[first published at The Bridge on August 9, 2018]

What happens when technological innovation outpaces the ability of laws and regulations to keep up?

This phenomenon is known as “the pacing problem,” and it has profound ramifications for the governance of emerging technologies. Indeed, the pacing problem is becoming the great equalizer in debates over technological governance because it forces governments to rethink their approach to the regulation of many sectors and technologies.

The Innovation Cornucopia

Had Rip Van Winkle woken up his famous nap today, he’d be shocked by all the changes around him. At-home genetics tests, personal drones, driverless cars, lab-grown meats, and 3D-printed prosthetic limbs are just some of the amazing innovations that would boggle his mind. New devices and services are flying at us so rapidly that we sometimes forget that most did not even exist a short time ago. At this point, it feels like our smartphones have been in our lives forever, but even just a decade ago, very few of us had one. Likewise, plenty of people now regularly enjoy the benefits of the sharing economy, but ten years ago, Uber, Lyft, and Airbnb did not even exist. Most of the social networking platforms or online video and audio streaming services that we use today had not even been created 15 years ago. Back then, Netflix’s DVD mail subscription service seemed downright revolutionary.

With every innovation comes more questions about how the law should keep pace, or whether it even can. “There has always been a pacing problem,” observes Yale University bioethicist Wendell Wallach, author of  A Dangerous Master: How to Keep Technology from Slipping beyond Our Control. But what Wallach and many other scholars worry about today is that the pace of change has been kicked into overdrive, making it more difficult than ever for traditional legal schemes and regulatory mechanisms to stay relevant. Larry Downes refers to this as “The Law of Disruption.” In his 2009 book on this “law,” Downes showed how “technology changes exponentially, but social, economic, and legal systems change incrementally” and that this law was becoming “a simple but unavoidable principle of modern life.”

Moore’s Law Quickens the Pace

There are three primary reasons the pacing problem is such a force in our modern world. The root cause lies in the power of “combinatorial innovation,” which is driven by “Moore’s Law.”  The Information Revolution spawned a stunning array of new technological capabilities that build on top of one another in a symbiotic fashion. Think about the shared foundational elements of most modern inventions: microchips, sensors, digital code, big data, cloud computing, remote data storage, wireless networking and geolocation capabilities, machine-learning, cryptography, and more. Each of these underlying capabilities is becoming faster, cheaper, smaller, more powerful, and easier to find and use. Innovators are combining them as part of their ongoing search for new and better ways of doing things.

Moore’s Law powers these developments. Moore’s Law is the principle named after Intel co-founder Gordon E. Moore, who first observed in 1965 that “computing would dramatically increase in power, and decrease in relative cost, at an exponential pace” in coming years. Indeed, it has continued to do so for the past half century for many information technologies. A recent Technology Policy Institute white paper noted that “data transit prices fell from about $1200 per Mbps in 1998 to $0.02 per Mbps in 2017.”

These forces are now revolutionizing other sectors as “software eats the world” and innovators utilize these new technologies to address nearly every conceivable need and want. In the field of genetics, the biological equivalent of Moore’s Law is known as the “Carlson curve.” The past two decades have seen the cost of sequencing a human genome fall from over $100 million to under $1,000, a rate nearly three times faster than Moore’s Law.

What the Public Wants, the Public Gets

The second reason the pacing problem is accelerating is that the public wants it to! It is true that many people say they are uneasy with many emerging technologies. When new gadgets and services first gain attention, a “technopanic” attitude often ensues. That is unsurprising because, as others have noted, “fear has gone hand in hand with technological advancements throughout history.”

But societal attitudes toward technological change often shift rapidly. They do so even faster today as citizens quickly assimilate new tools into their daily lives and then expect that even more and better tools will be delivered tomorrow. As more people begin to realize how new technologies improve our lives in meaningful ways, it becomes extremely hard for policymakers to take those innovations away or even tell us not to expect better ones. This relationship between technological change and societal expectations acts as an extraordinarily powerful check on the ability of regulators to “roll back the clock” on innovative activities.

Broken Government Exacerbates the Problem

Finally, the pacing problem is becoming more acute because “demosclerosis” and “kludgeocracy” have taken hold within American government. Jonathan Rauch coined the term demosclerosis in his 1999 book Government’s End: Why Washington Stopped Working to describe “government’s progressive loss of the ability to adapt.” “[A]s layer is dropped upon layer,” he argued, “the accumulated mass becomes gradually less rational and less flexible.”

Instead of cleaning up old legalistic messes and adapting to the times, government solutions are more often clumsily cobbled together to patch past problems and create temporary solutions. Steven Teles refers to this as kludgeocracy. “The complexity and incoherence of our government often make it difficult for us to understand just what that government is doing,” Teles says. Kludgeocracy creates serious costs for individual citizens, governments themselves, and to our democratic systems more generally, he argues. Taken together, demosclerosis and kludgeocracy breed highly dysfunctional governments and make it even easier for the pacing problem to speed ahead.

Can Policymakers Adapt?

Regulators are not oblivious to the challenges posed by the pacing problem. “I have said more than once that innovation moves at the speed of imagination and that government has traditionally moved at, well, the speed of government,” remarked Michael Heurta, head of the Federal Aviation Administration, in a 2016 speech regarding drones. Shortly after Huerta made those comments, the Department of Transportation released a report on the regulation of driverless car technology which noted that “The speed with which [driverless cars] are advancing, combined with the complexity and novelty of these innovations, threatens to outpace the Agency’s conventional regulatory processes and capabilities.”

Food and Drug Administration (FDA) regulators have increasingly referenced the pacing problem when discussing the challenge of keeping up with new medical innovations.  The New York Times recently asked Dr. Peter Marks, director of the FDA’s Center for Biologics Evaluation and Research, how the agency planned to deal with hundreds of “rogue” stem cell treatment clinics. “There are hundreds and hundreds of these clinics,” he said. “We simply don’t have the bandwidth to go after all of them at once.”

