Exploring New Privacy Options at Microsoft
A conversation with Microsoft Senior Director of IE Ryan Gavin
In its proposal released in December, the FTC threw the challenge to the tech community to find a way to give consumers a Do Not Track option for their online browsing. Microsoft was already on it. The release candidate of Internet Explorer 9, expected soon, will have a new Tracking Protection feature built in, which gives users the option to build or subscribe to lists that control how they can or can’t be tracked online. Benchmark recently interviewed Microsoft’s Senior Director of Internet Explorer Ryan Gavin about how Tracking Protection works, how it fits in the overall online privacy framework, and what it means for website owners.
Benchmark: Tell us a little bit about your role at Microsoft.
Ryan Gavin: First, thank you for the opportunity to chat. As a senior director in the Windows organization I look after the business and marketing of Internet Explorer.
Benchmark: What was the impetus behind including additional privacy controls in the upcoming Internet Explorer 9 release?
Ryan Gavin: You're right to highlight that Tracking Protection is an added set of controls on top of what we provide for consumers already today. Protecting consumer privacy is not a new focus for Microsoft and certainly not for IE. We have been leading for some time with features like InPrivate Browsing and InPrivate Filtering built right into IE8, for instance. This long-standing commitment to consumer privacy is a direct result of our point view, or motivation if you will, for why we build Windows Internet Explorer. Someone paid us money for Windows, and since they are a paying customer, we take very seriously our responsibility to offer them increased control for how and if their personal information is shared and observed by others. So what you are seeing now with IE9 and Tracking Protection is really just the next important step in offering consumers more control over their privacy.
So the impetus has always been there for us, but perhaps the difference today is that consumer privacy appears to be reaching a tipping point with consumers, the industry, and regulators, which means the work we have done in IE9 is increasingly pertinent.
Benchmark: IE9 has something called a Tracking Protection List (TPL) feature. Does it sufficiently address the FTC’s recommendations without need for additional products? If not, what else is needed?
Ryan Gavin: FTC Chairman Jon Leibowitz has made a number of positive public comments about the work we have coming in IE9 around the new Tracking Protection feature. You can see some of those in the recent Wall Street Journal article that covered the announcement.
It is important to keep in mind that privacy involves additional complexities beyond technology and products – browsers and sites. Public policy is an important aspect in making progress, both in the US as well as in places like the EU.
The FTC report you reference looks at a range of questions spanning how a 'Do Not Track' mechanism could be designed. These include how easily discovered and applied the system should be, the impact to online publishers and advertisers, what level of control should be available to consumers, and the trade-offs of uniformity when evaluating an industry solution.
These are similar questions that we have been working on for some time. What you see with IE9 and Tracking Protection is a substantial step towards helping to provide a technology solution that gives consumers a simple way to control who tracks them as they browse the Web. Because of our unique position in the industry, we believe our approach balances both the needs of our paying Windows customers, who want that level of privacy control, while respecting and supporting our advertising customer, which is another important business and industry for Microsoft. The public policy discussion will certainly continue and we are active in that dialogue.
Benchmark: IE9 Tracking Protection is an opt-in, list-based system. Does this mean there is no universal tracking opt-out? In other words, users will have to build up their own tracking profile (Tracking Protection Lists) as they visit websites (or alternatively, decide to use list(s) created by someone else)?
Ryan Gavin: Universal tracking opt-out sounds nice enough, but when you scratch an inch deep, it has some real challenges today. First, who gets to define 'tracking?' Is that something individuals should decide, software manufacturers like Google or Microsoft, regulators? I don't know the answer to that, but I suspect opinions are pretty wide and varied. Any universal system requires both the user to signal their intent not to be tracked, as well as a universal industry and regulatory agreement regarding what to do with that signal.
So because privacy and tracking in this context are not universally defined today, and personal preference matters a great deal, you have to have a system that empowers the consumer to be protected without pre-determining what they want.
