Online privacy, Tracking, and IE8’s InPrivate Filtering

發行項
08/01/2010

Online privacy and tracking have been in several news articles and public hearings lately. The recent attention has been on how visiting one site shares information with many sites, and how those sites can then share the information and effectively ‘track’ your activity on the web. The articles certainly show the complexity of the topic. This blog post offers some context on online safety and privacy and specific information about InPrivate Filtering, a feature in IE8 designed to help protect users from some tracking scenarios, as well as several other features IE8 offers users to help protect their privacy online.

Part of what makes online privacy tricky is that browsing the web is fundamentally an information exchange. Your web browser offers information in order to get information. That information can identify you. Often, that information is sent automatically for your convenience (like the languages you prefer to read) to tailor the content for you.

Because some of the technologies that can be used for tracking are also essential today for basic functionality, there is no “Just give me perfect privacy” feature. The way different tracking and anti-tracking technologies interact can read like a Spy vs. Spy comic strip. Distinguishing between a tracking technology (a beacon) and a useful piece of web content (a stock chart used as a beacon) is not obvious. Some people are concerned about Adobe Flash’s “super cookies”; IE8’s InPrivate browsing clears these as well with newer versions of Flash. As another example, InPrivate Browsing in IE8 “clears your tracks” and removes information from browser history when you close IE. During the actual browsing session, before you close it, IE still records history (so the back button continues to work) and cookies (so that logins and shopping carts continue to work). Ultimately, people want the web to work and privacy protection.

We designed InPrivate Filtering to help users control who can get information about their browsing. IE enables users to choose how privately they want to browse. Users are in control of several privacy protection features in IE, and how automatically they function. Specifically, users can keep browsing information from going to sites they don’t actually visit directly. IE determines the potential tracking sites on the list based on the sites you browse to directly and how those sites were written. Different sites on the web have articles about more advanced features, like always browsing with InPrivate Filtering on, and importing and exporting InPrivate Filtering lists.

People who are concerned with tracking may be interested in how to use InPrivate Filtering in IE. (People interested in how it works can read more here and here.)

1. From the Safety menu, choose “InPrivate Filtering.”

2. Choose “Block for me” to turn on automatic filtering.

Alternatively, you can choose “InPrivate Filtering Settings” from the Safety menu at any time to see a list of sites that are in position to track your browsing based on the sites you browse to in IE. You can find more detailed instructions in several places around the web with some basic web searches.

The sheer complexity of privacy and online safety spans many disciplines. We’ve posted here about different aspects of web browsing safety. Bad things can happen to good people on the web in many ways. Internet Explorer includes protections for many different kinds of threats people face on the web. People often focus on malicious sites that exploit unpatched security issues in different devices and software. (Microsoft regularly releases updates; please turn on automatic updating if you haven’t already.) Sites host seemingly good downloads (“Free Emoticons! Puppy screensaver!”) that are actually malicious, or attempt to lure people to visit them; users often download them and run them anyway. Otherwise “good” sites unintentionally host malicious content. Phishing sites pretend to be one site (perhaps your bank) but are actually malicious in their use of information. IE’s SmartScreen has protected users over a billion times by blocking these kinds of attacks. Protecting children online is another set of challenges entirely. Some kinds of trust violations that are lower in severity go unhindered. Browser add-ons can leak information across sites, even though add-on developers can prevent it. Protecting a user’s online privacy is just as important to Microsoft as protecting the user from malicious sites.

The web today has lots of great innovation. Unfortunately, threats to online safety and privacy also see rapid innovation. The communities working together to combat online safety issues span the technology industry, financial and commercial institutions, academia, government, and law enforcement agencies.