The pacing problem has even crept into antitrust enforcement. The US Department of Justice (DOJ) sought to break up Microsoft in the late 1990s, but as the legal proceedings dragged on through the early 2000’s, the market moved and made the DOJ’s case moot. Google Chrome and Mozilla Firefox emerged as legitimate competitors to Microsoft’s Internet Explorer without regulatory remedy. In the end, Microsoft reached a settlement with the DOJ that fell far short of the government’s original ambitions to bust up the firm, all because the market moved at a pace much faster than the regulator’s pace. More recent antitrust action in the US and EU also suffer from the pacing problem. Multi-year antitrust investigations reach conclusions that don’t reflect market trends in the intervening years and offer remedies that may be “too little, too late,” especially in the information technology sector.

Is the Pacing Problem Really the Pacing Benefit?

What should policymakers do in light of these new challenges? The extremes will not work. Lawmakers or regulators cannot simply double-down on the lethargic and unwieldy technocratic regulatory schemes of the past. Command-and-control tactics are not going to be effective in an age when technology evolves in a quicksilver fashion. In a world where “innovation arbitrage” is easier than ever, repressive crackdowns on new tech will often backfire. Evasive entrepreneurs will often move to those jurisdictions where their innovative acts are treated more hospitably. That, too, exacerbates the pacing problem.

From the perspective of many innovation advocates, this will make it seem like the pacing problem is more like the pacing  benefit. Generally speaking, that intuition is sound. Innovation is the fundamental driver of human betterment. We need more “moonshots”—“radical but feasible solutions to important problems”—to ensure that current and future generations enjoy more choices, greater mobility, increased wealth, better health, and longer lifespans. We don’t want archaic regulatory schemes and regimes holding that back.

Constructive Solutions

But policymakers will not abandon oversight of emerging technologies altogether, nor should we want them to. The potential harms associated with some new technologies could be significant enough that a certain degree of regulatory oversight will be required. But the pacing problem means the old, inflexible, top-down approaches will need to be discarded and that the administrative state itself must become more entrepreneurial.

In a forthcoming law review article entitled, “Soft Law for Hard Problems: The Governance of Emerging Technologies in an Uncertain Future,” Jennifer Skees, Ryan Hagemann, and I discuss how “soft law” mechanisms—multi-stakeholder processes, industry best practices and standards, workshops, agency guidance, and more—can help fill the governance gap as the pacing problem accelerates. Many agencies are already tapping soft law tools to help guide the development of new technologies such as driverless cars, drones, the Internet of Things, mobile medical applications, artificial intelligence, and others. In fact, we argue that soft law has already become the dominant form of technological governance for emerging tech in the US.

Critics might decry soft law as either being too lax (and open to private abuse) or too informal (and open to government abuse), but the pacing problem makes both arguments increasingly irrelevant. We need a new governance vision for the technological age. Our new governance systems must be more flexible and adaptive than the heavy-handed regulatory regimes that preceded them.

___________________

Related Reading

• Adam Thierer, “Evasive Entrepreneurialism and Technological Civil Disobedience: Basic Definitions,” The Bridge, July 20, 2018.
• Adam Thierer, “Making the World Safe for More Moonshots,” The Bridge, February 5, 2018.
• Jennifer Skees, “Do You Need a License to Innovate?” The Bridge, June 29, 2018,
• Andrea O’Sullivan & Adam Thierer, “3D Printers, Evasive Entrepreneurs and the Future of Tech Regulation,” The Bridge, August 1, 2018.
• Adam Thierer, “Does “Permissionless Innovation” Even Mean Anything?” Technology Liberation Front, May 18, 2017.
• Adam Thierer, “Wendell Wallach on the Challenge of Engineering Better Technology Ethics,” Technology Liberation Front,  April 20, 2016,

Advocates of regulation will credit regulators for the fact that major browser providers Microsoft and Mozilla are going after online “tracking.” In forthcoming versions of their browsers, they will provide controls that protect against unwanted monitoring even better than the controls that now exist.

When consumer advocates cluster in Washington, D.C., asking federal agencies to solve consumer issues, of course, any progress on the issues will be credited to the threat of coercion. But experiments like these have no controls.

Decisions about the qualities of goods and services are made out at the leading edge of consumer demand, where producers work to anticipate developing public interests. Meeting demand after it has been realized is a recipe for business failure because competitors getting there before the others win market share and profits. Laggards are losers.

You can tell when regulators push for something that does not match up with consumer demand as perceived in the business sector. The regulators get nowhere. That would be the FTC’s call a decade ago for a suite of regulations requiring “notice, choice, access, and security.” The current push for “tracking” controls does appear to meet up with consumer demand, and, again, the browser providers are working on it years ahead of what any regulation would have required.

I’ve put “tracking” in scare quotes because the open question is just what anyone means by the word. The report linked above notes a comment from Google, provider of the Chrome browser:

“The idea of ‘Do Not Track’ is interesting, but there doesn’t seem to be consensus on what ‘tracking’ really means, nor how new proposals could be implemented in a way that respects people’s current privacy controls,” said the company…

Maybe Google will be the laggard and loser for not moving on “tracking” as fast as its competitors. That’s one approach, while Microsoft and Mozilla will each take a different tack to the problem. The result will be an experiment that does have controls. The browser provider that meets up with consumer interests, in the consumer-friendliest way, wins. Such would not be the case if a federal regulation—yes, one-size-fits-all—determined what “tracking” was and how browsers or others would provide protection against it.

Marketplace competition will do better than any other known method for determining what “tracking” means to consumers and what to do about it. There is no privacy advocate, there is no technologist, no advocacy group, nor academic who knows what to do here.