The approach we have taken with Tracking Protection allows users to click on a button on a website to select a Tracking Protection List that they would like to subscribe to. Lists can block or allow content that comes in from third-party sites. Anyone can build and market a tracking protection list, and consumers can decide which lists they want to subscribe to. Designing the feature and system in this fashion allows for an open process in which organizations or individuals can publish lists, and consumers can then make their own determination regarding how they want their privacy protected.
Benchmark: So as a practical example, if a user encounters AdNetworkZ, they can choose to block it for the site they are currently visiting, and if they wish, for all sites they visit?
Ryan Gavin: This is a good point to clarify that tracking and advertising are two separate things and we should be careful not to conflate them. Tracking Protection in IE9 has no way to determine what an 'ad' is, and it does not in any way specifically target advertisements.
Let me explain how it works. Today webpages are a mosaic of content. A lot of the content comes from the site, or domain, you navigated to in the browser. However, in many cases there is additional content coming from other sites across the Internet being served on that page. This can be as diverse as weather or stock information, advertisements, videos, and other content that may or may not be visible to you – such as a single pixel tracking beacon. When this content is loaded, standard information, including your IP address and the address of the webpage you're viewing, is sent to each of the third parties I just mentioned. Over time, these third parties can build a profile of your browsing history.
You can filter out content from any website by using Tracking Protection Lists and as result stop third parties from building this personal profile of what you are doing online. Tracking Protection Lists are like 'Do Not Call' lists for content that has an impact on your privacy. For trusted content, these lists also have the ability to flag content or sites as 'OK to Call.' When you add a Tracking Protection List, Internet Explorer 9 prevents your information from being sent by preventing data requests to websites in the list. Once you have subscribed to a list, IE9 will not share your information with the third parties on that list, and yes, that protection of your privacy will persist as you browse the Web.
Benchmark: Will users end up with dozens or scores of TPLs?
Ryan Gavin: That will be up to the consumer. The product design and features in IE9 certainly support that, but as I said earlier, every user has their own preferences when it comes to protecting their online privacy.
Benchmark: Because websites depend on third parties for so much non-advertising content, blocking third parties is problematic. How easy will it be for site owners to create and make available their own custom Tracking Protection List to help users get the full experience of the site while controlling how they are tracked?
Ryan Gavin: Creating the lists will be quite easy. In fact we are working with organizations and individuals right now to do that very thing. Sharing those lists will be as easy as putting a link on a website. Once an IE9 user clicks on that link or button, their Tracking Protection List will have been added to IE9. As I mentioned before, there is also the ability to designate certain third party content as ‘OK to Call.’ This provides advertisers and other publishers of high-value content that ability to ensure their content comes through and delivers that full experience.
Benchmark: Aside from creating custom TPLs and/or pulling content back into their own domains – which is not a practical solution for many websites – do you have other recommendations for site owners to ensure privacy and preserve ad revenue from third-party ad networks to support their business models?
Ryan Gavin: Let me start buy drawing a somewhat similar parallel from the world of email. When SPAM filters came online with large mail services like Yahoo mail or Hotmail there was a lot of anxiousness with advertisers that their direct emails wouldn't get through. What happened in fact is that, over time, by working with advertisers, a system developed that allows for quality, trusted emails to pass through to consumers while protecting them from all the true junk. The net result was a better experience for both the consumer and advertisers. Trusted, higher quality mails made it into inboxes, which consumers appreciated, and because those mails weren't competing with other clutter, they were more effective for the senders.
It's not a perfect analogy, but my point is that advertising has evolved and will continue to evolve. Because Microsoft is both a member of the advertising industry as well as having a Windows business, we are listening and working with both sides of the industry. We can work together to find that balanced system where everyone benefits. With Tracking Protection Lists, site owners can ensure they are offering their visitors a trusted experience by helping them to control who is tracking them, while at the same time ensuring that good value-added content, including advertising, is getting through. Participation in the building of lists or supporting and endorsing third-party lists as they come out are just a few of the ways site owners can take action towards that end.
