Privacy Uncertain With New IE8 Feature

Microsoft rebuffs claims that browser feature invades user privacy

Redmond today continued to rebuff assertions that a "suggested sites" feature in Internet Explorer 8, currently at Beta 2 release, invades user privacy.

IE8 Beta 2's suggested sites feature sends user information to Microsoft based on the URLs typed into the browser's address bar. It allows the software giant to capture an individual's browsing history only if the Web site loads. The program is not based on keystrokes as many early critics had thought. The URL capture process has come to be known as "phoning home," or encapsulating the user's search and surf patterns.

Cyra Richardson, Microsoft's program manager for the IE team, maintained that the popular browser "phones home only a limited amount of information to Microsoft and that the company discards all user IP addresses almost immediately," Richardson wrote in an e-mail.

Additionally, user permission is required before the feature can be initiated.

Richardson added that if "a user opts in to Suggested Sites, Microsoft collects Web page addresses for sites a user visits (after a URL has been logged to Internet Explorer History), information on user location (down to ZIP code), and the browser version."

The suggested sites feature sends the user's IP address, but Microsoft does not retain it or associate it with the other data collected. Furthermore, according to Redmond, the information is disassociated from the user if the browser history is cleared or the feature is turned off.

"Additionally, when browsing in an InPrivate session, Suggested Sites no longer aggregates suggestions," Richardson said.

However, Microsoft did contend that as of Monday, there remains a glitch in the IE8 Beta 2 version. In the event that the browser needs to be reinstalled, this glitch will keep the user permission request from reinitiating.

User behavior is already tracked to some degree by cookies, which are text files exchanged between a Web server and a user's browser. If enabled by the user, cookies provide a personalized experience on some sites. However, they may also help identify a person when used with other information.

"The real point to argue [with Microsoft] is if the user can decide and is the vendor entirely up front and honest about what information is used and stored," said Andrew Storms, director of security at San Francisco-based nCircle.

Storms saw some reasons for optimism about browser security.

"The good news about these discussions about the phone home features in browsers is that we are having them," he said. "The more we talk about them, the more people become aware of what's going on and the more we can expect vendors to be compliant with the desires of the users."

-- Jabulani Leffall