| IE6 and Cookies (Here we go again...) Hi All:
Although it's been a while, some of you may remember the two long threads from last year in which a number of DSLR members hashed out the new Privacy settings in Internet Explorer 6.0:
"IE6 and Cookies"
»IE6 and Cookies
"IE6 does not handle cookies the same"
»IE6 does not handle cookies the same
A number of good resources resulted from those discussions, including several pages on my web site devoted to IE 6.0...
"P3P & Internet Explorer 6.0 Privacy Info"
»www.staff.uiuc.edu/~ehowes/info2.htm
"Internet Privacy w/ IE6 & P3P: A Summary of Findings"
»www.staff.uiuc.edu/~ehowes/ie6-p3p.htm
...as well as downloadable files that you can use to configure IE 6.0's handling of cookies:
Internet Explorer 6.0 Resources
»www.staff.uiuc.edu/~ehowes/resource5.htm
One thing that I never got around to doing during those original discussions, though, was putting together a comprehensive summary of the failings and shortcomings of IE 6.0. With the help of R2, however, I've returned to the question of Internet Explorer 6.0's Privacy settings and its handling of cookies, and finally assembled that summary list of problems with Internet Explorer 6.0. You can find this summary on my Privacy Policy page (which is more of an anti-Privacy Policy than anything else):
»www.staff.uiuc.edu/~ehowes/priv-···#ie6-p3p
The most significant result of this decision to revisit the question of IE 6.0 is that R2 and I were able to gain a better understanding of the Privacy Settings slider bar. In fact, after looking again at Microsoft's (confusing) documentation, we decided that the table that R2 originally put together to document the effects of the various slider levels on cookies...
»IE6 and Cookies
...needed to be re-worked. You can find an updated version of that table on the Privacy Policy page mentioned above.
Once we re-worked R2's table in the light of our better understanding of what Microsoft considers "acceptable" "consent" on the part of web surfers, several important things immediately became clear:
First, the slider bar blocks EVEN FEWER COOKIES than we had originally thought it did. It's even clearer now that the slider bar is without question the WORST method IE 6.0 offers to configure cookies. And yet most users will go for the slider bar because of its apparent simplicity, as well as the vapid, reassuring descriptions it offers for the various slider levels.
Second, the default Privacy settings for Internet Explorer 6.0 are lax and provide no meaningful privacy protection. At the default "Medium" setting, most cookies are accepted, even those from major third-party advertisers and marketers like Doubleclick. Thus, IE 6.0 puts the onus on users (not the web sites) to put a stop to privacy invasive practices of web sites. And to take back their privacy, those users -- who might have initially thought IE 6.0 would significantly improve their privacy protection straight "out-of-the-box," given all the hype -- will have to figure out IE 6.0's complicated Privacy settings themselves. And just how clear and helpful are those Privacy settings? Not very.
Third, the Privacy Settings slider bar treats opt-in and opt-out policies *identically.* With but two exceptions, IE 6.0 regards both opt-in and opt-out provisions within compact policies as sufficient "consent" to classify the compact policy as "acceptable" or "satisfactory," even when "personally identifiable" information is used. This is a *major* concession to the online marketing and advertising industry inasmuch as it effectively values the commercial needs of marketers and advertisers over the privacy of web surfers. (The two exceptions are at the "High" level in first-party and third-party contexts, and the "Medium-High" level in third-party contexts.)
Fourth, the privacy levels used by Privacy Settings slider bar provide less useful control over third-party cookies than they could or ought to. The handling of cookies from major third-party advertisers and marketers like Doubleclick (who will almost always have "acceptable" compact policies) is especially problematic. With the Privacy Settings slider bar, there is no way to block these cookies (or even "downgrade" them to session cookies, rendering them worthless for the marketers involved) except by choosing the "Block All" setting, which for most users who surf the net is not a viable option.