Benchmark: IE is the dominant browser today, but not the only one. Is there a possibility of interoperability of TPLs between IE and other browsers? Or will each browser end up with its own solution, in which case users will have to manage multiple solutions or stick with one browser?
Ryan Gavin: I certainly hope we see other browsers follow our lead. That would be a great thing for consumers. We opened up the Tracking Protection List file format and will make the format available under a Creative Commons Attribution license and the Microsoft Open Specification Promise. It's a good question for the other browser vendors, though.
Benchmark: Will Tracking Protection apply to mobile as well? Or do you envision a different solution for mobile?
Ryan Gavin: In terms of the consumer expectation of online privacy protection, there really are no distinctions between browsing on a mobile device or a PC. So while I don’t have anything to announce, I think you can imagine symmetry between these two ways of browsing the Web and consuming Internet content over time.
Benchmark: From a revenue perspective, we are not talking about eliminating online advertising; no matter how extensive a user’s TPL(s), they will still be served ads — just not highly targeted ads based on their behavior. So sites will continue to earn ad revenue, just at a lower, non-targeted rate, correct?
Ryan Gavin: Not quite. It’s important to reiterate that tracking and ads are not the same thing. What we have done is given consumers the choice to block that third-party content that could be used to track their online browsing and build a profile of them over time. There is a lot of ‘expected tracking’ that happens on the Web. When I go to Amazon for instance, I love that they know who I am and what things I may be interested in. There is real value there. There is real value for many consumers with targeted advertising, but it is an individual’s choice. With IE9 and Tracking Protection, we provide consumers the ability to protect themselves from ‘unexpected’ tracking, if you will. This approach still allows for rich, highly targeted advertising if content is listed as ‘OK to Call,’ while also providing consumer protections for less desirable tracking should they choose.
Benchmark: And as an opt-in system, behavioral statistics would indicate that a majority of users will likely do nothing, and passively allow tracking and targeted advertising to continue. So what do you feel the real impact will be on site-owner revenue?
Ryan Gavin: Like anything, user preferences will play a large role in dictating usage. Choice is a good thing. And because of our desire to give our customers choice, we have built Tracking Protection in IE9. It really isn’t about impacting ad revenue, but helping consumers take back control of their privacy. Remember, Microsoft is a pretty big site owner ourselves.
Benchmark: What advice do you have for site owners to prepare for and minimize the impact of the new era of increased online privacy concerns?
Ryan Gavin: Get up to speed on how Tracking Protection will work in IE9. You can watch a demo video and read more on our IE blog.
Second, I encourage site owners to get ready for IE9 — which has already passed over 20 million downloads in beta. You can learn more at the IE9 beta download site, 'Beauty of the Web.'
And finally, lead. It's increasingly clear that consumers want increased transparency, choice and control when it comes to their online privacy. As a producer of the Web you can either react to that change or get in front of it. Publishing or endorsing a Tracking Protection List to your visitors is a great step in helping to show you are serious about their online privacy and aligned with their interests.
About Ryan Gavin
As senior director of Internet Explorer, Ryan Gavin drives Microsoft’s Internet Explorer business globally, specifically, working on the development and implementation of the product strategy behind Internet Explorer, using customer feedback to shape the technologies and services associated with the Web. Ryan joined Microsoft over ten years ago, working across a variety of leadership roles, most recently as the senior director of Windows Live product management. Previously, Ryan was responsible for driving the company’s strategic direction for the Server and Tools division as a platform strategist. Ryan has his roots in the developer tools business, helping to drive the early releases of Visual Studio to professional developers world-wide. He holds a BA in Business Administration and Management from Seattle Pacific University. Ryan and his wife Christine are the proud parents of a young daughter and son who seem to occupy most days, nights and weekends.