Feeds

Fresh privacy fears over IE 8 Suggested Sites

Promiscuous URL sharing not a great idea, warns top Cambridge researcher

5 things you didn’t know about cloud backup

A top security researcher has called for Microsoft to rethink aspects of its Suggested Sites feature in IE8. The optional feature in the next version of Microsoft's browser allows users to "discover websites you might like based on sites you've visited", as Microsoft explains it.

When the feature is activated, the addresses of sites visited are sent to Microsoft, alongside informations such as IP address, browser type, regional and language settings, in an encrypted form. Microsoft draft IE8 privacy policy explains that "information associated with the web address, such as search terms or data you entered in forms might be included".

Microsoft was able to allay concerns that data from secure sites might be sampled or that the feature might be used to serve up targeted advertising in response to our earlier queries on the technology, prompted in response to posts by privacy activists on the No Deep Packet Inspection campaign website. However, concerns about the privacy implications of the technology remain.

Cambridge University security researcher Richard Clayton, who carried out an analysis of Phorm for the Foundation for Information Policy Research (FIPR), said full URL sharing via Suggested Sites poses a privacy and security risk. In particular he warns Microsoft should avoid sharing data submitted by surfers with other users of the service.

Microsoft should be clearer about explaining the risks as well as the benefits of the service, he adds.

In order for Microsoft to suggest other websites that you might like to look at, they need to know where you've been visiting lately. If you're embarrassed about saying where that is, then you leave the new feature turned off and no harm is done.

However, if you turn it on, then it appears that you hand over the entire URL of where you've visited. On some sites that's essential: if you've been on blogger.com, then knowing which of the eight million blogs you visited will matter. However, on other sites, that full URL may hold clues to your identity, give permissions to others to access the site, or compromise your privacy or security in some other manner.

The risk that someone at Microsoft decides to use that URL for wickedness are rather small - but what if they hand off the URL to someone else with similar tastes, for them to try visiting the places that you go to. Suddenly all that "security through obscurity", the pious hope that no one could possibly guess that URL, goes up in smoke.

Microsoft could do better, by minimising the data transfer, and only obtaining longer URLs for the sites, like blogger.com, where it actually matters. In the meantime, they should spell out the risks up front, along with the benefits... or did they genuinely think that there weren't any risks?

Clayton's response, which came in response to a request by El Reg for his opinion on the privacy implications of the technology, moves on the debate about whether Suggested Sites allows users a richer surfing experience or creates more problems than it solves.

Microsoft told us that when InPrivate (aka pron surfing) mode is applied within IE8, then Suggested Sites is temporarily turned off. "Data about secure HTTPS sites visited, intranet sites or local files on the PC" is excluded at all times, it added.

Microsoft went on to say that IE8 does "not send back any elements of data in the body of a rendered page" a statement that sits oddly alongside an explanation in the draft privacy policy) from IE 8 that "information associated with the web address, such as search terms or data you entered in forms might be included" in data submitted when Suggested Sites is turned on. We're still waiting for a clarification from Microsoft on this point. ®

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?