By Richard Koman / CIO Today. Updated August 27, 2008.
Anyone perusing porn sites at home will appreciate Microsoft's latest efforts at browser privacy, but it's not clear it will do much for the enterprise. Internet Explorer product manager Andrew Ziegler discussed the new privacy features of IE8, currently in its second beta, in an extensive blog post Monday. Users of the new software will be able to turn on Microsoft's InPrivate Browsing and Blocking features.
When what many observers are calling "porn mode" is turned on, IE8 doesn't store history, cookies, form data, passwords, URLs, search queries or visited links.
Ziegler suggested the need for such privacy is completely on the up-and-up. "Maybe you need to buy a gift for a loved one without ruining the surprise," he wrote. "Maybe you're at an Internet kiosk and don't want the next person using it to know at which Web site you bank."
While the problem of clearing sensitive passwords on public machines is real, observers say the hands-down, number-one reason most people would want to clear history, URLs and search queries is to erase signs of pornography viewing. "The most likely situation is the obvious one. Nudge nudge, wink wink, say no more," said Ars Technica. "Microsoft dishes dirt on IE8 'prOn mode,'" British Web site the Register smirked.
People can do what they want at home, but enterprises need to know where people are surfing at work. Porn surfing can expose a corporation to liability for sexual harassment, and managers obviously need to know employees are working.
Blocking Third-Party Tracking
"The enterprise is more concerned with keeping user information guarded from untrusted Web sites than making sure your off-business Internet habits are kept secret," said Andrew Storms, director of security operations at nCircle Network Security, in an e-mail. "The features so far described by Microsoft seem to fall more squarely into the paranoid spouse category, aka what has been coined porn mode."
Microsoft's InPrivate Blocking mode appears designed to tackle that concern, but it may be more of a sneak attack at Google. The security mode tracks sites that track users across numerous sites.
"If you happen to browse to sites that refer to the same third-party resource, i.e., a script, image, stylesheet, information is sent to that third party," Ziegler wrote. "Over time, the third party can create a profile of which Web sites you go to, what links you click on, etc."
With InPrivate Blocking on, IE8 automatically blocks third parties that have seen you across more than 10 sites. One obvious target of the feature is Google Analytics; every site that uses Analytics refers to the same Google domain. Presumably, IE8 will block Google Analytics' access to users' Web trails.
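The counting rule described above can be sketched as follows. This is an added example, not Microsoft's code or anything from the original article: the class and function names, the example.com-style hosts, and the choice to compare full hostnames (rather than registrable domains) are assumptions made for illustration.

```javascript
// Added illustration of threshold-based third-party blocking.
// Assumption: a request is "third-party" when its hostname differs from the page's.
const THRESHOLD = 10; // the article's figure: block after "more than 10 sites"

class ThirdPartyTracker {
  constructor(threshold = THRESHOLD) {
    this.threshold = threshold;
    this.seenOn = new Map(); // third-party host -> Set of first-party hosts
  }

  // Decide one sub-resource request; returns "allow" or "block".
  check(pageUrl, resourceUrl) {
    const firstParty = new URL(pageUrl).hostname;
    const thirdParty = new URL(resourceUrl).hostname;
    if (firstParty === thirdParty) return "allow"; // the site's own content
    if (!this.seenOn.has(thirdParty)) this.seenOn.set(thirdParty, new Set());
    const sites = this.seenOn.get(thirdParty);
    sites.add(firstParty); // a Set, so repeat visits to one site count once
    return sites.size > this.threshold ? "block" : "allow";
  }

  // What the third party could have learned: the sites it was embedded on.
  profile(thirdPartyHost) {
    return [...(this.seenOn.get(thirdPartyHost) || [])].sort();
  }
}

// Constructed sample: 12 unrelated sites embedding the same analytics script.
function simulate() {
  const tracker = new ThirdPartyTracker();
  const decisions = [];
  for (let i = 1; i <= 12; i++) {
    const page = `https://site${i}.example/`;
    tracker.check(page, `https://site${i}.example/logo.png`); // first-party
    decisions.push(tracker.check(page, "https://analytics.example/track.js"));
  }
  return { decisions, profile: tracker.profile("analytics.example") };
}

const result = simulate();
console.log(result.decisions.join(" "));
console.log("sites visible to analytics.example:", result.profile.length);
```

In this model the script is allowed on the first 10 distinct sites and blocked from the 11th onward, and the profile list shows the browsing trail a shared third-party resource can accumulate.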
You Are Being Tracked
In any case, enterprise employees can expect Microsoft to allow IT to disable InPrivate browsing. "Historically, Microsoft has done a good job of giving enterprise security teams a fair amount of configuration control of applications from within Active Directory," Storms said. "Essentially, if written policy states that all browsing history is kept, then more than likely the enterprise will be given the ability to disable the InPrivate mode."
And one more word of caution for at-work surfers: "Most companies monitor all your network activity. So despite your browser history being deleted, your browsing history is still being kept somewhere on an IT server," Storms advised.