Internet Explorer Privacy Features - Questions and Answers
1:00 PM PST, Wednesday, January 9, 2002
Host Guide_KenM:
Welcome to today's TechNet Chat. Our topic is "Internet Explorer Privacy Features - Questions and Answers". Questions, comments, and suggestions are welcome. The Input Room is where you can enter questions for our hosts today. We will read them and select questions to answer. The questions and answers will be posted in the Reading Room.
MichaelG:
Q: What does IE6 provide as far as privacy, besides cookie control?
Host Guest_Aaron:
A: IE 6 also uses P3P to help inform users about the privacy practices of sites they visit, aside from cookies. At any time you can click View -> Privacy Report to see the policy of a site. There is no programmatic action taken on these policies. The only programmatic privacy-based filtering is on cookies. While this certainly does not solve all of the Web privacy issues, it's a great first step!
MichaelG:
Q: Why do I see that some GIFs are listed in the URLs of the privacy report?
Host Guest_Aaron:
A: The privacy report will list all of the elements of the Web page—that is, users will see everything that traveled over HTTP as a separate entity.
MichaelG:
Q: P3P, does that go in the HTTP header or in the HTML (a META tag)?
Host Guest_Aaron:
A: Great question. Let me explain that in several parts. There are three main pieces of P3P to think about: policy reference files, policies, and compact policies. P3P user agents use policy reference files to determine which P3P policy to apply to which part of the site. As an example, policy1 may be for your shopping area, policy2 may be for your home page. The way a site indicates where the policy reference file is located is by: a) using something called the well-known location, i.e. posting it at /w3c/p3p.xml at the site, b) stating the URL for the reference file in the HTTP header, or c) placing the reference file…URL in a link tag on the page. Lastly, the compact policy, which is derived from a full policy and applies to cookies, is sent using the HTTP header. Hopefully, that all makes sense.
MichaelG:
Q: Is native (designer?) capability for P3P planned for VS.NET, or a future version?
Host Guest_Aaron:
A: I do not believe that VS.NET has any tools for building P3P in at this time. The potential to include some toolability there is clear though.
ron:
Q: What does the "Clear SSL State" button do?
Host Guest_Aaron:
A: When SSL performs client authentication, it does so by utilizing a client certificate. This certificate is "cached" in the sense that future client authentication attempts will try to do so with that certificate. This button allows you to clear that cached state, so that you may use a different certificate for future client SSL authentication.
MichaelG:
Q: So it only works if I'm using a client certificate?
Host Guest_Aaron:
A: The button is located on the content tab of "Internet Options". It only is relevant if you are making client-authenticated SSL connections.
ron:
Q: After I hit that button, I can no longer open SSL pages—even ones that don't require client authorization.
Host Guest_Aaron:
A: This is unexpected behavior. There has been a resurgence of an old SSL configuration problem on some platforms. You may want to investigate this Knowledge Base article and see if it is relevant to your situation: http://support.microsoft.com/default.aspx?scid=kb;en-us;261328.
Host Guest_Aaron:
Does anyone have any questions about P3P deployment?
MichaelG:
Q: Is P3P honor-based? I could put a policy that says we don't even look at customer data, while we actually post it on our Web and sell it? Will there be a "secure" P3P that would integrate/replace certification from eTrust, etc.?
Host Guest_Aaron:
A: Great question. I am not a lawyer, but here is my layman's understanding. Currently, P3P is as honor-based as any other privacy information, so enterprises must describe themselves in a fair and accurate way as they do elsewhere. It's a bit like the nutrition labeling you see on food packages. There is support in P3P for sites to include certificates such as BBB or TRUSTe and have them show up. You can see an example by going to microsoft.com.
MichaelG:
Q: Except the FDA goes after you if you publish incorrect info, right?
Host Guest_Aaron:
A: I'd imagine so. In this case, if a site maliciously describes itself to trick users, the FTC is the agency that could pursue action. Whatever FTC laws apply to regular privacy practice statements extend directly to P3P, as far as I know. That said, I would imagine there is some room for implementers to make errors that are not in the spirit of maliciousness. But again, I am not an attorney, so this is layman's discussion.
Host Guide_KenM:
For those new to the chat, our topic is "Internet Explorer Privacy Features - Questions and Answers". Questions, comments, and suggestions are welcome.
MichaelG:
Q: What are the default IE6 cookie settings? Is it safe to assume, as a site developer, that we'll be able to use session and local cookies?
Host Guest_Aaron:
A: Cookies from domains that correspond to the top-level of the document are allowed by default. We call these first-party context cookies. You should deploy P3P anyway, because you never know when your content may be hosted in a frame from a Web mail or portal site.
MichaelG:
Q: Where in IE6 can I set the P3P settings for cookie acceptance? I only have seen the block/accept/prompt settings box.
Host Guest_Aaron:
A: There are three places for IE 6 settings: Click "Tools", then "Internet Options", and then the "Privacy" tab. The slider you see there controls the cookie filtering settings. You can then click "Advanced" to get prompt/accept/block options for first- or third-party cookies, which override the filtering settings. Finally, from the "Privacy" tab, if you click "Edit", you get a list of per-site cookie decisions.
MichaelG:
Q: Does an IE6 upgrade import the few cookie control settings IE5.5 had (basically block/allow/prompt for cookies and session cookies)?
Host Guest_Aaron:
A: Yes, you can use the import mechanism to do that, but you should be able to get most of what you need from the advanced options.
MichaelG:
Q: But it won't automatically upgrade those settings?
Host Guest_Aaron:
A: Oops. Now I get your question. IE 6 will change your IE 5.x settings to the default cookie filtering settings for IE 6; this protects users' privacy out of the box. There happens to be an import mechanism for IE 6 that allows for very granular settings; this is what I thought you were speaking of.
MichaelG:
Q: Is this correct: By blocking third-party cookies, people can avoid being "tracked" by sites such as DoubleClick?
Host Guest_Aaron:
A: If you block third-party cookies, you have denied one of the main ways that sites track Internet users. Unfortunately, this is the "hammer" approach. With that approach you also block out a common way that sites do shopping carts, login sessions, and other things. This hits at the beauty of P3P. By using a setting like "medium" or "medium high", you ensure that the third-party cookies that you do let through have reasonable privacy practices.
MichaelG:
Q: The IE team needs to add a quick little dialog explaining that P3P will handle that for me. I didn't know, so I set "Block all third-party cookies". I'd assume most people don't read enough of the docs/press releases to fully understand.
Host Guest_Aaron:
A: Unfortunately, not many people actually read dialogs either :( We have tried to educate on this in the text on the privacy slider and also in the help documentation.
MichaelG:
Q: I think there should be an "Advanced P3P settings".
Host Guest_Aaron:
A: If you could design it, what would you put there?
Host Guide_KenM:
We are going to have to wrap up this chat in about 10 minutes. We are working on answers to some last questions though.
Host Guest_Aaron:
In short, we strongly considered having a wide range of options for users to choose from. Based on usability expertise, it turns out that very, very few people configure their browser settings. But those who do are vocal (myself included). As it turns out, a simple user interface is much more effective. So we solved this by having an import mechanism. The import schema can take just about any settings you can dream up. Since the schema is fully open, anyone can go write cool templates, or even a little app that sets up a file for others to import. Here's the link to the docs on it: http://msdn.microsoft.com/library/default.asp?url=/workshop/security/privacy/overview/privacyimportxml.asp. We have definitely thought about doing something like this. If only we had time to do everything!
MichaelG:
Q: Will there be overlap/convergence of some of the .NET Framework security features and privacy in IE, specifically relating to running code in the browser from a specific site?
Host Guest_Aaron:
A: As yet there is no relation between the CLR security model (evidence-based plus code access security) and IE privacy settings, although it's easy to imagine P3P-based evidence in that scenario.
MichaelG:
Q: Also, Aaron, you weren't introduced. What is your role in IE?
Host Guest_Aaron:
A: I managed the implementation of the IE 6 privacy features. It looks like we will not have the time to get into off-topic discussions. I will say that I love that quick search IE5 power toy. :)
Host Guide_KenM:
We are going to have to wrap up this chat in a few minutes. Are there any other questions for Aaron?
Host Guest_Aaron:
Thanks everybody. I hope P3P deployment goes well for all!
Host Guide_KenM:
Thanks for joining us today! You've asked some great questions. Unfortunately, it's time to go. Thanks for attending today's chat.
We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.