Internet Explorer 9 Feature Focus: Tracking Protection

Tracking Protection is a new IE 9 feature that limits the browser's communication with certain web sites, which in turn prevents content on those sites from tracking your online activities. Tracking Protection performs its magic using one or more tracking protection lists, each of which works like a combination white list and black list.

Paul Thurrott

March 21, 2011

6 Min Read
ITPro Today logo in a gray background | ITPro Today

In late 2010, the Federal Trade Commission proposed that browser makers implement a "Do Not Track" mechanism, modeled on the successful "Do Not Call" registry, which would protect consumers against privacy violations. From a functional standpoint, however "Do Not Track" wouldn't work like Do Not Call but would instead prevent sites and services from tracking the user.

Less than a week later, Microsoft surprised competitors and onlookers alike by announcing that it would implement a Do Not Track mechanism called Tracking Protection in Internet Explorer 9. At the time of the announcement, IE 9 was still available in a pre-release beta version, so Tracking Protection is one of just a handful of features added to the product that late in development, and arguably the biggest of those features.

Tracking Protection explained

Tracking Protection is a new IE 9 feature that limits the browser's communication with certain web  sites, which in turn prevents content on those sites from tracking your online activities. Tracking Protection performs its magic using one or more tracking protection lists, each of which works like a combination white list (sites to not block) and black list (sites to block).

Tracking Protection is necessary because a typical web page can contain an astonishing amount of content--images, advertisements, and other code--that is provided not by the site you're visiting but by third party web sites. And these in-page elements, silently and secretly, are often specifically designed to put a digital tracer on your browser--and thus on you--and follow you along as you browse online, tracking the sites you visit and collecting information.

With Tracking Protection, you regain some level of control over this behavior.

Enabling Tracking Protection

While Tracking Protection is a desirable, arguably necessary feature, it's not enabled by default. To enable this feature, first click Tools, Safety and then Tracking Protection in IE 9. (Here, "Tools" refers to the gear-like icon in the upper right of the IE 9 window.) This launches the Tracking Protection view in the Manage Add-ons window.

Now, select the "Your Personalized List" entry and click the Enable button. This turns on Tracking Protection and uses a built-in IE 9 feature that automatically generates an internal tracking protection list that is based on your browsing history. Any time a site or in-page element tracks your movement across 10 or more sites, it's added to this automatic tracking list. (It is, however, not automatically blocked. You can configure this behavior; see below).

Enabling this automatic, internal tracking protection list and then configuring which sites to block is a good start, and may prove to be enough for most users. (I'm pretty sure this is all I'll be doing with my own PCs.) But various third parties also offer their own tracking protection lists, and you can install any number of them in IE 9 to further burnish its security functionality if you'd like.

Finding and installing tracking protection lists

To find and install third party tracking protection lists, open Tracking Protection (Tools, Safety, Tracking Protection) and click the link titled "Get a Tracking Protection List online." This will open a new IE 9 window and navigate to the Tracking Protection Lists web site. At the time of this writing, there are four third party lists available:

Abine. This tracking protection list blocks many online advertising and marketing technologies that can track and profile you as you browse the web. This list is updated weekly to keep you safer and more private.

EasyPrivacy. This list is based on the popular EasyPrivacy subscription for Adblock Plus and is managed by the well-known EasyList project, which serves nearly ten million daily users and has a large support forum with dozens of experienced members able to assist resolving any issues that may arise.

PrivacyChoice. This company maintains a comprehensive database of tracking companies, including domains used by nearly 300 ad networks and platforms, tracking methods, summaries of key policies, oversight, and opt-out and opt-in processes. There are two lists. The first blocks companies that are not subject to oversight by the Network Advertising Initiative (NAI) and the second list blocks all tracking company domains in the PrivacyChoice database.

TRUSTe. This list enables relevant and targeted ads from companies that demonstrate respectful consumer privacy practices and comply with TRUSTe's high standards and direct oversight.

To download and install a tracking protection list, click the "Add TPL" link next to the company in question. In the Tracking Protection window that appears, click Add List. The window will disappear and the list will be added to the browser and enabled.

Configuring the behavior of a tracking protection list

Third party tracking protection lists are automatically updated on a regular basis and do not need to be configured in any way. In fact, they can't be. But the automatic tracking list (Your Personal List) can be configured in important ways. To do so, open the Tracking Protection interface, select Your Personal List, and then click Settings. The Personalized Tracking Protection List window will open.

There are three pertinent settings you may want to configure here:

Automatically block all listed content. By default, IE 9 will choose whether to block or allow each content item in the list based on their behavior. But you can click the "Automatically block" radio button to block all listed content automatically.

Individually block or all a selected content. To individually block or allow any individual content item in the list, select the content in question and then click Block or Allow, respectively.

Change how content is added to the list. By default, third party content that is used across ten or more of the sites you've visited is added to your personalized tracking protection list. You may find this number to be too aggressive, or not aggressive enough, however, so IE 9 lets you change the value to any number from 3 to 30.

Different people have different opinions about security and policy, but for my own installs of IE 9, I've enabled the personalized tracking protection list and set Tracking Protection to automatically block all listed content. And I do not recommend installing multiple lists: As I describe in "Examining a tracking list," below, multiple lists with conflicting rules will lead to unwanted content getting through to the browser.

Removing a tracking protection list

If you've installed a tracking protection list you'd like to uninstall, just bring up the Tracking Protection interface, select the list in question, and click Remove.

Examining a tracking protection list

Microsoft implements IE 9 tracking protection lists as simple text files, and not as XML as I'd expected. As such they are very easy to read. Here's an excerpt from one such list:

msFilterList
-d statcounter.com counter.js
-d addthis.com addthis_widget.js
-d analytics.live.com masanalytics.js
-d scorecardresearch.com beacon.js
-d diig.com diggthis.js
-d charbeat.com charbeat.js
-d alexametrics.com atrk.js
-d google-analytics.com siteopt.js
-d postrank.com engage.js
-d addthis.com js addthis_widget,js
-d adsyndication.msn.com getads.js
-d blogrollr.com embed.js
-d aolcdn.com omniunih.js
-d static.ak.connect.facebook.com  featureloader.js
-d feeds.feedburner.com
-d mybloglog.com jsserv.php
-d stats.wordpress.com .js
-d smrtinks.com .js
-d disqus.com avc.js
... 

In this list, you can see several examples of content blocking. The lines that start with "-d" each indicate some content that will be blocked. So "-d statcounter.com counter.js" indicates that the counter.js JavaScript script from the domain statcounter.com will be disabled, or filtered out. Content that is explicitly allowed would start with "+d". And lines that start with just "-" (such as - webtrends.js) mean that that content will be disabled regardless of the URL.

Tracking protection lists can have conflicts, where one item in a list will disable or allow content, while another (in the same or a different list) will do the opposite. In such cases, the browser will always allow the content in question. For this reason, it's not necessarily a good idea to install multiple lists into IE 9: You may simply allow the very types of content you're trying to block.

About the Author

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like