Privacy activists are crying foul over the "Suggested Sites" feature in IE8, but Microsoft insists concerns about the feature, such that it might be used to serve up targeted advertising or that it poses a security risk, are misplaced. The optional component in the next version of Microsoft's browser software "discover websites …
Search input data
The URL would be sent to Microsoft. The search term is included in the query string.
Old news, boring, nothing to see here, move along.
Does nobody remember Netscape and its "What's related" feature? This is exactly the same.
Those who forget history are doomed to .... spew half-baked tinfoil-hat conspiracy theories when it repeats itself, apparently these days.
If this is an IE8 feature, why does the browser type need to be sent?
Or, perhaps more correctly, what does "browser type" mean?
Here, let me clarify that for you.
It's very simple. IE8, as they say, does not send any part of the page body back to the lookup server. It does, however, send URLs, and since some (deeply crappy) websites (this is in security 101, do NOT expose confidential data in GET request query strings) use GET instead of POST requests to transmit their form data, it could end up getting to MS that way; not because they copied it from the body of the HTML, but because a poorly-designed website moves data from the body to the URL when you hit "Submit".
It's pretty obvious what MS were saying - if you know about web browsers and servers and how they work. They obviously must have misjudged the level of your technical competence when they chose how to phrase their replies; how laughably unrealistic of them to expect a journalist working for a tech newssite to understand that complex stuff!
"misjudged the level of your technical competence"
The problem here is not technical.
The original article seems to understand exactly what data is transmitted. Microsoft has had a terrible track record with supposedly confidential information in the business field (e.g. Scan) and for various other reasons, and it is finding it very difficult to win back trust.
The main question here seems to be: Should I trust Microsoft with my data?
But it's not just Microsoft. The default position these days should be: Should I trust ANY company with my data?
Snooping under the guise of protection
If one accepts the recommended settings whilst setting up IE8 a feature called SmartScreen filter is enabled. What this does is send every website address one visits to Microsoft to be "checked against a list of reported unsafe websites". Microsoft state that "information received will not be used to personally identify you". Yet they collect the IP address of your machine!
This feature along with suggested sites turns IE8 into spyware.
It doesn't matter if they use the information for targeted advertising or not, the fact is with these two features enabled, MS are aware of every website and webpage your IP address visits.
Of course multinational corporations saying one thing and doing something entirely different never happens so we should all trust MS implicitly in that they will never ever look at the IP addresses they collect from client machines.
All I can say is disable both these features if you have to use IE. A much better alternative would be not to use IE at all.
I am about to see how Windows 7 responds when I install Firefox and attempt to uninstall IE. I doubt that an uninstall of IE is possible.
All Ts & Cs have the get out clause 'We'll change these whenever we want without needing to tell you'. So when they start targeting adverts the Ts & Cs will magically have changed - what, you don't read the entire agreement every day? That's not Microsoft's fault now is it?
Rendered data vs form data
Those two statements are NOT mutually exclusive. Microsoft can, in all fairness, say that form data will be sent to them, while at the same time saying that they don't send back any elements of data in the body of a RENDERED page. The word "rendered" makes all the difference. When you enter data in a form, the data you enter is not part of the rendered page. The rendered page is the page as you received it (before you changed it by entering form data), not the page when you submit it.
Having said that, would I trust Microsoft with my browser history? Not in a million years. Not even if they paid me.
As for the AC with "Here, let me clarify that for you", his explanation is pointless and incorrect. Whether the request uses GET or POST to send the form data to the server is irrelevant. The browser (IE is the browser, remember? IT is the one receiving, rendering, inputting, and sending the data) knows what data is part of a link with an embedded query string and which data is form data being submitted. Therefore, the browser can quite easily choose to NOT send the form data as part of the URL when submitting it to Microsoft, while still including that form data as part of the URL when submitting the request to the request host. How laughably unrealistic to expect a holier-than-thou I-know-more-than-you Anonymous Coward to understand THAT complex stuff.
I play Final Fantasy XI and a web site I view for that is anti-RMT (real money trading) in such that it doesn't allow adverts from IGE or any web sites which deal with RMT. The suggested sites however, if you click it whilst browsing the website will list... IGE. Less savvy people may think the suggested site is suggested by the site they are viewing and consider the web site safe to browse, or indeed that the site advocates a certain subject.
There really *has* to be a way for web sites to disable the feature that does not include the internet all going https.
Even the URL of some intranets could give away secrets, eg the name of a secret project.
No rendered information
Does IE8 send back saying "The user asked me to block this advert"?
That isn't rendered data, it's data about what ISN'T rendered.
It doesn't render where you've been before, so tracking cookies are A-OK in obeying the statement.
This is the problem when you start lying at any opportunity. After a while, you have to start to prove your statements.
I HATE IE!!!
Ok I just tried to post a really long comment which made sense and I made a mistake in my password, clicked back and the comment field was empty! This wouldn't have happened in Firefox :-(
Why I don't trust MS
Oddly related event, I bought some software from them & they promised not to pass on my details to any third party. It was in T&C's, I read it carefully & it was there.
Some while later I started getting spam paper mail from a company that had my details passed to it by MS (they said so quite clearly) so it could gather data.
Repeated complaints to MS just got back letters saying that MS "never passes your data to third parties", in clear contravention of what actually happened.
Don't trust them. Also the anti-malware tool they run on each Patch Tuesday has this in its EULA -
>>> When the software checks your device for Malware, a report will be sent to Microsoft about any Malware detected, specific information relating to the detection, errors that occurred while the software was checking for Malware, and other information about your device that will help us improve this and other Microsoft products and services. No information included in these reports will be used to identify or contact you. You may disable the software’s reporting functionality by following the instructions found at www.support.microsoft.com/?kbid=890830. For more information, read the Windows Malicious Software Removal Tool privacy statement at http://go.microsoft.com/fwlink/?linkid=113995.
I guess you should follow the link & do what it says.
@ Sean Ellis
"Should I trust Microsoft with my data?"
"Should I trust ANY company with my data?"
No and no.
Why, in spite of protestations "we won't use it for Evil"?
Because sooner or later some professional liar (aka a marketer) will see all that lovely data sitting there: just what he/she needs in order to spam the bejesus out of you, me, him, her, them, and us. Anyone who is foolish enough to use a piece of software that plays tattle-tale deserves what they get (intrusive ads, popups, popunders, email galore).
Important Advice to Software Developers: don't snoop on the users. No one cares how lofty your reasons are, and no one believes you when you say it's innocent. It isn't innocent. Proof: you're not doing this out of the goodness of your heart. You're doing it to put money in your pocket, and everyone finally understands that business lets nothing stand in its way when there's a chance to make money. They'd sell their own grandmothers if they thought they could.
Now I want you all to listen up
If you believe the B.S. that MS is saying or that this doesn't have a huge potential for future abuse then I'd like to make you a special offer.
Right then, all gathered round? Good... Now since you believe MS and don't think this is a huge potential security risk then I'd like to make you a special limited time offer. For only a small shipping and handling fee I will sell you ten acres. That's right, ten acres of prime Florida real estate. It's beautiful water front property that will be an investment in your family's future. But that's not all, if you act now I've been authorized to throw in free of charge a lovely bridge in your choice of either London or San Francisco locations. If you like I'll even ship it out to you for a one time processing fee. /offers a pen... So who'll be first to take advantage of this magnificent offer?
>"Whether the request uses GET or POST to send the form data to the server is irrelevant. The browser (IE is the browser, remember? IT is the one receiving, rendering, inputting, and sending the data) knows what data is part of a link with an embedded query string and which data is form data being submitted. Therefore, the browser can quite easily choose to NOT send the form data as part of the URL when submitting it to Microsoft, while still including that form data as part of the URL when submitting the request to the request host. "
Yes, it could. But as the press release made clear, it doesn't, which is why they warn you that your data /could/ under some circumstances be sent. Duh.
You've also misunderstood me. I am not referring to the method used by the browser to submit data to the MS recommendation service. I am referring to the method used by the browser to submit a form on a third-party website, which, if it is GET will end up generating a URL containing the query parameters, and if it is POST, will generate a URL that does not contain the parameters, that URL then being sent to the recommendation service as with any other URL the browser fetches. Also, your concepts are muddled in this passage:
>" ... data is part of a link with an embedded query string and which data is form data being submitted ... "
Form data being submitted can be submitted either by an embedded query string in the URL of a GET request, or by being sent as the *BODY* of a POST request. To those skilled in the art, it is entirely plain that what the FAQ was saying is that URLs are sent to the recommendation service but never body data. Attempting to spin it to sound like some kind of tricky technical/legal loophole that MS intend to exploit to steal your form data is just conspiracy mongering.
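The GET-versus-POST point argued in the comments above, as an added example (not part of any comment and not Microsoft's code): it parses a page's forms, computes the URL the browser would navigate to on submit, and flags GET forms whose sensitive-looking fields would therefore appear in any URL sent to a lookup service. The host `shop.example`, the field names, the `HINTS` list and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin, urlsplit

# Name fragments treated as sensitive; an assumption for this sketch.
HINTS = ("pass", "card", "ssn", "token", "secret")

class FormCollector(HTMLParser):
    """Record method, action and input fields of every <form>."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML default: a form with no method attribute submits via GET.
            self._cur = {"method": (a.get("method") or "get").lower(),
                         "action": a.get("action") or "", "fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append(
                (a.get("name") or "", (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def parse_forms(html):
    collector = FormCollector()
    collector.feed(html)
    return collector.forms

def navigated_url(page_url, form, values):
    """URL the browser requests on submit; all a URL-reporting feature sees."""
    target = urljoin(page_url, form["action"])
    if form["method"] == "get":
        # GET: values replace the query string of the action URL.
        return urlsplit(target)._replace(query=urlencode(values)).geturl()
    return target  # POST: values travel in the request body, not the URL.

def leaky_fields(form):
    """Sensitive-looking fields that a GET form would expose in the URL."""
    if form["method"] != "get":
        return []
    return [n for n, t in form["fields"]
            if t == "password" or any(h in n.lower() for h in HINTS)]

# Constructed sample page: the same login form, once per method.
SAMPLE_HTML = """
<form action="/login"><input name="user"><input name="password" type="password"></form>
<form action="/login" method="post"><input name="user"><input name="password" type="password"></form>
"""
```

Site owners can run `leaky_fields` over their own templates to find forms that should be switched to POST.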
Q3. How can I disable the infection-reporting component of the tool so that the report is not sent back to Microsoft?
A3. An administrator can choose to disable the infection-reporting component of the tool by adding the following registry key value to computers. If this registry key value is set, the tool will not report infection information back to Microsoft.
Entry name: \DontReportInfectionInformation
Value data: 1
This functionality is automatically disabled if the following registry key value exists:
This registry key value indicates that the computer is connected to an SUS server.
call me a bit thick, but...
"nor will the Suggested Sites feature be used to deliver advertising to the user"
surely suggesting a site to a user *is* advertising that site
@ how to...
It's great that people are able to shut this service off, but why should we have to? I'm gradually moving my home computers away from MS, but most people even a very large number of IT tech don't know about these issues, or seem to see the possible problems.
MS OSs and software should be bullet proof and go out of its way to avoid these issues, I mean come on people pay for this crap!!!!! (Although, I don't know why).
As a side note I'm typing this from the last MS machine in the house, and it has MS on it for the wife, her courses and work. But I've installed a version of XP Pro bought and paid for by me, that I can no longer find the validation code for, so in about 12 more days I may be putting DesktopBSD or PC-BSD on this laptop too. All legal MS OS and Office 2002 the OS came with another Laptop that was returned and so I've only ever had the system install disk. Tried calling MS got the run-around, not really interested in them anyway.
At that point I don't know what the wife will do for her apps, maybe they're Open Office compatible?
As long as this is strictly opt-in, i.e. off by default, I don't have a problem with this. I'm certain there are people who would be happy to trade their browsing privacy for some interesting site suggestions. Would I do it? No. But it sounds like they're taking reasonable precautions to avoid major privacy breaches (excluding secure sites, honoring Porn Mode). Additionally other companies (DoubleClick, Quantcast, and of course Google) are already collecting this kind of information on a much less voluntary basis using embedded scripts.
Please tell me this is a hoax
'Once the Suggested Sites feature is turned on, the addresses of websites visited are sent to Microsoft, together with data such as IP address, browser type, regional and language settings'
One more nail in IE's coffin
People, people, people.
There's this little thing called choice, see. If you don't like a particular feature in a particular browser you are free to use a different browser.
What's so fucking hard to understand about that?
So go and get Firefox, Opera, Chrome, Safari or whatever browser you like and stop whinging.
Gareth, with regard to the people who read El Reg, you're quite right. Regarding the other 99.999999999999% of Windwoes users, not so much. Most of those will blindly enable the function without having any clue that they've just surrendered another little bit of the privacy on the altar of Micro$haft's profits.
off by default
so shut up whining 'cause it's MS, other browsers already do shit like this anyway.
How to stop.....
Install PeerGuardian and use the Microsoft block list. Easy
Erm.. In what way is this news??
What the fuck do you think the Phishing Protection does?
*Clue: it tells MS what you are looking at then they tell you if it's on the list.
Insidious MS Snooping Technique
Has anyone ever clicked on Start - All Programs - Accessories - System Tools - Scheduled Tasks - Advanced - and then ticked - 'View Hidden Tasks'? Amazing some of the little MS helpers to be discovered in there! But then the powers that be at MS, don't expect uncle and aunties to suspect some of the subversive and covert shenanigans the biggest software company gets away with. After all, it has 95% of the world's PC OS market share doesn't it? Albeit a great part of that well trumpeted percentage, probably includes (heaven forbid) did someone mention illegitimate!? OS & associated Software.
Let's not think for one moment, that the new IE8 will be devoid of tell-tale helpers either. Bejayzus !!! Why would MS want to start breaking habits of a lifetime?
Sadly though, the rocks that are hurting the MS love affair are to be found in the bedroom, bored-room or should that be Boardroom ?
The sooner we all drift away from such an arrogant, careless and pompous regime, the better.
Now which pocket did I put that UBUNTU disc in.
Hell, try deleting MSN or MS Movie Maker or several other bits of crap you don't need.
But, somehow, they keep coming back.
So you look for where these files are. Can't. Obfuscated. Why? MS Knows Best.
Look for the functionality that keeps putting it back. Nonexistent.
Look for the process running. Nope, there's not one. Even though it shows 27 svchost.exe running, fuck all about "restore point" process.