Study finds IE9's anti-tracking feature to be flawed

IE9trackingprot

A day after the release of Internet Explorer 9 RTM, a study conducted by 'Which? Company' discovered that the anti-tracking feature in IE9 is flawed.

The anti-tracking feature works by blocking flash cookies, web beacons and images from tracking your browsing behaviour. When a user browses a website, these tracking cookies can record what websites you're browsing, including content and images. Microsoft included a feature to block these elements from attaching themselves while browsing, but the feature contains a flaw that could still allow tracking methods to be used.

Tracking Protection in IE9 allows you to quickly add a list that prevents these tracking elements, which are called TPL's. These lists contain a list of 'allowed' and 'blocked' elements, but this is where the flaw in IE9's tracking protection exists.

Which? Company found that the TRUSTe TPL is basically one big allow list, which still allows content from sites like Acxiom to capture some of your data while surfing. This flaw in Internet Explorer's tracking protection isn't a fault of Microsoft's, but of the authors of the TPLs.

Unfortunately, there isn't a method to manually go down the list and toggle any of the websites to allow or disable them from tracking. Which? has already contacted Microsoft about the possible flaw. Corporate vice president of IE Dean Hachamovitch said,

‘To your premise, ‘deny' does equal block, or ‘protect' from potentially bad things. ‘Allow' is also essential in order to express relationships such as ‘this content but not that, or none of these except for those'.

It's unlikely that Microsoft will go back and revise their tracking protection strategy, but the hope is that they include an option for users to manually toggle lists, as it could be a handy feature in the future.

Report a problem with article
Previous Story

IE10 to ship with Windows 8?

Next Story

Microsoft's research's project Emporia brings people power to information

34 Comments

Commenting is disabled on this article.

well, I for one, am happy that MS have at least included anti-tracking feature in IE9.
I don't mind them releasing a couple of patches to tweak / fix any minor flaws in it.

It is a shame to see to what extent these blogger will go to bring IE9 down. What happen to old unbiased and objective report. Although I like the fact that internet is becoming our primary source information, it is really scary to think that any can publish an opinion with little or no regard for objectivities and facts.

I am not blaming the author of the article, the blame should go to these who let such a misleading article be published on Neowin. And we all know who I am referring to.

/facepalm

This flaw in Internet Explorer's tracking protection isn't a fault of Microsoft's, but of the authors of the TPLs.

Rubbish article alert!

That sentence contradicts itself. In the same sentence it says the flaw is with the IE tracking protection system, but also says it's not a flaw with the IE tracking protection system, but instead the TPL list provided by TRUSTe.

Make your mind up.

By default, in personal list mode, the lower limit you can set for number of tracking sites is 3, but I think I found the reg key to change this, so you can set it to 2.

It's at \HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\PrivacIE\TrackingProtectionThreshold

I wonder why MS won't let you set it to 2, as that would make a certain amount of sense. I dunno if it actually does anything if you set it to 2, as IE stills says the min. number of sites before blocking occurs is 3 after I changed it to 2 in regedit.

[edit] Oh nevermind, I set it to "1" to test it, and rebooted to see if that would change anything, IE9 automatically reset it back to "3", I guess it ignores anything less than 3.

Correction, it gets reset if you go into the tracking protection options and settings for your personal TPL and hit 'OK'. But I still think it ignores anything less than "3" because "1" did not block everything as I expected..

Study finds Windows 7 3rd party browser launch speed to be flawed
This flaw in Microsoft Windows application support isn't a fault of Microsoft's, but the authors of Firefox.

Another Anti-IE9 article preparing for Firefox 4 to land. Totally BS, so don't use Truste TPL then, you should allow or deny by yourself. This such a stupid accusation go too far into saying IE9 is flaw!!!??!!?!?

The flaw is human behavior. Ho do you determine who to trust or distrust in a world of 7 billion users on the internet. You could get a white list and still have bad apples on it.

No surprise here really, IE8 incognito browsing thing wasn't that good either. After using it you could easily tell where people had been

If they can't get that right, they were not going to get this right

Teebor said,
No surprise here really, IE8 incognito browsing thing wasn't that good either. After using it you could easily tell where people had been

If they can't get that right, they were not going to get this right


That's InPrivate Browsing mode. It leaves no trace. You are referring to this. It was renamed from InPrivate filtering to Tracking Protection filtering. They got it right in the first place, just poor naming.

GreyWolf said,

That's InPrivate Browsing mode. It leaves no trace. You are referring to this. It was renamed from InPrivate filtering to Tracking Protection filtering. They got it right in the first place, just poor naming.

Leaves no trace except that you can see exactly where people have been, so not really working at all then? So if that was flawed then this was going to be

So wait wait...

"Which? Company found that the TRUSTe TPL is basically one big allow list, which still allows content from sites like Acxiom to capture some of your data while surfing. This flaw in Internet Explorer's tracking protection isn't a fault of Microsoft's, but of the authors of the TPLs."

So the article title should be: "Study finds anti-tracking list is ****, use another one".

Singh400 said,
So wait wait...

"Which? Company found that the TRUSTe TPL is basically one big allow list, which still allows content from sites like Acxiom to capture some of your data while surfing. This flaw in Internet Explorer's tracking protection isn't a fault of Microsoft's, but of the authors of the TPLs."

So the article title should be: "Study finds anti-tracking list is ****, use another one".

hahaha this.

Singh400 said,
So wait wait...

"Which? Company found that the TRUSTe TPL is basically one big allow list, which still allows content from sites like Acxiom to capture some of your data while surfing. This flaw in Internet Explorer's tracking protection isn't a fault of Microsoft's, but of the authors of the TPLs."

So the article title should be: "Study finds anti-tracking list is ****, use another one".

this. i wish neowin stuck legit crticism of MS than peddling 'OMGWTFBBQ M$ $oftwarez are teh suxors' crap

So how is this a flaw in IE9 when the article states

This flaw in Internet Explorer's tracking protection isn't a fault of Microsoft's, but of the authors of the TPLs.

primortal said,
So how is this a flaw in IE9 when the article states

It's a flawed feature that IE 9 supports, but it's not due to a flaw in IE 9, but per design.

primortal said,
So how is this a flaw in IE9 when the article states
You neat to it.
While it is of some concern, I don't know why the article title says is a flaw in IE9....

Northgrove said,

It's a flawed feature that IE 9 supports, but it's not due to a flaw in IE 9, but per design.

And any software that uses this list would then have a flawed design.

Since the adblock used by people in firefox also use these types of lists, then it is flawed, and any security or firewall software that uses these lists is also flawed.

You aren't being serious are you?

thenetavenger said,

Since the adblock used by people in firefox also use these types of lists, then it is flawed, and any security or firewall software that uses these lists is also flawed.

With addblock you can enable or disable stuff at you own free will. If you had read the second half of the article, you would have read that even such a basic thing isn't provided in IE...

So... what they found was that the TRUSTe list blows, not Microsoft's tracking protection... and the article even says as much. But the title of the article says Microsoft's tracking protection is flawed? Perhaps if IE 9 shipped with TRUSTe's list, that might make sense. But it doesn't. so...

I just ended up using all the other different lists I found and didn't use TRUSTe's after I took a look at it and noticed it was more of a whitelist than anything. Seems to be working well enough so far.

You can enable the personal one and allow or block from there. I'm surprised Hachamovitch didn't say so himself.