IE feature can track Web surfers without warning

Microsoft is investigating a possible privacy loophole in its Internet Explorer browser that could thwart efforts by people who want to surf the Web anonymously.

Paul Festa, Staff Writer, CNET News.com
Paul Festa covers browser development and Web standards.

People surfing the Web incognito may want to think twice before using Internet Explorer.

Microsoft today said it is investigating a possible privacy loophole in its Internet Explorer browser that could thwart efforts by people who want to surf the Web anonymously. The feature in IE 5 and above, referred to by Microsoft as "persistence," is designed to let Web pages remember information, such as search queries, entered by visitors.

But privacy advocates complain, and Microsoft today acknowledged, that the trade-off for that convenience is that Web sites could uniquely identify visitors as they return over time--without any warning from IE.

Microsoft defended the feature and pointed out that the vast majority of Web surfers already are knowingly vulnerable to the same level of exposure.

"This feature has a trade-off, like almost every other feature on the Web--in this case, between functionality and a minor, potential privacy exposure," said Michael Wallent, product unit manager for IE at Microsoft. "The consumer that enables first-party cookies is even more exposed. This should only be an issue for someone who has disabled all cookies and is concerned about unique identification."

The discovery of these potential privacy leaks highlights the difficulties Web surfers face in protecting their personal data online. While high assurances of privacy are hard to come by on the Net, new versions of products with new features may always threaten to undermine steps to guard against online snooping that have proven effective in the past.

"If you disable cookies and there's something that works just like them, what are you supposed to do?" said Richard Smith, chief technology officer of the Privacy Foundation. "The other issue is that if companies perceive that too many people are disabling cookies, they can just use this feature instead."

Cookies are files that Web sites place on visitors' computers that let those sites identify, authenticate and store information about individuals. Most Web surfers let their browsers accept cookies so they can use features such as shopping carts, which depend on the data files.

Though cookies are as common as e-commerce sites on the Web, and though most people accept them, privacy advocates maintain that Web surfers should be given the option of turning them off.

For that reason, Microsoft came under fire this year for not giving its browser customers sufficient warning that Web sites were attempting to place cookies on their computers. The company two weeks ago remedied the problem with an update to IE 5.5 that gives detailed information about incoming cookies, including crucial notification of whether the cookie is coming from the Web site the customer is visiting or from a third-party Web site, such as an advertising company, that might be tracking individuals across numerous Web properties.

Microsoft's Wallent said that the company is investigating whether people can clear the information collected under IE persistence by clearing their cache, where copies of Web files are stored. If that fails, Microsoft will continue looking at options for people concerned about the privacy implications, Wallent said.

In the meantime, IE users can turn off the browser's scripting capabilities, on which IE persistence depends.

The privacy issue was the subject of an advisory posted to the Bugtraq security mailing list by Guille Bisho of Spain.