Online privacy, Tracking, and IE8’s InPrivate Filtering

Online privacy and tracking have been in several news articles and public hearings lately. The recent attention has been on how visiting one site shares information with many sites, and how those sites can then share the information and effectively ‘track’ your activity on the web. The articles certainly show the complexity of the topic. This blog post offers some context on online safety and privacy and specific information about InPrivate Filtering, a feature in IE8 designed to help protect users from some tracking scenarios, as well as several other features IE8 offers users to help protect their privacy online.

Part of what makes online privacy tricky is that browsing the web is fundamentally an information exchange. Your web browser offers information in order to get information. That information can identify you. Often, that information is sent automatically for your convenience (like the languages you prefer to read) to tailor the content for you.

Because some of the technologies that can be used for tracking are also essential today for basic functionality, there is no “Just give me perfect privacy” feature. The way different tracking and anti-tracking technologies interact can read like a Spy vs. Spy comic strip. Distinguishing between a tracking technology (a beacon) and a useful piece of web content (a stock chart used as a beacon) is not obvious. Some people are concerned about Adobe Flash’s “super cookies”; IE8’s InPrivate Browsing clears these as well with newer versions of Flash. As another example, InPrivate Browsing in IE8 “clears your tracks” and removes information from browser history when you close IE. During the actual browsing session, before you close it, IE still records history (so the back button continues to work) and cookies (so that logins and shopping carts continue to work). Ultimately, people want both a web that works and privacy protection.

We designed InPrivate Filtering to help users control who can get information about their browsing. IE enables users to choose how privately they want to browse. Users are in control of several privacy protection features in IE, and how automatically they function. Specifically, users can keep browsing information from going to sites they don’t actually visit directly. IE determines the potential tracking sites on the list based on the sites you browse to directly and how those sites were written. Different sites on the web have articles about more advanced features, like always browsing with InPrivate Filtering on, and importing and exporting InPrivate Filtering lists.

People who are concerned with tracking may be interested in how to use InPrivate Filtering in IE. (People interested in how it works can read more here and here.)

1. From the Safety menu, choose “InPrivate Filtering.”

2. Choose “Block for me” to turn on automatic filtering.

Alternatively, you can choose “InPrivate Filtering Settings” from the Safety menu at any time to see a list of sites that are in position to track your browsing based on the sites you browse to in IE. You can find more detailed instructions in several places around the web with some basic web searches.

The sheer complexity of privacy and online safety spans many disciplines. We’ve posted here about different aspects of web browsing safety. Bad things can happen to good people on the web in many ways. Internet Explorer includes protections for many different kinds of threats people face on the web. People often focus on malicious sites that exploit unpatched security issues in different devices and software. (Microsoft regularly releases updates; please turn on automatic updating if you haven’t already.) Sites host seemingly good downloads (“Free Emoticons! Puppy screensaver!”) that are actually malicious, or attempt to lure people to visit them; users often download them and run them anyway. Otherwise “good” sites unintentionally host malicious content. Phishing sites pretend to be one site (perhaps your bank) but are actually malicious in their use of information. IE’s SmartScreen has protected users over a billion times by blocking these kinds of attacks. Protecting children online is another set of challenges entirely. Some kinds of trust violations that are lower in severity go unhindered. Browser add-ons can leak information across sites, even though add-on developers can prevent it. Protecting a user’s online privacy is just as important to Microsoft as protecting the user from malicious sites.

The web today has lots of great innovation. Unfortunately, threats to online safety and privacy also see rapid innovation. The communities working together to combat online safety issues span the technology industry, financial and commercial institutions, academia, government, and law enforcement agencies.

Dean Hachamovitch

List of articles referenced
Adobe Flash Now Supports InPrivate Browsing - IEBlog - Site Home - MSDN Blogs
Browser Information
Even without cookies, a browser leaves a trail of crumbs
Hearings - U.S. Senate Committee on Commerce, Science, & Transportation
How a browser extension leaks Google history to Amazon | CNET to the Rescue - CNET Blogs
How to Start Internet Explorer 8 in InPrivate Browsing Mode by Default - The Winhelponline Blog
HTTP/1.1: Header Field Definitions
IE June Security Update Now Available - IEBlog - Site Home - MSDN Blogs
IE8 and Privacy - IEBlog - Site Home - MSDN Blogs
IE8 and Trustworthy Browsing - IEBlog - Site Home - MSDN Blogs
IE8 Blocked over 1 Billion Malware Attacks | Windows 7 News
Protect Yourself from Malicious Advertisements with Internet Explorer 8
IE8 Security Part I: DEP/NX Memory Protection - IEBlog - Site Home - MSDN Blogs
IE8 Security Part II: ActiveX Improvements - IEBlog - Site Home - MSDN Blogs
IE8 Security Part III: SmartScreen® Filter - IEBlog - Site Home - MSDN Blogs
IE8 Security Part IV: The XSS Filter - IEBlog - Site Home - MSDN Blogs
IE8 Security Part V: Comprehensive Protection - IEBlog - Site Home - MSDN Blogs
IE8 Security Part VI: Beta 2 Update - IEBlog - Site Home - MSDN Blogs
IE8 Security Part VII: ClickJacking Defenses - IEBlog - Site Home - MSDN Blogs
IE8 Security Part VIII: SmartScreen Filter Release Candidate Update - IEBlog - Site Home - MSDN Blogs
IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter - IEBlog - Site Home - MSDN Blogs
IE8 SmartScreen in action - IEBlog - Site Home - MSDN Blogs
IE8: Ad blocking with the InPrivate Filter - SuperSite Blog
Internet Explorer 8 - InPrivate Filtering
Internet Explorer 8: Nine Things You Didn't Know You Could Do - IE8 Tips 5-9 | PCMag.com
Is Google Watching You? New Plugin Will Let You Know [APPS]
Linux infection proves Windows malware monopoly is over; Gentoo ships backdoor? [updated] | ZDNet
My Browser Info
Panopticlick (Electronic Frontier Foundation)
Privacy Beyond Blocking Cookies: Bringing Awareness to Third-Party Content - IEBlog - Site Home - MSDN Blogs
Privacy, Add-ons, and Cookie-less HTTP Requests - IEBlog - Site Home - MSDN Blogs
Rickrolling - Wikipedia, the free encyclopedia
Spy vs. Spy - Wikipedia, the free encyclopedia
What is Private Filtering on IE8 and How to Prevent Web Sites from Collecting Information About You?
Windows Live Family Safety
Your Privacy Online - What They Know - WSJ.com

Comments

  • Anonymous
    August 01, 2010
    I know this is random, but can we expect a spell checker in Internet Explorer 9, and maybe a good add-on place like Firefox and Google Chrome have?

  • Anonymous
    August 01, 2010
    The comment has been removed

  • Anonymous
    August 01, 2010
    Matt, please try to read and understand before posting. People don't use browsers that don't work. The IE team provides plenty of ways to "stick it to Google" including InPrivate Filtering. Users can trivially block all Google ads across all sites by simply putting "*.googlesyndication.com" in the Restricted Sites Zone. That works for Google's *.doubleclick.net as well.

  • Anonymous
    August 01, 2010
    Is there documentation & examples on the rules used by the inprivate filter?

  • Anonymous
    August 01, 2010
    The comment has been removed

  • Anonymous
    August 01, 2010
    @Luddite - the whole point is that it's not just cookies.

  • Anonymous
    August 01, 2010
    @fanboy: InPrivate Filtering is described in prior posts on this blog, and it's quite simple: If content appears in a 3rd party context on more than /n/ sites (a user selected number) then it isn't downloaded on future navigations if the user chooses by enabling InPrivate Filtering. @luddite: You can learn more about IE's cookie settings here: blogs.msdn.com/.../understanding-internet-explorer-cookie-controls.aspx As NotJustCookies points out, features like beacons and trackers don't always rely only upon cookies, which is why features like InPrivate Filtering and Zones are useful for blocking other types of unwanted content. The point which "Cluetrain" makes above is that sites can potentially break when you start blocking their content. If there was any way to automatically block content without causing problems, two things would likely happen: 1> Browsers would build that feature in, and 2> Sites would adapt so they'd break when their content was blocked. This isn't speculative: we've seen this happen already with both popup blockers and ad blockers.

  • Anonymous
    August 01, 2010
    The comment has been removed

  • Anonymous
    August 01, 2010
    The comment has been removed

  • Anonymous
    August 02, 2010
    The comment has been removed

  • Anonymous
    August 02, 2010
    The comment has been removed

  • Anonymous
    August 02, 2010
    @EricLaw [MSFT]: I may agree with you about the AdBlocking feature, but apparently I am not the only one who thinks there is something missing here. Take a look at today's Wall Street Journal for example: online.wsj.com/.../SB10001424052748703467304575383530439838568.html

  • Anonymous
    August 02, 2010
    Cooper, as Dean outlines, there are tons of features in IE that put the user in control of their privacy. The idea of "automatically" shielding the user at the cost of putting reliable function of their browsing experience at risk is a hazardous one; users will likely move to browsers that "work correctly" when sites are broken. By way of example, consider the InPrivate Filtering feature. There's no programmatic mechanism by which a client can know whether a given script file represents a "beacon" or a library file. So, if there's a centralized script repository (e.g. Google and Microsoft both host JQuery so that websites can benefit from our worldwide CDNs) that repository's host will be flagged as a potential tracker site by the InPrivate logic, because these repositories are DESIGNED to be called from many independent 3rd party contexts. While such sites probably don't do any tracking, there's literally no way for the client to know. So, if InPrivate Filtering was on by default, users would find that the sites they use and care about one-by-one would break as the scripts got blocked. Now, the obvious next step is to allow the sites to flag certain responses as innocuous/non-trackers from a privacy point of view, very similar to what is done with P3P. The problem is that you're then back to the problem that privacy isn't a binary thing-- it's up to the individual user's preference to decide what privacy policy they themselves are happy with. That, in turn, requires that the user provide a configuration decision, which in practice boils down to what IE provides with the existing InPrivate Filtering feature.
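
Added example, not code from the post, the commenters or IE: a simplified JavaScript model of the rule the replies above describe (content seen in a third-party context on more than n sites is filtered), showing why a shared script host gets flagged exactly like a beacon. The `siteOf` matching rule, the class name and all hosts are assumptions constructed for illustration.

```javascript
// Simplified model of the "more than n sites" rule; not IE's implementation.
// Assumption: hosts belong to the same site when their last two labels match.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

class ThirdPartyObserver {
  constructor(threshold) {
    this.threshold = threshold; // the user-selected number n
    this.seenOn = new Map();    // third-party site -> Set of first-party sites
  }

  // Record one page view: the page host plus the hosts of its subresources.
  observe(pageHost, resourceHosts) {
    const firstParty = siteOf(pageHost);
    for (const host of resourceHosts) {
      const third = siteOf(host);
      if (third === firstParty) continue; // same-site content is not counted
      if (!this.seenOn.has(third)) this.seenOn.set(third, new Set());
      this.seenOn.get(third).add(firstParty);
    }
  }

  // True once the host's site was seen as third party on more than n sites.
  isFiltered(host) {
    const sites = this.seenOn.get(siteOf(host));
    return sites !== undefined && sites.size > this.threshold;
  }

  // Subresource requests that would still be sent for a page.
  allowedRequests(pageHost, resourceHosts) {
    const firstParty = siteOf(pageHost);
    return resourceHosts.filter(
      (h) => siteOf(h) === firstParty || !this.isFiltered(h));
  }
}

// Constructed browsing history (all hosts are made up).
const visits = [
  ['www.news.example', ['static.news.example', 'px.adnet.example', 'cdn.libhost.example']],
  ['www.shop.example', ['px.adnet.example', 'cdn.libhost.example', 'widgets.maps.example']],
  ['www.bank.example', ['px.adnet.example', 'cdn.libhost.example']],
  ['www.blog.example', ['px.adnet.example', 'cdn.libhost.example', 'widgets.maps.example']],
];

function demo(threshold) {
  const obs = new ThirdPartyObserver(threshold);
  for (const [page, resources] of visits) obs.observe(page, resources);
  return {
    beacon: obs.isFiltered('px.adnet.example'),
    library: obs.isFiltered('cdn.libhost.example'),
    rare: obs.isFiltered('widgets.maps.example'),
    nextPage: obs.allowedRequests('www.forum.example',
      ['img.forum.example', 'px.adnet.example', 'cdn.libhost.example', 'widgets.maps.example']),
  };
}

console.log(demo(3));
```

With n = 3 the beacon host and the script library host are both filtered on the next site visited, because the counter sees only how widely a host is embedded, not what its content does.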

  • Anonymous
    August 02, 2010
    Is the IE Team going to include some protection in IE9 against the potential privacy issues regarding CSS :visited? blog.mozilla.com/.../plugging-the-css-history-leak The Mozilla Team seems to be pretty serious about it. Thank you.

  • Anonymous
    August 02, 2010
    @James: We haven't made any announcements about that topic. You might be interested in checking out blogs.msdn.com/.../csshistoryprobing.aspx which explains the issue and the already-available mitigations present in IE8.

  • Anonymous
    August 02, 2010
    @EricLaw [MSFT]: Thanks! It is an interesting reading. I hope you'll manage to further improve mitigations/solutions for IE9.

  • Anonymous
    August 02, 2010
    There is a fairly decent free adblocker for IE called Simple Adblock. It seems to be growing fast after several updates in early 2010. After installation you are asked whether privacy filters should be set, which should block tracking cookies.

  • Anonymous
    August 02, 2010
    How about...this: Microsoft just listens to its customers for once instead of the Redmondland Marketeers? I swear...every time there's a debate to be had about consumers and bottom lines with no balance in sight, it's always sales and marketers that end up saying, "but doing good for the customer is...NO!" Almost sounds like a U.S. political party I know. As for those who might say that providing that extra length of privacy would break sites, how about NOT MAKING SITES THAT BREAK WITH PRIVACY ENABLED? Sounds like a big "DUH" moment here. So...DUH!!!

  • Anonymous
    August 02, 2010
    You're a genius-- I'm sure no one ever considered that sites could simply not infringe on the user's privacy, and then everything would be golden. Thanks for solving this problem for everyone! Now, onto resolving world peace!

  • Anonymous
    August 02, 2010
    The comment has been removed

  • Anonymous
    August 02, 2010
    What "setup process" are you referring to? Given that there's an icon in your status bar which plainly shows when Filtering is on and when it's not, I'm not sure how you failed to notice this.

  • Anonymous
    August 02, 2010
    Why aren't all index.dat files wiped when deleting browser history? Among the various index.dat (there are more than 10 index.dat on my pc), the following are NOT wiped: C:\Users\<Username>\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat C:\Users\<Username>\AppData\Local\Microsoft\Windows\History\History.IE5\MSHistnumber\index.dat Could this be a bug? It would be very good for privacy if IE wiped ALL index.dat files when deleting browser history.

  • Anonymous
    August 02, 2010
    It's just a drop in the ocean, but... at this point, I'd like to thank Dean and the crew for standing up to the higher-ups concerning our privacy. Nevermind that in the end you had to compromise. Thanks guys.

  • Anonymous
    August 03, 2010
    The comment has been removed

  • Anonymous
    August 03, 2010
    @David: The Restricted Sites UI is simpler to use (for a small number of hosts) since you don't have to run an elevated text editor and manually edit a hard-to-find file. Notably, however,  HTTP requests are still made for hosts in the restricted sites Zone-- the Zone blocks the sending or setting of cookies and the ability to run script or ActiveX objects, but doesn't block the request. So, if you want to block static images and are worried about information in the request URL, then the Hosts file is the way to go. If you're worried only about script and cookies, then the Restricted Zone should suffice.

  • Anonymous
    August 03, 2010
    The comment has been removed

  • Anonymous
    August 03, 2010
    Thanks Eric!

  • Anonymous
    August 03, 2010
    IE8 InPrivate mode filtering is not a complete solution for privacy.  It has been mentioned and proven several times that IE has history issues outside of regular IE browsing as it shares its "history" with the operating system.  Until the IE Team has sorted out the various privacy breaches with Windows Exploring and Windows Media Player - please stop posting that using IE8 InPrivate Mode ensures that no private information is leaked as that is currently a proven fallacy.

  • Anonymous
    August 03, 2010
    The comment has been removed

  • Anonymous
    August 04, 2010
    I lost a lot of respect for this blog after reading this post. What a load of complete nonsense "Users are in control of several privacy protection features in IE" - actually, they aren't, as pointed out by the many news articles that surfaced over the weekend. Has this turned into a politician's blog? Did you even write this, or did your legal team/upper management do so? I love how you completely change the topic at the end "but we're good at security!" which has nothing to do with the issue at hand - the fact InPrivate Filtering was neutered by your upper management. Don't waste our time with nonsense like this.

  • Anonymous
    August 04, 2010
    I lost a lot of respect for your comment after reading it. You failed to identify any actual problem and point generically to the poor reporting from the mainstream media that something's amiss. Don't you find it a bit suspicious that the primary source they cited was a disgruntled MS executive who got fired? This post (and the comments) plainly explain how simple it is to turn on InPrivate Filtering (it's a regkey, for crying out loud) permanently if you're too lazy to click the icon once in a while. Of course, when you find that the feature breaks sites you care about, then you'll turn it off and find that the IE default behavior suddenly makes a lot more sense. Think. Then post.

  • Anonymous
    August 04, 2010
    The comment has been removed

  • Anonymous
    August 04, 2010
    @What: It's been mentioned several times elsewhere on this very blog, but you actually can turn InPrivate Filtering on by default. It's pretty easy actually:

  1. Launch Regedit.exe and navigate to: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\PrivacIE
  2. Create a new DWORD value named StartMode
  3. Double-click StartMode, click the text form and enter 1.

    Enabling this by default would break a ton of sites though, as shared scripts are used across an increasingly entangled web to deliver content. I've also seen people import .xml files with the list from Adblock Plus to give IE 8 adblock functionality, although there isn't a way to auto update the list...

  • Anonymous
    August 04, 2010
    I have an interesting thing I found out. In IE on Windows 7, if you click an Internet shortcut that's on the desk, it will open. After I'm done browsing, I close the window, then open a new one with the Start menu Internet icon, and it sometimes asks if I'd like to restore my session, or it remembers cookies from the previous session even though it's not supposed to. So why does it do that?

  • Anonymous
    August 04, 2010
    8675309: The prompt about restoring your session indicates that one of your add-ons is hanging or crashing on shutdown. As for the fact that your session cookies are preserved, this can also be a symptom of such a hang, because the "zombie" process keeps the session alive. blogs.msdn.com/.../session-cookies-sessionstorage-and-ie8.aspx

  • Anonymous
    August 06, 2010
    The comment has been removed

  • Anonymous
    August 10, 2010
    It also sometimes happens on Vista as well, but not that often.