What Microsoft's reasoning for this arrangement might be is puzzling, as third-party cookies almost never provide web surfers with direct, substantive benefits; they are almost exclusively designed and used to benefit marketers and advertisers. (And, no, "personalized" advertising and direct marketing do NOT count as significant benefits to the end user or web surfer.) To the skeptical, it would at least appear that IE 6.0's Privacy Settings slider levels were explicitly designed to protect the cookies of major third-party advertisers and marketers like Doubleclick.
Fifth, IE 6.0's reliance on P3P compact policies strongly suggests that the mere existence of privacy policies is the most important standard in determining how privacy friendly a web site is. Thus, IE 6.0 paradoxically presents major advertisers and marketers like Doubleclick -- who will almost always have "acceptable" compact policies -- as more privacy friendly than small web sites that collect very little if any data at all about users but who don't have compact policies. Strange days indeed on the increasingly corporatized WWW.
There are still more reasons to doubt the efficacy of Internet Explorer 6.0's Privacy protections, and you can find them detailed on my newly revised Privacy Policy page:
»www.staff.uiuc.edu/~ehowes/priv-···#ie6-p3p
By the way, that page discusses corporate privacy policies and the use of privacy seal programs more generally, and it even includes a gloss of Yahoo's latest privacy policy.
Internet Explorer 6.0's Privacy settings are complicated and confusing, so please don't hesitate to ask questions about any of this new material on IE 6.0. Hope you all find it interesting and useful.
All the best,
Eric L. Howes |
|
|
|
Harold7
join:2002-01-31
Plattsmouth, NE | Interesting reading... I use IEClean 6.0 to manage security for IE 6.
It controls everything to do with IE 6 privacy, cookies etc., I hardly trust my security and personal information to M$, so IEClean takes that worry away.:) |
|
 gt7697cPremium
join:2001-02-16
The Hive | reply to eburger68
What happens if you override automatic cookie handling, and then override cookie handling for individual Web sites.
Will cookie handling for individual Web Sites still work????
--
Just my 2 bits. |
|
gt7697cPremium
join:2001-02-16
The Hive | reply to Harold7
Harold7, can you provide a link to that program. I would like to read more about it. Thanks.:)
--
Just my 2 bits. |
|
dangme
join:2001-09-15
San Francisco, CA | reply to eburger68
I have opted to enlist an app called Cookie Pro to handle my cookies and Norton Internet Security to handle privacy settings. Yes, it's more expensive, but both programs work extremely well, giving me peace of mind without having to delve in to all the documentation that eburger68 was magnamimous enough to provide.
As far as I can tell, my Internet security settings are safe. Anybody know of a good site to test settings to make sure I don't have a false sense of security? |
|
| reply to gt7697c
gt7697c:
You asked:
said by gt7697c:
What happens if you override automatic cookie handling, and then override cookie handling for individual Web sites. Will cookie handling for individual Web Sites still work????
Yes, that is one viable strategy. The conclusion of the IE6-P3P section of that document mentions three different alternatives to the Privacy Settings slider bar:
1) override the default Privacy settings with the Advanced Privacy Settings (ideally with all third-party cookies blocked) and then add trusted web sites either to the Per Site Privacy Actions box or the Trusted sites zone;
2) employ custom block lists to load known advertisers, marketers, and purveyors of spyware into the Restricted sites zone;
3) use free, third-party filtering software, such as ad blockers, cookie crushers, and pop-up stoppers.
Hope that helps.
Eric L. Howes |
|
gt7697cPremium
join:2001-02-16
The Hive
| You da man!!!! Thanks!!!!:):):)
Implementing it as soon as I finish typing.
Edit
Where does one get the customize cookie block list of web marketers????
How does one import that list without having to manually type it in????
--
Just my 2 bits.
[text was edited by author 2002-04-02 22:01:14] |
|
| reply to dangme
dangme:
You asked:
said by dangme:
Anybody know of a good site to test settings to make sure I don't have a false sense of security?