Dean Hachamovitch

Comments

Anonymous
August 01, 2010
I know this is random but can we expect a Spell Checker In Internet Explorer 9 and maybe a good add on place like Firefox and Google chrome has.
Anonymous
August 01, 2010
The comment has been removed
Anonymous
August 01, 2010
Matt, please try to read and understand before posting. People don't use browsers that don't work. The IE team provides plenty of ways to "stick it to Google" including InPrivate Filtering. Users can trivially block all Google ads across all sites by simply putting "*.googlesyndication.com" in the Restricted Sites Zone. That works for Google's *.doubleclick.net as well.
Anonymous
August 01, 2010
Is there documentation & examples on the rules used by the inprivate filter?
Anonymous
August 01, 2010
The comment has been removed
Anonymous
August 01, 2010
@Luddite - the whole point is that it's not just cookies.
Anonymous
August 01, 2010
@fanboy: InPrivate Filtering is described in prior posts on this blog, and it's quite simple: If content appears in a 3rd party context on more than /n/ sites (a user selected number) then it isn't downloaded on future navigations if the user chooses by enabling InPrivate Filtering. @luddite: You can learn more about IE's cookie settings here: blogs.msdn.com/.../understanding-internet-explorer-cookie-controls.aspx As NotJustCookies points out, features like beacons and trackers don't always rely only upon cookies, which is why features like InPrivate Filtering and Zones are useful for blocking other types of unwanted content. The point which "Cluetrain" makes above is that sites can potentially break when you start blocking their content. If there was any way to automatically block content without causing problems, two things would likely happen: 1> Browsers would build that feature in, and 2> Sites would adapt so they'd break when their content was blocked. This isn't speculative: we've seen this happen already with both popup blockers and ad blockers.
Anonymous
August 01, 2010
The comment has been removed
Anonymous
August 01, 2010
The comment has been removed
Anonymous
August 02, 2010
The comment has been removed
Anonymous
August 02, 2010
The comment has been removed
Anonymous
August 02, 2010
@EricLaw [MSFT]: I may agree with you about the AdBlocking feature, but apparently I am not the only one who thinks there is something missing here. Take a look at today's Wall Street Journal for example: online.wsj.com/.../SB10001424052748703467304575383530439838568.html
Anonymous
August 02, 2010
Cooper, as Dean outlines, there are tons of features in IE that put the user in control of their privacy. The idea of "automatically" shielding the user at the cost of putting reliable function of their browsing experience at risk is a hazardous one; users will likely move to browsers that "work correctly" when sites are broken. By way of example, consider the InPrivate Filtering feature. There's no programmatic mechanism by which a client can know whether a given script file represents a "beacon" or a library file. So, if there's a centralized script repository (e.g. Google and Microsoft both host JQuery so that websites can benefit from our worldwide CDNs) that repository's host will be flagged as a potential tracker site by the InPrivate logic, because these repositories are DESIGNED to be called from many independent 3rd party contexts. While such sites probably don't do any tracking, there's literally no way for the client to know. So, if InPrivate Filtering was on by default, users would find that the sites they use and care about one-by-one would break as the scripts got blocked. Now, the obvious next step is to allow the sites to flag certain responses as innocuous/non-trackers from a privacy point of view, very similar to what is done with P3P. The problem is that you're then back to the problem that privacy isn't a binary thing-- it's up to the individual user's preference to decide what privacy policy they themselves are happy with. That, in turn, requires that the user provide a configuration decision, which in practice boils down to what IE provides with the existing InPrivate Filtering feature.
Anonymous
August 02, 2010
Is the IE Team going to include some protection in IE9 against the potential privacy issues regarding CSS :visited? blog.mozilla.com/.../plugging-the-css-history-leak The Mozilla Team seems to be pretty serious about it. Thank you.
Anonymous
August 02, 2010
@James: We haven't made any announcements about that topic. You might be interested in checking out blogs.msdn.com/.../csshistoryprobing.aspx which explains the issue and the already-available mitigations present in IE8.
Anonymous
August 02, 2010
@EricLaw [MSFT]: Thanks! It is an interesting reading. I hope you'll manage to further improve mitigations/solutions for IE9.
Anonymous
August 02, 2010
There is a fairly decent free adblocker for IE called Simple Adblock. It seems to be growing fast since after several updates early 2010. After intallation you are requested if privacy filters should be set which should block tracking cookies.
Anonymous
August 02, 2010
How about...this: Microsoft just listens to its customers for once instead of the Redmondland Marketeers? I swear...every time theres a debate to be had about consumers and bottom lines with no balance in sight, it's always sales and marketers that end up saying, "but doing good for the customer is...NO!" Almost sounds like a U.S. political party I know. As for those who might say that providing that extra length of privacy would break sites, how about NOT MAKING SITES THAT BREAK WITH PRIVACY ENABLED? Sounds like a big "DUH" moment here. So...DUH!!!
Anonymous
August 02, 2010
You're a genius-- I'm sure no one ever considered that sites could simply not infringe on the user's privacy, and then everything would be golden. Thanks for solving this problem for everyone! Now, onto resolving world peace!
Anonymous
August 02, 2010
The comment has been removed
Anonymous
August 02, 2010
What "setup process" are you referring to? Given that there's an icon in your status bar which plainly shows when Filtering is on and when it's not, I'm not sure how you failed to notice this.
Anonymous
August 02, 2010
Why aren't all index.dat files wiped when deleting browser history? Among the various index.dat (there are more than 10 index.dat on my pc), the following are NOT wiped: C:Users<Username>AppDataLocalLowMicrosoftInternet ExplorerDOMStoreindex.dat C:Users<Username>AppDataLocalMicrosoftWindowsHistoryHistory.IE5MSHistnumberindex.dat Could this be a bug? It would be very good for privacy if IE wiped ALL index.dat files when deleting browser history.
Anonymous
August 02, 2010
It's just a drop in the ocean, but... at this point, I'd like to thank Dean and the crew for standing up to the higher-ups concerning our privacy. Nevermind that in the end you had to compromise. Thanks guys.
Anonymous
August 03, 2010
The comment has been removed
Anonymous
August 03, 2010
@David: The Restricted Sites UI is simpler to use (for a small number of hosts) since you don't have to run an elevated text editor and manually edit a hard-to-find file. Notably, however, HTTP requests are still made for hosts in the restricted sites Zone-- the Zone blocks the sending or setting of cookies and the ability to run script or ActiveX objects, but doesn't block the request. So, if you want to block static images and are worried about information in the request URL, then the Hosts file is the way to go. If you're worried only about script and cookies, then the Restricted Zone should suffice.
Anonymous
August 03, 2010
The comment has been removed
Anonymous
August 03, 2010
Thanks Eric!
Anonymous
August 03, 2010
IE8 InPrivate mode filtering is not a complete solution for privacy. It has been mentioned and proven several times that IE has history issues outside of regular IE browsing as it shares its "history" with the operating system. Until the IE Team has sorted out the various privacy breaches with Windows Exploring and Windows Media Player - please stop posting that using IE8 InPrivate Mode ensures that no private information is leaked as that is currently a proven fallacy.
Anonymous
August 03, 2010
The comment has been removed
Anonymous
August 04, 2010
I lost a lot of respect for this blog after reading this post. What a load of complete nonsense "Users are in control of several privacy protection features in IE" - actually, they aren't, as pointed out by the many news articles that surfaced over the weekend. Has this turned into a politician's blog? Did you even write this, or did your legal team/upper management do so? I love how you completely change the topic at the end "but we're good at security!" which has nothing to do with the issue at hand - the fact InPrivate Filtering was neutered by your upper management. Don't waste our time with nonsense like this.
Anonymous
August 04, 2010
I lost a lot of respect for your comment after reading it. You failed to identify any actual problem and point generically to the poor reporting from the mainstream media that something's amiss. Don't you find it a bit suspicious that the primary source they cited was a disgruntled MS executive who got fired? This post (and the comments) plainly explain how simply it is to turn on InPrivate Filtering (it's a regkey, for crying out loud) permanently if you're too lazy to click the icon once in a while. Of course, when you find that the feature breaks sites you care about, then you'll turn it off and find that the IE default behavior suddenly makes a lot more sense. Think. Then post.
Anonymous
August 04, 2010
The comment has been removed
Anonymous
August 04, 2010
@ What It's been mentioned several times elsewhere on this very blog, but you actually can turn on InPrivate Filtering on by default. It's pretty easy actually:

