IE8 Suggested Sites suggested to be snoopy

Privacy activists are crying foul over the "Suggested Sites" feature in IE8, but Microsoft insists concerns about the feature, such that it might be used to serve up targeted advertising or that it poses a security risk, are misplaced.

The optional component in the next version of Microsoft's browser software "discover websites you might like based on sites you've visited". Collecting a user's browser history and using it to create profiles that steer users towards one website or another may seem like a useful pointer to Microsoft's developers, but the feature is giving some privacy-conscious surfers the fear.

Once the Suggested Sites feature is turned on, the addresses of websites visited are sent to Microsoft, together with data such as IP address, browser type, regional and language settings. This data is encrypted. However, Microsoft cautions (in a draft for its IE8 privacy policy here) that "information associated with the web address, such as search terms or data you entered in forms might be included".

Even if you trust Microsoft to copy taste your browsing history, there is the risk that the feature creates a potential new mechanism for hackers to extract sensitive data, via possible future browser security exploits or social engineering tricks. For website owners the use of the technology creates the possibility that surfers will be lured away to similar (ie potentially rival) websites.

Discussions on the feature on No Deep Packet Inspection (NDPI), a forum normally dedicated to looking into behavioural advertising targeting firms such as Phorm, express concerns that the privacy policy for the feature fails to provide assurance that https (secure) web surfing sessions will be disregarded.

Even just the content of URLs, where search parameters or entered data is included, gives away a lot of data surfers might not like to share, other critics in the forum point out. The downsides of the feature - which is only activated with the clear consent of a user - far outweigh its supposed benefits, according to privacy sensitive critics.

"Only switch it on if you are utterly barking mad," one NDPI reader warned.

In response to to these criticisms, Microsoft provided El Reg with assurances that the technology will not be used to serve up targeted advertising.

Part of the agreement Microsoft has with Internet Explorer 8 users is that the data we collect will not be used to target advertising to the user, nor will the Suggested Sites feature be used to deliver advertising to the user. None of the links we display for suggested sites are "sponsored" or advertiser links as we choose the sites to display based purely on relevance.

When Suggested Sites is turned on, the addresses of websites users visit are sent to Microsoft, together with some standard information from the user’s computer such browser type as well as regional and language settings. To help protect user privacy, the information is encrypted when sent to Microsoft.

Microsoft's statement, supplied in response to inquiries from El Reg, goes on to clarify that secure sessions will not be sampled. Microsoft's bullet point response also explains that surfing information from periods when the InPrivate (aka pron surfing) feature is turned on is also excluded from Suggested Sites.

Internet Explorer 8 does not send back any elements of data in the body of a rendered page

Internet Explorer 8 does not send back data about secure HTTPS sites visited, intranet sites or local files on the PC

Internet Explorer 8 does not send any data about pages browsed during InPrivate sessions.

We've asked Microsoft for clarification on how the statement that "IE 8 does not send back any elements of data in the body of a rendered page" squares with a statement in its draft privacy policy) that "information associated with the web address, such as search terms or data you entered in forms might be included" in data submitted when Suggested Sites is turned on.

Microsoft is far from the only browser supplier looking to make use of users' surfing histories to add features to the next version of its browser software. The Mozilla Foundation's controversial Data project involves gather anonymised surfing history data on a voluntary basis before selling it on as an analytical tool - a use of technology that raises even deeper privacy concerns. ®