The one thing I recommend is that do-not-track efforts should control the content of the header and the domains the browser communicates with. Simply putting a “do-not-track” signal in the header would punt the problem back to regulators and the cadre that surrounds them. This group would come up with something that satisfies itself, the regulatory community, but that does not digest and reconcile actual consumers’ competing interests in privacy, convenience, access to content, and so on.

Really, what would we do without European antitrust regulators protecting us from the evils of browser innovation? If Microsoft was allowed to actually bundle its Internet Explorer browser alongside its operating system we might actually do something really crazy… like perhaps try it! After all, the latest browser stats make it pretty clear most of us have a choice and that fewer and fewer of us rely on IE. As Erick Schonfeld noted on Tech Crunch today:

The new browser wars on on. More than a decade after Microsoft killed off Netscape with Internet Explorer, competition in the browser market has never been stronger. Just last week, Mozilla released Firefox 3.5, which has now been downloaded nearly 14 million times. Earlier in June, Apple released Safari 4. In March, Microsoft introduced Internet Explorer 8, and Google came out with a speedier beta of its Chrome browser. Some early data is coming in showing relative market share and how fast people are upgrading. If you look at the chart above from Statcounter, it indicates that since March Internet Explorer has lost 11.4 percent market share to other browsers. [..] Where did that go? It went to Firefox, Safari, and Chrome. Nearly 5 percent of that, or about half, went to Firefox 3.0, which currently has 27.6 percent market share. That doesn’t count last week’s upgrade.

Alas, as I pointed out in my essay a few weeks ago (“European Regulators Think Consumers Too Stupid to Know How to Download a Different Browser“), some Euro-crats still seem to believe that changing browsers requires great detective skills to unearth alternatives.  It’s just pure poppycock and yet another sad example of how antitrust law is usually hopelessly behind the times and has absolutely nothing to do with protecting consumers or fostering innovation.

Now, please excuse me while I get back to surfing the Net via Firefox and Chrome (and Opera on my mobile phone). My God, how did I ever find these browser alternatives!

According to Ina Fried of CNet News, Microsoft plans to remove its Internet Explorer web browser from the new versions of Windows 7 when it ships it in Europe later this year. [Additional coverage at ZDNet.]  MS is apparently doing so to assuage the concerns of EU antitrust officials, who have been obsessed with the company for the past decade. [Update: Here is MS official announcement.]

Apparently, European officials think their citizens are too stupid to find an alternative browser.  I mean, seriously, how hard is it?  Does the competition lack name recognition such that consumers can’t find them?  Hmmm… Google and Apple seem to be pretty well known brands, and their browsers (Chrome & Safari) are pretty easy to find.  And then there’s Mozilla’s Firefox browser (my PC favorite) and Opera (my mobile phone favorite), which are outstanding browsers. [Incidentally, Firefox already has 31% share of the European market.]

OK, OK, the regulators might say, but these competitors are just too expensive!  Uh, no, wait… every one of them is free. So, strike that theory.

Well, the regulators need another theory then. How about illegal tying of products and services! You know, there’s only certain sites or services you can use with IE, right?   Nope, that theory doesn’t work either.  And does anyone believe that MS could really tie OS functionality to the use of IE? How long would the world tolerate Outlook e-mails or Word documents that only allowed linking to URLs via IE??  Come on.

OK, any other theories left? Not that I can think of. Which brings us back to the only theory the Euro-crats have left: people are sheep. They’ll take whatever MS bundles into the OS free, you see, and they will use it more than they use competing products.  Thus, we regulators have to save them from their own stupidity! The masses just don’t know what’s good for them!  These free, integrated services are harming them! And, therefore, the only remaining solution is to kill innovation by crippling functionality and removing the free offering. That’s pro-consumer! … or so say the European antitrust bureaucrats.

Meanwhile, back in the real world, a whole lotta innovation continues to take place. But shhhh.. don’t tell the Euro-crats. They need a company to pick on. Welcome to the Theater of the Techno-Absurd.

As noted in the first installment of our “Privacy Solution Series,” we are outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online-and especially to defeat tracking for online behavioral advertising purposes. These tools and methods form an important part of a layered approach that we believe offers an effective alternative to government-mandated regulation of online privacy.

In the last installment, we covered the privacy features embedded in Microsoft’s Internet Explorer (IE) 8. This installment explores the privacy features in the Mozilla Foundation’s Firefox 3, both the current 3.0.7 version and the second beta for the next release, 3.5 (NOTE – The name for the next version of Firefox was just changed from 3.1 to 3.5 to reflect the large number of changes, but the beta is still named 3.1 Beta 2). We’ll make it clear which features are new to 3.1/3.5 and those which are shared with 3.0.7. Future installments will cover Google’s Chrome 1.0, Apple’s Safari 4, and some of the more useful privacy plug-ins for browsers . The availability and popularity of privacy plug-ins for Firefox such as AdBlock (which we discussed here), NoScript and Tor significantly augments the privacy management capabilities of Firefox beyond the capability currently baked into the browser.  In evaluating the Web browsers, we examine:

(1) cookie management; (2) private browsing; and (3) other privacy features

History of Firefox

Firefox descends from the very first graphical web browser, NCSA Mosaic. Mosaic was developed at the National Center for Supercomputing Applications in 1992. The co-author of Mosaic, Marc Andreessen, co-founded Netscape Communications and was the lead developer of Netscape Navigator, which was first released in 1994 and based in part on NCSA Mosaic code. In 1998, Netscape publicly released the source code for the latest version of its browser and created the Mozilla Organization to coordinate its development. AOL acquired Netscape Communications later that year, and when AOL scaled back its involvement with the Mozilla Organization in 2003, the Mozilla Foundation was launched to ensure the browser could survive without Netscape or AOL. The Mozilla Foundation released Firefox 1.0 on November 9, 2004. According to Net Applications, Firefox is currently the second-most popular Web browser after Internet Explorer, with 21.72% of the market in Q1 2009.

