EasyPrivacy not blocking in IE

[Nitrox]

So I decided to test out how effective is IE’s tracking protection list.
To test that, I fired Fiddler and enabled it. Now fiddler will act as the middleman between IE and internet and it will show all the requests that IE makes and receives.
I subscribed to EasyPrivacy TPL list and nothing else.

I visited downloadsquad.com to test. I noticed the following trackers were loaded

Code: Select all

http://b.scorecardresearch.com/b?rn=29051529&C1=2&C2=1000009&C4=http%3A%2F%2Fdownloadsquad.switched.com%2F&C5=us.dnlsq&C7=http%3A%2F%2Fdownloadsquad.switched.com%2F&C8=Download%20Squad%20-%20The%20Latest%20App%20News%20and%20Reviews

http://b.scorecardresearch.com/b2?rn=29051529&C1=2&C2=1000009&C4=http%3A%2F%2Fdownloadsquad.switched.com%2F&C5=us.dnlsq&C7=http%3A%2F%2Fdownloadsquad.switched.com%2F&C8=Download%20Squad%20-%20The%20Latest%20App%20News%20and%20Reviews

http://downloadsquad.switched.com/traffic/status.gif?ver=1297939048

http://downloadsquad.switched.com/traffic/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2F&cb=529427685

http://o.aolcdn.com/omniunih.js

But they should be blocked as per following filters in the list

Code: Select all

-d scorecardresearch.com

- /traffic/?

- /traffic/status.gif?

-d aolcdn.com /omniunih.js

A screenshot - http://i.min.us/ilIfJe.png

Does any one else notice this issue or is it just me?

Some information:
EasyPrivacy TPL List (Last Modified: 16 Feb 2011 21:40 UTC) Pastebin cache - http://pastebin.com/raw.php?i=BQ76yzEZ If the list is updated by the time you see this post.
IE 9 RC x86 Build
Win 7 Pro x86

[Michael]

I was not aware of this issue as I am not a Windows user, and am not certain of the correct location to report bugs or request assistance from Microsoft. Out of interest, what does the output look like with Adblock Plus and Firefox active?

[Nitrox]

Firefox + Fiddler - http://i.min.us/ilKMmM.png

All the ads and trackers are blocked by Adblock plus as per the subs.

[Michael]

This is odd. I'll send an e-mail to our Microsoft contact tomorrow to see if he can have a look into the issue.

[Michael]

I've e-mailed our contact a link to this topic and requested that he look into the report.

[andyzei [msft]]

Hey nitrox, michael,

Thank you for reporting this. There's quite a bit going on here (3 domains, 5 urls) and I think there are a few issues here. Let's look at each.

These urls should not be blocked --

Code: Select all

http://downloadsquad.switched.com/traffic/status.gif?ver=1297939048

http://downloadsquad.switched.com/traffic/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2F&cb=529427685

downloadsquad.com does a 301 redirect to downloadsquad.switched.com. Because these downloads are 1st-party to the page that they are downloaded from, we won't apply TPL rules to them.

These URLs should be blocked:

Code: Select all

http://b.scorecardresearch.com/b?rn=29051529&C1=2&C2=1000009&C4=http%3A%2F%2Fdownloadsquad.switched.com%2F&C5=us.dnlsq&C7=http%3A%2F%2Fdownloadsquad.switched.com%2F&C8=Download%20Squad%20-%20The%20Latest%20App%20News%20and%20Reviews

http://b.scorecardresearch.com/b2?rn=29051529&C1=2&C2=1000009&C4=http%3A%2F%2Fdownloadsquad.switched.com%2F&C5=us.dnlsq&C7=http%3A%2F%2Fdownloadsquad.switched.com%2F&C8=Download%20Squad%20-%20The%20Latest%20App%20News%20and%20Reviews

This is an bug in IE if they aren't being blocked. I believe this issue is fixed in the latest RTM builds (it's blocked for me). We had a problem maintaining the right 1st-party context across top-level redirections.

