Microsoft: IE9's web privacy hole? A feature, not a bug

A hole has been spotted in Internet Explorer 9's do-not-track technology, and Microsoft says it's a feature not a bug. In response to a US government call for greater protection of consumers' privacy online, Microsoft added a Tracking Protection Lists (TPLs) feature to IE9. Netizens can use one or more lists to prevent certain …


This topic is closed for new posts.
  1. Anonymous Coward

    Only MS

    Only MS could combine two simple lists of and get it wrong! They are, and let's not beat about the bush here, completely shite.

    1. Adze

      Why is it that...

      ...with NTFS permissions the most restrictive inherited permission applies - but it seems with TPLs the most permissive seems to apply?

      Corporate branding and symmetry anyone? 10p a bag down our way...

      1. ElReg!comments!Pierre

        @Adze NTFS

        Yes, this is how blacklists should work, but not filesystems. I find this system incredibly annoying. The way it should work in NTFS is

        -apply group settings (with the more restrictive setting applying in case of conflict)

        -apply user settings (which should ALWAYS supersede group settings).

        Otherwise safely allowing one user to access a particular directory, for example, is a pain in the ass.

      2. Anonymous Coward

        Not exactly true

        If you're a member of group A that has full permission to a folder and group B that has just read permission to the same folder, you end up with full permission. 'Allows' are cumulative.

        However, 'denies' are the trump card. If you're also a member of group C that 'denies' write permission to that folder, you've lost it yourself.

        That said, these lists could be treated as cumulative denies. Otherwise, what's the point of adding multiple lists if they end up unblocking each other because they don't have the same sites? If the same sites need to be on all lists, surely all lists will need to have the exact same content? Or am I missing something?

        1. Ragarath


          Why should a user setting override a group setting?

          If you think it should then you're setting up your groups wrong.

          If the user you're talking about needs access why are you putting the user in a group that denies access?

          This also raises the question why you're adding specific user permissions to objects rather than groups (we all do it at times I know but it is not the way it should be done). Try thinking of a group as a user that can change ownership without having to change the permissions rather than thinking that it is a looser set of permissions.

          1. ElReg!comments!Pierre


            >Why should a user setting override a group setting?

            Because that's the sensible thing to do. Fine-grained control should have precedence over large-scale. Deny access to everyone but to the known authorized persons. That's just common sense.

            >If the user you're talking about needs access why are you putting the user in a group that denies access?

            Because when you have hundreds of users, accessing tens of resources, but with specific rights, you just can't create a group for every one of them. You create a few tens of groups, maybe, for the general population, but sometimes you need exceptions. What do you do, remove the "exceptional" users from all their groups and create a special group for each of them? And do the same thing, the opposite way, each time one of your "special" users loses or gains credentials?

            >Try thinking of a group as a user that can change ownership without having to change the permissions

            Well that's exactly what an NTFS group is, a rigid multifaceted anonymous meta-user closed to finer-grain control, and that's why it sucks.

            >rather than thinking that it is a looser set of permissions.

            ??? tightness has nothing to do with it. It's just plain clumsy.

            >This also raises the question why you're adding specific user permissions to objects rather than groups [...].

            Maybe because when john-doe-067845 (previously in group "users") genuinely needs -temporary- access to /secret/ressource/files/john-doe-067845/, but nothing else, I'm not necessarily willing to open the directory to all and sundry?

      3. Anonymous Coward


        An axe for roughly hewing wood.

        Memories of English lessons, nothing useful to add to the conversation.

        As you were.

  2. Ilgaz

    This is a naive thing anyway

    Think about it, companies who even abuse flash cookies and web storage will really care about some header the browser sends. The sites which we had to "act" like IE users for years to function.

    As USA congress finally woke up thanks to real privacy watchdog organizations, advertisers had to come up with a scheme to prevent a serious law against the horrible amount of tracking they do. This is it.

    P3P was there for years, first and only implemented by MS. As nobody else cared/coded, it diminished. That is the real solution, something "machine to machine", clear and direct. Not your browser sending "don't spy".

  3. Ammaross Danan

    Whitelists and Blacklists

    The general rule of thumb for whitelists and blacklists is everything on blacklists gets blocked, but is pre-empted by whitelists to allow "acceptable content" through (think web filtering "net nanny" stuff). However, with tracking websites, the logic is somewhat reversed. You want to give priority to the blacklists over the whitelists. The logic should flow as "all sites are blocked, except the whitelisted sites. If a site is specifically mentioned in a blacklist, the site should be blocked, disregarding the whitelist." Granted, for someone who wants to remain on tracking websites' good side, they allow all sites to track. Then blacklists block sites, and whitelists override blacklists. However, tracking should be treated more like NTFS permissions. It doesn't matter how many "allowed" permissions you have, all it takes is one "deny" and you are denied. This is how whitelists and blacklists should be handled for privacy. It's just a logic fallacy for MS using the old-fashioned whitelist/blacklist mindset.

  4. Alexander Hanff 1


    The flaw was actually mentioned on my blog over a month ago, but I am pleased Which? have now confirmed the issue in their labs.

  5. Anonymous Coward

    ...sidestepped by web sites that are deliberately mis-representing their privacy policies

    I wouldn't say the situation is as clear cut. As a developer who has been stung by different cookie behavior in IE, I simply added a P3P header that I cut and pasted from somewhere else, and bingo, my cookies started to work properly again. I didn't need to sign anything, or even make any kind of agreement in order to use this P3P header, and I deliberately chose not to investigate further.

    I don't even really know what P3P means, and I'll wager that there's a lot more in my boat.

    1. Ilgaz

      You can get into trouble

      P3P's advantage is, it is machine readable XML, which is very direct. Not like some 6 page privacy policy written by some evil lawyer in law language exploiting laws.

      So, if you run a popular site, make sure you really understand what you claim with your P3P policy and that it is compatible with your site privacy policy.

      Otherwise... Lawyers are real evil beings.

  6. John Robson Silver badge

    Whitelists == OR

    Blacklists == AND

  7. John Robson Silver badge


    What's the point in allowing a second list?

  8. Jach

    Interesting idea of a whitelist

    Whitelist is now a copy of the blacklist and the whitelisted domains are the ones that are missing from the original blacklist.


  9. This post has been deleted by a moderator

  10. Anonymous Coward

    Just simplify the damn thing

    Do not track = enabled

    1. Anonymous Coward


      some websites you might want to track you

  11. Pascal Monett Silver badge

    I just love it

    So the IE9 "do not trace" function has a hole that depends on TPL creators to not be abused.

    Obviously, it's a "feature", because anything Microsoft does that the public does not like is never a bug and there's always important "public" (i.e. big-spending customer) support to justify it.

    I'm sure that, if a general outcry against said "feature" is raised, Ballmer will certainly trot out the line that the "customers" wanted it. And he will be right, of course, albeit not mentioning that the "customers" he considers are not the teeming millions of anonymous users, but the select few business partners with deep pockets that made the requirement list (and screw the rest of us).

  12. Anonymous Coward

    It all depends upon

    what Microsoft's objective with these lists was.

    If their objective was to protect the IE9 users' privacy the default would be:

    "If it's denied on any list then it's denied"

    If their objective was to minimise the impact on the advertisers then the default would be:

    "If it's allowed on any list then it's allowed"

    It looks like they opted for the 2nd one.

  13. JDX Gold badge


    I'd want it that way, to be honest. Don't use a list you don't trust.

  14. Anonymous Coward

    A more thorough explanation for anyone that uses TPLs

    First of all, the TPLs work on a set of rules. The rules specify whether to allow content or not based on a segment of the URL being accessed. Some of the TPLs only bother with checking domains, but it is also possible to block based on other text in the URL.

    The TPL lists define three categories of webpages. There are blacklisting rules, whitelisting rules and allowed pages. The TPLs specifically list the blacklisting and whitelisting rules, but anything that is not blacklisted ends up in the allowed pages set. The conflict occurs when one TPL puts an overly broad rule in its whitelist that conflicts with the blacklist of another TPL. However, this does not mean that it's useless to have more than one TPL installed. Obviously, using two sets of blacklists just increases the amount of stuff in the blacklist. Only two of the TPLs that MS offers use whitelisting in their rules at all.

    For anyone interested in seeing what's in each list, you can open the "Tracking Protection..." dialog box and click the "More information" link for any of the installed TPLs to see the set of rules that each one uses. Lines that begin with a "-" are blacklisting rules and lines that begin with a "+" are whitelisting rules. TRUSTe and EasyPrivacy both use whitelists, with TRUSTe whitelisting more domains than it blocks. EasyPrivacy whitelists individual pages that look "mostly harmless". For those interested in blocking ads as well as tracking, Fanboy is already offering a set of TPLs that cover ads and tracking ( Also an unofficial set containing EasyList and EasyPrivacy is available at (
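
The rule conflict described in the comment above, as an added example that is not part of the original thread and is not IE9's code. It assumes a simplified list syntax ("-" or "+" followed by a URL substring) and uses constructed sample lists; `allow-wins` models the merging behaviour the thread complains about, `deny-wins` the alternative several commenters propose, and `conflicts` is a hypothetical audit helper for checking lists before installing them together.

```python
from urllib.parse import urlsplit

# Constructed sample lists in a simplified form of what the comment describes:
# "-" lines are blacklisting rules, "+" lines are whitelisting rules, and each
# rule is matched as a substring of the URL (assumption for this sketch).
LIST_A = """\
-tracker.example
-ads.example/pixel
"""
LIST_B = """\
+example
-metrics.test
"""

def parse_tpl(text):
    """Return (block_rules, allow_rules) from one list's text."""
    block, allow = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-") and len(line) > 1:
            block.append(line[1:].strip().lower())
        elif line.startswith("+") and len(line) > 1:
            allow.append(line[1:].strip().lower())
    return block, allow

def decide(url, lists, policy):
    """policy 'allow-wins': a whitelist hit on any list lets the request through.
    policy 'deny-wins': a blacklist hit on any list blocks it."""
    parts = urlsplit(url.lower())
    target = parts.netloc + parts.path
    blocked = allowed = False
    for text in lists:
        block, allow = parse_tpl(text)
        blocked |= any(r in target for r in block)
        allowed |= any(r in target for r in allow)
    if policy == "allow-wins":
        return "block" if blocked and not allowed else "allow"
    if policy == "deny-wins":
        return "block" if blocked else "allow"
    raise ValueError(policy)

def conflicts(lists):
    """Audit helper: (allow_rule, block_rule) pairs from different lists where
    the whitelist rule is broad enough to cover the blacklist rule."""
    parsed = [parse_tpl(t) for t in lists]
    return [(a, b) for i, (_, allows) in enumerate(parsed)
            for j, (blocks, _) in enumerate(parsed) if i != j
            for a in allows for b in blocks if a in b]
```

With only `LIST_A` installed the tracker URL is blocked; adding `LIST_B` flips it to allowed under `allow-wins`, which is the effect `conflicts` flags ahead of time.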

  15. Gilgamesh

    I don't see the problem here

    Whitelist plus blacklist = greylist

  16. Tom 35

    "allow" list?

    Why is there an allow list? When I use a block list, I expect it to block stuff.

    If there are allow lists they should be separate not bundled into a block list.

    1. Ragarath

      There is sense in the madness

      Block list contains what you want to block. But you are saying in your block list "do not block" saying do not block in an allow list (where things are not blocked) seems strange.

      But I tend to agree 1 list for block and allow would be better. But then that is 2 lists for people to maintain. Remember we nerds (sorry techs) that read this site don't worry about this kind of thing. Normal users would be put off maintaining 2 lists. They want to download something and be done.

  17. thecakeis(not)alie

    Why can't this be simple?

    Which sites would you like to block from tracking you?


  18. Neal 5

    and the problem is?

    what you want more choice or less, you want a nanny police state or not, make your own mind up.

    I buy only an os from m$, not the policing rights on my entire life.

  19. Doug Glass

    Damn, ...

    ... use Firefox.

  20. Slasher
    Paris Hilton

    Why use IE?

    Why use any version of IE? Use Firefox, Opera, Konqueror, Seamonkey et al.

    Paris, 'cos even she has more sense...

  21. Anonymous Coward

    Once again...

    Microsoft "BOLTS-ON" another ACL (Access Control List), after the fact, as their "solution" to inherently bad "security/privacy" design/approach-problems. And, once again, Microsoft's approach is full of "holes". And, Microsoft simply denies that a real problem even exists.

    This type of DESTRUCTIVE REDUNDANCY is not "a feature".

    Get a clue.

  22. Tom 13

    MS should let the users decide how it works.

    Default should set to most restrictive, with an opt in for least restrictive. Taking either of the other sides is going to leave someone upset about how the lists work.