Cookie Management

To access Firefox’s basic cookie management and privacy settings, open the “Tools” menu, click “Options,” and then click on the “Privacy” tab to display the following options:

Instead of using a slider, as Internet Explorer does, Firefox gives more direct control over cookies. Users can choose to refuse all cookies, refuse all third-party cookies (see the previous post in this series for an explanation of the difference between first-party cookies and third-party cookies), and/or control when cookies expire. The “keep until” box gives three options:

(1) ” they expire” – Cookies determine their own expiration date.

(2) ” I close Firefox” – Cookies are deleted when you close the browser.

(3) ” ask me every time” – Every time a cookie is sent to the user’s computer, the user is asked if they want to “Allow” the cookie (accept it and let the cookie determine its own expiration date), “Allow for Session” (equivalent to the “I close Firefox” setting), or “Deny.” Firefox can also optionally save the user’s preference for all future cookies received from that website. The “Show Details” button allows true power users to view the contents of each cookie before making a decision, as seen here:

By clicking the “Show Cookies” button in the Privacy tab of the Options dialog box, users can view all of the cookies already saved on their computer and delete individual cookies or all cookies at once.

Finally, by clicking the “Exceptions” button in the Privacy tab of the Options dialog box, users can specify which websites are always or never allowed to set cookies.

In addition to having the option of deleting all cookies whenever the browser is closed, users can clear other types of private data when the browser is closed. The following dialog box is displayed when a user clicks on the “Settings” button in the Privacy tab of the Options dialog box.

Private Browsing

Similar to Internet Explorer 8’s “InPrivate Browsing” feature (see the previous post in this series for more information) and Chrome’s Incognito, Firefox 3.5 will include a new “Private Browsing Mode” that protects so-called “over the shoulder” privacy. To enable Private Browsing Mode, select “Private Browsing” from the Tools menu. To disable Private Browsing Mode and reload all tabs that appeared when you enabled Private Browsing Mode, just uncheck the same “Private Browsing” menu item in the Tools menu. There is a hidden way to make Firefox 3.1 Beta 2 always start in Private Browsing Mode and a plan to possibly provide an easier way to do this in the final 3.5 release, but the only obvious use for this would be on public computers (e.g., at a library or coffee shop) where it can’t be guaranteed that each user will close the browser before leaving.

Other Privacy Features

• Master Password – As more and more can be done online and more and more sites require user accounts (and passwords), having all those passwords stored in your web browser can be a security problem unto itself. Firefox allows you to view saved passwords, but it also allows you to protect all of your site-specific saved passwords with a single master password. Your saved passwords cannot be used to automatically log into websites and other individuals with access to your computer cannot view your saved passwords unless the master password is entered. Firefox also has a password quality meter to show you how secure your master password is from cracking attempts.

• Instant Web Site ID – For all websites with an Extended Validation SSL Certificate, this feature displays the website owner’s name to the left of the URL in the address bar. Clicking on the “favicon” on the left side of the address bar displays additional information about the certificate (whether an Extended Validation Certificate or regular SSL certificate) and whether the connection is SSL-encrypted. A second click displays the Page Info dialog box which reports whether you’ve previously visited the website and how many times, whether the website is storing cookies on your computer (which you can view with another click), and if there are saved passwords for the website on your computer (which you can also view with another click). From the Page Info dialog box you can also view all of the media embedded in the webpage, all of the meta tags in the HTML source code for the page, any RSS feeds on the page, and the permissions in effect for the page.

• Optional automatic phishing and malware protection – Two options in the “Security” tab of the Options dialog box, “Tell me if the site I’m visiting is a suspected attack site” and “Tell me if the site I’m visiting is a suspected forgery,” allow Firefox to automatically protect users from malware (attack sites) and phishing scams (forgery sites). When either of these options is enabled, Firefox automatically checks the URL of the page you’re visiting against a list of reported phishing and/or malware sites that it downloads in the background every 30 minutes. If you navigate to a page on one of these lists, Firefox will double-check that the URL is on the list by sending a cookie to google.com, who maintains the lists of identified malware and phishing sites used by Firefox. The anti-phishing site aspect of this feature is equivalent to Internet Explorer’s SmartScreen Filter.

Conclusion

In terms of privacy, what makes Firefox unique compared to the other popular browsers is the extensive number of add-ons (also called “plug-ins” or “extensions”) designed to protect users’ privacy. Google’s Chrome browser does not currently support third-party add-ons but plans to do so in an upcoming release. Microsoft’s Internet Explorer does support extensions, and Microsoft has a website devoted to cataloging those extensions, but offers nothing like the variety and complexity of the add-ons available for Firefox. The two most popular Firefox add-ons (in terms of total downloads; currently second and fourth most popular in terms of weekly downloads) are specifically related to privacy. Adblock Plus (ABP) uses dynamically-updated “subscriptions” to maintain a list of unwanted third-party content and automatically  block that content from being displayed or run by Firefox. ABP can block Flash code, images, external scripts, stylesheets, frames, tracking cookies, webbugs, html elements, text ads, backgrounds, and any class, id, and any other HTML or CSS tag. By default, ABP allows all such elements unless they are blocked by a filter.  NoScript, by contrast, blocks all Java, JavaScript, Flash, and other plugins unless you explicitly allow them on a particular website  either (i) temporarily for your current session (until you close the browser); (ii) or permanently for all future sessions. Thus, with these two add-ons, Firefox offers security-conscious users a much more secure (and thus private) browsing environment than currently available in other browsers. We already covered Adblock Plus in a previous installment of our Privacy Solutions Series. We plan to cover NoScript and other popular Firefox add-ons such as TorButton and FoxyProxy in future installments.

Additional Reading / Links

• Download Firefox 3.1 Beta 2
• New features in Firefox 3.1 Beta 2
• Privacy & Security add-ons for Firefox
• Wikipedia entry on Firefox

By Adam Thierer, Berin Szoka, & Adam Marcus

As noted in the first installment of our “Privacy Solution Series,” we are outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online-and especially to defeat tracking for online behavioral advertising purposes.  These tools and methods form an important part of a layered approach that we believe offers an effective alternative to government-mandated regulation of online privacy.

