online ads – Technology Liberation Front
https://techliberation.com

Privacy Polls v. Real-World Trade-Offs
https://techliberation.com/2009/10/08/privacy-polls-v-real-world-trade-offs/
Thu, 08 Oct 2009 14:03:48 +0000

Progress Snapshot 5.10 from The Progress & Freedom Foundation

A recent telephone poll conducted by professors at Berkeley and the University of Pennsylvania concluded, “Contrary to what many marketers claim, most adult Americans (66%) do not want marketers to tailor advertisements to their interest.” The study’s authors claim that their poll is “the first nationally representative telephone (wireline and cell phone) survey to explore Americans’ opinions about behavioral targeting by marketers.” They also assert that the poll indicates that “if Americans could vote on behavioral targeting today, they would shut it down.” Advocates of regulating online data collection have trumpeted this poll as evidence consumers demand legislation to protect their privacy. “This research gives the F.T.C. and Congress a political green light to go ahead and enact effective, but reasonable, rules and policies,” declared Jeff Chester, a leading critic of online advertising.

But what is most surprising about this poll is not that 66% of users said they do not want tailored online ads, but that 34% of users said they did! The key, initial question of “whether or not you want the websites you visit to show you ads that are tailored to your interests,” presents no trade-off. The fact that any users said “yes” indicates that many users paused to do the rough mental math about the unarticulated trade-off between the benefits of receiving tailored ads and the costs of that tailoring.

The methodology of opinion polls necessarily affects respondents’ mental calculations, rendering polls not just easily manipulated, but inherently unreliable as indicators of real preferences. Every poll reflects the bias of its authors to some degree by the way questions are worded, the order in which they are asked, the sample surveyed, etc. The easiest way to bias the results of a poll is to omit any mention of the trade-offs at issue. This poll simply buried the issue of trade-offs in a heavily loaded follow-up question: After telling respondents that marketers “often use technologies to follow the websites you visit and the content you look at in order to better customize ads,” the interviewer asked whether the respondent would allow advertisers to “follow [them] online in an anonymous way in exchange for free content.” Only 10% of users said they would allow this voluntary exchange.

What does this tell us about whether, and how, government should further regulate online advertising? Precious little: Not only does this poll overstate the costs of targeted advertising, understate its benefits, and ignore the tools available to users to address their privacy concerns but, like any opinion poll, this one tells us more about the psychology of decision-making under the artificial uncertainty of polls than about the choices users would actually make in the real world.

User Uncertainty About Concepts Like “Tailoring” and “Following”

Even the word “tailoring”—though benign compared to other words the study’s authors could have used (e.g., “track,” “monitor,” “record”)—is so vague as to leave respondents wondering what it really entails. One can only speculate as to what users thought the word meant (since the poll did not ask), but it seems likely that some of these scarier words probably flashed through the minds of respondents in the instant before they answered the question. Indeed, the word “tailoring” conflates both the costs and benefits of personalized advertising in a single, vague word. Given this ambiguity, it’s hardly surprising that most users would say “no”—not just to receiving tailored advertising (66%), but also to receiving tailored discounts (49%) and news (57%). If users had been asked about receiving “relevant” (rather than “tailored”) ads, the responses probably would have turned out somewhat differently—just as an additional 17% of users agreed to receiving tailored “discounts,” whose value to users is more readily apparent: saving money on potential purchases.

The second set of questions asked users whether it “Would be OK… if these ads [discounts/news] were tailored for you based on following what you do on the website you are visiting… [24% said yes] OTHER websites you have visited… [34% said yes] and OFFLINE—for example, in stores? [25% said yes].” Again, the term “follow” was not defined. A third set of questions explained to respondents that marketers “often use technologies to follow the websites you visit and the content you look at in order to better customize ads.” The interviewer then asked whether the respondent would “definitely allow, probably allow, probably NOT allow, or definitely not allow advertisers” to “follow you online in an anonymous way in exchange for free content”—and only 10% of users said yes. Thus, it appears that users are more, not less, hostile to tailored advertising when reminded of the trade-offs involved (35% yes in the first set of questions, 10% yes in the third). What explains this paradox?

The most obvious explanation is that, by the time the respondent got to the critical question about “allowing” tailored advertising, they had heard the word “follow” at least five times: once in each of the three questions about whether tailoring was OK, once in the introduction about how marketers customize ads and once in the question itself—each time increasing uncertainty as to how “tailoring” really works and more than negating any suggestion of “anonymity.” Furthermore, asking users whether something should be “allowed” implies that there are undisclosed reasons why it should not be. This much is simple psychology—obvious to anyone who wanted to craft a poll that would support a particular regulatory agenda.

But behavioral economics research tells us something even more profound about the way our brains work: human beings hate making choices, and loathe uncertainty even more. Indeed, such “mental accounting” or “mental transaction” costs appear to be the primary reason why, after a decade of efforts to develop a micropayments system that can fund online content and services, no such system has emerged—and thus why Internet publishers instead rely primarily on advertising revenues ($23.5 billion in 2008) to fund “free” offerings for consumers. In this case, merely forcing consumers to consider the costs of “tailoring” and being “followed,” and decide whether these things are “OK” or should even be “allowed” strongly tips the scales in favor of the outcome desired by the study’s authors because these considerations and decisions are significant psychological costs in themselves, which likely outweigh the diffuse benefits of tailored advertising, which users simply do not appreciate.

Indeed, the scale tips so strongly that the study suggests that 73% of Americans object to having ads tailored based on “what you do on the website you are visiting.” Would not this objection apply to purely contextual advertising “tailored” to the keywords entered by a user in a search engine or to the keywords that appear on a particular page to which a user has navigated within a site? If so, this study isn’t just about the bogeyman of “behavioral” advertising, but about essentially all online advertising, which is to some degree “tailored.” Indeed, must lawmakers protect us from the tailoring of news (71%) and discounts (62%) within websites? Or, if data collection is the real harm to consumers, what about the fact that hundreds of millions of people happily share far more personal information every day on social networks or using grocery discount cards? Opinion polls simply cannot answer these questions.

The Direct Benefit of Tailored Ads: Relevance

Whatever Americans tell pollsters about “tailored” ads, they also complain about irrelevant ads: A previous poll found that 72% of consumers “find online advertising intrusive and annoying when the products and services being advertised are not relevant to [their] wants and needs” and 85% say that less than 25% of the ads they see while browsing online are relevant to their wants and needs. Real-world experiments confirm that users reveal a clear preference for more relevant advertising. In a 2004 experiment, click-through rates (CTR) for behaviorally targeted ads were between 94% and 225% higher than for contextually targeted ads. A 2009 study found that the difference could be between 670% and 1000%, depending on how well-tailored the ads were. In other words, users in the real world were two to eleven times more likely to click on highly-tailored ads. Truly, actions speak louder than words: Users clearly “vote with their clicks” for ads they find relevant—i.e., they vote for “tailoring.”

Further reinforcing this conclusion is the fact that better tailoring increases not only click-through rates but also “conversion rates”—the percentage of users who actually complete the action desired by the advertiser, whether that be making a purchase or signing up for a list. A 2008 experiment found increased conversion rates of 400-900%. This indicates that relevant ads really do help consumers find things they like—and that they like the fruits of tailoring, however they respond when asked about “tailoring” as an abstract concept that conflates costs (“How are they following me?”) and benefits (“What’s in it for me?”).

The Indirect Benefit of Tailored Ads: Free Content & Services

Even less apparent to poll respondents than the direct benefit of tailoring (increased relevance) are the indirect benefits: In particular, greater relevance to the user means more effective communication for the advertiser, and increased ad revenue for most online publishers per ad on their sites. Thus, there exists a clear quid pro quo: in effect, users “pay” for content and services by sharing information about their interests. Even more fundamentally, users “pay” for content by seeing ads. But both quid pro quos are implicit: Users can simply choose not to “pay” by using readily available tools in their browser to block ads and/or tracking. In essence, today’s system allows users who don’t like ads—tailored or otherwise—to opt out at little or no cost, much as if they simply decided not to pay for a product they bought at their local grocery store.

This creates a serious dilemma, given that advertising increasingly stands alone as the lifeblood of online content and services. Indeed, ads have long funded the costs of generating content for radio, television, and newspapers (with subscriptions paying only for distribution). The basic reason is simple economics: In competitive markets, prices tend to fall to the marginal cost of production. The Internet has simply borne this theory out in full:

  1. Producing the first unit of content (e.g., a news story or video) remains costly, so while the marginal cost of every additional unit is essentially zero, average cost is not.
  2. The failure of micropayments online seems to confirm that, no matter how low the technological transaction costs are, the mental transaction costs involved combined with even tiny payments will exceed the perceived value of most content.
  3. The world of media scarcity in which consumers could choose from only a few sources of content (e.g., news, entertainment) has given way to a world of staggering media abundance and the choices of users are no longer constrained by the tyranny of physical limitations like distance and printing costs.
  4. Because pure information cannot be copyrighted (and fair use allows significant referencing and quotation), very little content is so unique that users cannot find a ready substitute elsewhere if a site (or even cartel of sites) attempted to charge.

These forces have given birth to the world of “Free,” where few (if any) users will pay for something they can get for nothing. While there are a number of ways to fund content and services, advertising is far and away the leading business model for the new economy: Indeed, the overall advertising market is expected nearly to double its share of total U.S. ad spending from 8.7% in 2008 ($23.4 billion) to 15.2% ($37.2 billion). But with 44% of advertising revenue going to search engines (which show highly “tailored” ads simply based on search terms), hundreds of thousands of publishers—from the mightiest to the tiniest—rely on $7.6 billion (33% of the total) in “display” ad revenue. Yet this base is tiny: Most websites earn a fraction of the revenue generated by offline ads: roughly $0.60 to $1.10 per thousand impressions (CPM) online versus average CPMs of $4.54 (radio) to $10.25 (broadcast). This unprofitability of online advertising, and the fact that certain kinds of online content (e.g., video and online services) do not provide the textual keywords necessary for basic contextual targeting, is driving publishers to ad networks that offer behavioral targeting, which is expected to grow from $525 million in 2007 to $4.4 billion in 2012—when it will represent 25% of all display ad spending.

In short, advertising is indispensable to the future of online media, but it is also currently inadequate to sustain “Free” culture. As Adam Thierer and I warned earlier this year: “The advocates of regulation pay lip service to the importance of advertising in funding online content and services but don’t seem to understand that this quid pro quo is a fragile one: Tipping the balance, even slightly, could have major consequences for continued online creativity and innovation… Something must give because there is no free lunch.” In 2001, long before Google mattered and before he worked for them, Kent Walker (now Google’s general counsel) put it best in a seminal law review article:

Privacy is both an individual and a social good. Still, the no-free-lunch principle holds true. Legislating privacy comes at a cost: more notices and forms, higher prices, fewer free services, less convenience, and, often, less security. More broadly, if less tangibly, laws regulating privacy chill the creation of beneficial collective goods and erode social values… Such regulation would likely increase both direct and indirect costs to the individual consumer, reduce consumer choice, and inhibit the growing trend of personalization and tailoring of goods and services.

Thus, as Jim Harper and Solveig Singleton concluded in their 2001 paper With a Grain of Salt: What Privacy Surveys Don’t Tell Us:

privacy surveys in particular… suffer from the “talk is cheap” problem. It costs a consumer nothing to express a desire for federal law to protect privacy. But if such law became a reality, it will cost the economy as a whole, and consumers in particular, significant amounts that surveys do not and cannot reveal.

We Need a Behavioral Economics Experiment, Not Just Another Poll

The Berkeley-Penn poll could certainly have done more to present these trade-offs to respondents and less to color their responses by inflating mental transaction costs. But even the most “fair” poll cannot meaningfully simulate the trade-offs inherent in the real world. If we really want to know how much subjective value consumers place on a particular aspect of their privacy, we must look to the preferences they reveal in the process of making real choices.

Of course, the best experiment is the one being conducted in the real world every day. No laboratory experiment can ever fully replicate all of the conditions of the real world, but a behavioral economics experiment could tell us more about the revealed preferences of Internet users than any poll. Unlike the real world, an economist could vary certain conditions in a lab experiment to tell us how various changes to current industry practice, user empowerment, or user education might actually affect real consumer choices. At a minimum, any experiment would require the following to inform policymaking about online advertising and privacy.

First, the experiment should vary the mechanisms by which notice is provided to users as to how tailoring works (e.g., placement, interface, wording) and what those notices actually say.

Second, test subjects must make real choices in real use of the Internet with trade-offs in real money and their own time between either paying for access to a particular site or getting access for free in exchange for receiving tailored ads based on at least the three variables presented as questions in the Berkeley-Penn study: (i) users’ browsing activity on that site; (ii) their browsing activity on other sites; and (iii) offline activity or demographic information.

The second variable is critical because it addresses the value created by behaviorally tailored ads, which could be wiped out by regulation. Search engines are able to sell highly effective advertising based solely on information provided directly to the site (search keywords, which are highly indicative of user interest), and some sites can sell lucrative advertising based on purely contextual targeting because their content contains keywords that advertisers value highly (e.g., a site for digital camera enthusiasts). But the vast majority of websites, and especially non-commercial websites, would produce little ad revenue if advertisers could only guess at the likely interests of visitors based on the keywords on that site. This, in a nutshell, is why so many sites stand to gain so much from behavioral targeting—particularly in the Internet’s “Long Tail.” To be useful, an experiment must reflect this dynamic.

In the real world, of course, it might be possible for the user to opt-out of tracking without losing access to content because today’s quid pro quo is implicit and most sites operate on a “No Cost Opt-Out” basis for tracking and even seeing ads. But in order to tell us how much consumers really care about tracking, the experiment must place some value on access to content that is supported by free content and services.

Third, the experiment must examine the extent to which user empowerment affects user choice: If some users are uncomfortable with having their browsing activity tracked, is it because they are concerned about all tracking or only tracking of certain sensitive activities, such as researching medical issues or—everyone’s favorite—viewing pornography? How does the availability of privacy management tools change user choices about ad-tailoring? Do Americans really want tailoring banned, or do they just want the ability to exercise easy choice about when they want to participate? How would those choices change when they come at a cost (e.g., seeing more ads) and privacy-sensitive users cannot simply free-ride off the value created by users who don’t opt-out of targeted advertising (and also don’t block ads)?

Such an experiment would, by its very nature, be imperfect—but far less imperfect than any poll about opinions on privacy. Until a proper experiment is conducted by trained behavioral economists, all we can say with confidence is the following:

  1. Users don’t understand exactly how ads are tailored;
  2. Users seem to be concerned about “tailoring” or “following” in the abstract;
  3. Users are generally unwilling to pay for online content and services; and
  4. Better tailoring of ads means more funding for content and services.

There is only one approach that can address all these concerns: educate users about how online advertising works and how they can implement their own privacy preferences, while constantly striving to further empower users to make privacy management easier.

Privacy Solutions (Part 4): Firefox Privacy Features
https://techliberation.com/2009/03/16/privacy-solutions-part-4-firefox-privacy-features/
Mon, 16 Mar 2009 16:29:29 +0000

As noted in the first installment of our “Privacy Solution Series,” we are outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online, and especially to defeat tracking for online behavioral advertising purposes. These tools and methods form an important part of a layered approach that we believe offers an effective alternative to government-mandated regulation of online privacy.

In the last installment, we covered the privacy features embedded in Microsoft’s Internet Explorer (IE) 8. This installment explores the privacy features in the Mozilla Foundation’s Firefox 3, both the current 3.0.7 version and the second beta for the next release, 3.5 (NOTE – The name for the next version of Firefox was just changed from 3.1 to 3.5 to reflect the large number of changes, but the beta is still named 3.1 Beta 2). We’ll make it clear which features are new to 3.1/3.5 and those which are shared with 3.0.7. Future installments will cover Google’s Chrome 1.0, Apple’s Safari 4, and some of the more useful privacy plug-ins for browsers. The availability and popularity of privacy plug-ins for Firefox such as AdBlock (which we discussed here), NoScript and Tor significantly augment the privacy management capabilities of Firefox beyond the capability currently baked into the browser. In evaluating the Web browsers, we examine:

(1) cookie management; (2) private browsing; and (3) other privacy features

History of Firefox

Firefox descends from the very first graphical web browser, NCSA Mosaic. Mosaic was developed at the National Center for Supercomputing Applications in 1992. The co-author of Mosaic, Marc Andreessen, co-founded Netscape Communications and was the lead developer of Netscape Navigator, which was first released in 1994 and based in part on NCSA Mosaic code. In 1998, Netscape publicly released the source code for the latest version of its browser and created the Mozilla Organization to coordinate its development. AOL acquired Netscape Communications later that year, and when AOL scaled back its involvement with the Mozilla Organization in 2003, the Mozilla Foundation was launched to ensure the browser could survive without Netscape or AOL. The Mozilla Foundation released Firefox 1.0 on November 9, 2004. According to Net Applications, Firefox is currently the second-most popular Web browser after Internet Explorer, with 21.72% of the market in Q1 2009.

Cookie Management

To access Firefox’s basic cookie management and privacy settings, open the “Tools” menu, click “Options,” and then click on the “Privacy” tab to display the following options:

Options dialog box

Instead of using a slider, as Internet Explorer does, Firefox gives more direct control over cookies. Users can choose to refuse all cookies, refuse all third-party cookies (see the previous post in this series for an explanation of the difference between first-party cookies and third-party cookies), and/or control when cookies expire. The “keep until” box gives three options:

(1) “they expire” – Cookies determine their own expiration date.

(2) “I close Firefox” – Cookies are deleted when you close the browser.

(3) “ask me every time” – Every time a cookie is sent to the user’s computer, the user is asked if they want to “Allow” the cookie (accept it and let the cookie determine its own expiration date), “Allow for Session” (equivalent to the “I close Firefox” setting), or “Deny.” Firefox can also optionally save the user’s preference for all future cookies received from that website. The “Show Details” button allows true power users to view the contents of each cookie before making a decision, as seen here:

Confirm setting cookie dialog box

By clicking the “Show Cookies” button in the Privacy tab of the Options dialog box, users can view all of the cookies already saved on their computer and delete individual cookies or all cookies at once.

Cookies dialog box

Finally, by clicking the “Exceptions” button in the Privacy tab of the Options dialog box, users can specify which websites are always or never allowed to set cookies.

Exceptions dialog box
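
The settings above combine into one decision per cookie. The following JavaScript model is an added example, not Firefox's own code: the function and field names, the sample hosts, the two-label site comparison, and the rule that a saved exception is consulted before the global settings are all assumptions of the model.

```javascript
// Added illustration: a model of the cookie settings described above.
// Not Firefox source code; every name below is hypothetical.

// Naive "site" of a host: its last two labels. Real browsers consult the
// Public Suffix List, so this is wrong for suffixes such as co.uk.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// A cookie is third-party when its host belongs to a different site than
// the page shown in the address bar.
function isThirdParty(pageUrl, cookieHost) {
  return siteOf(new URL(pageUrl).hostname) !== siteOf(cookieHost);
}

// Look up a per-site exception, most specific first: the host itself,
// then each parent domain (ads.tracker.example, then tracker.example).
function findException(exceptions, host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < Math.max(1, labels.length - 1); i++) {
    const rule = exceptions.get(labels.slice(i).join('.'));
    if (rule) return rule;
  }
  return null;
}

// Decide what happens to one cookie. Returns 'allow' (cookie keeps its own
// expiry), 'session' (deleted when the browser closes), 'deny', or 'ask'.
// Assumption of this model: a saved exception is consulted before the
// global settings, so it wins in both directions.
function decideCookie(prefs, exceptions, pageUrl, cookieHost) {
  const rule = findException(exceptions, cookieHost);
  if (rule) return rule;
  if (!prefs.acceptCookies) return 'deny';
  if (!prefs.acceptThirdParty && isThirdParty(pageUrl, cookieHost)) return 'deny';
  if (prefs.keepUntil === 'close') return 'session';
  if (prefs.keepUntil === 'ask') return 'ask';
  return 'allow'; // keepUntil === 'expire'
}

// Record the answer to an "ask me every time" prompt. When the user chooses
// to save the preference, the answer becomes an exception for that host.
function answerPrompt(exceptions, cookieHost, answer, remember) {
  if (!['allow', 'session', 'deny'].includes(answer)) {
    throw new Error('unknown answer: ' + answer);
  }
  if (remember) exceptions.set(cookieHost.toLowerCase(), answer);
  return answer;
}

// Constructed sample: one page load on news.example that receives cookies
// from its own hosts and from two unrelated hosts.
const PAGE = 'https://www.news.example/story/42';
const COOKIE_HOSTS = [
  'www.news.example', 'static.news.example',
  'ads.tracker.example', 'widgets.social.example',
];

function simulate(prefs, exceptions) {
  const out = {};
  for (const host of COOKIE_HOSTS) {
    out[host] = decideCookie(prefs, exceptions, PAGE, host);
  }
  return out;
}

// Three configurations: everything accepted, third-party cookies refused,
// and third-party refused with two exceptions on top.
const acceptAll = { acceptCookies: true, acceptThirdParty: true, keepUntil: 'expire' };
const noThirdParty = { acceptCookies: true, acceptThirdParty: false, keepUntil: 'close' };
const sampleExceptions = new Map([
  ['social.example', 'allow'],   // always allowed, although third-party
  ['www.news.example', 'deny'],  // never allowed, although first-party
]);

console.log(simulate(acceptAll, new Map()));
console.log(simulate(noThirdParty, new Map()));
console.log(simulate(noThirdParty, sampleExceptions));
```

The third run shows why the Exceptions list matters when auditing a profile: a single "allow" entry for a parent domain re-admits a third-party host that the global setting would have refused.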

In addition to having the option of deleting all cookies whenever the browser is closed, users can clear other types of private data when the browser is closed. The following dialog box is displayed when a user clicks on the “Settings” button in the Privacy tab of the Options dialog box.

Clear Private Data dialog box

Private Browsing

Similar to Internet Explorer 8’s “InPrivate Browsing” feature (see the previous post in this series for more information) and Chrome’s Incognito, Firefox 3.5 will include a new “Private Browsing Mode” that protects so-called “over the shoulder” privacy. To enable Private Browsing Mode, select “Private Browsing” from the Tools menu. To disable Private Browsing Mode and reload all tabs that appeared when you enabled Private Browsing Mode, just uncheck the same “Private Browsing” menu item in the Tools menu. There is a hidden way to make Firefox 3.1 Beta 2 always start in Private Browsing Mode and a plan to possibly provide an easier way to do this in the final 3.5 release, but the only obvious use for this would be on public computers (e.g., at a library or coffee shop) where it can’t be guaranteed that each user will close the browser before leaving.

Other Privacy Features

  • Master Password – As more and more can be done online and more and more sites require user accounts (and passwords), having all those passwords stored in your web browser can be a security problem unto itself. Firefox allows you to view saved passwords, but it also allows you to protect all of your site-specific saved passwords with a single master password. Your saved passwords cannot be used to automatically log into websites and other individuals with access to your computer cannot view your saved passwords unless the master password is entered. Firefox also has a password quality meter to show you how secure your master password is from cracking attempts.
  • Instant Web Site ID – For all websites with an Extended Validation SSL Certificate, this feature displays the website owner’s name to the left of the URL in the address bar. Clicking on the “favicon” on the left side of the address bar displays additional information about the certificate (whether an Extended Validation Certificate or regular SSL certificate) and whether the connection is SSL-encrypted. A second click displays the Page Info dialog box which reports whether you’ve previously visited the website and how many times, whether the website is storing cookies on your computer (which you can view with another click), and if there are saved passwords for the website on your computer (which you can also view with another click). From the Page Info dialog box you can also view all of the media embedded in the webpage, all of the meta tags in the HTML source code for the page, any RSS feeds on the page, and the permissions in effect for the page.
  • Optional automatic phishing and malware protection – Two options in the “Security” tab of the Options dialog box, “Tell me if the site I’m visiting is a suspected attack site” and “Tell me if the site I’m visiting is a suspected forgery,” allow Firefox to automatically protect users from malware (attack sites) and phishing scams (forgery sites). When either of these options is enabled, Firefox automatically checks the URL of the page you’re visiting against a list of reported phishing and/or malware sites that it downloads in the background every 30 minutes. If you navigate to a page on one of these lists, Firefox will double-check that the URL is on the list by sending a cookie to google.com, who maintains the lists of identified malware and phishing sites used by Firefox. The anti-phishing site aspect of this feature is equivalent to Internet Explorer’s SmartScreen Filter.

Conclusion

In terms of privacy, what makes Firefox unique compared to the other popular browsers is the extensive number of add-ons (also called “plug-ins” or “extensions”) designed to protect users’ privacy. Google’s Chrome browser does not currently support third-party add-ons but plans to do so in an upcoming release. Microsoft’s Internet Explorer does support extensions, and Microsoft has a website devoted to cataloging those extensions, but offers nothing like the variety and complexity of the add-ons available for Firefox. The two most popular Firefox add-ons (in terms of total downloads; currently second and fourth most popular in terms of weekly downloads) are specifically related to privacy. Adblock Plus (ABP) uses dynamically-updated “subscriptions” to maintain a list of unwanted third-party content and automatically block that content from being displayed or run by Firefox. ABP can block Flash code, images, external scripts, stylesheets, frames, tracking cookies, webbugs, html elements, text ads, backgrounds, and any class, id, and any other HTML or CSS tag. By default, ABP allows all such elements unless they are blocked by a filter. NoScript, by contrast, blocks all Java, JavaScript, Flash, and other plugins unless you explicitly allow them on a particular website either (i) temporarily for your current session (until you close the browser) or (ii) permanently for all future sessions. Thus, with these two add-ons, Firefox offers security-conscious users a much more secure (and thus private) browsing environment than currently available in other browsers. We already covered Adblock Plus in a previous installment of our Privacy Solutions Series. We plan to cover NoScript and other popular Firefox add-ons such as TorButton and FoxyProxy in future installments.

Privacy Solutions (Part 3): Internet Explorer Privacy Features
https://techliberation.com/2009/03/06/privacy-solutions-series-part-3-internet-explorer-privacy-features/
Fri, 06 Mar 2009 14:50:26 +0000

By Adam Thierer, Berin Szoka, & Adam Marcus

As noted in the first installment of our “Privacy Solution Series,” we are outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online, and especially to defeat tracking for online behavioral advertising purposes. These tools and methods form an important part of a layered approach that we believe offers an effective alternative to government-mandated regulation of online privacy.

In some of the upcoming installments we will be exploring the privacy controls embedded in the major web browsers consumers use today: Microsoft’s Internet Explorer (IE) 8, the Mozilla Foundation’s Firefox 3, Google’s Chrome 1.0, and Apple’s Safari 4. In evaluating these browsers, we will examine three types of privacy features:

(1) cookie management controls; (2) private browsing; and (3) other privacy features

We will first be focusing on the default features and functions embedded in the browsers. We plan to do subsequent installments on the various downloadable “add-ons” available for browsers, as we already did for AdBlock Plus in the second installment of this series.

In this installment, we’ll be taking a look at the privacy-related features in the most popular browser in use today, Microsoft’s Internet Explorer. Specifically, we’ll be examining the most recent version of the browser, IE 8, Release Candidate 1. We’ll make it clear which features are new to IE 8 and those which are shared with IE 7.

Basic Background

Microsoft’s Internet Explorer browser was launched in 1995 and quickly became America’s most popular web browser, displacing Netscape’s Navigator browser. In recent years, IE has faced new challenges from the Mozilla Foundation’s “Firefox” browser, Apple’s “Safari”, the open source “Opera” browser, and others. (For an excellent history / timeline of web browsers, click here.) Despite these new challenges, IE still commands over 70% of the browser market. Like most other web browsers, Internet Explorer is free. So too are the features we are describing here.

Before we get further in the discussion of privacy controls, it’s important for readers to understand the difference between “first-party” and “third-party” content on webpages. Many webpages today contain a combination of content from many different websites, which enables powerful “Web 2.0” functionality like an interactive Google map displayed along with an address or a “Digg This” link in a blog post. Third-party content can also be used to track users across websites and to serve up advertising. All content loaded from the same domain as is displayed in the Address bar is first-party content. All content loaded from other domains is third-party content. Internet Explorer has a “Privacy Report” function that can show you the source for all the different content elements in the current webpage. To access it, select Webpage Privacy Policy from IE7’s Page menu or IE8’s View menu.

Basic Cookie Management Controls

To access Internet Explorer’s basic cookie management and privacy settings, open the “Tools” menu, click “Internet Options,” and then click on the “Privacy” tab to display the following options:

IE8 Internet Privacy Options

Users can configure the slider on the upper left-hand side of the window to establish their preferred level of cookie privacy. There are 6 options on the sliding scale from which to choose. Starting from the top of the slider bar:

(1)   “Block all cookies” — Blocks IE from receiving any new cookies and blocks websites from reading any existing cookies on your computer. (Of course, that would greatly inconvenience users that regularly access websites that require information from the user, such as a Web-based email site that requires users to log in every time they access the website.)

(2)   “High” — Blocks all cookies from websites that do not have a P3P compact privacy policy or that have a compact privacy policy which specifies that personally-identifiable information is used without your explicit consent. Cookies already on your computer can only be read by the site that created them.

(3)   “Medium High” — “Blocks third-party cookies that do not have a compact privacy policy,” “Blocks third-party cookies that save information that can be used to contact you without explicit consent,” and “Blocks first-party cookies that save information that can be used to contact you without your implicit consent.”

(4)   “Medium” — This setting “Blocks third-party cookies that do not have a compact privacy policy,” “Blocks third-party cookies that save information that can be used to contact you without your explicit consent,” and “Restricts first-party cookies that save information that can be used to contact you without your implicit consent.”

(5)   “Low” — This setting “Blocks third-party cookies that do not have a compact privacy policy” and “Restricts third-party cookies that save information that can be used to contact you without implicit consent.”

(6)   “Allow all cookies” — This setting allows all cookies from any website.

A P3P compact privacy policy is a machine-readable summary of the full P3P specification, which is a standardized method for explaining a website’s privacy policy. So when IE states that it will “block[] third-party cookies that save information that can be used to contact you without your explicit consent,” it means that the cookie will be blocked unless the site has a P3P compact privacy policy that either indicates that only non-identifiable (NOI) information is collected, or that for every data collection PURPOSE and every type of RECIPIENT that the website shares collected data with, the site’s policy is that the user must opt in (“explicitly consent”) to the practice.
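The rule in the paragraph above can be written out as a check over the tokens of a `P3P` response header. This is an added illustration, not Internet Explorer's code: the token names come from the P3P 1.0 compact policy vocabulary, while the function names, the exemption for CUR and OUR, and the handling of a policy that names no purpose or recipient are assumptions made here.

```javascript
// Purpose and recipient tokens of the P3P 1.0 compact policy vocabulary.
// A token may end in a (always), i (opt-in) or o (opt-out); no suffix
// means "always". CUR and OUR never take a suffix.
const PURPOSES = new Set(["CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                          "IVA", "IVD", "CON", "HIS", "TEL", "OTP"]);
const RECIPIENTS = new Set(["OUR", "DEL", "SAM", "UNR", "PUB", "OTR"]);
const NO_SUFFIX = new Set(["CUR", "OUR"]);

// Extract the token list from a P3P response header value such as
//   policyref="/w3c/p3p.xml", CP="NOI DSP COR"
// Returns null when the header carries no CP="..." part.
function parseCompactPolicy(headerValue) {
  const m = /(?:^|[\s,])CP\s*=\s*"([^"]*)"/i.exec(headerValue || "");
  return m ? m[1].trim().split(/\s+/).filter(Boolean) : null;
}

// Apply the rule as the article words it: allow on NOI, otherwise every
// purpose and recipient token must carry the opt-in suffix "i".
function evaluateThirdPartyCookie(headerValue) {
  const tokens = parseCompactPolicy(headerValue);
  if (!tokens || tokens.length === 0) {
    return { allowed: false, reason: "no compact policy", offending: [] };
  }
  if (tokens.includes("NOI")) {
    return { allowed: true, reason: "NOI declared", offending: [] };
  }
  const offending = [];
  let declared = 0;
  for (const token of tokens) {
    const base = token.slice(0, 3);
    if (!PURPOSES.has(base) && !RECIPIENTS.has(base)) continue; // other groups
    declared++;
    // Assumption: the site's own current use (CUR, OUR) needs no consent.
    if (NO_SUFFIX.has(token)) continue;
    if (token.slice(3) !== "i") offending.push(token);
  }
  // Assumption: a policy naming no purpose or recipient is unsatisfactory.
  if (declared === 0) {
    return { allowed: false, reason: "no purpose or recipient", offending };
  }
  return offending.length === 0
    ? { allowed: true, reason: "all uses are opt-in", offending }
    : { allowed: false, reason: "use without explicit consent", offending };
}
```

The `offending` list names the tokens that caused a block, which is the useful part when debugging why a third-party cookie was dropped.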

When the slider bar is set anywhere other than the “High” and “Low” levels, users can also click the “Sites” button and then specify different cookie security levels for individual websites. The advantage of this approach is that it lets users create their own personal “white lists” and “black lists” of sites for which they either never want cookies blocked, or for which they always want cookies blocked. This increases the privacy-configurability of the browsing experience. For example, the following screen shows two sites that have been whitelisted and two hypothetical sites that have been blacklisted.

IE8 Per Site Privacy Actions

In addition, if the user wishes to manually delete their cookies, web browsing history, form data, personal passwords, or other stored information, they can do so on the “General” tab under the “Browsing History” section. Or, in the new IE 8, they can do so under the new “Safety” drop-down menu (in the Command toolbar) under the first option, “Delete Browser History.” They can also configure IE 8 so that all of this data is deleted each time the browser is closed (essentially converting “persistent cookies” into “session cookies,” concepts Adam Marcus has explained previously). The following screen shows how this user is choosing to delete just their temporary Internet files, cookies, and browsing history. Favorite websites are websites the user has bookmarked.

IE8 Delete Browsing History

Using these controls, a particularly privacy-sensitive user who only trusted two or three sites (say, their bank and their employer’s website) could allow cookies for only those sites and block cookies for all other websites. Again, this assumes that they do not mind the potential hassles associated with logging in to many other sites each time they visit or losing custom preferences that would otherwise be stored in a cookie.

Advanced Cookie Management – “InPrivate Filtering”

Microsoft explains its InPrivate Filtering feature as follows:

Today websites increasingly pull content in from multiple sources, providing tremendous value to consumer and sites alike. Users are often not aware that some content, images, ads and analytics are being provided from third party websites or that these websites have the ability to potentially track their behavior across multiple websites. InPrivate Filtering provides users an added level of control and choice about the information that third party websites can potentially use to track browsing activity.

InPrivate Filtering is off by default and must be enabled on a per-session basis. To use this feature, select InPrivate Filtering from the Safety menu.

In “Automatically Block” mode, InPrivate Filtering will automatically block a site if IE finds that site’s content embedded in more than a user-specified number of other sites (the default is 10) visited by the user.  You can also manually control which sites are blocked, and import and export your list of white/blacklisted sites to share that list with others.
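The first-party/third-party distinction from the Basic Background section and the “Automatically Block” rule above fit together as a small counting model. This is an added sketch, not Microsoft's implementation: the class and function names, the two-label site key and the `.example` hostnames are all assumptions or constructed sample data.

```javascript
// Site key for comparing "domains": the last two hostname labels.
// Assumption: adequate for names like a.example; a real browser consults
// a public-suffix list to find the registrable domain.
function siteOf(url) {
  return new URL(url).hostname.toLowerCase().split(".").slice(-2).join(".");
}

class ThirdPartyObserver {
  constructor(threshold = 10) {
    this.threshold = threshold;  // article: user-specified, default 10
    this.seenOn = new Map();     // third-party site -> Set of first-party sites
    this.overrides = new Map();  // manual list: site -> "allow" | "block"
  }

  // Record one page view: the address-bar URL plus every resource it loaded.
  recordPage(pageUrl, resourceUrls) {
    const firstParty = siteOf(pageUrl);
    for (const resource of resourceUrls) {
      const site = siteOf(resource);
      if (site === firstParty) continue;           // first-party content
      if (!this.seenOn.has(site)) this.seenOn.set(site, new Set());
      this.seenOn.get(site).add(firstParty);       // Set ignores repeat visits
    }
  }

  // Manual choices win; otherwise block once the content has been seen on
  // MORE than `threshold` distinct first-party sites.
  shouldBlock(resourceUrl) {
    const site = siteOf(resourceUrl);
    const manual = this.overrides.get(site);
    if (manual) return manual === "block";
    const seen = this.seenOn.get(site);
    return seen !== undefined && seen.size > this.threshold;
  }
}

// Constructed browsing session: n news sites that all embed the same
// analytics script, each also loading its own static host.
function simulate(n) {
  const observer = new ThirdPartyObserver();
  for (let i = 1; i <= n; i++) {
    observer.recordPage(`http://www.news${i}.example/`, [
      `http://static.news${i}.example/site.css`,
      "http://cdn.metrics.example/t.js",
    ]);
  }
  return observer;
}
```

With the default threshold, the shared script is still allowed after ten distinct sites and blocked from the eleventh on, while each site's own static host is never counted.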

The beta version of IE8 included a subscriptions feature that would have allowed users to automatically receive updated white or blacklists from others, much like the subscription feature in AdBlock Plus that we discussed previously. However, this functionality was removed in the “Release Candidate 1” version of IE8 (released Jan. 26, 2009) for unspecified reasons. While we recognize that not every beta feature makes it into final releases because of challenges in implementation, we very much hope Microsoft will ultimately add the subscription feature to Internet Explorer 8. InPrivate Filtering goes a long way in empowering truly privacy-sensitive users to take more granular control over their own privacy, but a subscription feature would allow less sophisticated users to rely on groups or other individuals they trust to help them avoid specific sites according to their concerns about privacy or security. Indeed, we hope that other browser manufacturers consider incorporating such tools into their browsers. Perhaps the privacy advocates who currently focus on inventing one-size-fits-all regulatory or legislative solutions could channel their enthusiasm about user privacy into actually developing whitelists and blacklists.

Private Browsing

Another new privacy-related feature in Internet Explorer 8 is called InPrivate Browsing mode (akin to “Incognito” mode in Chrome), which protects so-called “over the shoulder” privacy, although that’s a somewhat misleading term. By not saving any record of your web browsing while InPrivate Browsing mode is turned on, this feature ensures that others with access to your computer will not know what websites you have accessed. Some people like being able to refer to their browser history and don’t want to delete all of their cookies, but want to hide all traces of some of their browsing activities (such as shopping online for a surprise gift, searching for information about a medical condition you don’t want to disclose and, most obviously, enjoying pornography).

When the InPrivate Browsing mode is enabled, none of the varieties of “browsing history” data is saved, but none of your previous history is deleted, either. This comes in handy because, if someone with direct access to your computer is monitoring your browser history to see what you’ve been up to, deleting all of your browsing history would suggest that you’ve been doing something you wanted to hide. But InPrivate Browsing mode allows you to surf anonymously when desired, without making it obvious that you’re doing so. Parents who are concerned about their kids using the InPrivate Browsing mode can use the parental controls in Windows Vista to disable it. But there does not appear to be a way to disable InPrivate Browsing on Windows XP.

Below is a screenshot of the InPrivate Browsing mode, which, again, can be enabled by clicking on the new “Safety” drop-down menu in IE 8 and selecting “InPrivate Browsing.”

IE8 InPrivate Browsing

While InPrivate Browsing is active, the following takes place:

  • New cookies are not stored:
    • All new cookies become “session” cookies
    • Existing cookies can still be read
    • The new DOM storage feature behaves the same way
    • New entries will not be saved to the browsing history
  • New temporary Internet files will be deleted when the Private Browsing window is closed
  • The following data will not be stored:
    • Form data
    • Passwords
    • Addresses typed into the address bar
    • Queries entered into the search box
    • Visited links

Other Privacy Features

  • SmartScreen Filter – Called “Phishing filter” in IE 7, this feature monitors and blocks links to malicious downloads. In IE 8, it also monitors links distributed via email and instant messaging (assuming IE is the default Web browser).
  • Cross Site Scripting (XSS) filter – Cross-site scripting attacks allow hackers to “inject” malicious scripts into trusted websites, which can then steal the account credentials of users who access these websites. XSS attacks are dangerous because everything looks fine to users and the attackers can gain almost complete access to users’ computers. The XSS filter in IE constantly scans the data received from websites to determine if there is a likely XSS attack and re-writes the data to neutralize the attack.
  • ActiveX Opt-In – By default, ActiveX Opt-In disables most ActiveX controls. When a Web page tries to run an ActiveX control, the following text is displayed in an Information Bar: “This website wants to run the following add-on ‘ABC Control’ from ‘XYZ Publisher.’ If you trust the website and the add-on and want to allow it to run, click here …” The user can then choose whether or not to run the ActiveX control.
  • Per-Site ActiveX – If a website tries to access an installed ActiveX control that is not permitted to run on the website, this new feature in IE 8 gives the user the option of blocking the attempt, allowing the ActiveX control for the current site, or allowing all websites to access the ActiveX control.
  • Domain Highlighting – The domain name of the site you’re viewing is highlighted in the address bar. By making it clearer to the user which website they’re accessing, this feature serves to protect users against phishing attacks from domain names that look like trusted domain names (e.g., www.paypal.com.hax0r.net, which is not PayPal’s actual website).
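To show what Domain Highlighting picks out of a URL like the one in the last bullet, here is an added sketch (not IE's code) that splits a URL around its registrable domain and reports when a trusted name appears only among the subdomain labels. The function names, the short suffix table and the trusted-domain list are assumptions made for this example.

```javascript
// Constructed short sample of two-label public suffixes; a real
// implementation would load the full public-suffix list.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// The part of the hostname that identifies who controls the site.
function registrableDomain(hostname) {
  if (/^[\d.]+$|^\[/.test(hostname)) return hostname;  // IP literal: no split
  const labels = hostname.toLowerCase().split(".");
  const n = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-n).join(".");
}

// Split a URL into the de-emphasised text before the domain, the
// highlighted domain, and the de-emphasised remainder.
function splitForHighlight(url) {
  const u = new URL(url);
  const domain = registrableDomain(u.hostname);
  const sub = u.hostname.slice(0, u.hostname.length - domain.length);
  return {
    before: `${u.protocol}//${sub}`,
    domain,
    after: (u.port ? `:${u.port}` : "") + u.pathname + u.search + u.hash,
  };
}

// Return the trusted domain (from a caller-supplied list) that appears
// among the subdomain labels of a host registered under another domain,
// or null when there is none.
function embeddedTrustedName(url, trustedDomains) {
  const { before, domain } = splitForHighlight(url);
  const sub = "." + before.split("//")[1];   // e.g. ".www.paypal.com."
  for (const trusted of trustedDomains) {
    if (domain !== trusted && sub.includes(`.${trusted}.`)) return trusted;
  }
  return null;
}
```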

Additional Reading / Links
