Microsoft becomes cookie defender, privacy hero

But it's started something it probably can't stop...

  • alert
  • submit to reddit

Website security in corporate America

Analysis Microsoft got quite a bit of mileage out of its announcement earlier this week that it would be building cookie management features into Internet Explorer. Aside from commendations from Jason Catlett and Richard Smith, who're more usually throwing brickbats at the company, Microsoft got a handy sound-bite from Bill Lockyer, chair of the National Association of Attorneys General (NAAG) Internet and Privacy Committee: "I applaud Microsoft's responsiveness and leadership in dealing with this important issue."

Microsoft COO Bob Herbold thumped the tub too. "As we move into the .NET environment, Microsoft is taking significant steps to put the power of personal information back into the hands of the consumer by addressing privacy and security concerns at the foundation of the software industry. The steps we've taken to build robust privacy-enhancing features directly into the Windows Internet technologies will enhance the customer experience by allowing consumers to define and control their information while taking advantage of the next generation of Web services."

Goodbye Beast, hello Mother Teresa

What a difference a day makes, indeed. Wasn't it just Wednesday that Microsoft was the slipshod, careless perpetrator of practically every security hole and privacy infringement enabler in the Galaxy? Haven't Messrs Catlett and Smith spent years compiling long lists of offences perpetrated by the Great Satan of the Security Hole? Indeed they have (links below), but nevertheless from the way Microsoft tells it, the company is now leading the privacy charge, and is the consumer's friend.

But rewind - on closer examination this is a very large publicity edifice constructed on a very small foundation. When we first reported the Microsoft announcement yesterday we got a number of emails from puzzled readers pointing out that IE already has cookie management facilities, and that IE5 for the Mac even has a cookie management dialogue screen. Well, indeedy-doody. It has been possible to make most versions of most browsers deal with cookies selectively, or even refuse them altogether, for some considerable time - so what's so different about this one?

The new system is a "technology beta" which Microsoft is initially giving to 2,000 testers, but the company intends to go into public beta in about four weeks, so at some point soon we'll have a clearer idea of what's actually in it. According to the Microsoft announcement, however, it goes approximately as follows.

New "functionalities" will be built on IE's existing cookie management features. These will include "consumer notification for cookies", "cookie control", and help. The consumer notification bit will enable what Microsoft calls a "balanced discussion" of cookies which allows users to differentiate between first and third party cookies. As far as Microsoft is concerned this is new, as IE hasn't so far allowed differentiation between first and third party cookies. Opera 4 does, and also allows you to pick and choose as far as individual servers are concerned. Also new for Microsoft in this area is that the default setting will be for the user to be notified when a third party persistent cookie is being served to the user's machine.

You can do this with IE 4 and 5, albeit not differentiating between cookie sources, but the default at medium security settings for 5 is to accept, not to prompt. Judge for yourself whether or not a change in security defaults is a major privacy initiative.

"Cookie control" is an axe. "A 'delete all cookies' button has been added on the primary Internet Options page." This again seems less sophisticated than Opera, which allows you to automatically delete all cookies on exit, and is a lot more trivial than the whole deal sounds when you listen to Bob Herbold.

The extra help is also decidedly in the non-rocket science sector of software development. New help topics specifically addressing cookies and cookie management are being added. Microsoft has belatedly noted that previous IE help on cookies has been somewhat perfunctory, and even looked, er, as if it had been designed from the premise that we don't want the users to trouble their little heads about cookies.

So in summary, the technical aspects of this "technical beta" are next to zero, and the real development is that Microsoft has noted growing concern about cookies and privacy, and has therefore puffed up marginal improvements (of a similar order to those made without fanfare between IE 4 and 5, actually) into an attractive PR pitch that makes the company look concerned and proactive.

So why applaud?
The apparent Catlett/Smith enthusiasm for the move does in some senses therefore seem difficult to explain or justify. The heading on the release from Catlett's Junkbusters in particular is just plain wrong: "Privacy and security experts applaud Microsoft's new Web bug detector" - as we've seen, it's not new, just an alteration in stance and a little extra ease of management stuff layered on top of existing systems.

But that said, although Microsoft's move was small, it's a victory for privacy advocates like Catlett. These campaigners have been working hard to get the public and legislators worked up about privacy infringements, and just inducing Microsoft to talk big counts as success for them. Having Microsoft start sounding off on the dangers of cookies and loudly telling users it's giving them the tools to control them moves cookies even more to centre stage.

Catlett's release stresses that Microsoft's move is "only a start," and he's right - the more users know about cookies, the more they'll want to control them, and the more tools Microsoft will have to produce to allow them to do it. There's a flip side to this, of course. Cookies aren't all bad, and even Junkbusters publishes a links page covering the issue of whether cookies are good or evil. Tragically, both of its links to pages at microsoft.com explaining why cookies are your friend are now broken. Could you fix them for us, please Bill?

The trouble is, one of the consequences to be expected of privacy campaigns on cookies is that the public and legislators will be whipped up into an unreasoned and uninformed frenzy on cookies. This could easily result in the cookie's extinction, taking with it all of the legitimate and helpful uses cookies have. And then, presumably, we'd have reinvent them. ®

Related Stories

Microsoft adds cookie detector to IE, grooms Privacy R US stance
The Register privacy policy

Related Links

Junkbusters on cookies, and what to do about them
'Microsoft's inglorious record on privacy', as documented by Junkbusters
Richard Smith on IE and Navigator cookie leak security hole
Junkbusters' more about cookies links

Choosing a cloud hosting partner with confidence

More from The Register

next story
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
Not appy with your Chromebook? Well now it can run Android apps
Google offers beta of tricky OS-inside-OS tech
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.