In some of the upcoming installments we will be exploring the privacy controls embedded in the major web browsers consumers use today: Microsoft’s Internet Explorer (IE) 8, the Mozilla Foundation’s Firefox 3, Google’s Chrome 1.0, and Apple’s Safari 4. In evaluating these browsers, we will examine three types of privacy features:

(1) cookie management controls; (2) private browsing; and (3) other privacy features

We will first be focusing on the default features and functions embedded in the browsers. We plan to do subsequent installments on the various downloadable “add-ons” available for browsers, as we already did for AdBlock Plus in the second installment of this series.

In this installment, we’ll be taking a look at the privacy-related features in the most popular browser in use today, Microsoft’s Internet Explorer. Specifically, we’ll be examining the most recent version of the browser, IE 8, Release Candidate 1. We’ll make it clear which features are new to IE 8 and those which are shared with IE 7.

Basic Background

Microsoft’s Internet Explorer browser was launched in 1995 and quickly became America’s most popular web browser, displacing Netscape’s Navigator browser. In recent years, IE has faced new challenges from the Mozilla Foundation’s “Firefox” browser, Apple’s “Safari”, the open source “Opera” browser, and others. (For an excellent history / timeline of web browsers, click here.) Despite these new challenges, IE still commands over 70% of the browser market. Like most other web browsers, Internet Explorer is free. So too are the features we are describing here.

Before we get further in the discussion of privacy controls, it’s important for readers to understand the difference between “first-party” and “third-party” content on webpages. Many webpages today contain a combination of content from many different websites, which enables powerful “Web 2.0” functionality like an interactive Google map displayed along with an address or a “Digg This” link in a blog post. Third-party content can also be used to track users across websites and to serve up advertising. All content loaded from the same domain as is displayed in the Address bar is first-party content. All content loaded from other domains is third-party content. Internet Explorer has a “Privacy Report” function that can show you the source for all the different content elements in the current webpage. To access it, select Webpage Privacy Policy from IE7’s Page menu or IE8’s View menu.

Basic Cookie Management Controls

To access Internet Explorer’s basic cookie management and privacy settings, open the “Tools” menu, click “Internet Options,” and then click on the “Privacy” tab to display the following options:

Users can configure the slider on the upper left-hand side of the window to establish their preferred level of cookie privacy. There are 6 options on the sliding scale from which to choose. Starting from the top of the slider bar:

(1)   ” Block all cookies” — Blocks IE from receiving any new cookies and blocks websites from reading any existing cookies on your computer. (Of course, that would greatly inconvenience users that regularly access websites that require information from the user, such as a Web-based email site that requires users to log in every time they access the website.)

(2)   ” High” — Blocks all cookies from websites that do not have a P3P compact privacy policy or that have a compact privacy policy which specifies that personally-identifiable information is used without your explicit consent. Cookies already on your computer can only be read by the site that created them.

(3)   ” Medium High” — “Blocks third-party cookies that do not have a compact privacy policy,” “Blocks third-party cookies that save information that can be used to contact you without explicit consent,” and “Blocks first-party cookies that save information that can be used to contact you without your implicit consent.”

(4)   ” Medium” — This setting “Blocks third-party cookies that do not have a compact privacy policy,” “Blocks third-party cookies that save information that can be used to contact you without your explicit consent,” and “Restricts first-party cookies that save information that can be used to contact you without your implicit consent.”

(5)   ” Low” — This setting “Blocks third-party cookies that do not have a compact privacy policy” and “Restricts third-party cookies that save information that can be used to contact you without implicit consent.”

(6)   ” Allow all cookies” — This setting allows all cookies from any website.

A P3P compact privacy policy is a machine-readable summary of the full P3P specification, which is a standardized method for explaining a website’s privacy policy. So when IE states that it will “block[] third-party cookies that save information that can be used to contact you without your explicit consent,” it means that the cookie will be blocked unless the site has a P3P compact privacy policy that either indicates that only non-identifiable (NOI) information is collected, or that for every data collection PURPOSE and every type of RECIPIENT that the website shares collected data with, the site’s policy is that the user must opt in (“explicitly consent”) to the practice.

When the slider bar is set anywhere other than the “High” and “Low” levels, users can also click the “Sites” button and then specify different cookie security levels for individual websites. The advantage of this approach is that it lets users create their own personal “white lists” and “black lists” of sites for which they either never want cookies blocked, or for which they always want cookies blocked. This increases the privacy-configurability of the browsing experience. For example, the following screen shows two sites that have been whitelisted and two hypothetical sites that have been blacklisted.

In addition, if the user wishes to manually delete their cookies, web browsing history, form data, personal passwords, or other stored information, they can do so on the “General” tab under the “Browsing History” section. Or, in the new IE 8, they can do so under the new “Safety” drop-down menu (in the Command toolbar) under the first option, “Delete Browser History.” They can also configure IE 8 so that all of this data is deleted each time the browser is closed (essentially converting “persistent cookies” into “session cookies,” concepts Adam Marcus has explained previously). The following screen shows how this user is choosing to delete just their temporary Internet files, cookies, and browsing history. Favorite websites are websites the user has bookmarked.

Using these controls, a particularly privacy-sensitive user who only trusted two or three sites-say, their bank and their employer’s website-could allow cookies for only those sites and block cookies for all other websites. Again, this assumes that they do not mind the potential hassles associated with logging-in to many other sites each time they visit or losing custom preferences that would otherwise be stored in a cookie.

Advanced Cookie Management – “InPrivate Filtering”

Microsoft explains its InPrivate Filtering feature as follows:

Today websites increasingly pull content in from multiple sources, providing tremendous value to consumer and sites alike. Users are often not aware that some content, images, ads and analytics are being provided from third party websites or that these websites have the ability to potentially track their behavior across multiple websites. InPrivate Filtering provides users an added level of control and choice about the information that third party websites can potentially use to track browsing activity.

