IE "Persistence" Tracks Without Warning

A reader writes "Never mind if you've shut off cookies. If you are using IE 5+, the browser can still be used to track you, with no warning. An IE 5+ feature, "persistence", allows the browser to remember information, such as search queries. Which of course means that you can be uniquely identified and tracked. And since it is a feature, there is no warning either that this information is being stored or when it is given. Shutting off scripting in theory stops it. More on the story at www.news.c om ."

Repetitive redundancy

From Microsoft: "The consumer that enables first-party cookies is even more exposed. This should only be an issue for someone who has disabled all cookies and is concerned about unique identification."

Translation: only people who care about their privacy care about their privacy. Gee whiz, mister, that makes it all okay!

ONE BIG PROBLEM WITH THAT

it's good that that works and that it's that simple, but the fact remains that the vast majority of computer users never change the defaults on any of their applications. if something doesn't work quite the way the want it to, they don't bother poking around in the preferences to fix it. my father complains about the recent versions of microsoft word because of those "annoying red and green squiggly lines all over the place." i say "dad, you can get rid of those in two steps." he doesn't bother. with respect to something like this, where you can't even tell that it's happening, i would wager that next to no one (outside of those reading this forum) are going to do anything about it.

Re:This isn't as important as....

Just as an exmaple.... advaya.com is doing this through spam (or as they call it, direct mail marketing). And they sell this service to other companies. The spams contain "1x1 gifs" along with links that point to places you wouldn't normally think they would point at. Like this:

Check out these <A href=3D"http://bigstar.ad6.net:8080/jsp/t/bigstar? b=4BF5Y7ESKTJH34789T5HTJKLGN489EI495T> hot magazines for 90 days for FREE </A>

It points to some server which records that you have clicked on this link, using that funky long string as your identifier. The string possibly holds some sort of demographic information.

There's also a 1x1 gif that comes with the spam...

<IMG src=3D"http://bigstar.ad6.net:8080/jsp/t/bigstar.g if?b=56HJTY90JKHHJGGIJ5476">

who knows what that does :P

i'll let you judge for yourself if this is evil or not. i just wanted to point out a specific exmaple of where its being used. bye

Re:I have to say it...

This kind of thing would have never happened if IE had been open sourced. This is also why Mozilla will take the market from IE.

Mozilla will never take the market from IE, unless someone starts paying folks to use it. Most people don't give a rat's ass about features/loopholes/etc. like the one described in the story. What percentage of web users browse without using cookies? I don't know the answer to this, but I'd put money on it being a relatively small minority.

"Page Hit Counting" in IE 5.1

I use IE 5.1 and there is an option in the advanced tab called "Enable Page Hit Counting". Here is what the Help says about it (emphasis is mine):

Specifies whether you want Internet Explorer to allow Web sites to track your Web page usage. Selecting this check box allows sites to create a log on your computer of which pages you view, even when you are viewing Web pages offline. That log is sent to the site the next time you go to it. By tracking the usage and popularity of specific Web pages, content providers can tailor future content to match your interests.

Looks like this has been around a while as M$ fishes for the most innocuous name possible.

"I will gladly pay you today, sir, and eat up

Re:It looks to me like this can be easily disabled

Why didn't they place the controls for such a device in a more obvious location?

Yeah, I know! Who'd have ever thought to look under SECURITY SETTINGS for something like that?! Geez! What we're they thinking?!

(cough)

-- Dr. Eldarion --

Re:"Page Hit Counting" in IE 5.1

Yeah, take this as a friendly reminder to open your IE prefs...

While you are there, there's a begger's banquet of potential security issues that you can mitigate. Microsoft was nice enough to provide the options, not nice enough to choose the secure default.

Advanced Tab
-----------
Profile Assistant (Allows web sites to upload information about you from somewhere. The Windows Address Book?)
Install on Demand (Web sites can install "Web Components" on demand. Vague enough for you?)
Search from the Address Bar (Unless you want to tell MSN what you are looking for..)

Security Tab
------------
ActiveX control settings (duh)
Tons of Script options which have known issues (which is why they are in this dialog box)
Automatic Logon (Sends your weakly encrypted NTLM network password hash to anyone who asks)

Re:Oh for some privacy

my local bookshop gets payed in cash. all they know is that some long-haired annoying geek sometimes buy porn. but since this isn't strange they won't remeber that either. they don't know where I live, what other stores I've recently visted, and what my favourite food is. even if they knew my name, they wouldn't be allowed to sell it. I would like the same anonymity on the net.