Launch Regedit.exe and navigate to: HKEY_CURRENT_USER Software Microsoft Internet Explorer Safety PrivacIE
Create a new DWORD value named StartMode
Double-click StartMode, click the text form and enter 1. Enabling this by default would break a ton of sites though, as shared scripts are used across an increasingly entangled web to deliver content. I've also seen people import .xml files with the list from Adblock Plus to give IE 8 adblock functionality, although there isn't a way to auto update the list...

Anonymous
August 04, 2010
i have an interesting thing i found out. in ie windows 7 if you click an internet shortcut thats on the desk. it will open after done browsing i close the window then open a new 1 with the start menu internet icon it asks if i'd like to restore my session sometimes or it remembers cookies from previous session eventhough its not supposed to. so why does it do that?
Anonymous
August 04, 2010
8675309: The prompt about restoring your session indicates that one of your add-ons is hanging or crashing on shutdown. As for the fact that your session cookies are preserved, this can also be a symptom of such a hang, because the "zombie" process keeps the session alive. blogs.msdn.com/.../session-cookies-sessionstorage-and-ie8.aspx
Anonymous
August 06, 2010
The comment has been removed
Anonymous
August 10, 2010
it also sometimes happens on vista aswell but not that often

共用方式為

Online privacy, Tracking, and IE8’s InPrivate Filtering

Comments

其他資源