Fiddler is cool -- there are a couple of other tools to help debug here in our developer tools (hit F12). There's network capture like fiddler, and there are also console messages (hit F12, reload the page, look at the console tab) for each download in the page that gets blocked. Here's mine for scorecardresearch:

Code: Select all

SEC7114: A download in this page was blocked by Tracking Protection.

http://b.scorecardresearch.com/b?rn=71921151&C1=2&C2=1000009&C4=http%3A%2F%2Fdownloadsquad.switched.com%2F&C5=us.dnlsq&C7=http%3A%2F%2Fdownloadsquad.switched.com%2F&C8=Download%20Squad%20-%20The%20Latest%20App%20News%20and%20Reviews 

Can you try navigating directly to http://downloadsquad.switched.com and see if these get blocked?

Finally there's:

Code: Select all

http://o.aolcdn.com/omniunih.js

You're right that there's a block rule for this, but interestingly, there is also an allow rule (my EasyPrivacy list is dated 21 Feb):

Code: Select all

+d o.aolcdn.com /omniunih.js

Our allow rules effectively override our block rules, so that's why this is getting allowed. Remove the allow rule and this should work.

Many thanks,

Andy Zeigler, Microsoft

[Michael]

The reason that there is both a rule to block and allow http://o.aolcdn.com/omniunih.js is because we currently have two filters for the item in the Adblock Plus version of EasyPrivacy:

Code: Select all

||aolcdn.com/omniunih.js

@@||o.aolcdn.com/omniunih.js$domain=mapquest.com|www.aol.com

The inability to block items based on the current domain in Internet Explorer means that the conversion script is forced to simply remove options from whitelists on the basis that I would generally prefer the Tracking Protection List to protect trackers rather than break websites. In this instance I would be in favour of retaining the allow rule because of the popularity of the websites on which the whitelist is required, although the ideal solution would be for Internet Explorer to support the restriction of rules to certain domains.

Out of interest, why are TPL rules not applied to first-party items? We have recorded many occasions on which websites host their own tracking systems (https://hg.adblockplus.org/easylist/fil ... ecific.txt and https://hg.adblockplus.org/easylist/fil ... tional.txt).

[andyzei [msft]]

Hey Michael,

I agree that a first-party exception rule would be useful in this case. I agree that erring on the side of compatibility is probably a good call at this point. A couple of other options might be to send a mail to the site owner and let them know. In IE, users also have the option of disabling Tracking Protection on a website, which is similar to a first-party exception rule. Another option might be to have two lists -- one that favors compatibility and another that favors privacy.

On the first-party / third-party issue, our position on this is that to a user, there a really two types of tracking -- expected and unexpected. When you go to netflix, you expect that they remember your queue and preferences (expected), but if some other website is getting this data it's unexpected. Right now expected/unexpected correlates very well with first- and third-party domains. I think that could change in the future -- for example, we might see an increase in DNS tricks that might prompt us to change our position here and offer additional protection. Hope that makes sense.

Thanks again,

Andy

[Michael]

Sending e-mails to site owners about tracking issues would certainly be a possibility, but I will need to write some documentation explaining the problem and why it should be avoided. I also don't know how motivated owners would be to alter their websites given that the problem has already been "resolved" by the subscription.

In terms of "expected" and "unexpected" tracking, every filter in the subscription blocks the unexpected variety; we do not prevent the "tracking" of preferences. Working from the files referenced, for example, ||allafrica.com^*/s_trans.gif? and ||allafrica.com^*/s_trans_nc.gif? block the collection of monitor resolution, colour depth, browser name and browser version on http://allafrica.com/ while /b/ss/*?aqb=1&ndh= blocks a first party tracker on http://www.autotrader.co.za/ that collects browser name, version, extensions and operating system details. These details are not the type that a user would expect to be collected in such an unnecessary manner and these sites are not alone in hosting such invasive tracking.

[IceDogg]

Michael, websites can see what extensions I have installed? really? I never knew that and frankly that ticks me off.

[Michael]

Sorry, I was a little ambiguous. I should have referred to plugins rather than extensions.

[IceDogg]

Ok, sorry I wasn't calling you out or anything I was just surprised is all.