Microsoft becomes cookie defender, privacy hero

Analysis Microsoft got quite a bit of mileage out of its announcement earlier this week that it would be building cookie management features into Internet Explorer. Aside from commendations from Jason Catlett and Richard Smith, who're more usually throwing brickbats at the company, Microsoft got a handy sound-bite from Bill Lockyer, chair of the National Association of Attorneys General (NAAG) Internet and Privacy Committee: "I applaud Microsoft's responsiveness and leadership in dealing with this important issue."

Microsoft COO Bob Herbold thumped the tub too. "As we move into the .NET environment, Microsoft is taking significant steps to put the power of personal information back into the hands of the consumer by addressing privacy and security concerns at the foundation of the software industry. The steps we've taken to build robust privacy-enhancing features directly into the Windows Internet technologies will enhance the customer experience by allowing consumers to define and control their information while taking advantage of the next generation of Web services."

Goodbye Beast, hello Mother Teresa

What a difference a day makes, indeed. Wasn't it just Wednesday that Microsoft was the slipshod, careless perpetrator of practically every security hole and privacy infringement enabler in the Galaxy? Haven't Messrs Catlett and Smith spent years compiling long lists of offences perpetrated by the Great Satan of the Security Hole? Indeed they have (links below), but nevertheless from the way Microsoft tells it, the company is now leading the privacy charge, and is the consumer's friend.

But rewind - on closer examination this is a very large publicity edifice constructed on a very small foundation. When we first reported the Microsoft announcement yesterday we got a number of emails from puzzled readers pointing out that IE already has cookie management facilities, and that IE5 for the Mac even has a cookie management dialogue screen. Well, indeedy-doody. It has been possible to make most versions of most browsers deal with cookies selectively, or even refuse them altogether, for some considerable time - so what's so different about this one?

The new system is a "technology beta" which Microsoft is initially giving to 2,000 testers, but the company intends to go into public beta in about four weeks, so at some point soon we'll have a clearer idea of what's actually in it. According to the Microsoft announcement, however, it goes approximately as follows.

New "functionalities" will be built on IE's existing cookie management features. These will include "consumer notification for cookies", "cookie control", and help. The consumer notification bit will enable what Microsoft calls a "balanced discussion" of cookies which allows users to differentiate between first and third party cookies. As far as Microsoft is concerned this is new, as IE hasn't so far allowed differentiation between first and third party cookies. Opera 4 does, and also allows you to pick and choose as far as individual servers are concerned. Also new for Microsoft in this area is that the default setting will be for the user to be notified when a third party persistent cookie is being served to the user's machine.

You can do this with IE 4 and 5, albeit not differentiating between cookie sources, but the default at medium security settings for 5 is to accept, not to prompt. Judge for yourself whether or not a change in security defaults is a major privacy initiative.

"Cookie control" is an axe. "A 'delete all cookies' button has been added on the primary Internet Options page." This again seems less sophisticated than Opera, which allows you to automatically delete all cookies on exit, and is a lot more trivial than the whole deal sounds when you listen to Bob Herbold.

The extra help is also decidedly in the non-rocket science sector of software development. New help topics specifically addressing cookies and cookie management are being added. Microsoft has belatedly noted that previous IE help on cookies has been somewhat perfunctory, and even looked, er, as if it had been designed from the premise that we don't want the users to trouble their little heads about cookies.

So in summary, the technical aspects of this "technical beta" are next to zero, and the real development is that Microsoft has noted growing concern about cookies and privacy, and has therefore puffed up marginal improvements (of a similar order to those made without fanfare between IE 4 and 5, actually) into an attractive PR pitch that makes the company look concerned and proactive.

So why applaud?
The apparent Catlett/Smith enthusiasm for the move does in some senses therefore seem difficult to explain or justify. The heading on the release from Catlett's Junkbusters in particular is just plain wrong: "Privacy and security experts applaud Microsoft's new Web bug detector" - as we've seen, it's not new, just an alteration in stance and a little extra ease of management stuff layered on top of existing systems.

But that said, although Microsoft's move was small, it's a victory for privacy advocates like Catlett. These campaigners have been working hard to get the public and legislators worked up about privacy infringements, and just inducing Microsoft to talk big counts as success for them. Having Microsoft start sounding off on the dangers of cookies and loudly telling users it's giving them the tools to control them moves cookies even more to centre stage.

Catlett's release stresses that Microsoft's move is "only a start," and he's right - the more users know about cookies, the more they'll want to control them, and the more tools Microsoft will have to produce to allow them to do it. There's a flip side to this, of course. Cookies aren't all bad, and even Junkbusters publishes a links page covering the issue of whether cookies are good or evil. Tragically, both of its links to pages at microsoft.com explaining why cookies are your friend are now broken. Could you fix them for us, please Bill?

The trouble is, one of the consequences to be expected of privacy campaigns on cookies is that the public and legislators will be whipped up into an unreasoned and uninformed frenzy on cookies. This could easily result in the cookie's extinction, taking with it all of the legitimate and helpful uses cookies have. And then, presumably, we'd have reinvent them. ®

Related Stories

Microsoft adds cookie detector to IE, grooms Privacy R US stance
The Register privacy policy

Related Links

Junkbusters on cookies, and what to do about them
'Microsoft's inglorious record on privacy', as documented by Junkbusters
Richard Smith on IE and Navigator cookie leak security hole
Junkbusters' more about cookies links