IE6 and Cookies

Discussion in 'privacy technology' started by Eric L. Howes, Apr 2, 2002.

Thread Status:
Not open for further replies.
  1. Hi All:

    Although it's been a while, some of you may remember the two long threads from last year in which a number of DSLR members hashed out the new Privacy settings in Internet Explorer 6.0:

    "IE6 and Cookies"
    www.dslreports.com/forum/remark,1346935;root=security,1;mode=flat;start=0

    "IE6 does not handle cookies the same"
    www.dslreports.com/forum/remark,1462205;root=security,1;mode=flat;start=0

    A number of good resources resulted from those discussions, including several pages on my web site devoted to IE 6.0...

    "P3P & Internet Explorer 6.0 Privacy Info"
    www.staff.uiuc.edu/~ehowes/info2.htm

    "Internet Privacy w/ IE6 & P3P: A Summary of Findings"
    www.staff.uiuc.edu/~ehowes/ie6-p3p.htm

    ...as well as downloadable files that you can use to configure IE 6.0's handling of cookies:

    Internet Explorer 6.0 Resources
    www.staff.uiuc.edu/~ehowes/resource5.htm

    One thing that I never got around to doing during those original discussions, though, was putting together a comprehensive summary of the failings and shortcomings of IE 6.0. With the help of R2, however, I've returned to the question of Internet Explorer 6.0's Privacy settings and its handling of cookies, and finally assembled that summary list of problems with Internet Explorer 6.0. You can find this summary on my Privacy Policy page (which is more of an anti-Privacy Policy than anything else):

    www.staff.uiuc.edu/~ehowes/priv-pol.htm#ie6-p3p

    The most significant result of this decision to revisit the question of IE 6.0 is that R2 and I were able to gain a better understanding of the Privacy Settings slider bar. In fact, after looking again at Microsoft's (confusing) documentation, we decided that the table that R2 originally put together to document the effects of the various slider levels on cookies...

    www.dslreports.com/forum/remark,1346935~root=security,1~mode=flat;start=160#1437080

    ...needed to be re-worked. You can find an updated version of that table on the Privacy Policy page mentioned above.

    Once we re-worked R2's table in the light of our better understanding of what Microsoft considers "acceptable" "consent" on the part of web surfers, several important things immediately became clear:

    First, the slider bar blocks EVEN FEWER COOKIES than we had originally thought it did. It's even clearer now that the slider bar is without question the WORST method IE 6.0 offers to configure cookies. And yet most users will go for the slider bar because of its apparent simplicity, as well as the vapid, reassuring descriptions it offers for the various slider levels.

    Second, the default Privacy settings for Internet Explorer 6.0 are lax and provide no meaningful privacy protection. At the default "Medium" setting, most cookies are accepted, even those from major third-party advertisers and marketers like Doubleclick. Thus, IE 6.0 puts the onus on users (not the web sites) to put a stop to privacy invasive practices of web sites. And to take back their privacy, those users -- who might have initially thought IE 6.0 would significantly improve their privacy protection straight "out-of-the-box," given all the hype -- will have to figure out IE 6.0's complicated Privacy settings themselves. And just how clear and helpful are those Privacy settings? Not very.

    Third, the Privacy Settings slider bar treats opt-in and opt-out policies *identically.* With but two exceptions, IE 6.0 regards both opt-in and opt-out provisions within compact policies as sufficient "consent" to classify the compact policy as "acceptable" or "satisfactory," even when "personally identifiable" information is used. This is a *major* concession to the online marketing and advertising industry inasmuch as it effectively values the commercial needs of marketers and advertisers over the privacy of web surfers. (The two exceptions are at the "High" level in first-party and third-party contexts, and the "Medium-High" level in third-party contexts.)

    Fourth, the privacy levels used by Privacy Settings slider bar provide less useful control over third-party cookies than they could or ought to. The handling of cookies from major third-party advertisers and marketers like Doubleclick (who will almost always have "acceptable" compact policies) is especially problematic. With the Privacy Settings slider bar, there is no way to block these cookies (or even "downgrade" them to session cookies, rendering them worthless for the marketers involved) except by choosing the "Block All" setting, which for most users who surf the net is not a viable option.

    What Microsoft's reasoning for this arrangement might be is puzzling, as third-party cookies almost never provide web surfers with direct, substantive benefits; they are almost exclusively designed and used to benefit marketers and advertisers. (And, no, "personalized" advertising and direct marketing do NOT count as significant benefits to the end user or web surfer.) To the skeptical, it would at least appear that IE 6.0's Privacy Settings slider levels were explicitly designed to protect the cookies of major third-party advertisers and marketers like Doubleclick.

    Fifth, IE 6.0's reliance on P3P compact policies strongly suggests that the mere existence of privacy policies is the most important standard in determining how privacy friendly a web site is. Thus, IE 6.0 paradoxically presents major advertisers and marketers like Doubleclick -- who will almost always have "acceptable" compact policies -- as more privacy friendly than small web sites that collect very little if any data at all about users but who don't have compact policies. Strange days indeed on the increasingly corporatized WWW.

    There are still more reasons to doubt the efficacy of Internet Explorer 6.0's Privacy protections, and you can find them detailed on my newly revised Privacy Policy page:

    www.staff.uiuc.edu/~ehowes/priv-pol.htm#ie6-p3p

    By the way, that page discusses corporate privacy policies and the use of privacy seal programs more generally, and it even includes a gloss of Yahoo's latest privacy policy.

    Internet Explorer 6.0's Privacy settings are complicated and confusing, so please don't hesitate to ask questions about any of this new material on IE 6.0. Hope you all find it interesting and useful.

    All the best,

    Eric L. Howes

    Added URL tags to make the links work. - Forum Admin
     
  2. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    I went looking around one night for a way to make my web site P3P compliant. Every single place I found wanted to charge an arm and a leg to generate the code for it. I decided against it, thus my site is not P3P compliant.
    Of course, I don't use cookies anyway, except on my message boards. It still annoys me to think IE6 is categorizing my site as privacy unfriendly while saying DoubleClick is just peachy.
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Eric - Thank you for validating my decision (and my advice to many people) not to 'upgrade' to IE6. Pete

    "IE5.5 - Forever?"  :)
     
  4. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    =( Noooooooooooo nooooo, I just updated to IE 6 yesterday on my Windows ME and the massive 8000KB critical update.

    I got all kinds of security. Am I still at risk? Blaze in tears =(
     
  5. Mr. Blaze:

    You asked:

    > I got all kinds of security. Am I still at risk? Blaze in tears =(

    IE 6.0 can be a safe browser, but you have to take the initiative to configure it correctly. That means using some other strategy than the P3P-based Privacy Settings slider bar to configure cookie handling. A good start would be the Advanced Privacy Settings -- at the very least turn third-party cookies off.

    Still better, turn all cookies off in Advanced Settings (or push the slider bar to Block All) and start adding sites you want to accept cookies from to the Trusted zone or the Per Site Privacy Actions.

    You might also look into using one of the custom XML Import files from the XML-Menu package on this page:

    http://www.staff.uiuc.edu/~ehowes/resource5.htm#files

    ...to configure cookie handling.

    Next, lock down your Internet zone security settings -- that means all scripting, ActiveX, Java, and what not Disabled. Sites that you trust and that require any of the above can be added to the Trusted zone.

    If you'd rather not deal with the bother of a tight Internet zone (many sites will break until you add them to the Trusted zone), then consider downloading and installing IE-SPYAD, which will add a long list of known advertisers and spyware pushers to the Restricted zone:

    http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

    By the way, I'm going to be making some tweaks to that IE6-P3P summary over the next few days -- in particular I'm going to be fleshing out the alternatives listed in the conclusion.

    If any of the above isn't clear, please don't hesitate to ask questions.

    All the best,

    Eric L. Howes
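    Eric's advice above (third-party cookies off, the Internet zone locked down, trusted sites moved to the Trusted zone, known advertisers pushed to the Restricted zone) corresponds to per-zone values under IE's Internet Settings registry keys. The .reg file below is an added illustration of those settings, not one of the files from Eric's site or the IE-SPYAD package; the domains are placeholders, and the mapping of "1A05"/"1A06" to the Advanced Privacy third-party cookie options is assumed from Microsoft's documented zone value names rather than taken from this thread.

```reg
REGEDIT4

; Internet zone (Zones\3): the lockdown Eric describes.
; 1400 = Active scripting, 1200 = Run ActiveX controls and plug-ins
; (0 = enable, 1 = prompt, 3 = disable).
; 1C00 = Java permissions (0 = Disable Java).
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000003
"1200"=dword:00000003
"1C00"=dword:00000000
; Assumed: 1A05 = third-party persistent cookies, 1A06 = third-party
; session cookies, 3 = block. This is the registry side of "turn
; third-party cookies off" in Advanced Privacy Settings.
"1A05"=dword:00000003
"1A06"=dword:00000003

; Trusted zone (zone 2) for a site you choose to accept cookies and
; scripts from. "trusted-site.example" is a placeholder domain.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trusted-site.example]
"*"=dword:00000002

; Restricted zone (zone 4) for an ad server, the same mechanism
; IE-SPYAD uses for its list. "ad-server.example" is a placeholder.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ad-server.example]
"*"=dword:00000004
```

    Import with regedit after exporting the existing Internet Settings key so the change can be reversed; the REGEDIT4 header is accepted by both the Windows 9x/ME and the Windows 2000/XP registry editors.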
     
  6. Mike:

    You wrote:

    > It still annoys me to think IE6 is categorizing
    > my site as privacy unfriendly while saying
    > DoubleClick is just peachy.

    I agree completely. If you haven't already, check out the page at DoubleClick that I link to where DC discusses how its cookies will be handled by IE 6.0. And to think that when IE 6.0's P3P implementation was first announced early 2001, all the tech media were filled with stories about how DC was dead meat.

    Eric L. Howes
     
  7. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Are DC's cookies of a standard format?  If so, a little creative filtering with Proxomitron could render them entirely subversive...
     
  8. checkout:

    You asked:

    > Are DC's cookies of a standard format?

    So far as I know they are, but then I'm no connoisseur of cookies. ;-)

    Best,

    Eric L. Howes
     
  9. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Looks like some inventive minds have got there before me... CookieCutter. I'm going to give this one a good try.
     
  10. ** Update ** IE6 and Cookies

    Hi All:

    Just thought I'd let you know that I've updated the Privacy Policy page with all the new Internet Explorer 6.0 info in response to the many questions and comments that greeted my last update:

    http://www.staff.uiuc.edu/~ehowes/priv-pol.htm#ie6-p3p

    Major enhancements include:

    * a more complete discussion of alternatives to the Privacy Settings slider bar -- look for the grey-bordered box titled, "Alternatives to the P3P-based Slider Bar in IE 6.0";

    * a short summary of the problems that IE 6.0 encounters with pop-ups/pop-unders and how its handling of pop-ups and pop-unders further erodes IE 6.0's privacy protections;

    * a short discussion of why commercial web sites will almost always have "acceptable" compact policies and why no site would be so stupid as to construct an "unacceptable" one;

    * a succinct discussion of the problem of verifying actual compliance with published compact policies;

    * a major new section towards the end of the document entitled, "But They Have a Choice..."

    I've also embedded a few new links in the text, including one to a Microsoft page that demonstrates that MS never really regarded cookies as much of a problem to begin with:

    http://office.microsoft.com/assistance/2000/FPcookie.aspx

    The other new link sends you to a great critique of "obfuscation in gobbledygooky privacy policies":

    http://ecommerce.internet.com/news/insights/trends/article/0,,10417_1001341,00.html

    If you read the previous version of this Privacy Policy page and were hankering for more -- esp. for info on how to make IE 6.0 privacy friendly -- then come on over and have a look:

    http://www.staff.uiuc.edu/~ehowes/priv-pol.htm#ie6-p3p

    All the best,

    Eric L. Howes
    eburger68@myrealbox.com
     
  11. FanJ

    FanJ Guest

    Hi Eric,

    As always: thanks so much for your info and all your hard work! It's much appreciated! :)
    (although I myself use IE5.5)

    And BTW: thanks also for your reply to my email some days ago about IE-SPYAD, about some issues in the not-for-everyone section (I used my private addy).

    Best regards, Jan.
     