You can links to a number of sites that will test ad blocking, active content filtering, and general browser privacy on this page:
»www.staff.uiuc.edu/~ehowes/info17.htm
Best,
Eric L. Howes |
|
 cjsmithPremium
join:2000-11-03
Villa Rica, GA
| Egads Eric.. You have done it again.. I must seriously consider the installation of IE 6, since I have reviewed those threads initially as they were in progress. Yes I have been hesitant, and I have often pondered the install upgrade from 5.5 SP2 to 6.0, but...
Eric have you heard anything in relation to Microsoft releasing an SP package to rectify the IE6 shortcomings?
Thank you and "R2" for both the time and diligence that went into this remarkable insight to the MS IE6 mystery. 
As far as third party apps of course I use the "p" word.  /*Shameless Plug*/ ad blocker, cookie crusher, and pop-up stopper all rolled in to one and much, much more!!!
--
ZXList | Computer Cops | Proxomitron Discussion
[text was edited by author 2002-04-03 02:35:34] |
|
| reply to gt7697c
gt7697c:
You asked:
said by gt7697c:
Where does one get the customize cookie block list of web marketers????
How does one import that list without having to manually type it in????
Well, there are two different "lists" you can edit.
First, you can add sites to the Per Site Privacy Actions list on the Privacy tab. You can export that list from the Registry and then add to and edit it from there. To help you along I added two sites to my Per Site Privacy Actions list and then exported it:
this-is-allowed.com (Allow)
this-is-blocked.com (Block)
What follows is the complete Registry file for the resulting Per Site Privacy Actions list:
-----snip-----------
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\this-is-allowed.com]
@=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\this-is-blocked.com]
@=dword:00000005
-----snip-----------
Watch the wrap on some of those lines -- everything between [ brackets ] is one line.
As you can see, a value data of 1 = "Allow" and a value data of 5 = "Block."
If you need more info on this, see this thread:
»Add another security zone to IE6?
...where R2 discusses a number of different IE 6 Registry settings, including the one above.
Now, you can also add sites to the Restricted zone (where cookies are always blocked). There's a pre-made list of known advertisers and marketers for the Restricted zone here:
»www.staff.uiuc.edu/~ehowes/resou···#IESPYAD
Hope the above helps.
Eric L. Howes |
|
| reply to cjsmith
cjsmith:
You wrote:
said by cjsmith:
Eric have you heard anything in relation to Microsoft releasing an SP package to rectify the IE6 shortcomings?
I haven't heard a thing about a specific fix for shortcoming in IE 6.0's Privacy settings. I have heard that there is a SP1 in the works, but I don't have specifics. I do look forward to it, as IE 6.0 has strange effects on ZIP drives in Windows Explorer (won't completely refresh when you take one out and put another one in -- the directory contents of the previous ZIP disk still show until you close and reopen Windows Explorer).
said by cjsmith:
Thank you and "R2" for both the time and diligence that went into this remarkable insight to the MS IE6 mystery.
It's been an interesting couple of days. I always wanted to revisit the question of IE 6.0 because I've had a nagging sense since last fall that we never quite finished the job. Still haven't now, but we're closer.
All the best,
Eric L. Howes |
|
| reply to gt7697c
gt7697c:
You asked:
said by gt7697c:
Can you provide a link to that program. I would like to read more about it.
Here's a link to IE Clean:
»www.nsclean.com/ieclean.html
By the same folks who make BOClean, the anti-trojan app.
ELH |
|
cjsmithPremium
join:2000-11-03
Villa Rica, GA | reply to eburger68
Thank you this thread is "Marked" accordingly! |
|
gt7697cPremium
join:2001-02-16
The Hive | reply to eburger68
Nope don't think I will be trying IE Clean any time soon. Most of it what it does I already have on my system. Either in O/S or through a third party app.
Thanks for IE-SPYAD.
--
Just my 2 bits. |
|
| reply to eburger68
Eric,
It is not cast in concrete..but the lid is on the box.
Do you have any comment or information to share?????
__________________________________________________________
The Platform for Privacy Preferences Project (P3P) enables Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.
