Feeds

Microsoft: IE9's web privacy hole? A feature, not a bug

When do-not-track lists clash

Beginner's guide to SSL certificates

A hole has been spotted in Internet Explorer 9's do-not-track technology, and Microsoft says it's a feature not a bug.

In response to a US government call for greater protection of consumers' privacy online, Microsoft added a Tracking Protection Lists (TPLs) feature to IE9. Netizens can use one or more lists to prevent certain ad networks and websites from tracking their behavior online. But when an IE9 user downloads multiple TPLs and a site's blocked on one list but allowed on another, IE9 will allow the site, letting it to track the user's activities.

The hole was flagged up by UK consumer watchdog Which?. Tracking Protection Lists are available from four Microsoft IE9 partners: Abine, EasyList, PrivacyChoice, and Truste.

An existing Microsoft TPL Q&A here at the foot of the IE9 test drive site mentions briefly what happens if there's a conflict. It's also illustrated as part of a video on Microsoft's IE blog that announces TPLs. While that might count as forewarning, this is not a capability that Microsoft has explicitly called out or explained in any great detail when it has talked about TPLs.

The company is instead placing the onus on IE9's users to "review carefully" the TPLs that they chose to ensure IE9 continues to block the sites they want blocked.

Microsoft is also shifting the responsibility to the creators of TPLs to maintain compatible lists. A company spokesperson told The Reg: "We'd hope the list creators are providing an overview of what's in the lists and what it'll mean if a consumer subscribers."

But it's Microsoft's underling platform, IE9, that the list providers are all relying. IE9 is enabling the "allow" list to override the "block" list when there's a conflict. The spokesperson told us: "It was designed like it. We are comfortable with it at this stage."

Washington lobbyist the Center for Democracy and Technology told The Reg that Microsoft could have been clear in explaining the process of what happens when there's a conflict in TPLs. The CDT has been advising parties on do-not-track.

Director of consumer privacy Justin Brookman said Microsoft could have been clearer explaining what happens when there's a conflict between lists, and he is "concerned" about the level of involvement needed by the end-user on managing TPLs. "The point of do not track is you shouldn't have to be terribly involved," he said.

He added he doubted Microsoft is trying to be malicious and called the policy behind it - of building white lists of approved sites - sound. "They still have their work cut out," he said.

TPLs have been added to IE9 on top of existing privacy and cookie-blocking features. It's an approach that's been criticized by an associate professor for Carnegie Mellon University's School of Computer Science, Department of Engineering and Public Policy (EPP).

TPL's are designed to stop third-party sites using techniques such as cookie tracking, Flash LSO tracking and browser finger printing to follow IE9 users and serve up ads and content on the sites that they visit. The idea with TPLs is you build up a list of sites you've either visited or allowing to track you.

Carnegie Lorrie Faith Cranor, also director of Carnegie CyLab Usable Privacy and Security Laboratory (CUPS), has highlighted that you don't just get TPLs in IE9, but also the ability to block cookies in the Internet Options panel. The default setting is to block third-party cookies that lack a "satisfactory" Platform for Privacy Preferences (P3P) compact privacy policy.

Cranor also co-authored a report last year that found that Microsoft's implementation of P3P, a W3C standard, is now being widely sidestepped by web sites that are deliberately mis-representing their privacy policies to prevent cookie blocking.

In her blog on TPL's Cranor wrote: "IE9 now has a confusing array of poorly-implemented privacy features that interact with each other in strange ways. If I don't turn on a TPL or change any privacy settings, then third-party cookies might be blocked depending on their P3P compact policies. If I turn on a TPL that allows a particular site, does it unblock third-party cookies that would otherwise be blocked?"®

Security for virtualized datacentres

More from The Register

next story
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
Not appy with your Chromebook? Well now it can run Android apps
Google offers beta of tricky OS-inside-OS tech
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.