InPrivate Filtering is off by default and must be enabled on a per-session basis. To use this feature, select InPrivate Filtering from the Safety menu.

In “Automatically Block” mode, InPrivate Filtering will automatically block a site if IE finds that site’s content embedded in more than a user-specified number of other sites (the default is 10) visited by the user.  You can also manually control which sites are blocked, and import and export your list of white/blacklisted sites to share that list with others.

The beta version of IE8 included a subscriptions feature that would have allowed users to automatically receive updated white or blacklists from others-much like the subscription feature in AdBlock Plus that we discussed previously. However, this functionality was removed in the “Release Candidate 1” version of IE8 (released Jan. 26, 2009) for unspecified reasons.  While we recognize that not every beta feature makes it into final releases because of challenges in implementation, we very much hope Microsoft will ultimately add the subscription feature to Internet Explorer 8.  InPrivate Filtering goes a long way in empowering truly privacy-sensitive users to take more granular control over their own privacy, but a subscription feature would allow less sophisticated users to rely on groups or other individuals they trust to help them avoid specific sites according to their concerns about privacy or security.  Indeed, we hope that other browser manufacturers consider incorporating such tools into their browsers.  Perhaps the privacy advocates who currently focus on inventing one-size-fits-all regulatory or legislative solutions could channel their enthusiasm about user privacy into actually developing whitelists and blacklists.

Private Browsing

Another new privacy-related feature in Internet Explorer 8 is called InPrivate Browsing mode (akin to “Incognito” mode in Chrome), which protects so-called “over the shoulder” privacy, although that’s a somewhat misleading term. By not saving any record of your web browsing while InPrivate Browsing mode is turned on, this feature ensures that others with access to your computer will not know what websites you have accessed. Some people like being able to refer to their browser history and don’t want to delete all of their cookies, but want to hide all traces of some of their browsing activities-such as shopping online for a surprise gift, searching for information about a medical condition you don’t want to disclose and, most obviously, enjoying pornography).

When the InPrivate Browsing mode is enabled, none of the varieties of “browsing history” data is saved-but none of your previous history is deleted, either. This comes in handy because, if someone with direct access to your computer is monitoring your browser history to see what you’ve been up to, deleting all of your browsing history would suggest that you’ve been doing something you wanted to hide. But InPrivate Browsing mode allows you to surf anonymously when desired-without making it obvious that you’re doing so. Parents who are concerned about their kids using the InPrivate Browsing mode can use the parental controls in Windows Vista to disable it. But there does not appear to be a way to disable InPrivate Browsing on Windows XP.

Below is a screenshot of the InPrivate Browsing mode-which, again, can be enabled by clicking on the new “Safety” drop-down menu in IE 8 and selecting “InPrivate Browsing.”

While InPrivate Browsing is active, the following takes place:

• New cookies are not stored:
  • All new cookies become “session” cookies
  • Existing cookies can still be read
  • The new DOM storage feature behaves the same way
  • New entries will not be saved to the browsing history
• New temporary Internet files will be deleted when the Private Browsing window is closed
• The following data will not be stored:
  • Form data
  • Passwords
  • Addresses typed into the address bar
  • Queries entered into the search box
  • Visited links

Other Privacy Features

• SmartScreen Filter – Called “Phishing filter” in IE 7, this feature monitors and blocks links to malicious downloads. In IE 8, it also monitors links distributed via email and instant messaging (assuming IE is the default Web browser).
• Cross Site Scripting (XSS) filter – Cross-site scripting attacks allow hackers to “inject” malicious scripts into trusted websites, which can then steal the account credentials of users who access these websites. XSS attacks are dangerous because everything looks fine to users and the attackers can gain almost complete access to users’ computers. The XSS filter in IE constantly scans the data received from websites to determine if there is a likely XSS attack and re-writes the data to neutralize the attack.
• ActiveX Opt-In – By default, ActiveX Opt-In disables most ActiveX controls. When a Web page tries to run an ActiveX control, the following text is displayed in an Information Bar: “This website wants to run the following add-on ‘ABC Control’ from ‘XYZ Publisher.’ If you trust the website and the add-on and want to allow it to run, click here …” The user can then choose whether or not to run the ActiveX control.
• Per-Site ActiveX – If a website tries to access an installed ActiveX control that is not permitted to run on the website, this new feature in IE 8 gives the user the option of blocking the attempt, allowing the ActiveX control for the current site, or to allow all websites to access the ActiveX control.
• Domain Highlighting – The domain name of the site you’re viewing is highlighted in the address bar. By making it clearer to the user which website they’re accessing, this feature serves to protect users against phishing attacks from domain names that look like trusted domain names (e.g., www.paypal.com.hax0r.net, which is not PayPal’s actual website).

Additional Reading / Links

• Download Internet Explorer 8
• IEBlog: IE8 and Privacy
• IEBlog: Privacy Beyond Blocking Cookies: Bringing Awareness to Third-Party Cookies
• Jesse Ruderman’s blog post on new security features in IE 8 – Has links to the first five IEBlog posts about new security features in IE 8.
• Wikipedia entry on Internet Explorer

Microsoft’s share of the browser market across all versions of Internet Explorer has dropped, by one estimate, dropped from 78.58%  in December 2007 to 68.15% in December 2008 (or by just under 8% in another estimate).

[IE’s] share dropped from 69.77% in November to 68.15% in December. [During the same period,] Firefox gained more than half a point and ended up at 21.34%, Safari approaches the [10%] hurdle with 7.93% and Chrome came in at 1.04%, the first time Google was able to cross the 1% mark.

