Wednesday, December 08, 2010

Internet Explorer 9 ad blocking via "Tracing Protection" -- no means yes.

A year ago I began strongly encouraging Microsoft and Mozilla to include ad blocking technology in their respective Web browsers. And not just point to an extension like the awesomeness that is AdBlock Plus, but include it or something exactly like it, as core browser feature. For security, privacy, and competitive advantage reasons I believed this to be a really good idea. Still do, in fact.

In a blog post I argued ad blocking technology would be a huge win for Microsoft (and users), in particular by retroactively integrating the feature in all versions of Internet Explorer (6, 7, and 8). Doing so would attract vast quantities of new users. After all, ad blocking is the most popular extension type in ALL the browsers, but it also gives them an attractive differentiator that Google’s business model would never tolerate matching.

Despite my best efforts, my arguments fell flat. During Blue Hat, Robert “RSnake” Hansen and I had very productive discussions with the IE & Mozilla security teams about their browser security plans for the future. Still the idea of making ad blocking readily available for the end-user was met with much resistance. The fear was such a feature would conflict with Microsoft’s own ad serving business, or advertising partners, and may also lead to potential anti-trust issues. Oh well, we thought. Nothing ventured nothing gained. As any infosec pro, we can attest, we’re used to getting told “no” by the business. :)

Then something really interesting took place last week. The U.S. Federal Trade Commission (FTC) issued a report on protecting consumer privacy online which recommended that Congress create new online Do-Not-Track legislation and it be accompanied by a privacy policy feature-set baked into Web browsers. To over simplify, browsers supporting Do-Not-Track would allow Web surfers to indicate, presumably through HTTP headers, that they opt-out from being tracked. Unfortunately user data would still get sent to the tracking company by nature of the way browsers work (third-party cookies, etc), but tracking companies receiving the do-not-track header would be legally compelled to respect the users choice.

Then the impossible happened! Only days after the report was released Dean Hachamovitch, Corporate Vice President of Internet Explorer, published a lengthy and technically detailed blog post (even had a video) describing their plans to include an implementation of Do-Not-Track in the yet to be released Internet Explorer 9. Dean explains...

“We want to develop (as the recent FTC report put it) ‘more effective technologies for consumer control’ and make progress on the report’s recommendation of ‘a browser-based mechanism through which consumers could make persistent choices’ regarding tracking.”

The two primary components involved:
  1. IE9 will offer consumers a new opt-in mechanism (“Tracking Protection”) to identify and block many forms of undesired tracking.
  2. “Tracking Protection Lists” will enable consumers to control what third-party site content can track them when they’re online.
Ladies and gentlemen, this is all the framework that is necessary for ad blocking to function in IE9! User configurations will also be persistent across sessions, even when the browser is restarted, which is opposite to how InPrivate mode behaves. This is huge! Sure, just like in AdBlock Plus, IE9 users will still need to procure a regularly updated TPS list in order to block all the known advertisers, but that problem is already long solved.

No way Microsoft slammed out the code from scratch in a few short days because the FTC made some recommendation. The IE team clearly saw ad blocking as a good idea despite what they told us before and had ad blocking, errr I mean Tracking Protection, ready to go. Only they might not have had the juice to include it because of the aforementioned road blocks.

My speculation is, and I could be WAY off base here, that Microsoft knew generally what was in the FTC’s report prior to release and was waiting for publication before announcing Tracking Protection in IE9. That way IE team could be seen as simply supporting the FTC’s out-out recommendations to protect user privacy, and who could argue with that, while at the same time taking the opportunity to implement ad blocking functionality under the same banner. That way they could get around competing business interests and the watchful eye of anti-trust regulators. They could say they are “protecting the user” and “abiding by the FTC,” which they are in both counts. If I’m right, extremely brilliant move.

I think we’re witnessing the beginning of a whole new chapter in the ongoing browser war. Now we must ask, when and if Mozilla is going to add the functionality of their #1 extension natively into their browser? How can they now not do so? Can Firefox’s market-share position afford Internet Explorer to be more advanced in privacy protection features? We’ll have to wait and see what they say or do. I’m hopeful they’ll come around as Microsoft did. Even more interesting will be how Google reacts. AdBlock is their most popular add-on as well. The bottom line is these are very good signs for everyone on the Web.

No comments: