Privacy experts rip IE cookie cutter

IE users still won't get enough protection from nosy companies with MS' new privacy technology, argue experts

Microsoft's plan to add privacy technology to its new browser is getting mixed reviews from privacy experts, who say the proposal is a good first step but still doesn't go far enough in protecting consumers from snooping companies.

Microsoft on Wednesday unveiled detailed plans for inserting Platform for Privacy Preferences, or P3P, technology into the upcoming version of Internet Explorer 6.0.

P3P is a Web standard, originally backed by Microsoft competitor Netscape Communications, that enables an automatic, computerised reading of a site's privacy policy. With P3P, Web surfers can configure their browsers to dictate whether they will relay personal information to specific sites based on those sites' privacy policies.

Michael Wallent, product unit manager for Microsoft IE, said the company chose P3P because it gives people the option of accepting or rejecting cookies depending upon a site's privacy policy. Thus, people can opt to visit only sites that promise a certain level of protection.

"We really focused in this release on allowing people to control cookies," Wallent said

Because Microsoft is the lead browser provider, its decision to insert P3P into IE could vastly broaden the technology's reach, in part because marketers and other third-party companies will be forced to adopt it if they want IE users to visit their sites.

In adding P3P, Microsoft is responding to an increasingly tech-savvy base of consumers, who are wary of privacy fiascos ranging from plans by ad network DoubleClick to merge online habits with personally identifiable offline data to the recent apprehension of a man who allegedly stole the identities of countless high-profile business leaders.

But the company also is reacting to threats of US federal privacy legislation, which could clamp down on Web sites. Dozens of privacy bills are lingering in Congress, but their chances for passage are slim this session because of a closely divided Congress and because the Bush administration is promoting industry self-regulation. Even so, the fact that legislators are jumping into the privacy debate is putting pressure on Microsoft and others to act swiftly.

The company has been in Washington DC, talking to legislators, federal agencies and privacy advocates in an attempt to prove that it's taking privacy concerns seriously.

Microsoft also has to consider the needs of Web companies, which want their Web pages to be accessible to as many people as possible. If Microsoft were to adopt a privacy policy so strict that it locked out people from certain sites, Web surfers might turn to other browsers.

Among the key features of the new technology is a tool for managing electronic markers, known as "cookies", that are frequently placed on PC hard drives when they visit a Web site. Cookies can enhance Web surfing but have come under fire for their potential to compile data on consumers. Allowing surfers to disable cookies could render some Web sites harder to use.

The other challenge Microsoft faces is making the settings easy enough for people to understand and tinker with. Several privacy experts worry that average consumers wouldn't go through the effort to ensure the settings match their needs.

"I think some percentage of people will go and change the settings, but I think it will be a low percentage," said Richard Smith, chief technology officer for the Denver-based Privacy Foundation.

Still, Smith said the inclusion of P3P indicates Microsoft is at least making privacy something of a priority. "There are definitely some good things about it," he said. "They're putting all the privacy controls in one place."

Smith also liked the feature that allows people to import privacy settings from outside groups or organisations. People who aren't sure how to set their preferences could simply visit a site that recommends certain IE settings based on their privacy ideals -- say, the Catholic Church or the Privacy Foundation. Thus, Smith's group could create a list of strict protocols while a shopping site might recommend much less stringent ones. People could import settings that work with their Web surfing plans.

Rob Enderle, an analyst with Giga Information Group, wondered how long it will take for direct marketers to devise a way to get people's data despite the technology. "These are all good steps, but invariably a bunch of people who work very hard to make money off the collection of private information are going to try to get around those steps," he said.

And some privacy advocates are panning the plan outright.

Andrew Shen, a policy analyst at the Electronic Privacy Information Center, said he would like to see more than just cookie management in the new IE. He said people can already change cookie settings on a site-by-site bases with alternative browsers such as Opera. "I don't think Microsoft's IE 6.0 will add anything to how consumers protect themselves online," he said.

EPIC has been highly critical of P3P technology, saying that it requires people to trade their personal information if they want to visit a site. In a report issued last year, the company called P3P "a complex and confusing protocol that will make it more difficult for Internet users to protect their privacy". The group would like to see an end to most types of personal data collection.

But Microsoft's Wallent said the company wants to strike a compromise between privacy protection and companies doing business on the Web.

"If we came up with some extremist solution that companies wouldn't sign off on, then the Web wouldn't work," he said. "The compromise here is in the default settings, but consumers can go further if they want to."

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.