IE8 Suggested Sites suggested to be snoopy
Privacy activists cry Phorm on Redmond
Privacy activists are crying foul over the "Suggested Sites" feature in IE8, but Microsoft insists concerns about the feature, such that it might be used to serve up targeted advertising or that it poses a security risk, are misplaced.
The optional component in the next version of Microsoft's browser software "discover websites you might like based on sites you've visited". Collecting a user's browser history and using it to create profiles that steer users towards one website or another may seem like a useful pointer to Microsoft's developers, but the feature is giving some privacy-conscious surfers the fear.
Even if you trust Microsoft to copy taste your browsing history, there is the risk that the feature creates a potential new mechanism for hackers to extract sensitive data, via possible future browser security exploits or social engineering tricks. For website owners the use of the technology creates the possibility that surfers will be lured away to similar (ie potentially rival) websites.
Even just the content of URLs, where search parameters or entered data is included, gives away a lot of data surfers might not like to share, other critics in the forum point out. The downsides of the feature - which is only activated with the clear consent of a user - far outweigh its supposed benefits, according to privacy sensitive critics.
"Only switch it on if you are utterly barking mad," one NDPI reader warned.
In response to to these criticisms, Microsoft provided El Reg with assurances that the technology will not be used to serve up targeted advertising.
Part of the agreement Microsoft has with Internet Explorer 8 users is that the data we collect will not be used to target advertising to the user, nor will the Suggested Sites feature be used to deliver advertising to the user. None of the links we display for suggested sites are "sponsored" or advertiser links as we choose the sites to display based purely on relevance.
When Suggested Sites is turned on, the addresses of websites users visit are sent to Microsoft, together with some standard information from the user’s computer such browser type as well as regional and language settings. To help protect user privacy, the information is encrypted when sent to Microsoft.
Microsoft's statement, supplied in response to inquiries from El Reg, goes on to clarify that secure sessions will not be sampled. Microsoft's bullet point response also explains that surfing information from periods when the InPrivate (aka pron surfing) feature is turned on is also excluded from Suggested Sites.
Internet Explorer 8 does not send back any elements of data in the body of a rendered page
Internet Explorer 8 does not send back data about secure HTTPS sites visited, intranet sites or local files on the PC
Internet Explorer 8 does not send any data about pages browsed during InPrivate sessions.
Microsoft is far from the only browser supplier looking to make use of users' surfing histories to add features to the next version of its browser software. The Mozilla Foundation's controversial Data project involves gather anonymised surfing history data on a voluntary basis before selling it on as an analytical tool - a use of technology that raises even deeper privacy concerns. ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Privacy Sandbox
- Trusted Platform Module
- Zero trust