This is particularly interesting: 

Since IE6 is used primarily within corporations, its market share is much higher during the week than it is on weekends. As a result, all other browsers gain on weekends and especially during a holiday. Because of that circumstance, Net Applications noted that the December numbers should be taken with a grain of salt. However, it is worth the note that IE6 achieved … market share numbers of about 28% during the week and about 21% on weekends in early 2008. In December, these numbers were down to about 20% during the week and 15% on weekends.    

So, Microsoft still has an established base among corporate users, where IT administrators  generally prevent employees from installing new applications (including browsers) and the sysadmins often don’t roll out alternative browsers across a corporate network for any one of several possible reasons, including:

• They just don’t want to bother having to install, regularly upgrade and support another piece of software;
• They may overestimate the security vulnerability of such alternative browsers compared to Internet Explorer;
• The crustier sysadmins may not realize that today’s browsers are not only free for individual users, but also for corporate users–unlike the old Netscape Navigator; and
• Corporate intranets may be designed for IE, in which case rolling out an alternative browser might cause confusion among less tech-savvy employees.

Microsoft may still have an advantage that could be considered “unfair,” but so what?  IE’s share of home browser usage may have fallen faster among home users than corporate users, but the overall trend line is clear:  increasing numbers of Americans are taking advantage of the rich browser options available to them, both at home and at work.  As Microsoft’s  share of the browser market falls further with each passing year–at an apparently accelerating rate–the concerns about Microsoft’s “dominance” of the browser market that drove the Justice Department’s antitrust jihad against the company a decade ago seem increasingly obsolete. 

If nothing else, the increasing competitiveness of the browser market should be a persistent reminder to those who advocate top-down regulatory “fixes” to perceived iniquities of online markets that competition and innovation may move faster than government regulators or the courts.  

My prediction for 2009:  IE’s overall share will fall even further than it did in 2008, with particularly strong growth in Google Chrome’s market share.

By Berin Szoka & Adam Thierer

As we noted in our intro to this ongoing series, Google’s tenth anniversary has passed with Googlephobia reaching new heights of hysteria.

But is Google really too big and dangerous, or are people just too lazy to find other alternatives to each of the wonderful services that Google offers?  If one is truly paranoid about the firm’s supposed dominance, it doesn’t take much effort to live a Google-free life. To prove it, we set out to find alternatives to each of the services that Google provides.  After awhile, we got a little tired of compiling alternatives in each category and just provided links for the additional choices at your disposal.  It’s tough to see what the fuss is about with the cornucopia of choices at our disposal.  If you don’t like Google, then just don’t use it or any of its services.  The choice is yours.

In each case, we’ve listed Google first, even though Google may not be the market leader ( e.g., Google’s relatively unknown social network Orkut).

Search Engines

• Google
• Microsoft Live Search
• Yahoo!
• Ask.com
• AltaVista
• Cuil
• others: en.wikipedia.org/wiki/List_of_search_engines

eMail

• Google Gmail
• MSN Hotmail
• Apple .Mac/MobileMe
• Yahoo!
• AOL
• others: www.emailaddresses.com/email_web.htm

Encyclopedia

• Knol (Google)
• Wikipedia
• Citizendium
• Microsoft Encarta
• Britannica Online
• World Book Online
• others: www.surfnetkids.com/encyclopedia.htm

Instant Messaging

• Google Talk
• Yahoo Messenger
• Windows Live Messenger (Microsoft)
• AOL AIM
• Jabber
• others: en.wikipedia.org/wiki/Instant_messaging#User_base

Web Browsers

• Chrome (Google)
• Firefox (Mozilla Foundation)
• Internet Explorer (Microsoft)
• Safari (Apple)
• Opera
• Flock
• others: en.wikipedia.org/wiki/List_of_web_browsers

Social Networks

• Orkut (Google) – (not popular in the U.S.)
• Facebook
• Myspace
• Bebo
• LinkedIn
• Friendster
• LiveJournal
• others: en.wikipedia.org/wiki/List_of_Social_network_service

Mapping

• Google Maps
• Microsoft Live Search Maps
• MapQuest
• WikiMapia
• Google Earth
• Virtual Earth (Microsoft)
• others: en.wikipedia.org/wiki/List_of_online_map_services

Mobile Search / Portal Services

• Google mobile
• Yahoo! mobile
• Microsoft Windows mobile & Mobile Live Search
• AOL Mobile

Video Hosting

• YouTube (Google)
• Google Video
• Flickr (Yahoo!)
• Yahoo Video
• Vimeo
• Photobucket
• BlipTV
• others: en.wikipedia.org/wiki/List_of_video_sharing_websites

Photohosting

• Picasa (Google)
• Flickr (Yahoo!)
• Apple .Mac/MobileMe
• Photobucket
• Snapfish
• Shutterfly
• Imageshack
• AOL Pictures
• others: en.wikipedia.org/wiki/Photo_sharing#Online_photo_sharing_websites

Document / Spreadsheet Creation

• Google Docs
• Microsoft Office
• OpenOffice
• ThinkFree Office
• EditGrid
• NumSum
• Zoho Sheet
• Zoho Writer
• ajaxWrite
• Glide Write
• others: www.editgrid.com/user/siulung/Web-based_Spreadsheets_Comparison_Matrix

Online File Storage

• Google Docs
• Windows Live SkyDrive (Microsoft)
• Apple .Mac/MobileMe
• Mozy
• Buzzword (Adobe)
• Xdrive
• Box.net
• others: http://www.listible.com/list/online-file-storage

Blog hosting services

• Blogger (Google)
• Wordpress
• Windows Live Spaces (Microsoft)
• Skyrock (based in France, but bigger than WordPress and almost as big as Blogger)
• LiveJournal
• Note: many social networking services also have a blogging component
• others: http://en.wikipedia.org/wiki/Blog_hosting_service#Developer-hosted