The Draft
»www.w3.org/TR/2001/WD-P3P-20010928/
The Platform for Privacy Preferences 1.0 (P3P1.0) Specification
W3C Working Draft 28 September 2001
The Latest
»www.w3.org/TR/P3P/
The Platform for Privacy Preferences 1.0 (P3P1.0) Specification
W3C Proposed Recommendation 28 January 2002
One of the products.
»www.alphaworks.ibm.com/tech/p3peditor
Update: February 21, 2002
Bug fix for compact policy generation; files generated are now compatible with the P3P Proposed Recommendation.
What is P3P Policy Editor?
The IBM P3P Policy Editor is a visual tool, with an easy-to-use interface, for creating a Web site's privacy policy in the P3P language, which can be interpreted by Web browsers and other user agents that support the Platform for Privacy Preferences Project (P3P) specification from the W3C. P3P allows users to automate the acceptance or rejection of a Web site's requests for information, based on user preferences set in browsers or client devices. Users are assured that their privacy is protected without having to read each Web site's privacy policy.
Comments on P3P-Policy-Editor
»www.alphaworks.ibm.com/forum/p3p···Document
"Another Microsoft con"
"Why bother with this java platform ? microsoft do not support it and they WON the browser war people."
Opt-out
"When using the template that collects user information for contact details I cant find anywhere to select and Opt-in or Opt out option for that data collection as I need to specify for 3rd party cookies.
Do I need to manually change the compact policy adding 'i' or 'o' to each entry."
__________________________________________________________--
Thanks you for all your information> |
|
| reply to eburger68
If you want to solve your cookie problem you can start
using a browser that support cleaning of cookie/cache/URL history, when the browser is closed down!
»www.crazybrowser.com is one alternative. Another is
"my IE browser" that can be found at.
»www.webattack.com/Freeware/misct···er.shtml
Both is built upon MOZILLA so there is no compatibility problem, supports WIN UPDATE & HTTPS for example.
Here are some of the features of the crazybrowser! (My IE is similair)!
* Security: This has full support for P3P privacy notifications and zone-based security assignments, are very easy to operate.
* Can be set to clear the cookies,cache...etc when browser is closed.
* Built in Popup Filter/Stopper: Annoying ad windows can be removed automatically.
* Browser Tab Interface: Web pages are organized on tabs to prevent your screen from getting cluttered. Browser tabs may be aligned at the top, the bottom, the left or the right of Crazy Browser and may be displayed on either one or multiple rows. (This feature alone makes it worth downloading, if you ever try surfing with TABS you will not live without it again)
* Multimedia Data Loading: Easy Turn off loading of multimedia data on/off with just one click.
* Multiple Engine Searching: Crazy Browser comes with many preconfigured search engines, but you can extend it to use your own.
* Works great with HTTPS services, 128 crypthations.
* It is faster than IE.
* Works with Windows update.
* Absolutely Free and NO SPYWARE or ADWARE.
I guess this was the way IE was supposed to work
Try one of these browsers and your cookie and other Microsoft security problems are long gone! |
|
| reply to eburger68
Hi folks,
I have always used CookiePal to manage my cookies - because I like the program . It reads the cookie alert window's caption. After the last update (MS) My Danish caption contains about the whole FAQ about cookies and there is no way CookiePal can capture the whole string. Leaving it hopeless unuseful. Where is this string located? Anybody know? I have searched for it as ascii string in all files on my computer, but can't find it. Meanwhile I have tried every cookie program I can think of, but none of them are able to catch anything anymore. Now I use Proxomitron's cookie function, but I don't like it, even though I love the rest of proxomitron
Arne
Proxomitron Forum
»asp.flaaten.dk/pforum/ |
|
 R2R NotPremium,MVM
join:2000-09-18
Long Beach, CA
kudos:1 | reply to eburger68
Thanks for bring this up again -- although it causes my head and neck to have random twitches and spasms just thinking about it!:) Wading through all that garbage was quite challenging. This is a perfect example of a simple idea -- improving privacy control -- can have a disastrous outcome if you put enough people to work on it.
