Online privacy, Tracking, and IE8’s InPrivate Filtering


Online privacy and tracking have been in several news articles and public hearings lately. The recent attention has been on how visiting one site shares information with many sites, and how those sites can then share the information and effectively ‘track’ your activity on the web. The articles certainly show the complexity of the topic. This blog post offers some context on online safety and privacy and specific information about InPrivate Filtering, a feature in IE8 designed to help protect users from some tracking scenarios, as well as several other features IE8 offers users to help protect their privacy online.

Part of what makes online privacy tricky is that browsing the web is fundamentally an information exchange. Your web browser offers information in order to get information. That information can identify you. Often, that information is sent automatically for your convenience (like the languages you prefer to read) to tailor the content for you.

Because some of the technologies that can be used for tracking are also essential today for basic functionality, there is no “Just give me perfect privacy” feature. The way different tracking and anti-tracking technologies interact can read like a Spy vs. Spy comic strip. Distinguishing between a tracking technology (a beacon) and a useful piece of web content (a stock chart used as a beacon) is not straightforward. Some people are concerned about Adobe Flash’s “super cookies”; IE8’s InPrivate Browsing clears these as well when used with newer versions of Flash. As another example, InPrivate Browsing in IE8 “clears your tracks” and removes information from browser history when you close IE. During the actual browsing session, before you close it, IE still records history (so the back button continues to work) and cookies (so that logins and shopping carts continue to work). Ultimately, people want both a web that works and privacy protection.

We designed InPrivate Filtering to help users control who can get information about their browsing. IE enables users to choose how privately they want to browse. Users are in control of several privacy protection features in IE, and how automatically they function. Specifically, users can keep browsing information from going to sites they don’t actually visit directly. IE determines the potential tracking sites on the list based on the sites you browse to directly and how those sites were written. Different sites on the web have articles about more advanced features, like always browsing with InPrivate Filtering on, and importing and exporting InPrivate Filtering lists.

People who are concerned with tracking may be interested in how to use InPrivate Filtering in IE. (People interested in how it works can read more here and here.)

1. From the Safety menu, choose “InPrivate Filtering.”

2. Choose “Block for me” to turn on automatic filtering.

Alternatively, you can choose “InPrivate Filtering Settings” from the Safety menu at any time to see a list of sites that are in position to track your browsing based on the sites you browse to in IE. You can find more detailed instructions in several places around the web with some basic web searches.

The sheer complexity of privacy and online safety spans many disciplines. We’ve posted here about different aspects of web browsing safety. Bad things can happen to good people on the web in many ways. Internet Explorer includes protections for many different kinds of threats people face on the web. People often focus on malicious sites that exploit unpatched security issues in different devices and software. (Microsoft regularly releases updates; please turn on automatic updating if you haven’t already.) Sites host seemingly good downloads (“Free Emoticons! Puppy screensaver!”) that are actually malicious, or attempt to lure people to visit them; users often download them and run them anyway. Otherwise “good” sites unintentionally host malicious content. Phishing sites pretend to be one site (perhaps your bank) but are actually malicious in their use of information. IE’s SmartScreen has protected users over a billion times by blocking these kinds of attacks. Protecting children online is another set of challenges entirely. Some kinds of trust violations that are lower in severity go unhindered. Browser add-ons can leak information across sites, even though add-on developers can prevent it. Protecting a user’s online privacy is just as important to Microsoft as protecting the user from malicious sites.

The web today has lots of great innovation. Unfortunately, threats to online safety and privacy also see rapid innovation. The communities working together to combat online safety issues span the technology industry, financial and commercial institutions, academia, government, and law enforcement agencies.

Dean Hachamovitch

List of articles referenced
Adobe Flash Now Supports InPrivate Browsing – IEBlog – Site Home – MSDN Blogs
Browser Information
Even without cookies, a browser leaves a trail of crumbs
Hearings – U.S. Senate Committee on Commerce, Science, & Transportation
How a browser extension leaks Google history to Amazon | CNET to the Rescue – CNET Blogs
How to Start Internet Explorer 8 in InPrivate Browsing Mode by Default – The Winhelponline Blog
HTTP/1.1: Header Field Definitions
IE June Security Update Now Available – IEBlog – Site Home – MSDN Blogs
IE8 and Privacy – IEBlog – Site Home – MSDN Blogs
IE8 and Trustworthy Browsing – IEBlog – Site Home – MSDN Blogs
IE8 Blocked over 1 Billion Malware Attacks | Windows 7 News
Protect Yourself from Malicious Advertisements with Internet Explorer 8
IE8 Security Part I: DEP/NX Memory Protection – IEBlog – Site Home – MSDN Blogs
IE8 Security Part II: ActiveX Improvements – IEBlog – Site Home – MSDN Blogs
IE8 Security Part III: SmartScreen® Filter – IEBlog – Site Home – MSDN Blogs
IE8 Security Part IV: The XSS Filter – IEBlog – Site Home – MSDN Blogs
IE8 Security Part V: Comprehensive Protection – IEBlog – Site Home – MSDN Blogs
IE8 Security Part VI: Beta 2 Update – IEBlog – Site Home – MSDN Blogs
IE8 Security Part VII: ClickJacking Defenses – IEBlog – Site Home – MSDN Blogs
IE8 Security Part VIII: SmartScreen Filter Release Candidate Update – IEBlog – Site Home – MSDN Blogs
IE8 Security Part IX – Anti-Malware protection with IE8’s SmartScreen Filter – IEBlog – Site Home – MSDN Blogs
IE8 SmartScreen in action – IEBlog – Site Home – MSDN Blogs
IE8: Ad blocking with the InPrivate Filter – SuperSite Blog
Internet Explorer 8 – InPrivate Filtering
Internet Explorer 8: Nine Things You Didn’t Know You Could Do – IE8 Tips 5-9 | PCMag.com
Is Google Watching You? New Plugin Will Let You Know [APPS]
Linux infection proves Windows malware monopoly is over; Gentoo ships backdoor? [updated] | ZDNet
My Browser Info
Panopticlick (Electronic Frontier Foundation)
Privacy Beyond Blocking Cookies: Bringing Awareness to Third-Party Content – IEBlog – Site Home – MSDN Blogs
Privacy, Add-ons, and Cookie-less HTTP Requests – IEBlog – Site Home – MSDN Blogs
Rickrolling – Wikipedia, the free encyclopedia
Spy vs. Spy – Wikipedia, the free encyclopedia
What is Private Filtering on IE8 and How to Prevent Web Sites from Collecting Information About You?
Windows Live Family Safety
Your Privacy Online – What They Know – WSJ.com


Comments (37)

  1. Anonymous says:

    I know this is random, but can we expect a spell checker in Internet Explorer 9, and maybe a good add-on place like Firefox and Google Chrome have?

  2. Anonymous says:

    You should've built in better privacy if for no other reason than to stick it to Google. Another piss poor decision by Ballmer.

  3. Anonymous says:

    Matt, please try to read and understand before posting.

    People don't use browsers that don't work.

    The IE team provides plenty of ways to "stick it to Google" including InPrivate Filtering. Users can trivially block all Google ads across all sites by simply putting "*.googlesyndication.com" in the Restricted Sites Zone. That works for Google's *.doubleclick.net as well.

  4. Anonymous says:

    Is there documentation & examples on the rules used by the InPrivate filter?

  5. Anonymous says:

    The average user is maybe going to have a look at the privacy settings tab under Tools -> Internet options, but even that is doubtful.

    However for those who venture this far we see settings of:

    Block All Cookies: A + B

    High: C + D

    Medium High: E + F + G

    Medium: E + F + H

    Low: E + I

    Accept All Cookies: J + L

    A) Blocks All Cookies from All websites.

    B) Cookies already on the computer cannot be read by websites.

    C) Blocks all cookies from websites that do not have a compact privacy policy.

    D) Blocks cookies that save information that can be used to contact you without your consent.

    E) Blocks third party cookies that do not have a compact privacy policy.

    F) Blocks third party cookies that save information that can be used to contact you without your explicit consent.

    G) Blocks first party cookies that save information that can be used to contact you without your explicit consent.

    H) Restricts first party cookies that save information that can be used to contact you without your explicit consent.

    I) Restricts third party cookies that save information that can be used to contact you without your explicit consent.

    J) Save cookies from any website

    L) Cookies already on the computer can be read by the websites that created them.

    Can you explain what the two terms below actually mean and how they relate to the tracking issues and "beacons" that are being discussed?

    "Blocks … cookies that save information that can be used to contact you without your consent."

    and

    "Blocks … cookies that do not have a compact privacy policy."

    The default setting for IE8 is Medium. What problems are users likely to encounter if they increase their privacy settings to Medium High or High, and what security/privacy benefits will be gained from these settings?

  6. Anonymous says:

    @Luddite – the whole point is that it's not just cookies.

  7. Anonymous says:

    @fanboy: InPrivate Filtering is described in prior posts on this blog, and it's quite simple: If content appears in a 3rd party context on more than /n/ sites (a user selected number) then it isn't downloaded on future navigations if the user chooses by enabling InPrivate Filtering.

    @luddite: You can learn more about IE's cookie settings here: blogs.msdn.com/…/understanding-internet-explorer-cookie-controls.aspx

    As NotJustCookies points out, features like beacons and trackers don't always rely only upon cookies, which is why features like InPrivate Filtering and Zones are useful for blocking other types of unwanted content. The point which "Cluetrain" makes above is that sites can potentially break when you start blocking their content. If there was any way to automatically block content without causing problems, two things would likely happen: 1> Browsers would build that feature in, and 2> Sites would adapt so they'd break when their content was blocked. This isn't speculative: we've seen this happen already with both popup blockers and ad blockers.

  8. Anonymous says:

    @ Eric and Not just cookies: my point is that people reading this blog are not your average user. The average user needs to be able to select a single setting and know that they will be protected.

    What appears to have been determined by the article on beacons and tracking companies is that by default web users' privacy is being walked all over.

    Privacy settings and the point about it being not just cookies is well taken. Is the industry bending over backwards to support advertisers and Google to provide them with the information they want? The result being that users of the web have no privacy.

    As a web publisher who uses affiliate programs I want to receive my commissions, but I really do not want my affiliate partners taking advantage of my visitors or invading their privacy. Shopping carts and session cookies are welcome for ecommerce, but spyware and tracking cookies are a step too far, unregulated and open to abuse. The average user needs to be protected by much stronger defaults and simple settings.

  9. Anonymous says:

    Is IE9 going to do something about the potential privacy issues regarding CSS :visited?

    dbaron.org/…/visited-privacy

    hacks.mozilla.org/…/privacy-related-changes-coming-to-css-vistited

    blog.mozilla.com/…/plugging-the-css-history-leak

    The Mozilla Team seems to be pretty serious about it.

    Thank you.

  10. Anonymous says:

    @TheLudditeDeveloper: that is never going to happen completely. There is just too much money in it and web publishers will start ranting at MS/Mozilla/etc if they did. This is also why no major browser includes AdBlocking functionality by default, or why there is no explicit option to automatically enable InPrivate Filtering every time you open the browser (currently you have to hack the Windows registry to do that), or why no major browser offers an integrated button/command to clear DOMStore, Flash cookies and stuff.

    Sorry if this is a little glass half empty, but I really don't get why it is *technically* so difficult to integrate these kinds of features into browsers by default; except for the adblock, the others should be pretty simple to implement and should require minimal testing. So it must be a political/design choice.

  11. Anonymous says:

    @Luddite: You should read the article I provided, particularly the section on P3P.

    @Cooper: All major browsers offer "integrated" features to delete all history. As Dean mentioned in this post, the Flash team made changes to participate in the Delete Browser History mechanism.

    One major reason that "no major browser includes AdBlocking functionality by default" without additional configuration is that such functionality would stop working as soon as it became popular because websites can defeat any such mechanism.

  12. Anonymous says:

    @EricLaw [MSFT]: I may agree with you about the AdBlocking feature, but apparently I am not the only one who thinks there is something missing here. Take a look at today's Wall Street Journal for example: online.wsj.com/…/SB10001424052748703467304575383530439838568.html

  13. Anonymous says:

    Cooper, as Dean outlines, there are tons of features in IE that put the user in control of their privacy. The idea of "automatically" shielding the user at the cost of putting reliable function of their browsing experience at risk is a hazardous one; users will likely move to browsers that "work correctly" when sites are broken.

    By way of example, consider the InPrivate Filtering feature. There's no programmatic mechanism by which a client can know whether a given script file represents a "beacon" or a library file. So, if there's a centralized script repository (e.g. Google and Microsoft both host JQuery so that websites can benefit from our worldwide CDNs) that repository's host will be flagged as a potential tracker site by the InPrivate logic, because these repositories are DESIGNED to be called from many independent 3rd party contexts. While such sites probably don't do any tracking, there's literally no way for the client to know. So, if InPrivate Filtering was on by default, users would find that the sites they use and care about one-by-one would break as the scripts got blocked.

    Now, the obvious next step is to allow the sites to flag certain responses as innocuous/non-trackers from a privacy point of view, very similar to what is done with P3P. The problem is that you're then back to the problem that privacy isn't a binary thing– it's up to the individual user's preference to decide what privacy policy they themselves are happy with. That, in turn, requires that the user provide a configuration decision, which in practice boils down to what IE provides with the existing InPrivate Filtering feature.
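
The counting rule described in comment 7 and the shared-library false positive described in comment 13 can be seen together in a short model. This is an added example, not IE's code and not part of the comment thread; the class name `ThirdPartyFilter`, the last-two-labels definition of a "site", the keying of resources by origin plus path, and all `.example` hosts are assumptions made for illustration.

```javascript
// Added illustration of frequency-based third-party filtering.
// All URLs are constructed sample data on the reserved .example TLD.

// Assumption: a "site" is the last two host labels. A real browser
// needs a public-suffix list to draw this boundary correctly.
function siteOf(url) {
  return new URL(url).hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Assumption: key a resource by origin + path, so per-request query
// strings (cache busters, user ids) collapse into one entry.
function resourceKey(url) {
  const u = new URL(url);
  return u.origin + u.pathname;
}

class ThirdPartyFilter {
  constructor(threshold) {
    this.threshold = threshold;   // the user-selected number n
    this.seenOn = new Map();      // resourceKey -> Set of first-party sites
  }

  // Record one subresource load observed during normal browsing.
  observe(pageUrl, resourceUrl) {
    const firstParty = siteOf(pageUrl);
    if (siteOf(resourceUrl) === firstParty) return;  // first-party: not counted
    const key = resourceKey(resourceUrl);
    if (!this.seenOn.has(key)) this.seenOn.set(key, new Set());
    this.seenOn.get(key).add(firstParty);            // Set ignores repeat visits
  }

  // Distinct first-party sites on which this resource was embedded.
  siteCount(resourceUrl) {
    const sites = this.seenOn.get(resourceKey(resourceUrl));
    return sites ? sites.size : 0;
  }

  // Decision for a later navigation: block third-party content that has
  // appeared on more than n sites. Nothing here inspects what the content
  // does, so a beacon and a shared library are indistinguishable.
  shouldBlock(pageUrl, resourceUrl) {
    if (siteOf(resourceUrl) === siteOf(pageUrl)) return false;
    return this.siteCount(resourceUrl) > this.threshold;
  }
}

const BEACON = 'https://px.adnet.example/pixel.gif';
const LIBRARY = 'https://cdn.libhost.example/jquery.min.js';
const WIDGET = 'https://maps.geo.example/embed.js';

// Constructed browsing history: four sites embed both the beacon and the
// shared library; only one site embeds the widget.
function buildDemoFilter() {
  const filter = new ThirdPartyFilter(3);
  ['news', 'shop', 'blog', 'forum'].forEach((name, i) => {
    const page = `https://www.${name}.example/`;
    filter.observe(page, `${BEACON}?uid=abc&r=${i}`);
    filter.observe(page, LIBRARY);
    filter.observe(page, `https://static.${name}.example/site.css`);
  });
  filter.observe('https://www.news.example/', WIDGET);
  filter.observe('https://www.news.example/story', BEACON);  // repeat visit
  return filter;
}

const demo = buildDemoFilter();
for (const resource of [BEACON, LIBRARY, WIDGET]) {
  const verdict = demo.shouldBlock('https://www.travel.example/', resource);
  console.log(resource, demo.siteCount(resource), verdict ? 'blocked' : 'allowed');
}
```

The beacon and the library receive the same verdict because the only signal is how many sites embed them, which is why a site that depends on the shared script breaks once filtering is on.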

  14. Anonymous says:

    Is the IE Team going to include some protection in IE9 against the potential privacy issues regarding CSS :visited?

    blog.mozilla.com/…/plugging-the-css-history-leak

    The Mozilla Team seems to be pretty serious about it.

    Thank you.

  15. Anonymous says:

    @James: We haven't made any announcements about that topic. You might be interested in checking out blogs.msdn.com/…/csshistoryprobing.aspx which explains the issue and the already-available mitigations present in IE8.

  16. Anonymous says:

    @EricLaw [MSFT]: Thanks! It is an interesting reading. I hope you'll manage to further improve mitigations/solutions for IE9.

  17. Anonymous says:

    There is a fairly decent free adblocker for IE called Simple Adblock.

    It seems to be growing fast since after several updates early 2010.

    After installation you are asked if privacy filters should be set, which should block tracking cookies.

  18. Anonymous says:

    How about…this:

    Microsoft just listens to its customers for once instead of the Redmondland Marketeers?

    I swear…every time there's a debate to be had about consumers and bottom lines with no balance in sight, it's always sales and marketers that end up saying, "but doing good for the customer is…NO!"

    Almost sounds like a U.S. political party I know.

    As for those who might say that providing that extra length of privacy would break sites, how about NOT MAKING SITES THAT BREAK WITH PRIVACY ENABLED?

    Sounds like a big "DUH" moment here.

    So…DUH!!!

  19. Anonymous says:

    You're a genius– I'm sure no one ever considered that sites could simply not infringe on the user's privacy, and then everything would be golden. Thanks for solving this problem for everyone! Now, onto resolving world peace!

  20. Anonymous says:

    From today's WSJ article about InPrivate browsing and the conflict between advertising and consumers:

    "Users must activate the privacy setting every time they start up the browser."

    Hell, I thought InPrivate browsing was activated all this time. It sure looked that way during the setup process. Now I find out it purposely resets itself, because the advertisers won out.

    This is how it's supposed to work: I change a setting, the program keeps the setting. It does not change unless the program gives me an indicator that it has changed it.

  21. Anonymous says:

    What "setup process" are you referring to? Given that there's an icon in your status bar which plainly shows when Filtering is on and when it's not, I'm not sure how you failed to notice this.

  22. Anonymous says:

    Why aren't all index.dat files wiped when deleting browser history?

    Among the various index.dat (there are more than 10 index.dat on my pc), the following are NOT wiped:

    C:\Users\<Username>\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat

    C:\Users\<Username>\AppData\Local\Microsoft\Windows\History\History.IE5\MSHistnumber\index.dat

    Could this be a bug?

    It would be very good for privacy if IE wiped ALL index.dat files when deleting browser history.

  23. Anonymous says:

    It's just a drop in the ocean, but… at this point, I'd like to thank Dean and the crew for standing up to the higher-ups concerning our privacy. Never mind that in the end you had to compromise. Thanks guys.

  24. Anonymous says:

    As for blocking the tracking/web bug stuff, is it better to blacklist those domains in the hosts file or in the restricted zones or both (or somehow else)?

    Thanks.

  25. Anonymous says:

    @David: The Restricted Sites UI is simpler to use (for a small number of hosts) since you don't have to run an elevated text editor and manually edit a hard-to-find file.

    Notably, however, HTTP requests are still made for hosts in the Restricted Sites Zone: the Zone blocks the sending or setting of cookies and the ability to run script or ActiveX objects, but doesn't block the request.

    So, if you want to block static images and are worried about information in the request URL, then the Hosts file is the way to go. If you're worried only about script and cookies, then the Restricted Zone should suffice.

  26. Anonymous says:

    One other point to be made: the HOSTS file won't do anything for you if you're behind a proxy (since the proxy does DNS lookups, not the client). In contrast, the Restricted Zone settings are applied regardless of whether you have a proxy or not.

  27. Anonymous says:

    Thanks Eric!

  28. Anonymous says:

    IE8 InPrivate mode filtering is not a complete solution for privacy. It has been mentioned and proven several times that IE has history issues outside of regular IE browsing as it shares its "history" with the operating system. Until the IE Team has sorted out the various privacy breaches with Windows Exploring and Windows Media Player – please stop posting that using IE8 InPrivate Mode ensures that no private information is leaked as that is currently a proven fallacy.

  29. Anonymous says:

    @Aeroz (and other asking about spell checking, ad blocking, etc.)

    There's a pretty sweet add-on available for IE, from http://ie7pro.com. Despite the name, it works on IE6 through 8, though you'll want to change a couple of settings on 8 since they concern features already built-in*. It provides everything from spell checking to ad blocking to a download manager, plus handy features like a user-agent switcher, fast proxy switcher, the ability to change the default View Source program (although IE8's is decent), the ability to highlight a URL and go straight there, the ability to always have the search box open its results in a new tab… so many features. A few that I don't use much but that some people will love: mouse gestures, GreaseMonkey-like custom scripts, URL aliases, prefetching… seriously, it's an almost frightening amount of customizability.

    Also, IE8 already has an add-on repository; Tools -> Manage Add-ons -> Find more toolbars and extensions (link at bottom of window). It's nowhere near as large as Firefox's, but it gets the job done.

    * Specifically, you can turn off the IE7Pro search-as-you-type bar, which 8 has, and you should remove or change the Ctrl+Shift+T shortcut for Duplicate Tab; IE8 has built-in tab duplication that works better, and uses that shortcut for Re-open Closed Tab, which it also implements better than IE7Pro does.

  30. Anonymous says:

    I lost a lot of respect for this blog after reading this post. What a load of complete nonsense "Users are in control of several privacy protection features in IE" – actually, they aren't, as pointed out by the many news articles that surfaced over the weekend.

    Has this turned into a politician's blog? Did you even write this, or did your legal team/upper management do so? I love how you completely change the topic at the end "but we're good at security!" which has nothing to do with the issue at hand – the fact InPrivate Filtering was neutered by your upper management.

    Don't waste our time with nonsense like this.

  31. Anonymous says:

    I lost a lot of respect for your comment after reading it. You failed to identify any actual problem and point generically to the poor reporting from the mainstream media that something's amiss.

    Don't you find it a bit suspicious that the primary source they cited was a disgruntled MS executive who got fired?

    This post (and the comments) plainly explain how simple it is to turn on InPrivate Filtering (it's a regkey, for crying out loud) permanently if you're too lazy to click the icon once in a while. Of course, when you find that the feature breaks sites you care about, then you'll turn it off and find that the IE default behavior suddenly makes a lot more sense.

    Think. Then post.

  32. Anonymous says:

    Let's at least be honest – the whole purpose of InPrivate mode is as they say: Pr0nMode, the ability to surf porn without leaving traces for others to realize you spent 45min looking at omg, isThatReal, areYouSerious, ewwwThatsGross, whoSeriouslyDoesThatLikeThat?

    For the most part the feature works just fine; the only flaws are with saved video files due to the Windows Media Player Bug. (PS *** surfers – if you viewed a video in WMP after IE was closed, IE will track that you watched that video (even if you delete the video!) )

    For everything else (checking your gmail on a friend's PC) it's fine because you will log out when done… the fact that you checked your email is irrelevant.

  33. Anonymous says:

    @ What

    It's been mentioned several times elsewhere on this very blog, but you actually can turn InPrivate Filtering on by default. It's pretty easy actually:

    1. Launch Regedit.exe and navigate to:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\PrivacIE

    2. Create a new DWORD value named StartMode

    3. Double-click StartMode, click the text form and enter 1.

    Enabling this by default would break a ton of sites though, as shared scripts are used across an increasingly entangled web to deliver content. I've also seen people import .xml files with the list from Adblock Plus to give IE 8 adblock functionality, although there isn't a way to auto update the list…

  34. Anonymous says:

    I have an interesting thing I found out. In IE on Windows 7, if you click an Internet shortcut that's on the desktop, it will open. After I'm done browsing I close the window, then open a new one with the Start menu Internet icon. It asks if I'd like to restore my session sometimes, or it remembers cookies from the previous session even though it's not supposed to. So why does it do that?

  35. Anonymous says:

    8675309: The prompt about restoring your session indicates that one of your add-ons is hanging or crashing on shutdown. As for the fact that your session cookies are preserved, this can also be a symptom of such a hang, because the "zombie" process keeps the session alive. blogs.msdn.com/…/session-cookies-sessionstorage-and-ie8.aspx

  36. Anonymous says:

    The only add-on that I could think of causing trouble is Flash, or after reading blogs.msdn.com/…/add-on-performance-part-1-measuring-add-on-performance.aspx it could also be AVG Safe Search.

  37. Anonymous says:

    It also sometimes happens on Vista as well, but not that often.