Here’s how Microsoft’s new Tracking Prevention feature works

On January 15, 2020, Microsoft is scheduled to roll out a completely revamped Edge browser to the general public. That browser, which is available for beta testing now on all supported versions of Windows and macOS, includes a feature called Tracking Prevention.

If that name sounds familiar, you're not imagining things. Microsoft added a Tracking Protection feature to Internet Explorer 9, back in 2011; it used simple text files called Tracking Protection Lists (TPLs) to allow or block third-party requests from specific domains.

That's the same general principle behind Tracking Prevention in the new Edge, but the implementation is more usable and more sophisticated, with multiple Trust Protection Lists taking the place of a single TPL. I've spent the past week looking closely at this feature. In this post I explain how it works and how it affects your browsing experience. And although it's aimed at the online advertising and tracking industries in general, my tests suggest that its effects are likely to be felt most directly by one company: Google.

Microsoft has yet to publish formal documentation for this feature. As a result, the implementation has a "black box" feel to it. There's also no obvious way to customize its actions or to replace the built-in lists with third-party alternatives.

If you're running the new Edge, you'll find Tracking Prevention on the Edge Settings page, under the Privacy And Services heading. The simple user interface includes an on-off switch for the feature (1), three boxes that define the extent of tracker blocking (2), and a place to manage exceptions (3).

By default, Tracking Prevention is turned on, with the Balanced setting selected. According to Microsoft, that setting "blocks potentially harmful trackers and trackers from sites you haven't visited," without breaking functionality in the websites you visit. Bumping that setting up to Strict blocks "the majority of trackers across all sites ... but could cause some websites to not behave as expected."

On my Windows 10 test PC, the Trust Protection Lists are located in the current user's profile, at %LocalAppData%\Microsoft\Edge Beta\User Data\Trust Protection Lists\, in a subfolder that identifies the version number of the current lists. (Obviously, this location will change when the new Edge is officially released.) There, I found an assortment of files that identify known trackers, with each list containing a separate category of domains: Advertising, Analytics, Fingerprinting, Social, and so on.

To see the effect of these settings for myself, I built a virtual machine running Windows 10, installed the latest release of the new Edge from the Beta channel, and then loaded a selection of 66 pages from a wide variety of websites. My sample consisted primarily of mainstream news publishers and tech sites (including ZDNet and our sister site CNET) that rely on advertising support and use a wide variety of third-party analytics companies.

For my test, I loaded the full set of sample pages, manually visiting each one to ensure that all elements had loaded. Next, I checked the Blocked Trackers page, which lists each blocked domain along with a count of how many elements were blocked for that entry.

The Basic setting blocked only one tracker, from Stripe. If my sample set had been a bit less reputable, it might have blocked a few dangerous sites, such as unauthorized cryptominers or malicious ads.

Using the default Balanced setting, Tracking Prevention blocked a total of 2,318 trackers, or an average of 35 on each page. Of that total, 552 were from Google domains. That's a mind-boggling 23.8% of the total. To put that into perspective, the second entry on the list of blocked trackers was Facebook, which represented 3.8% of the total. (It's worth noting that these results shouldn't suggest any kind of conspiracy against Google. The fact that Google is at the top of any list of online trackers is a reflection of its business model and its ubiquity. Google Analytics and Google AdSense are embedded on a staggering number of web pages.)

So, what happens when you kick the Tracking Prevention level up to the highest level, Strict? Perhaps not what you expect. I was so startled by the results when I first tried this experiment that I ran all the tests a second time, with the same counterintuitive results.

You would think that a stricter set of criteria for blocking trackers would result in more items being blocked; instead, the exact opposite was true.

With the Strict settings in place, Edge blocked a total of 739 trackers, or about two-thirds fewer than in the Balanced setting. The percentages for well-known sources of tracking like Google, Facebook, and Adobe were roughly the same, but the list also included a significant number of analytics companies, such as comScore, Chartbeat, and Nielsen. (On my main Windows 10 PC, running the Edge Dev builds with Tracking Prevention set to Strict, Google is at the top of the list of Blocked Trackers, with 23% of the total, more than Adobe, Facebook, Twitter, and comScore combined. Interestingly, Microsoft is on that list as well, in the No. 11 spot, with about 1.7% of the blocked items.)

Why the difference? In the Balanced setting, Edge blocks storage access for a large number of tracker categories, which means those domains can load content but can't set or retrieve cookies. A smaller group of third-party domains are blocked from loading any resources.

In the Strict setting, by contrast, storage access and resource loads are blocked for a large set of categories, with elements such as tracking pixels, iframes, and scripts completely prevented from loading and fetching other resources.
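
The sketch below is an added example, not Microsoft's code. It models why Strict can report fewer blocked items than Balanced: a resource that never loads cannot go on to request anything else. The policy table, the Cryptomining category, the one-event-per-blocked-action counting rule, and the `.example` hosts are all assumptions constructed for illustration.

```javascript
// Added illustration: a toy model, not Edge's implementation.
// ASSUMPTION: this policy table is constructed from the article's description
// of each level; the real category-to-action mapping is not documented here.
const TRACKING = ["Advertising", "Analytics", "Social"];
const HARMFUL = ["Cryptomining", "Fingerprinting"];
const POLICY = {
  basic:    { storage: HARMFUL, load: HARMFUL },
  balanced: { storage: [...TRACKING, ...HARMFUL], load: HARMFUL },
  strict:   { storage: [...TRACKING, ...HARMFUL], load: [...TRACKING, ...HARMFUL] },
};

// Constructed sample page: each node is one request; children are the
// further requests that resource makes once it has loaded.
const tp = (host, category, children = []) =>
  ({ host, category, usesStorage: true, children });
const PAGE = {
  host: "news.example", category: null, usesStorage: true,
  children: [
    tp("ads.example", "Advertising", [
      tp("frame.ads.example", "Advertising"),
      tp("sync.ads.example", "Advertising"),
      tp("pixel.metrics.example", "Analytics"),
    ]),
    tp("metrics.example", "Analytics", [tp("beacon.metrics.example", "Analytics")]),
    tp("widgets.social.example", "Social"),
  ],
};

// Walk the request tree and count block events the way a per-item
// "blocked trackers" counter would (assumed: one event per blocked action).
function simulate(mode, request, tally = { blocked: 0, loaded: 0 }) {
  const rule = POLICY[mode];
  if (rule.load.includes(request.category)) {
    tally.blocked += 1; // never loads, so its children are never requested
    return tally;
  }
  tally.loaded += 1;
  if (request.usesStorage && rule.storage.includes(request.category)) {
    tally.blocked += 1; // content loads, cookie/storage access is denied
  }
  for (const child of request.children) simulate(mode, child, tally);
  return tally;
}

for (const mode of Object.keys(POLICY)) {
  console.log(mode, simulate(mode, PAGE));
}
```

In this model Balanced records more block events than Strict while letting every third-party resource load, which matches the direction of the test results above.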

In action, the difference is noticeable. The Balanced setting includes a fair number of ads and social widgets. With the Strict setting enabled, most third-party ads, including oversized banner ads that push content down in an annoying fashion, disappeared completely, and pages loaded significantly faster.

You can see which trackers were blocked for a specific page by clicking the padlock icon to the left of the address. That action displays a drop-down menu like the one shown here, with the ability to turn off tracker blocking for that page or to expand the list to see where the blocked trackers are coming from.

The effect of the Strict setting is remarkably similar to what you see with an ad-blocking extension. In my tests, I noticed that this setting was more likely to trigger a page to display its "turn off your ad blocker" message. It also has the potential to break some aspects of a page, such as the ability to display comments or login flows from third-party sites.

The user experience I've shown here is what the general public will see when Microsoft opens the Stable channel for the new Edge in January and begins the slow process of replacing the old Edge. Two questions remain for me: Will Microsoft provide more granular controls for end users who want to tweak these settings? For example, will you be able to whitelist a particular domain from a tracking list instead of having to turn off Tracking Prevention on an entire site? And will end users and third-party developers be able to extend and customize this feature?