Beware! Cookies can manipulate Internet Explorer


New York: If you rely on Microsoft’s Internet Explorer’s privacy settings to control cookies on your computer, you may want to rethink that strategy.

Large numbers of websites, including giants like Facebook, appear to be using a loophole that circumvents IE’s ability to block cookies, according to researchers at CyLab at the Carnegie Mellon University School of Engineering.

A technical paper published by the researchers says that a third of the more than 33,000 sites they studied have technical errors that cause IE to allow cookies to install, even if the browser has been set to reject them. Of the 100 most visited destinations on the Internet, 21 sites had the errors, including Facebook, several of Microsoft’s own sites, Amazon, IMDB, AOL, Mapquest, GoDaddy and Hulu.

Typos and honest mistakes likely explain many of the errors, says Lorrie Faith Cranor, director of the CyLab Usable Privacy and Security Laboratory and one of the paper’s authors. But she estimates that more than half represent deliberate efforts to keep IE from blocking certain types of third-party cookies based on privacy policies.

Cookies are used to store information about a user or computer’s Web use so sites can customize that user’s experience, including what ads they see. So-called persistent or tracking cookies are data placed not by the site visited, but by other third-party Web sites that have placed content or advertising on the visited Web page. These types of cookies can stay on computers for long periods of time and gather data about surfing habits, and have long raised hackles among those concerned about privacy online.

The loophole resides deep in an exchange of data between browser and site. Normally, Internet Explorer checks the privacy policy of a site to see if it complements the browser’s own security settings.

This checking is done through “compact policies”: lines of computer code (in this case, three- or four-letter codes) that reflect the content of the tomelike privacy policies that sites have written out in English. For illustrative purposes, imagine an interaction between browser and site that goes something like this:

Browser: I don’t allow cookies that store personally identifiable information that could be used to contact me without permission.
Site: I do have some cookies to place here, but none do that.
Browser: That sounds fine. Come on in.

Compact policies are voluntary and are part of an Internet standard called Platform for Privacy Preferences, or P3P, that was developed in the 1990s. Dr. Cranor was on the standards committee that developed P3P. The goal of compact policies was to create a way of describing sites’ privacy practices when it comes to cookies that computers could read and use.

Microsoft’s IE browser is the only major browser to make meaningful use of P3P; it uses compact policies to block and control certain cookies by default with its “medium” privacy setting. (Access the settings in IE Version 8 by clicking “Tools,” then “Internet Options” and then “Privacy.” Change your setting using the slider.) And it has been the power of IE’s market share–60 percent, according to NetMarketshare–that has led sites that want to install cookies onto PCs to use compact policies, say experts like Dr. Cranor and Ari Schwartz, vice president at the Center for Democracy and Technology until he joined the Obama administration last month.

Browsers like Chrome, Firefox and Safari have simpler security settings. Instead of checking a site’s compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies.

The loophole sites are using to evade IE’s cookie blocker shows up in the process the browser uses to check compact policies. IE checks only for codes that indicate a site doesn’t have the right privacy protections, Dr. Cranor says. If it finds a compact policy with bad inputs — say, the codes are wrong (there are certain three- and four-letter combinations) or there aren’t enough of the codes to complete a proper policy (at least five) — it simply lets the cookies install.

When students at Carnegie Mellon started investigating these bad codes, they noticed the exact same insufficient three-code combination showing up in more than 2,700 Web sites. Curious how everyone could make the same mistake, they searched for the code in Google and found, surprisingly, a Microsoft support page.

Microsoft says it has now “retired” the page cited by CyLab (you can see it, cached, here), adding that the codes shown there were meant only to be an example, not a recommendation. It notes it also provides an article to guide Web developers on how to properly configure P3P so it matches their written privacy policy.

CyLab found that some of the Internet’s largest sites make use of the loophole, and through other means than the inaccurate Microsoft codes. For instance, Facebook last year had a compact policy with the cheeky entry “HONK,” Dr. Cranor says. (“Honk” is not a valid compact-policy code, nor does it resemble any valid codes, which would explain codes that were mistyped.) Facebook now has a policy with two correct codes, which is unusable because there must be at least five codes.

A Facebook spokesman said in an e-mailed statement: “We’re committed to providing clear and transparent policies, as well as comprehensive access to those policies. We’re looking into the paper’s findings to see what, if any, changes we can make.” Ben Maurer, a software engineer at Facebook, said that the site used only two codes instead of five because current compact-policy codes do not “allow a rich enough description to accurately represent our privacy policy.” Mr. Maurer said he did not know the history of how “HONK” made it into a compact policy.