What the W3C and MS have separately and sequentially created has got to be one of the most confusing, user-unfriendly arrangements possible. I am not sure anyone could create something more obscure or unintelligible for the average web surfer. And then Microsoft packages all this behind something with beautiful simplicity -- the infamous Privacy Slider. Dang, that looks SO easy! Just slide it up, and you get more privacy. NOT!:)
The reality is that the number of cookies that are actually blocked when moving the slider from Medium to High is essentially unmeasurable. This is for various reasons -- primarily the incredible laxity of the "acceptance" policies at each slider level -- but also due to the fact that the majority of third-party advertising web sites can easily make a Compact Policy that Microsoft will ALWAYS consider acceptable. The result is, NO site will EVER be stupid enough to make a Compact Policy that is unacceptable, so ALL third-party sites can use cookies!
The overall effect is to give the users the illusion of Privacy Control, while giving third-party advertisers carte blanche to set and retrieve cookies -- and your data. The winners in this arrangement are quite obvious.
While using a different browser is good for some people, the reality is that IE is the dominant browser on the market -- so we must learn to live with it. Many of us may not have a choice -- due to business constraints, etc. I also have no insight into any modifications being made in SP1. However, given the minimal level of complaints about the IE6 Privacy Slider (present company excluded), I doubt Microsoft sees this as a problem. I think in general the wool has been pulled over most people's eyes and it remains securely in place.
________________________________
All this being said, what do I do? I have an imported XML file that is my first line of defense. You can find out about how to use these in one of Eric's links above. He has done a superb job of creating a huge collection of XML files that you can download and use. I highly recommend any one who is serious about privacy to at least consider this option.
Next, I have AnalogX's CookieWall as a second line of defense. Why? Because my computer is not used just by me. My family members are all adept at adding sites to the Trusted zone (they use the buttons). Therefore, CookieWall lets me quickly see what made it through my XML import settings.
Regardless, I believe a cookie program (such as CookieWall, Jason Levine's CookieJar, and CookiePal) is still a VERY viable means to control cookies. If you *only* plan to use the 'slider' for privacy control, then a cookie program should be considered essential.
DenFortapte, I know of no program that reads the cookie alert window caption -- but I have never used CookiePal. One would think that CookiePal would update their product to fix this anomaly. (?)
Lastly, other full-featured 'blocking' or 'screening' programs like Proxomitron would be considered an excellent choice as well. The point is, you need to do something other than rely on the slider. Anything is better than that. |
|
| reply to Time Out
Time Out:
You asked:
said by Time Out:
Eric,
It is not cast in concrete..but the lid is on the box.
Do you have any comment or information to share?????
Thanks you for all your information>
Errrm...I guess I'm not sure sure just what you wanted me to comment on. The latest draft of P3P? IBM's P3P Policy Editor (which I haven't had time to play around with)? The comment about this being just "another Microsoft con"?
One observation about these policy editors: having looked at a few of them, I note that so many of them are presented as simply tools to generate yet another web page element that will allow cookies to be accepted by IE 6.0 users. In other words, IE 6.0's implementation of P3P is regarded as just another low hurdle on the way to setting cookies on users. The problem is presented as one of generating a compact policy that will allow the cookies to be set, not as one of a company's underlying privacy practices.
But those are just random observations.
Eric L. Howes |
|
jacourPremium
join:2001-12-11
Matthews, NC Reviews:
 ·RoadRunner Cable
·SureWest Cable
 ·AT&T Southwest
| reply to eburger68
Some cookies are good so it is nice to have a solution that allows some, but not all, cookies. CookieWall is a nice little freeware program that puts cookies into one of three categories: Delete, Keep, or New.
As new cookies arrive, you decide whether to keep them or not. If you decide not, all future cookies from that site are automatically sent to electron hell. If you decide to keep, it does nothing. Presently, I have kept 35 and have 384 set to delete and CookieWall has killed almost 4,000 cookies since the last time I reset the statistics.
True freeware, no nags, no anything, well behaved, less than 100K. Get it here:
www.analogx.com
They have other cool, and free, stuff too. Check out POW! which does the same for those annoying pop-up windows. |
|
