twitter
facebook 
| IE Patch Highlights Privacy Efforts |
| Sep. 18, 2000 |
Against a steady stream of security concerns, large and small, Microsoft has released a new beta of Internet Explorer (IE) that incorporates special "cookie" management features to give users control over how Internet sites, and particularly advertising agencies, track their use of the Internet. The feature has come under attack from Internet advertisers, however, and Microsoft also faces new challenges in dealing with additional security holes in both IE and Microsoft Office. Cookie Management The major new feature in the IE 5.5 "Advanced Security Privacy Beta" is a feature that refines IE’s cookie management. IE 5 gives users the ability to reject cookies, accept all cookies, or to be prompted before they accept a cookie; the beta adds several features, as follows:
Offering different treatment for first-party and third-party cookies will help users keep track of sites, such as sites that deliver Internet advertising banners or that track users as they visit different sites. This feature has caused considerable alarm in the Internet advertising industry. It sees such cookies as a powerful tool for tracking user behavior on the Web, and for delivering advertising tailored to a Web surfer’s habits and interests, as measured by the types of Web sites they visit. A user who frequently retrieves Web pages—and sees the associated banner ads—from sites popular among women, for example, can be sent an ad oriented to women when she visits a more general site like Yahoo! One of the biggest problems for the Internet advertising industry, which has proposed its own solution for warning users about cookies, is that some of the most popular Web sites handle their own advertising and are less likely to use advertising hosting and delivery sites such as DoubleClick. Cookies sent along with ads from these sites would be considered "first-party" cookies. Smaller sites, more reliant on the agencies to sell their advertising, could encounter far higher resistance from users to the use of cookies, because users would be warned about "third-party" cookies that can track their use of the Internet. The main consolation for advertisers: users who elect to be prompted each time a site wants to use a cookie usually turn off the prompts after a few hours. Many sites send numerous cookies, and users eventually tire of the barrage of "Security Alert" dialog boxes that they receive as they surf the Net. Web Bugs A new type of Internet security threat, dubbed a "Web Bug" (from use of the term "bug" to mean a listening or surveillance device) has emerged for Office users. As Microsoft built HTML authoring and viewing capabilities into Office, it also built in the ability to embed graphic images into those pages which are not embedded in the document, but retrieved from a Web server, similar to the way a standard HTML page is linked to images. The threat: someone who wanted to track the use of a particular Word document, such as a confidential memo, could put a link to a small, transparent image, which would be invisible to anyone who opened the document, into the document. Each time the document was opened, it would retrieve the image from the Web server where the image is stored. Anyone with access to the logs on the Web server could then determine the IP address of any computer that opened the document by looking at all the requests for the image on that server. The request contains the IP address of the requester. For example, a program manager at one company (Company A) could put a reference to an image stored on his company’s Web server into a confidential document describing upcoming product releases. If that document was copied and e-mailed to a competitor, and an employee of the competitor opened the document, an entry would appear in Company A’s Web server indicating that a computer with an IP address owned by the competitor had retrieved the image. The entry would probably not identify the actual computer (or, by extension, the individual user) that opened the document because most IP numbers for individual PCs are hidden by firewalls and are frequently issued dynamically so that they change from session to session. Nevertheless, such an event could provide an early alert of corporate espionage. Web Bugs have been detected in real-world situations. For example, some e-mailed newsletters that are distributed in HTML format contain Web Bugs so that the newsletter distributor can determine, at minimum, how often the e-mail is viewed. This technique compensates for the fact that the Simple Mail Transfer Protocol (SMTP) technology widely used on the Internet does not offer senders an easy way to get a message receipt when someone opens or receives an e-mail, something that many proprietary e-mail systems (such as Exchange) can do. Among those who have admitted to using Web Bugs: online toy retailer Toysrus.com and the U.S. government’s Freevibe antidrug site. Microsoft’s response to the Web Bug controversy was to discuss cookies, a leap that one critic termed "the cookie non-connection." Microsoft’s assurance that Web Bugs are unlikely to expose users to unwanted cookies appears to address only a minor point, and leaves open the potential surveillance dangers posed by the increasing use of Web-related document formats, such as Extended Markup Language (XML), in Microsoft’s Office product line. As more documents are authored, stored, and shipped in Web-friendly formats (i.e., formats that contain hyperlinks to Web sites), the opportunities to use Web Bugs as a form of surveillance will increase. While other document-creation programs can be used to plant Web Bugs, none are likely to be as widely used for such purposes as Microsoft’s. (Microsoft says that 80% of all corporate information is now stored in Office formats.) So far no "live" Web Bugs have been reported. However, in 1999 the author of the Melissa virus was tracked down by investigators who traced a unique IP identifier stored in Microsoft Office documents by default (a patch has since disabled the feature). Although not the same technology as that employed by Web Bugs, this event suggests that being able to trace a particular document over the Internet is of more than theoretical interest. Persistence Microsoft faces similar questions over a potential security hole posed by "persistence," a feature that lets Web pages "remember" information entered by visitors. Web browsers typically "cache" each page a user accesses, so that if the visitor visits the page again, it can be retrieved quickly from the user’s hard disk rather than being sent over the Internet again. IE lets Web authors use DHTML to specify that certain "behaviors" that a user has accessed on a page can be stored with the version of the page that goes into the user’s cache. When the visitor comes to the site again, that information can be retrieved from the cached version of the page and used by the site. Microsoft’s own documents on persistence suggest that it can be used by a site to preserve the state of particular controls from session to session. For example, if a user expands a menu created with DHTML in order to look at lower-level menu items, when the user visits the page again, the menu will be in that same state instead of in its default, closed configuration. Privacy advocates say that the feature could be used by Web sites to identify returning visitors to a site, even if users have turned off the more commonly used cookies in order to preserve their privacy. Persistence will work even if cookies are turned off. Microsoft said it will investigate ways that users can turn off persistence by clearing their cache or other methods. Resources The Advanced Security Privacy Beta can be downloaded from www.microsoft.com/windows/ie/download/preview/privacy.htm. Persistence is described on Microsoft’s Web site at http://msdn.microsoft.com/workshop/author/persistence/overview.asp. An overview of Web Bugs is available at www.privacyfoundation.org/education/webbug.html. |