The paper also notes that 134 sites with TRUSTe seals, which are meant to reassure consumers that strong privacy measures are in place at a Web site, have faulty compact policies. Only 391 of more than 3,000 sites with the seal had compact policies at all.

TRUSTe’s president, Fran Maier, said in a blog post that the group was investigating the matter and contacting customers mentioned in the paper. She noted that customers self-attest to the accuracy of their policies, though TRUSTe will help them accomplish that. She said P3P adoption has been poor across the Internet because it was difficult to put into effect and because consumers didn’t see value in it.

Dr. Cranor says she thinks the real trouble is the lack of a regulatory requirement to use P3P, noting that few consumers know what P3P is. “I’m hoping companies will do the right thing, and it may take pressure form regulators to make that happen,” she says. “Beyond companies that are basically trying to look good on privacy, there is no incentive because you don’t have to do it.”

[Story Source] [Contest win Rs 1000-100,000 now]

This post was submitted by somya harsh.

Related Posts
Internet Explorer 9 (IE9) Beta 13 Million Downloads and Counting

Internet Explorer 9 (IE9) Beta 13 Million Downloads and Counting

At over two months since release, the Beta development milestone of Internet Explorer 9 has amassed an impressive number of downloads, no less than 13 million, and counting. By my calculations IE9 is ...
54 Amazing IE9 Websites You Have to Try

54 Amazing IE9 Websites You Have to Try

When you have a Ferrari you might want to test drive it on a circuit, where there are none of the limitations of a town street. Well, when you have Internet Explorer 9 Beta you need a “circuit” on whi...
Web Apps: IE9 Aims to Out

Web Apps: IE9 Aims to Out

Microsoft (Nasdaq: MSFT) on Wednesday released the open beta version of Internet Explorer 9, a browser tightly integrated with Windows 7 and designed to fend off the rising threat of Google's (Nasdaq...
Internet Explorer 9: From corporate memo to beta | Beyond Binary

Internet Explorer 9: From corporate memo to beta | Beyond Binary

SAN FRANCISCO--Just days after launching Internet Explorer 8 in March 2009, Microsoft's Dean Hachamovitch wrote a memo about what the company really needed to do with the next version of its browser."...

Leave a Reply

We will keep You Updated...
Get Free Email Newsletter from VoteUpIndia Sign up for our free email newsletter. (Help?)
Read latest headlines in your favorite news reader
Follow VoteUpIndia  on Twitter Become a VoteUpIndia Fan on Facebook Subscribe to VoteUpIndia in Google Reader Add VoteUpIndia  to My Yahoo Add VoteUpIndia  to Netvibes Subscribe to Free Techie Buzz RSS Feed
Sponsored Links
Featured Video
Best Storytellers
Powered by Authors Widget
Recent Posts

McDonald's Suspends Employee, Probes Child's Eviction From Pune Outlet

PUNE: After reports emerged that an eight-year-old destitute child was thrown out of an outlet of...

Why Arjun Made a Humble Request to Cast Sonakshi in Tevar

It's all about wearing your Tevar, this new year. Arjun Kapoor looked dapper at the initial promotions...

5 things Modi needs to do ASAP, after Bihar loss

It's not correct to transpose the outcome from a state election as a referendum on the central government,...

Sehwag's half century in All Star tournament.

The first match has been really special. We thoroughly enjoyed being here. New York, you were brilliant....

Bihar Defeat May Lead to Silent Rebellion in BJP Against PM, Amit Shah: Arun Shourie to NDTV

NEW DELHI: In the aftermath of the BJP's debacle in Bihar, Arun Shourie, one time admirer of Narendra...

Court Refuses to Stop Gillette Razor Ad Starring Deepika Padukone

New Delhi: The Delhi High Court has refused to stop a Gillette razor advertisement starring Deepika...

Bigg Boss 9: Roopal Tyagi voted out of the house

TV actor Roopal Tyagi was evicted from reality show Bigg Boss on Sunday’s episode. Roopal is the...
Recent Comments
How i can submit my story...? and where i can see the staus of votes for this?
IFFI lose its art value,so it became lose it commercial value
Dear sir I am sending an article which is based on true story and needs your help to lime light such incidents which never come in
Thanks for the interesting article. Great Post. Keep it up
It is indeed heartening to learn that LSE, the world leader in higher education, will join hands with the most admired Reliance Foun
Tag Cloud