Microsoft becomes cookie defender, privacy hero

But it's started something it probably can't stop...

  • alert
  • submit to reddit

The Power of One Brief: Top reasons to choose HP BladeSystem

Analysis Microsoft got quite a bit of mileage out of its announcement earlier this week that it would be building cookie management features into Internet Explorer. Aside from commendations from Jason Catlett and Richard Smith, who're more usually throwing brickbats at the company, Microsoft got a handy sound-bite from Bill Lockyer, chair of the National Association of Attorneys General (NAAG) Internet and Privacy Committee: "I applaud Microsoft's responsiveness and leadership in dealing with this important issue."

Microsoft COO Bob Herbold thumped the tub too. "As we move into the .NET environment, Microsoft is taking significant steps to put the power of personal information back into the hands of the consumer by addressing privacy and security concerns at the foundation of the software industry. The steps we've taken to build robust privacy-enhancing features directly into the Windows Internet technologies will enhance the customer experience by allowing consumers to define and control their information while taking advantage of the next generation of Web services."

Goodbye Beast, hello Mother Teresa

What a difference a day makes, indeed. Wasn't it just Wednesday that Microsoft was the slipshod, careless perpetrator of practically every security hole and privacy infringement enabler in the Galaxy? Haven't Messrs Catlett and Smith spent years compiling long lists of offences perpetrated by the Great Satan of the Security Hole? Indeed they have (links below), but nevertheless from the way Microsoft tells it, the company is now leading the privacy charge, and is the consumer's friend.

But rewind - on closer examination this is a very large publicity edifice constructed on a very small foundation. When we first reported the Microsoft announcement yesterday we got a number of emails from puzzled readers pointing out that IE already has cookie management facilities, and that IE5 for the Mac even has a cookie management dialogue screen. Well, indeedy-doody. It has been possible to make most versions of most browsers deal with cookies selectively, or even refuse them altogether, for some considerable time - so what's so different about this one?

The new system is a "technology beta" which Microsoft is initially giving to 2,000 testers, but the company intends to go into public beta in about four weeks, so at some point soon we'll have a clearer idea of what's actually in it. According to the Microsoft announcement, however, it goes approximately as follows.

New "functionalities" will be built on IE's existing cookie management features. These will include "consumer notification for cookies", "cookie control", and help. The consumer notification bit will enable what Microsoft calls a "balanced discussion" of cookies which allows users to differentiate between first and third party cookies. As far as Microsoft is concerned this is new, as IE hasn't so far allowed differentiation between first and third party cookies. Opera 4 does, and also allows you to pick and choose as far as individual servers are concerned. Also new for Microsoft in this area is that the default setting will be for the user to be notified when a third party persistent cookie is being served to the user's machine.

You can do this with IE 4 and 5, albeit not differentiating between cookie sources, but the default at medium security settings for 5 is to accept, not to prompt. Judge for yourself whether or not a change in security defaults is a major privacy initiative.

"Cookie control" is an axe. "A 'delete all cookies' button has been added on the primary Internet Options page." This again seems less sophisticated than Opera, which allows you to automatically delete all cookies on exit, and is a lot more trivial than the whole deal sounds when you listen to Bob Herbold.

The extra help is also decidedly in the non-rocket science sector of software development. New help topics specifically addressing cookies and cookie management are being added. Microsoft has belatedly noted that previous IE help on cookies has been somewhat perfunctory, and even looked, er, as if it had been designed from the premise that we don't want the users to trouble their little heads about cookies.

So in summary, the technical aspects of this "technical beta" are next to zero, and the real development is that Microsoft has noted growing concern about cookies and privacy, and has therefore puffed up marginal improvements (of a similar order to those made without fanfare between IE 4 and 5, actually) into an attractive PR pitch that makes the company look concerned and proactive.

So why applaud?
The apparent Catlett/Smith enthusiasm for the move does in some senses therefore seem difficult to explain or justify. The heading on the release from Catlett's Junkbusters in particular is just plain wrong: "Privacy and security experts applaud Microsoft's new Web bug detector" - as we've seen, it's not new, just an alteration in stance and a little extra ease of management stuff layered on top of existing systems.

But that said, although Microsoft's move was small, it's a victory for privacy advocates like Catlett. These campaigners have been working hard to get the public and legislators worked up about privacy infringements, and just inducing Microsoft to talk big counts as success for them. Having Microsoft start sounding off on the dangers of cookies and loudly telling users it's giving them the tools to control them moves cookies even more to centre stage.

Catlett's release stresses that Microsoft's move is "only a start," and he's right - the more users know about cookies, the more they'll want to control them, and the more tools Microsoft will have to produce to allow them to do it. There's a flip side to this, of course. Cookies aren't all bad, and even Junkbusters publishes a links page covering the issue of whether cookies are good or evil. Tragically, both of its links to pages at microsoft.com explaining why cookies are your friend are now broken. Could you fix them for us, please Bill?

The trouble is, one of the consequences to be expected of privacy campaigns on cookies is that the public and legislators will be whipped up into an unreasoned and uninformed frenzy on cookies. This could easily result in the cookie's extinction, taking with it all of the legitimate and helpful uses cookies have. And then, presumably, we'd have reinvent them. ®

Related Stories

Microsoft adds cookie detector to IE, grooms Privacy R US stance
The Register privacy policy

Related Links

Junkbusters on cookies, and what to do about them
'Microsoft's inglorious record on privacy', as documented by Junkbusters
Richard Smith on IE and Navigator cookie leak security hole
Junkbusters' more about cookies links

The Essential Guide to IT Transformation

More from The Register

next story
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Another day, another Firefox: Version 31 is upon us ALREADY
Web devs, Mozilla really wants you to like this one
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.