Home page logo
/

interesting-people logo Interesting People mailing list archives

Privacy Concerns in Microsoft's New IE8 Web Browser
From: David Farber <dave () farber net>
Date: Wed, 3 Sep 2008 11:52:35 -0400



Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: September 3, 2008 11:48:45 AM EDT
To: dave () farber net
Cc: lauren () vortex com
Subject: Privacy Concerns in Microsoft's New IE8 Web Browser


           Privacy Concerns in Microsoft's New IE8 Web Browser

              http://lauren.vortex.com/archive/000421.html


Greetings.  Yesterday I posted some thoughts on the privacy policy
associated with Google's new "Chrome" Web browser, and gave the
open-source product -- which has a great deal of potential -- an
overall thumbs-up based on current information
( http://lauren.vortex.com/archive/000420.html ).

I'm afraid that I'm much more concerned about the privacy policy for
Microsoft's new "Internet Explorer 8" browser (which of course is
not open source).  While overall functionality and touted privacy
improvements appear to be similar in many ways to Chrome, some of
the specific privacy-related decisions in IE8 are very different
from Chrome -- and not necessarily in a good way.  One in particular
is significantly alarming
( http://www.microsoft.com/windows/internet-explorer/beta/ privacy.aspx ).

Some aspects of these issues related to IE8 are not entirely clear
only from a reading of the policy -- for example, it appears that
IE8's anti-phishing mechanism sends complete URLs, not hashes, to MS
and can leak personal URL data, but I'd like to verify this fully --
so I will withhold detailed comment on several concerns for now
until I can obtain more information from Microsoft.

But I do want to draw your attention to IE8's "Suggested Sites"
feature.  While the IE privacy policy suggests that this feature is
turned off by default (unlike Chrome's "Google Suggest" feature
which is on by default), Suggested Sites appears to carry much
higher abuse potential.  While Google Suggest only operates on URLs
entered manually at the URL location bar, MS' Suggested Sites
reportedly transmits your entire Web browsing history to Microsoft,
including in some cases search terms and potentially personal
information included in URLs!

The IE8 privacy policy notes:

   "When Suggested Sites is turned on, the addresses of websites you
    visit are sent to Microsoft, together with some standard
    information from your computer such as IP address, browser type,
    regional and language settings. To help protect your privacy,
    the information is encrypted when sent to Microsoft. Information
    associated with the web address, such as search terms or data
    you entered in forms might be included. For example, if you
    visited the Microsoft.com search website at
    http://search.microsoft.com and entered "Seattle" as the search
    term, the full address
    http://search.microsoft.com/results.aspx?q=Seattle&qsc0=0&FORM=QBMH1&mkt=en-US
    will be sent. Address strings might unintentionally contain
    personal information, but this information is not used to
    identify, contact or target advertising to you."

Note that the mention of encryption only appears to apply to the
actual transit of the data -- Microsoft will apparently end up with
a complete copy of your browsing history and associated URL data
fields from throughout the Internet, creating a significant
potential privacy risk of abuse by outside parties demanding access
to this information from Microsoft.

There are certainly other tools that also can be configured to send
users' Web browsing history on an ongoing basis to their developers
(either as part of basic or extended functionalities), including
from Google.  However, it is notable that in the design decisions
associated with a fundamental "must have" tool like a Web browser,
the privacy abuse potential associated with IE8 appears to be much
higher than that for Chrome -- simply because the Suggestion feature
in IE8 appears to transmit the *entire* Web browsing history and
associated full URL data including any personal information, vs.
Chrome's transmission only of directly entered URLs (which by the
way are unlikely to contain personal data fields).

While it's true that Chrome's suggestion feature is on by default
and IE8's reportedly is off by default, on balance the potential for
privacy abuse in the IE8 implementation is of vastly greater
concern.  At a minimum, I would urge users of IE8 to keep Suggested
Sites turned off at all times.

I'll have more to say about IE8 and Chrome as information and my
experiences with the products expand.

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
  - People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad
  - Network Neutrality Squad - http://www.nnsquad.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com





-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com


  By Date           By Thread  

Current thread:
  • Privacy Concerns in Microsoft's New IE8 Web Browser David Farber (Sep 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]