IE9 'Do Not Track' feature prone to user error

Microsoft introduced a feature in IE9 to protect privacy online, but it relies on the user to configure and maintain it

Microsoft today revealed a new security control in Internet Explorer 9 that will enable users to restrict sites from tracking them. The ability to control access to tracking data from within the browser is a welcome addition, but the feature is not exactly foolproof.

Earlier this month the United States Federal Trade Commission (FTC) issued a scathing report on the state of online consumer privacy, coupled with a call for a Web-surfing equivalent to the "Do Not Call" list. The "Do Not Track" initiative as a government policy is still embryonic, but the privacy features in IE9 let users exercise similar control over which sites have access to personal data such as Web browsing history.

A post on Microsoft's IEBlog explains, "Today, consumers share information with more Web sites than the ones they see in the address bar in their browser. This is inherent in the design of the Web and simply how the Web works, and it has potentially unintended consequences. As consumers visit one site, many other sites receive information about their activities," adding, "When the browser calls any other Web site to request anything (an image, a cookie, HTML, a script that can execute), the browser explicitly provides information in order to get information. By limiting data requests to these sites, it is possible to limit the data available to these sites for collection and tracking."

In a nutshell, the IE9 "Do Not Track" capability is an evolution of security controls that are already present in Internet Explorer 8. The privacy control enables users to create Tracking Protection Lists (TPLs) of domain names that will only be visited if directly clicked or typed in the browser address bar. The domains in a TPL will not be able to surreptitiously receive information as a third party when the user overtly visits a different site.

The Microsoft Advertising Blog describes an important limitation of the IE9 security control, though. "IE9's privacy settings, like those contained in IE8, will not be on by default, but they will allow users to create lists of sites they wish to share information with, as well as sites they do not wish to share information with. The settings do not take a position on managing information; instead, they provide an improved platform for consumers to exercise choice."

At face value, that sounds fine. Users have control and can choose when and how to share information rather than having Microsoft, or some other third party, decide for them and dictate which sites can or cannot receive privacy data. The problem is that the vast majority of users lack the privacy savvy, tech skill, and drive to devote the time and energy to properly configuring and maintaining these lists.

I am not suggesting that Microsoft's approach is wrong, just that it's also not a silver bullet. Unfortunately for average users, very little in security is. Businesses and consumers need to understand that much of security and privacy is subjective and that implementing and maintaining security controls is a somewhat complex process that can't be driven by a third party.

Microsoft's approach with TPLs to block tracking efforts by unauthorized sites is as good as any other solution out there. It just requires a little up-front effort to understand and configure it, and some ongoing administration to manage access for authorized sites and add new offending sites to the TPL.
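
The blocking rule and the maintenance burden described above can be modelled in a few lines. This is an added example, not Microsoft's code or IE9's actual matching logic: the list shape, the function names, the "allow overrides block" ordering, and the two-label notion of "same site" are all assumptions made for illustration, and the domains are constructed.

```javascript
// Simplified model of a Tracking Protection List (TPL) decision.
// Assumption: lists are plain arrays of domain names, not a real TPL file.

// Crude "site" of a host: its last two labels. A real browser needs a
// public-suffix-aware comparison (this is wrong for e.g. example.co.uk).
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// True when host is a listed domain or a subdomain of one.
function onList(host, domains) {
  const h = host.toLowerCase();
  return domains.some((d) => h === d.toLowerCase() || h.endsWith("." + d.toLowerCase()));
}

// pageUrl: the site in the address bar; requestUrl: the resource being fetched.
function tplDecision(pageUrl, requestUrl, lists) {
  const pageHost = new URL(pageUrl).hostname;
  const reqHost = new URL(requestUrl).hostname;
  // Sites the user clicked or typed are always reachable, even if listed.
  if (siteOf(pageHost) === siteOf(reqHost)) return { allowed: true, reason: "first-party" };
  // Assumed ordering: an explicit allow entry wins over a block entry.
  if (onList(reqHost, lists.allow)) return { allowed: true, reason: "allow-list" };
  if (onList(reqHost, lists.block)) return { allowed: false, reason: "block-list" };
  // Anything the user has not listed still receives the request.
  return { allowed: true, reason: "not-listed" };
}

// Third-party hosts that got through only because nobody has listed them yet:
// the review queue for whoever maintains the lists.
function unlistedThirdParties(pageUrl, requestUrls, lists) {
  const hosts = requestUrls
    .filter((u) => tplDecision(pageUrl, u, lists).reason === "not-listed")
    .map((u) => new URL(u).hostname);
  return [...new Set(hosts)];
}

// Constructed sample data.
const sampleLists = { block: ["tracker.example", "ads.example"], allow: ["ok.ads.example"] };
const sampleRequests = [
  "https://news.example/site.css",
  "https://cdn.tracker.example/pixel.gif",
  "https://ok.ads.example/banner.js",
  "https://newtracker.example/beacon.js",
  "https://newtracker.example/collect",
];
console.log(unlistedThirdParties("https://news.example/story", sampleRequests, sampleLists));
```

The last call reports `newtracker.example`: a third party that receives requests until someone adds it to the block list, which is the ongoing administration the article refers to.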

Microsoft should be commended both for its ongoing collaboration with the FTC and other organizations to develop policies and controls that protect users, and for proactively introducing privacy features in IE9 that give users the ability to exercise some control over their personal information.