//rdj

Re:This is why LAW should require source disclosur

Yes, that's right. All software, commercial and non-commercial, should be MANDATED by law to include source code.

Agree with you partially - I think only source code should be copyrightable. Copyrights are intended to protect ideas, not a side effect of those ideas.

There's an interesting loophole in having binary files protected by copyrights: one could write a program that analyses an executable file, identifying all functions and respective calls. This software would then scramble the code, changing the position of the functions and fixing the calls accordingly. Would this be a copyright violation? To characterize a copyright violation should both files be absolutely identical, or would a certain sequence of identical bytes constitute a violation? If the latter, what about libraries -- a binary compiled with a certain library would make all subsequent programs linked with the same library illegal?

Re:You have a lot more to worry about

It is not as easy as you think. The IE ActiveX control is pretty much built into the OS. This makes it pretty much a given that anyone who wants to render HTML in their app is going to be using IE. We aren't necessarily talking obvious browser apps, either. It is very, very likely that you are using IE at times and not even knowing it.

Announcement: IE Calls Spouse, Parent W/O Warning

Redmond, WA (AP) -- Microsoft (NASDAQ: MSFT) today admitted that Internet Explorer, from version 4.2, has had the capability to phone the user's spouse or parents without warning and inform them of the user's browsing habits, including listing specific sites and the names of image and movie files downloaded.

The capability, described as a "feature" by Microsoft, came to light on the BugTraq mailing list three days ago after an angry user revealed that his copy of IE 5.1 had phoned his wife to tell her about his subscription to hotmonkeylovin.com.

"This is a perfectly standard feature of any web browser," said a Microsoft spokesman. "As with all aspects of life on the internet, there is a tradeoff here between a very valuable capability and a vanishingly small, almost theoretical loss of privacy."

Free Software Foundation guru Richard M. Stallman was unavailable for comment. A source close to the programmer said that Stallman was "busy reformatting his Windows partition."

Re:It's a Feature!

> > "This feature has a trade-off, like almost every other feature on the Web--in this case, between functionality and a minor, potential privacy exposure," said Michael Wallent, product unit manager for IE at Microsoft. "The consumer that enables first-party cookies is even more exposed. This should only be an issue for someone who has disabled all cookies and is concerned about unique identification."

<babblefish>Unless you find all the other security problems we built into IE, there's not much reason to worry about this one. If you use IE, they're going to get the information, one way or another.</babblefish>
--

Re:Better Documentation A Start?

Clearly documented explanations of the security features that one can toggle in the Internet Options -> Security tab would be one thing, but the lack of context-specific, right-click help (try it and see) or even the word persistence in the indexed help file (search and see) is somewhat silly.

While I agree, I think you're expecting too much from Microsoft's documentation group. They have different -- and Annoying(tm) -- ideas about what should go in a help system. Let me say up front that I neither agree or misunderstand why they dumb-down the docs -- we aren't thier main clients!

It's like an anti-man-page attitude; say How to do something not What something is or Why it is valuable. Much of the help provided is along the lines of "Print prints somethig to a printer" or worse "This button prints". In context, these might be OK...but the lack of extra details anywhere is just part of the design goal. Less is better...since it's not really necessary, is it? Anything more detailed would be confusing to a typical user.

MS is, after all, the company that don't document the switch /MBR for thier fdisk program (try it - fdisk /?)...why give detailed help on something that is much more of a user-level tool then a disk partitioning tool?

Re:It looks to me like this can be easily disabled

But why doesn't it shut off when you have your security level set as high as it can be?

It does.

Why didn't they place the controls for such a device in a more obvious location?

What would be more obvious than Options->Security?

Does "user data persistence" even give you a clue as to what it's actually doing?

You've got me there. It doesn't even have a help topic, like many of the security settings. That's a bit of a pain.

Re:Repetitive redundancy

Indeed. Here's a classic line from the Microsoft manager quoted in the article:

This feature has a trade-off, like almost every other feature on the Web--in this case, between functionality and a minor, potential privacy exposure..."

And, as always, Microsoft has made the call to sacrifice security and privacy for functionality.

