Feeds

Fresh privacy fears over IE 8 Suggested Sites

Promiscuous URL sharing not a great idea, warns top Cambridge researcher

Choosing a cloud hosting partner with confidence

A top security researcher has called for Microsoft to rethink aspects of its Suggested Sites feature in IE8. The optional feature in the next version of Microsoft's browser allows users to "discover websites you might like based on sites you've visited", as Microsoft explains it.

When the feature is activated, the addresses of sites visited are sent to Microsoft, alongside informations such as IP address, browser type, regional and language settings, in an encrypted form. Microsoft draft IE8 privacy policy explains that "information associated with the web address, such as search terms or data you entered in forms might be included".

Microsoft was able to allay concerns that data from secure sites might be sampled or that the feature might be used to serve up targeted advertising in response to our earlier queries on the technology, prompted in response to posts by privacy activists on the No Deep Packet Inspection campaign website. However, concerns about the privacy implications of the technology remain.

Cambridge University security researcher Richard Clayton, who carried out an analysis of Phorm for the Foundation for Information Policy Research (FIPR), said full URL sharing via Suggested Sites poses a privacy and security risk. In particular he warns Microsoft should avoid sharing data submitted by surfers with other users of the service.

Microsoft should be clearer about explaining the risks as well as the benefits of the service, he adds.

In order for Microsoft to suggest other websites that you might like to look at, they need to know where you've been visiting lately. If you're embarrassed about saying where that is, then you leave the new feature turned off and no harm is done.

However, if you turn it on, then it appears that you hand over the entire URL of where you've visited. On some sites that's essential: if you've been on blogger.com, then knowing which of the eight million blogs you visited will matter. However, on other sites, that full URL may hold clues to your identity, give permissions to others to access the site, or compromise your privacy or security in some other manner.

The risk that someone at Microsoft decides to use that URL for wickedness are rather small - but what if they hand off the URL to someone else with similar tastes, for them to try visiting the places that you go to. Suddenly all that "security through obscurity", the pious hope that no one could possibly guess that URL, goes up in smoke.

Microsoft could do better, by minimising the data transfer, and only obtaining longer URLs for the sites, like blogger.com, where it actually matters. In the meantime, they should spell out the risks up front, along with the benefits... or did they genuinely think that there weren't any risks?

Clayton's response, which came in response to a request by El Reg for his opinion on the privacy implications of the technology, moves on the debate about whether Suggested Sites allows users a richer surfing experience or creates more problems than it solves.

Microsoft told us that when InPrivate (aka pron surfing) mode is applied within IE8, then Suggested Sites is temporarily turned off. "Data about secure HTTPS sites visited, intranet sites or local files on the PC" is excluded at all times, it added.

Microsoft went on to say that IE8 does "not send back any elements of data in the body of a rendered page" a statement that sits oddly alongside an explanation in the draft privacy policy) from IE 8 that "information associated with the web address, such as search terms or data you entered in forms might be included" in data submitted when Suggested Sites is turned on. We're still waiting for a clarification from Microsoft on this point. ®

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Apple grapple: Congress kills FBI's Cupertino crypto kybosh plan
Encryption would lead us all into a 'dark place', claim G-Men
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.