Feeds

IE8 Suggested Sites suggested to be snoopy

Privacy activists cry Phorm on Redmond

Beginner's guide to SSL certificates

Privacy activists are crying foul over the "Suggested Sites" feature in IE8, but Microsoft insists concerns about the feature, such that it might be used to serve up targeted advertising or that it poses a security risk, are misplaced.

The optional component in the next version of Microsoft's browser software "discover websites you might like based on sites you've visited". Collecting a user's browser history and using it to create profiles that steer users towards one website or another may seem like a useful pointer to Microsoft's developers, but the feature is giving some privacy-conscious surfers the fear.

Once the Suggested Sites feature is turned on, the addresses of websites visited are sent to Microsoft, together with data such as IP address, browser type, regional and language settings. This data is encrypted. However, Microsoft cautions (in a draft for its IE8 privacy policy here) that "information associated with the web address, such as search terms or data you entered in forms might be included".

Even if you trust Microsoft to copy taste your browsing history, there is the risk that the feature creates a potential new mechanism for hackers to extract sensitive data, via possible future browser security exploits or social engineering tricks. For website owners the use of the technology creates the possibility that surfers will be lured away to similar (ie potentially rival) websites.

Discussions on the feature on No Deep Packet Inspection (NDPI), a forum normally dedicated to looking into behavioural advertising targeting firms such as Phorm, express concerns that the privacy policy for the feature fails to provide assurance that https (secure) web surfing sessions will be disregarded.

Even just the content of URLs, where search parameters or entered data is included, gives away a lot of data surfers might not like to share, other critics in the forum point out. The downsides of the feature - which is only activated with the clear consent of a user - far outweigh its supposed benefits, according to privacy sensitive critics.

"Only switch it on if you are utterly barking mad," one NDPI reader warned.

In response to to these criticisms, Microsoft provided El Reg with assurances that the technology will not be used to serve up targeted advertising.

Part of the agreement Microsoft has with Internet Explorer 8 users is that the data we collect will not be used to target advertising to the user, nor will the Suggested Sites feature be used to deliver advertising to the user. None of the links we display for suggested sites are "sponsored" or advertiser links as we choose the sites to display based purely on relevance.

When Suggested Sites is turned on, the addresses of websites users visit are sent to Microsoft, together with some standard information from the user’s computer such browser type as well as regional and language settings. To help protect user privacy, the information is encrypted when sent to Microsoft.

Microsoft's statement, supplied in response to inquiries from El Reg, goes on to clarify that secure sessions will not be sampled. Microsoft's bullet point response also explains that surfing information from periods when the InPrivate (aka pron surfing) feature is turned on is also excluded from Suggested Sites.

Internet Explorer 8 does not send back any elements of data in the body of a rendered page

Internet Explorer 8 does not send back data about secure HTTPS sites visited, intranet sites or local files on the PC

Internet Explorer 8 does not send any data about pages browsed during InPrivate sessions.

We've asked Microsoft for clarification on how the statement that "IE 8 does not send back any elements of data in the body of a rendered page" squares with a statement in its draft privacy policy) that "information associated with the web address, such as search terms or data you entered in forms might be included" in data submitted when Suggested Sites is turned on.

Microsoft is far from the only browser supplier looking to make use of users' surfing histories to add features to the next version of its browser software. The Mozilla Foundation's controversial Data project involves gather anonymised surfing history data on a voluntary basis before selling it on as an analytical tool - a use of technology that raises even deeper privacy concerns. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.