Consumers are being warned to think twice before enabling Microsoft’s anti-tracking feature in Internet Explorer 9 (IE9) to their browsers after a potential flaw in the technology was discovered by Which? Computing.
The warning was issued by a lead researcher at Stanford University following tests carried out by Which? Computing that found a potential flaw in the way the Tracking Protection Lists (TPLs) work. TPLs play a central role in how the anti-tracking feature in IE9 works.
IE9 uses TPLs to give users control over third-party content that can have an impact on their online privacy. It does this by blocking web content, such as Flash cookies, web beacons and images, from tracking web browsing behaviour.
How they work
To enable the anti-tracking feature in IE9, users have to download a TPL. Which? Computing found problems if users download and use more than one TPL – creating conflicts between the lists and potentially preventing the anti-tracking feature from operating properly.
Microsoft offers IE9 users access to five different TPLs – one each from Abine, EasyList and TRUSTe and two from PrivacyChoice – which can be downloaded via Microsoft’s website. Consumers can install multiple TPLs and use them alongside their own personalised filtering list.
TPLs contain details on what content to ‘allow’, and what content to ‘block’ – effectively giving control over how content such as Flash cookies track browsing behaviour.
However, a Which? Computing study found that when a user has downloaded multiple TPLs, all of the rules from all of the TPLs are grouped together into a single list where an ‘allow’ takes precedence over a ‘block’.
For example, a consumer may choose to install two TPLs: one by EasyList and one by TRUSTe. The EasyList TPL might ‘block’ web beacons, whereas the TRUSTe TPL might ‘allow’ them. In this case, the web beacons would be ‘allowed’.
The flaw could mean that users are unknowingly having their web behaviour tracked, despite using the anti-tracking features in IE9.
Dr Rob Reid, a senior Which? Policy advisor, said: ‘We’re disappointed with the way these lists work, and feel consumers who install multiple lists could be left with a false sense of security.’
Jonathan Mayer, lead researcher on Stanford University’s ‘Do Not Track’ Project, said the findings by Which? Computing could leave IE9 users open to being tracked: ‘The issue here is that if a user installs TPLs that have ‘allows’ for web content that should be blocked, they leave themselves vulnerable to being tracked,’ he said.
‘The user has to decide which list to trust and get it right. I would urge users to think twice before installing a list, and to consider who it is they trust to compile a list that protects them, and to trust they keep updating the list. My concern with TPLs is that users shouldn’t have to know the difference between a ‘block’ and an ‘allow’ rule. They should just be able to opt out.’
He added: ‘The TRUSTe TPL is almost exclusively what we’d call an ‘allow’ list. It ‘allows’ content from Acxiom, a major data aggregator. If you want to stop your online behaviour from being tracked, the last thing you’d want to do is install a list that guarantees that Acxiom can track you.’
Microsoft has acknowledged our findings. Dean Hachamovitch, corporate vice president, IE, said: ‘To your premise, ‘deny’ does equal block, or ‘protect’ from potentially bad things. ‘Allow’ is also essential in order to express relationships such as ‘this content but not that, or none of these except for those’.
‘Saying ‘allow’ beats ‘deny’ is a good bit of wordplay. Reversing it increases the difficulty for well-intentioned list authors to express complex relationships. I understand that this may seem counterintuitive [but] it’s not a unique occurrence in the application of technology to safety.’
He added: ‘The primary consumer role here is choosing a list author they trust. Auditing any such list requires privacy expertise as well as technical acumen. Propping up more checkboxes is unlikely to actually help consumers.’
Which?’s Reid added: ‘We’d like Microsoft to re-evaluate its ‘allow’ and ‘block’ system since we find this all a bit confusing and are worried that consumers will too. Requiring users to understand and apply a block and allow rule across multiple TPLs seems an overly complicated way of opting out of being tracked.
‘We are also concerned that the lack of monitoring and mediation of the TPLs leaves the system and consumers vulnerable to abuse.’
Keep up with the latest news by taking out a trial to Which? Computing magazine
How to follow the latest Which? Tech news
Are you a Twitter user? Follow WhichTech on Twitter for regular tech tweets.
Prefer RSS? Don’t miss a thing with the Which? tech RSS feed.
For just the main headlines in newsletter form, sign-up to our weekly Which? tech email.
Apple iPad 2 3G data plans compared – find the best 3G plan for your iPad
Best Android tablets round-up – we look at the best iPad alternatives around
Best cheap laptops for under £500 – find the best laptop deals