Feeds

IE8 Suggested Sites suggested to be snoopy

Privacy activists cry Phorm on Redmond

Website security in corporate America

Privacy activists are crying foul over the "Suggested Sites" feature in IE8, but Microsoft insists concerns about the feature, such that it might be used to serve up targeted advertising or that it poses a security risk, are misplaced.

The optional component in the next version of Microsoft's browser software "discover websites you might like based on sites you've visited". Collecting a user's browser history and using it to create profiles that steer users towards one website or another may seem like a useful pointer to Microsoft's developers, but the feature is giving some privacy-conscious surfers the fear.

Once the Suggested Sites feature is turned on, the addresses of websites visited are sent to Microsoft, together with data such as IP address, browser type, regional and language settings. This data is encrypted. However, Microsoft cautions (in a draft for its IE8 privacy policy here) that "information associated with the web address, such as search terms or data you entered in forms might be included".

Even if you trust Microsoft to copy taste your browsing history, there is the risk that the feature creates a potential new mechanism for hackers to extract sensitive data, via possible future browser security exploits or social engineering tricks. For website owners the use of the technology creates the possibility that surfers will be lured away to similar (ie potentially rival) websites.

Discussions on the feature on No Deep Packet Inspection (NDPI), a forum normally dedicated to looking into behavioural advertising targeting firms such as Phorm, express concerns that the privacy policy for the feature fails to provide assurance that https (secure) web surfing sessions will be disregarded.

Even just the content of URLs, where search parameters or entered data is included, gives away a lot of data surfers might not like to share, other critics in the forum point out. The downsides of the feature - which is only activated with the clear consent of a user - far outweigh its supposed benefits, according to privacy sensitive critics.

"Only switch it on if you are utterly barking mad," one NDPI reader warned.

In response to to these criticisms, Microsoft provided El Reg with assurances that the technology will not be used to serve up targeted advertising.

Part of the agreement Microsoft has with Internet Explorer 8 users is that the data we collect will not be used to target advertising to the user, nor will the Suggested Sites feature be used to deliver advertising to the user. None of the links we display for suggested sites are "sponsored" or advertiser links as we choose the sites to display based purely on relevance.

When Suggested Sites is turned on, the addresses of websites users visit are sent to Microsoft, together with some standard information from the user’s computer such browser type as well as regional and language settings. To help protect user privacy, the information is encrypted when sent to Microsoft.

Microsoft's statement, supplied in response to inquiries from El Reg, goes on to clarify that secure sessions will not be sampled. Microsoft's bullet point response also explains that surfing information from periods when the InPrivate (aka pron surfing) feature is turned on is also excluded from Suggested Sites.

Internet Explorer 8 does not send back any elements of data in the body of a rendered page

Internet Explorer 8 does not send back data about secure HTTPS sites visited, intranet sites or local files on the PC

Internet Explorer 8 does not send any data about pages browsed during InPrivate sessions.

We've asked Microsoft for clarification on how the statement that "IE 8 does not send back any elements of data in the body of a rendered page" squares with a statement in its draft privacy policy) that "information associated with the web address, such as search terms or data you entered in forms might be included" in data submitted when Suggested Sites is turned on.

Microsoft is far from the only browser supplier looking to make use of users' surfing histories to add features to the next version of its browser software. The Mozilla Foundation's controversial Data project involves gather anonymised surfing history data on a voluntary basis before selling it on as an analytical tool - a use of technology that raises even deeper privacy concerns. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.