and patch systems. Why didn’t any of your competitors try to build something similar to appeal more to companies?
Hachamovitch: OK, I can only speak on the product I work on. Our point of view is: If you license Windows, you are our customer. You can expect us to provide a long period of support with security updates. Actually those should be called “trust updates”, because not only do they fix security issues, they also have a positive impact on reliability, stability and performance. Our customers expect to be able to manage and deploy Internet Explorer. That’s something we built into all parts of Windows, IE and the Office application suite in particular. And when you take your customers seriously, you design software that way.
IDG: Talking about security updates, you normally stick to the Patch Day releases. But cybercriminals attack browsers on a daily basis — do you think it’s possible that you might set up a faster patch cycle for products like IE?
Hachamovitch: Our normal patch cycle is eight weeks, but every year, typically once or twice, we release an out-of-cycle patch. So you see we have the capability to go faster. The problem with releasing patches out of cycle is that there is a capacity issue. People can only absorb a certain amount of information. If the IT staff has a few hundred desktops to administrate, they rely on a certain rhythm. If we release a patch outside the normal schedule, we generate irregular events for them. They benefit from the eight-week-pattern, and they benefit from having control over their systems. … So yes, we can go faster – just look at the number of IE9 Previews we released. But if we do, we generate a lot of incidents. There is a certain balance there.
IDG: Last question: Users love to customize their browsers — that’s one of the reasons why Firefox is so popular. Why is there no central add-on directory for Internet Explorer?
Hachamovitch: Let me go back to the beginning of your question: Users love to customize their browser. Do they really? If you look at the data, most of them actually don’t. Compared to all the users worldwide, it is a very small subset of people that use add-ons, but they are very vocal. It’s very easy to over-correct for this group. So, on the one hand, saying “everyone” is a little extreme — on the other hand, here is our approach: Take the functionalities that people really want, and build them in…
IDG: …which is a different approach from, say, Mozilla.
Hachamovitch: Yes, but this way people don’t go: Oh, I have the browser, now I need to download an additional plug-in? Plus, if you update the browser, the functions keep working. I’m sure you’ve come across the problem where you update your browser but your add-ons are not compatible. That’s actually the biggest issue people have — compatibility. If you build the feature in the browser, you get security, reliability and compatibility. The bigger picture is that we build the functionality in and then leave data on the outside. And so the way you program is by using the data — like we do with the lists for Tracking Protection.