RSS blog feed aggregators

• Google Reader
• My MSN
• My Yahoo!
• NewsGator Online
• Bloglines
• FeedBucket
• others: dmoz.org/Computers/Software/Internet/Clients/WWW/Feed_Readers/Web_Based
• others: www.newsonfeeds.com/faq/aggregators

WebClipping Services

• Google Notebook
• Digg
• Del.icio.us (Yahoo)
• Reddit
• Clipmarks
• Zotero
• WebResearch
• ScrapBook
• Diigo

News Aggregators

• Google News
• Yahoo News
• MSN News & MSNBC (Microsoft)
• News Directory.com
• Reuters
• CNN.com
• Digg
• Topix
• others: news.nettop20.com
• others: newsonfeeds.com/faq/aggregators

Calendar Services

• Google Calendar
• Microsoft Outlook
• Lotus Notes
• Lightning/Sunbird (Mozilla Foundation)
• Apple .Mac/MobileMe
• others: www.calendarzone.com

By Berin Szoka & Adam Thierer as part of an ongoing series

With Google celebrating its 10th anniversary this week, many panicky pundits are using the occasion to claim that Google has become the Great “Satan” of the Internet.  Nick Carr wonders what the future holds for “The OmniGoogle.” The normally level-headed Mike Malone worries that Google is “turning into Big Brother.”  And Washington Post’s Rob Dubbin says that he can’t escape Google’s “tentacles,” even for just 24 hours.  Meanwhile, speculation abounds that the Justice Department is preparing a major antitrust lawsuit against Google concerning its advertising partnership with Yahoo! or perhaps even a broader suit concerning Google’s “dominance” of online advertising generally.

Carr quotes Google co-founder Sergey Brin’s now-famous 2003 interview:

I think people tend to exaggerate Google’s significance in both directions.  Some say Google is God.  Others say Google is Satan.  But if they think Google is too powerful, remember that with search engines, unlike other companies, all it takes is a single click to go to another search engine. People come to Google because they choose to.  We don’t trick them.

In the last five years, Google has become far more than just a search engine.  As Google’s suite of suite of complementary products continues to grow, so too does the specter of Google as an all-knowing and therefore all-powerful economic colossus.  Yet Google isn’t even close to being the sort of nefarious monopolist out to destroy user privacy at every turn, as some seem to imply—if not exclaim.  Indeed, in our view, the Net is overall a far better place because of the existence of Google and the many free services it provides consumers.

Our point is not that Google should be immune from criticism.  Indeed, healthy criticism of corporate actions plays a vital role in the free market by disciplining corporate policies and behavior—often thus providing an effective alternative to government regulation.  This is particularly important in the area of consumer privacy protection, as demonstrated by Google’s quick response to public concern about its Chrome EULA.

We hold no brief for Google and our aim is not to be Google apologists.  In fact, we’ve had more than a few run-ins with Google on many important policy issues in the past ( e.g., on net neutrality, spectrum policy, and the need for “baseline Federal privacy legislation”) and will likely continue to do so in the future.  We are always willing to engage serious, rational discussions about other policy issues involving Google, such as concerns about its alleged market power, but it seems to us that the hysteria about Google’s supposed dominance of the Internet is clouding rational discussion of the policy issues raised by Google, its innovations and its success.  Indeed, the creeping paranoia about all things Google-related that is most evident throughout the blogosphere (but that reaches far beyond it) has produced an environment that resembles nothing so much as a lynch mob:  Angry, short-tempered, out for corporate blood, and unwilling to engage in reasoned discussion.

The specter of Google’s market power driving—and confusing—so many of today’s Internet policy debates is reminiscent of the previous generation of conspiracy theories about how Microsoft, like the Borg (perhaps sci-fi’s scariest villains), would assimilate all in its path—forever controlling the digital revolution.  We don’t want Google to become the victim of the same regulatory & antitrust ordeal that Microsoft has endured over the past decade, with the kind of hysterical claims of Chicken Little-ism that drove a ten-year crusade against Microsoft.  Short-sighted, heavy-handed government intervention can cripple a creative company while doing little to actually benefit consumers because regulators cannot keep pace with technological change—perhaps the only constant fact in the every-changing digital world.

Of course, like all temporal things, Microsoft’s seemingly permanent “monopoly” has faded, and the bulk of the criticism it once faced has shifted focus to Google.  Microsoft continues to be the subject of many unfair attacks because of its success (a/k/a “dominance”) in the OS, office product, and browser markets.  Other companies have experienced similar attacks on a smaller scale:  Facebook and the once-angelic Apple have both been subject to increasing criticism for their success in certain sectors of the digital economy, customer complaints about openness ( e.g., “locked” devices or portability of social networking data) and privacy policies.  The hysteria surrounding Google is not unique in kind, yet it is clear that the mantle of “Great (digital) Satan” has clearly passed from Microsoft to Google.

Thus, we have decided to start a new series of essays on “Googlephobia” (a term that seems to have taken off in the spring of 2005, when the French government seriously proposed creating its own alternative to the Google search engine).  We’ve already penned a few essays on the topic here (as have a number of our TLF colleagues) and, therefore, our next installment in the series will be #5—in which we will outline the many competitors to Google’s many products.

But here are a few of our past essays on the topic, which clearly belong on the list even though they weren’t part of a series at the time:

• Market Forces At Work: The PR Backlash Against Google Chrome’s EULA, by Berin Szoka, September 4, 2008.
• “Cry [Censorship] and Let Slip the Dogs of [Regulation]!” – A Lesson in the Dangers of Googlephobia, by Berin Szoka, July 14, 2008.
• Google, California’s Privacy Policy Law & Our Sci-Fi Future, by Berin Szoka, June 4, 2008
• Is Google Evil? The Never-Ending Search for High-Tech Villainy, by Adam Thierer, June 30, 2005.

And here’s an oldie on the same topic:

• “Google as a Public Utility? No Results in This Search for Monopoly,” by Adam Thierer and Wayne Crews, November 14, 2003.