
Browser privacy tools still lack bite, security analysts say

Browser vendors continue to implement privacy in a halfhearted way, with Internet Explorer's default use of cookie "do not track" technology being the best of a weak job, a new assessment by NSS Labs has argued.

Currently, the latest versions of all four leading browsers—IE, Firefox, Chrome, and Safari—implement Do Not Track, but only Internet Explorer 10 installs it switched on by default, NSS Labs' latest Comparative Analysis found.

The cookie-tracking setting can be enabled in the other three, but only by locating an option in a menu setting. The authors are especially critical of Chrome, which requires users to find and expand a nested Advanced Settings tab to enable the feature.

Even Microsoft treats do not track as a design afterthought, burying the settings where only the most curious non-expert users might chance upon them.

Do Not Track doesn't help

NSS Labs interprets this lack of enthusiasm for the setting as revealing each vendor's "philosophical views on consumer privacy," while accepting that do not track remains ineffective as a privacy control while advertisers remain free to ignore it as they please.


"Until legislation is passed that will mandate compliance with the user intent of Do not track, the feature will remain a polite request that will be ignored by the advertising industry," write authors Randy Abrams and Jayendra Pathak.

With third-party cookies, Safari and IE are given the thumbs up, with the former blocking all by default, and IE implementing a partial block. Although Firefox and Chrome don't activate this setting by default, Firefox in particular offers granular control over a setting that is vital to automate access to many commonly used sites.

Other privacy features—the ability to control geolocation, private browsing, and tracking protection lists—all fall down to some extent.

For controlling geolocation (the ability for a site to detect a user's country location), all four browsers prompt as required, but in order to disable the setting completely Firefox forces users to access the technically demanding about:config page.

Microsoft's browser best of bad bunch

Uniquely, IE9/10 allows Tracking Protection lists from third-party vendors, essentially lists of sites for which IE blocks third-party cookies automatically unless the setting is overridden by the user.

Overall, then, IE comes out on top for privacy thanks to the relative simplicity of its slider controls and privacy templates, but none of the four are given a ringing endorsement.

It remains unclear to what extent browser privacy and features such as do not track are valued or even understood by users. A YouGov poll from late last year found that consumers valued ease of use more highly than the ability to block cookies, although the same survey admitted that many disliked targeted ads which follow users even when they have left sites.

Do not track has certainly upset some advertisers, with the Digital Advertising Alliance (DAA) recently lobbying a W3C discussion on how to standardize the way that do not track should work.
