Eric L. Howes
April 2nd, 2002, 10:56 PM
Hi All:
Although it's been a while, some of you may remember the two long threads from last year in which a number of DSLR members hashed out the new Privacy settings in Internet Explorer 6.0:
"IE6 and Cookies"
www.dslreports.com/forum/remark,1346935;root=security,1;mode=flat;start=0
"IE6 does not handle cookies the same"
www.dslreports.com/forum/remark,1462205;root=security,1;mode=flat;start=0
A number of good resources resulted from those discussions, including several pages on my web site devoted to IE 6.0...
"P3P & Internet Explorer 6.0 Privacy Info"
www.staff.uiuc.edu/~ehowes/info2.htm
"Internet Privacy w/ IE6 & P3P: A Summary of Findings"
www.staff.uiuc.edu/~ehowes/ie6-p3p.htm
...as well as downloadable files that you can use to configure IE 6.0's handling of cookies:
Internet Explorer 6.0 Resources
www.staff.uiuc.edu/~ehowes/resource5.htm
One thing that I never got around to doing during those original discussions, though, was putting together a comprehensive summary of the failings and shortcomings of IE 6.0. With the help of R2, however, I've returned to the question of Internet Explorer 6.0's Privacy settings and its handling of cookies, and finally assembled that summary list of problems with Internet Explorer 6.0. You can find this summary on my Privacy Policy page (which is more of an anti-Privacy Policy than anything else):
www.staff.uiuc.edu/~ehowes/priv-pol.htm#ie6-p3p
The most significant result of this decision to revisit the question of IE 6.0 is that R2 and I were able to gain a better understanding of the Privacy Settings slider bar. In fact, after looking again at Microsoft's (confusing) documentation, we decided that the table that R2 originally put together to document the effects of the various slider levels on cookies...
www.dslreports.com/forum/remark,1346935~root=security,1~mode=flat;start=160#1437080
...needed to be re-worked. You can find an updated version of that table on the Privacy Policy page mentioned above.
Once we re-worked R2's table in the light of our better understanding of what Microsoft considers "acceptable" "consent" on the part of web surfers, several important things immediately became clear:
First, the slider bar blocks EVEN FEWER COOKIES than we had originally thought it did. It's even clearer now that the slider bar is without question the WORST method IE 6.0 offers to configure cookies. And yet most users will go for the slider bar because of its apparent simplicity, as well as the vapid, reassuring descriptions it offers for the various slider levels.
Second, the default Privacy settings for Internet Explorer 6.0 are lax and provide no meaningful privacy protection. At the default "Medium" setting, most cookies are accepted, even those from major third-party advertisers and marketers like Doubleclick. Thus, IE 6.0 puts the onus on users (not the web sites) to put a stop to privacy invasive practices of web sites. And to take back their privacy, those users -- who might have initially thought IE 6.0 would significantly improve their privacy protection straight "out-of-the-box," given all the hype -- will have to figure out IE 6.0's complicated Privacy settings themselves. And just how clear and helpful are those Privacy settings? Not very.
Third, the Privacy Settings slider bar treats opt-in and opt-out policies *identically.* With but two exceptions, IE 6.0 regards both opt-in and opt-out provisions within compact policies as sufficient "consent" to classify the compact policy as "acceptable" or "satisfactory," even when "personally identifiable" information is used. This is a *major* concession to the online marketing and advertising industry inasmuch as it effectively values the commercial needs of marketers and advertisers over the privacy of web surfers. (The two exceptions are at the "High" level in first-party and third-party contexts, and the "Medium-High" level in third-party contexts.)
Fourth, the privacy levels used by the Privacy Settings slider bar provide less useful control over third-party cookies than they could or ought to. The handling of cookies from major third-party advertisers and marketers like Doubleclick (who will almost always have "acceptable" compact policies) is especially problematic. With the Privacy Settings slider bar, there is no way to block these cookies (or even "downgrade" them to session cookies, rendering them worthless for the marketers involved) except by choosing the "Block All" setting, which for most users who surf the net is not a viable option.
What Microsoft's reasoning for this arrangement might be is puzzling, as third-party cookies almost never provide web surfers with direct, substantive benefits; they are almost exclusively designed and used to benefit marketers and advertisers. (And, no, "personalized" advertising and direct marketing do NOT count as significant benefits to the end user or web surfer.) To the skeptical, it would at least appear that IE 6.0's Privacy Settings slider levels were explicitly designed to protect the cookies of major third-party advertisers and marketers like Doubleclick.
Fifth, IE 6.0's reliance on P3P compact policies strongly suggests that the mere existence of privacy policies is the most important standard in determining how privacy friendly a web site is. Thus, IE 6.0 paradoxically presents major advertisers and marketers like Doubleclick -- who will almost always have "acceptable" compact policies -- as more privacy friendly than small web sites that collect very little if any data at all about users but who don't have compact policies. Strange days indeed on the increasingly corporatized WWW.
There are still more reasons to doubt the efficacy of Internet Explorer 6.0's Privacy protections, and you can find them detailed on my newly revised Privacy Policy page:
www.staff.uiuc.edu/~ehowes/priv-pol.htm#ie6-p3p
By the way, that page discusses corporate privacy policies and the use of privacy seal programs more generally, and it even includes a gloss of Yahoo's latest privacy policy.
Internet Explorer 6.0's Privacy settings are complicated and confusing, so please don't hesitate to ask questions about any of this new material on IE 6.0. Hope you all find it interesting and useful.
All the best,
Eric L. Howes
added url tags in order to make links functioning - Forum Admin
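An added illustration of the post's third point (not part of the original post and not Microsoft's code): a simplified Python model of how a compact policy's opt-in and opt-out attributes are judged at each slider level and context. The three opt-in-only cases are taken from the post; the token groupings (drawn from the P3P 1.0 compact-policy vocabulary), the function names and the sample headers are assumptions constructed for this example.

```python
import re

# Simplified model, not IE 6.0's implementation. Token names come from the
# P3P 1.0 compact-policy vocabulary; the two groupings below are assumptions.
PII_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}
CONSENT_USES = {"SAM", "OTR", "UNR", "PUB", "IVA", "IVD", "CON", "TEL", "OTP"}

# Per the post: the only (level, context) pairs where opt-out is not enough.
OPT_IN_REQUIRED = {("High", "first"), ("High", "third"), ("Medium-High", "third")}

def parse_compact_policy(header_value):
    """Extract the token list from a P3P header value like 'CP="DSP OUR"'."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', header_value, re.IGNORECASE)
    return match.group(1).split() if match else []

def consent_of(token):
    """Split a token into its 3-letter base and its consent attribute."""
    base, suffix = token[:3].upper(), token[3:].lower()
    return base, {"i": "opt-in", "o": "opt-out"}.get(suffix, "none")

def policy_verdict(header_value, level, context):
    """Return 'no-policy', 'acceptable' or 'unacceptable' for one cookie."""
    if level == "Block All":
        return "unacceptable"
    tokens = [consent_of(t) for t in parse_compact_policy(header_value)]
    if not tokens:
        return "no-policy"          # handling of policy-less cookies not modelled
    if not any(base in PII_CATEGORIES for base, _ in tokens):
        return "acceptable"
    allowed = {"opt-in"} if (level, context) in OPT_IN_REQUIRED else {"opt-in", "opt-out"}
    for base, consent in tokens:
        if base in CONSENT_USES and consent not in allowed:
            return "unacceptable"
    return "acceptable"

# Constructed sample headers (not captured from any real site).
OPT_OUT_POLICY = 'CP="DSP COR IVAo CONo OUR ONL NAV"'
OPT_IN_POLICY = 'CP="DSP COR IVAi CONi OUR ONL NAV"'
NO_CONSENT_POLICY = 'CP="DSP COR IVA CON OUR ONL NAV"'

if __name__ == "__main__":
    for level, context in [("Medium", "third"), ("Medium-High", "first"),
                           ("Medium-High", "third"), ("High", "first")]:
        print(level, context, policy_verdict(OPT_OUT_POLICY, level, context))
```

In this model an opt-out-only policy from a third party passes at "Medium" and is rejected only at the levels the post names as exceptions or at "Block All".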