Seriously, this must be a Microsoft corporate policy. Maybe a Microsoft-employed Slashdot reader can spill the beans, and point us to the internal web site or policy manual that says:

"If you ever need to choose between security and functionality, choose functionality. If you ever need to choose between stability and backward compatibility, choose backward compatibility. If you ever need to choose between adhering to the internet standard or adding a proprietary feature, why are you even thinking about it! Add the proprietary feature - of course! And don't document it, either!".

Or something like that. Come on, give it up, we know it's in there somewhere!

Torrey Hoffman (Azog)

This isn't as important as....

oh, say, bug files? Now you can't even turn those off.. for those of you who do not know, bug files are little 1x1 gifs (or any other image/html/etc format) that links to a page somethin like: ... very suspicious address? indeed. With the right server-side encoding (php can do it, asp can do it, cgi can do it) you can make the browser think its getting a 1x1 image, when in reality its sending unique identification information. Unfortunately i don't remember the link to the place that had a nice big write up on it. They had a list of some big and oft-visited sites which used this method. Next time you're bored check out some big sites's source and see if you see any questionable image tags. Makes local stored data from stupid searches seem kinda trivial now doesnt it?

Better Documentation A Start?

From the article [cnet.com]

Hint, the link is there to remind you to read it

Microsoft defended the feature and pointed out that the vast majority of Web surfers already are knowingly vulnerable to the same level of exposure. "This feature has a trade-off, like almost every other feature on the Web--in this case, between functionality and a minor, potential privacy exposure" [...]

Not to rant, but I cannot understand how such specious reasoning would find its way out of the mouth of a Microsoft representative. How could they possibly argue that since users are already at much greater risk from other features/exploits, one more "minor" inconvenience shouldn't matter?

Clearly documented explanations of the security features that one can toggle in the Internet Options -> Security tab would be one thing, but the lack of context-specific, right-click help (try it and see) or even the word persistence in the indexed help file (search and see) is somewhat silly.

Why would I have to journey to the developer's corner [microsoft.com] (link lifted from article) to learn what features are present in my browser? Maybe it's time that end-users insist on better [more immediate] documentation from Microsoft, especially with regards to things categorized under the heading of security

ps - SlashDot still has its woes when dropping in long URLs. God bless the preview button

Re:You have a lot more to worry about

I personally have taken the version of VIM with embedded Python, spliced in Python's built-in HTTP client classes, and use vi to view the source text, with the garbage tags stripped out.

I would've used Emacs for this, but I cannot trust LISP (the language's emphasis on parenthesies is antithetical to a prototypical architecture of a secure steganographical system) and I am worried that RMS may one day demand that the pages I view be switched to the GPL since I am using a GPL program to look at them.

I am now working on a kernel patch for /dev/web, which would map the Web's raw feed to a device that I can just cat to my standard out.

Explorer kicks ass, BTW.

Oh for some privacy

I tried to buy some porn the other day at the local bookshop. But guess what - people look at you when you pick it up off the shelf - like everyone in the store! It's worse - when you go and pay you actually have to interact with another human! It's even worse - they remember who you are and the next time you go shopping there and your wife comes along it's very embarassing. I think there must be some kind of multinational corporation conspiracy thing going on with the retailers in cahoots with the publishers in order to track me. Scary stuff.
--

Re:You have a lot more to worry about

So remove MSIE completely. In the future, return any software that turns out to require MSIE components.

The process is quite nicely automated by [98Lite] [98lite.net] which, despite the site name, actually has utilities that will remove MSIE from Win95, Win98, WIN98SE, and WinME. It'll nuke MSIEv3 through v5.x, and it does it safely.

Worth a shot, at any rate!


--

It looks to me like this can be easily disabled

I just looked at IE, and under security settings, it gives you the option of disabling "userdata persistence".

So?

Hee, hee, I've had this turned off for forever. It's under the advanced options and I never really knew what it did, but I didn't like the sound of "Userdata Persistence"...

rm -rf /

In related news...

I was just at a ftp server that grabbed my IP and reverse-resolved my name even though I was logged in "anonymously". This could be used to track me too.

And no, it wasn't IIS.

It is easily fixed

And you don't have to turn off javascript. It's just in the IE Preferences dialog, but it's enabled by default.

To turn it off, do the following in IE:

Click Tools->Internet Options.
Choose the 'Security' tab.
Click the 'Custom level' button
Search for 'Userdata persitence' (it's near the bottom, in the 'Miscellaneous' section)
Select the 'disable' option.

That's it!