Feeds

IE8 Suggested Sites suggested to be snoopy

Privacy activists cry Phorm on Redmond

Providing a secure and efficient Helpdesk

Privacy activists are crying foul over the "Suggested Sites" feature in IE8, but Microsoft insists concerns about the feature, such that it might be used to serve up targeted advertising or that it poses a security risk, are misplaced.

The optional component in the next version of Microsoft's browser software "discover websites you might like based on sites you've visited". Collecting a user's browser history and using it to create profiles that steer users towards one website or another may seem like a useful pointer to Microsoft's developers, but the feature is giving some privacy-conscious surfers the fear.

Once the Suggested Sites feature is turned on, the addresses of websites visited are sent to Microsoft, together with data such as IP address, browser type, regional and language settings. This data is encrypted. However, Microsoft cautions (in a draft for its IE8 privacy policy here) that "information associated with the web address, such as search terms or data you entered in forms might be included".

Even if you trust Microsoft to copy taste your browsing history, there is the risk that the feature creates a potential new mechanism for hackers to extract sensitive data, via possible future browser security exploits or social engineering tricks. For website owners the use of the technology creates the possibility that surfers will be lured away to similar (ie potentially rival) websites.

Discussions on the feature on No Deep Packet Inspection (NDPI), a forum normally dedicated to looking into behavioural advertising targeting firms such as Phorm, express concerns that the privacy policy for the feature fails to provide assurance that https (secure) web surfing sessions will be disregarded.

Even just the content of URLs, where search parameters or entered data is included, gives away a lot of data surfers might not like to share, other critics in the forum point out. The downsides of the feature - which is only activated with the clear consent of a user - far outweigh its supposed benefits, according to privacy sensitive critics.

"Only switch it on if you are utterly barking mad," one NDPI reader warned.

In response to to these criticisms, Microsoft provided El Reg with assurances that the technology will not be used to serve up targeted advertising.

Part of the agreement Microsoft has with Internet Explorer 8 users is that the data we collect will not be used to target advertising to the user, nor will the Suggested Sites feature be used to deliver advertising to the user. None of the links we display for suggested sites are "sponsored" or advertiser links as we choose the sites to display based purely on relevance.

When Suggested Sites is turned on, the addresses of websites users visit are sent to Microsoft, together with some standard information from the user’s computer such browser type as well as regional and language settings. To help protect user privacy, the information is encrypted when sent to Microsoft.

Microsoft's statement, supplied in response to inquiries from El Reg, goes on to clarify that secure sessions will not be sampled. Microsoft's bullet point response also explains that surfing information from periods when the InPrivate (aka pron surfing) feature is turned on is also excluded from Suggested Sites.

Internet Explorer 8 does not send back any elements of data in the body of a rendered page

Internet Explorer 8 does not send back data about secure HTTPS sites visited, intranet sites or local files on the PC

Internet Explorer 8 does not send any data about pages browsed during InPrivate sessions.

We've asked Microsoft for clarification on how the statement that "IE 8 does not send back any elements of data in the body of a rendered page" squares with a statement in its draft privacy policy) that "information associated with the web address, such as search terms or data you entered in forms might be included" in data submitted when Suggested Sites is turned on.

Microsoft is far from the only browser supplier looking to make use of users' surfing histories to add features to the next version of its browser software. The Mozilla Foundation's controversial Data project involves gather anonymised surfing history data on a voluntary basis before selling it on as an analytical tool - a use of technology that raises even deeper privacy concerns. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.