This Page Last Updated: Sep 20 '01
Internet Explorer 6.0 (IE6) offers users a new set of options for handling cookies. These options, which can be found on the new Privacy tab (Tools >> Internet Options... >> Privacy), supersede the cookie settings which were formerly located in each Security zone (Tools >> Internet Options... >> Security). With these new cookie settings, several questions have been raised with respect to the level of privacy afforded by this new Privacy tab and how the Privacy tab's cookie settings can be used in conjunction with the Trusted and Restricted zones. Briefly summarized, these questions are:
In order to answer these questions, several sets of trials on a select group of sites using different mixes of Security zone and Privacy tab settings were conducted.
Two sets of trials with IE6 were conducted on two groups of six internet sites (9/2/01, 9/4/01). These trials were distinguished from each other by the differing mixes of Internet zone and Privacy tab options that were selected for each trial.
Following these initial sets of trials, two additional trials were performed on all twelve sites (9/5/01 & 9/8/01):
One final trial was conducted on all twelve sites (9/16/01):
Additionally, the "All Default" trial for www.msnbc.com was repeated twice (9/5/01) in order to verify the results for the popup ad at that site. When the "Advanced" setting's "override automatic cookie handling" option was selected, the "always allow session cookies" box was left unchecked (effectively blocking session cookies). Between trials, IE6 was closed and then restarted. Between primary sites, IE6's file cache and URL history were flushed and all cookies were deleted. All other ad/cookie blocking software on this computer was disabled (i.e., no AtGuard, no HOSTS file).
IE6 distinguishes first-party from third-party cookies based on the domain alone. By contrast, IE6 distinguishes between compact policies based on the entire URL. According to Microsoft:
All Default Settings

With the default Security Zone and Privacy tab settings in place, IE6 is very lax in accepting cookies. The only cookies blocked were third-party cookies from domains without a compact policy. As expected, Doubleclick's third-party cookies were readily accepted. While IE6 will block third-party cookies from sites without compact policies (see the results for www.csmonitor.com for a good example of this), this limited protection will likely become increasingly marginal as more and more domains construct P3P policies which satisfy IE6's lenient "Medium" Privacy tab settings (as Doubleclick has). As these default settings offer little protection from cookies, users who do not customize IE6's Security Zone and Privacy tab settings will see little change in the level of privacy surrounding their web surfing. Bottom line: if you want privacy from third-party advertisers and their cookies in IE6, DO NOT accept the default IE6 Security zone and Privacy tab settings.

All Default Settings / IE-SPYAD

The Restricted zone appears to offer one very effective way to block cookies from third-party advertisers and marketers. Once IE-SPYAD's Restricted zone list was loaded into the Restricted zone, third-party cookies from the big online advertisers like Doubleclick were effectively blocked (the only exceptions being specific servers like chkpt.zdnet.com and gserv-cnet.zdnet.com, which are not included in IE-SPYAD). Of particular interest is the fact that cookies from doubleclick.net, which were formerly accepted using the default IE6 Privacy tab settings, were blocked this time around because doubleclick.net was loaded into the Restricted zone by IE-SPYAD. Note also that the Restricted zone blocked these cookies despite the fact that IE6's lax "Medium" Privacy tab settings were still in place, indicating that the Restricted zone takes precedence over the Privacy tab's cookie settings.
Restrictive Internet Zone Settings /

The Internet Zone settings (which control such things as ActiveX, JavaScript, Java, et al) can be used to gain some increased level of privacy from cookies, but the results are not as dramatic as can be had from manipulating the Privacy tab cookie handling settings or using a Restricted Zone block list (like IE-SPYAD). At the very least, a highly "restrictive" set of Internet Zone options will prevent popup and popunder ads from appearing, effectively blocking any cookies associated with them. Restrictive Internet Zone settings also appear to block cookies which rely on JavaScript in order to be set. Despite the slight increase in blocked cookies, the improvement in privacy seen in this trial was marginal at best.

Default Internet Zone Settings /

Given the complexity of the Security zones feature of IE6, it is entirely possible that some users may shy away from using them, choosing instead to manipulate only the cookie handling settings on the Privacy tab. Users who are primarily concerned with the privacy implications of cookies (and less concerned about such technologies as JavaScript, ActiveX, and Java, among other aspects of IE6's behavior) can expect to see a meaningful improvement in the protection of their privacy from cookies if they simply use the "Advanced" settings on the Privacy tab to "override automatic cookie handling" with "blocks" for both first-party and third-party cookies. The "override automatic cookie handling" option can be used in conjunction with other strategies for privacy protection, namely a Restricted zone list like IE-SPYAD (see above) or an Opt-In approach to the full range of IE6's Security and Privacy settings (see below).

Opt-In

Yet another way to protect one's privacy from online marketers in IE6 is to enforce an "opt-in" policy by setting IE6's Internet zone and Privacy tab options very restrictively.
Once the Internet zone options were set to "block," "prompt," or "high," and the Privacy tab's "automatic cookie handling" was overridden with "block" settings for both first-party and third-party cookies, cookies from online advertisers and marketers were uniformly blocked, even though the primary site being visited had been added to the Trusted zone. Thus, it appears that one can use the Trusted zone selectively to allow specific servers to set their own cookies without having to accept all other third-party cookies loaded through that site. That a site is in the Trusted zone does not give all third-party cookies associated with that site carte blanche to slip through under the same lenient Trusted zone cookie policy being applied to cookies from the main, first-party site.

Import File

Finally, a further means of protecting one's privacy in IE6 is a custom XML Import file. The Import file used in the trial conducted here imposed a customized, highly restrictive set of options on the Internet and Trusted zones: all third-party cookies were blocked; most first-party cookies were forced to behave as session cookies (not persistent cookies). Although the trial tested sites only in the Internet zone (i.e., no primary sites were added to the Trusted zone), the results are nonetheless noteworthy in that most cookies were blocked -- any that weren't were turned into session cookies. These results suggest that a custom XML Import file can be used as an effective tool to protect one's privacy from unwanted cookies in IE6. The advantage of an Import file over the other methods tested is that it allows IE6's handling of cookies in the Trusted zone to be controlled (by default the Privacy tab affects only the Internet zone). Without an Import file, IE6 will accept all cookies from sites in the Trusted zone; with an Import file, IE6 can be forced to be selective in accepting cookies. An Import file is not necessarily the simplest solution for the majority of users of IE6, though.
Most IE6 users would undoubtedly balk at the complexity of the task of constructing an Import file for personal use: one must work through Microsoft's documentation (see below) on the subject and then experiment liberally with possible files -- a time consuming process. IE6 users who find the job of putting together an Import file beyond their means could rely on pre-made Import files supplied by more experienced users. Ideally, there would be a rich menu of Import files from which to choose, making the option of using an Import file much more readily available to the majority of IE6 users.
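The precedence rules recorded in the trials above (the Restricted zone beats the Privacy tab, the Trusted zone accepts a server's own cookies, "Medium" accepts third-party cookies only when a compact policy is present, and "override" blocks per party) can be written down as one decision function. This is an added model written for this page, not code from the page, from R2 or from Microsoft; the domain names in its comments are constructed, and the two-label domain rule is a simplifying assumption about IE6's domain-only party test.

```python
from dataclasses import dataclass, field

RESTRICTED, TRUSTED, INTERNET = "restricted", "trusted", "internet"


@dataclass
class PrivacySettings:
    """Security zones plus the Privacy tab options exercised in the trials."""
    # Zone lists are keyed by the cookie-setting server's domain (assumption:
    # a block list such as IE-SPYAD is loaded the same way).
    restricted: set = field(default_factory=set)
    trusted: set = field(default_factory=set)
    # Default "Medium" slider, or Advanced "Override automatic cookie handling".
    override: bool = False
    block_first_party: bool = False
    block_third_party: bool = False
    always_allow_session: bool = False


def registrable_domain(host: str) -> str:
    """Last two labels of a host (ad.doubleclick.net -> doubleclick.net).
    Simplified stand-in for IE6's domain-only party test; ignores co.uk-style TLDs."""
    return ".".join(host.lower().split(".")[-2:])


def zone_for(host: str, settings: PrivacySettings) -> str:
    dom = registrable_domain(host)
    if dom in settings.restricted:
        return RESTRICTED
    if dom in settings.trusted:
        return TRUSTED
    return INTERNET


def decide(cookie_host: str, window_host: str, has_compact_policy: bool,
           is_session: bool, settings: PrivacySettings) -> str:
    """'accept' or 'block' for one cookie set by cookie_host inside the window
    whose address bar shows window_host (a popup is its own window)."""
    zone = zone_for(cookie_host, settings)
    if zone == RESTRICTED:  # observed: Restricted zone beats the Privacy tab
        return "block"
    if zone == TRUSTED:  # observed: without an Import file, Trusted accepts everything
        return "accept"
    # Party is decided on domain alone, so a popup's own address is first party.
    first_party = registrable_domain(cookie_host) == registrable_domain(window_host)
    if settings.override:
        blocked = settings.block_first_party if first_party else settings.block_third_party
        if blocked and is_session and settings.always_allow_session:
            return "accept"
        return "block" if blocked else "accept"
    # Default "Medium": first party accepted; third party only with a compact policy.
    return "accept" if first_party or has_compact_policy else "block"
```

The model reproduces the trial outcomes it was built from; it does not reproduce the anomaly of a third-party cookie without a compact policy being accepted through a popup, which the page treats as an IE6 defect.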
Problems with Popups/Popunders

At two sites (www.msnbc.com & abcnews.go.com) popup or popunder ads were encountered when IE6's Security zone and Privacy tab options were left at their defaults (see the "All Default" trial). Several problems were noted with IE6's handling of popups and popunders.

1. First-Party Cookies Forced On User

The popup/popunder ads at www.msnbc.com and abcnews.go.com appeared in a new IE window with an address bar. Each contained a new address (other than the primary site being visited). In other words, at msnbc.com and abcnews.go.com there were two first-party sites: one for the main site being visited, and one for the popup/popunder ad. This behavior is troublesome because the popup or popunder ad forces a first-party cookie on the user. The user did not choose to surf to the popup/popunder ad's site, yet the ad nonetheless loads as a first-party site and IE6 accepts its cookie as a first-party cookie. (Credit goes to R2 at DSLR for pointing out the problem with this behavior.)

2. Unacceptable Third-Party Cookies Not Blocked

Still worse than the problem of forced first-party cookies is that in at least one case (the ads.x10.com popunder for msnbc.com) IE6 accepted a third-party cookie from a site without a compact policy (ad.iwin.com), which it shouldn't have. This behavior was subsequently confirmed twice. It is possible that IE6 became "confused" when dealing with a popup from the main window. That third-party cookie should not have been accepted, however, given the "Medium" Privacy tab slider setting. At this time it is not possible to say definitively why IE6 accepted this third-party cookie.
Notes & Observations

While we have already seen that IE6's default settings are disappointingly lax, what we have observed with IE6's handling of popup and popunder ads is still more troubling: it will accept first-party cookies from sites the user didn't select, and, in some instances, it will erroneously accept third-party cookies from sites without a compact policy. Interestingly, popups and popunders appeared only when these settings were left unchanged. During the "Default/Override" trial the popup ads at abcnews.go.com and www.msnbc.com did not load at all. For that trial the only aspect of IE6's Security and Privacy settings to be changed was the Privacy tab slider, which was "overridden" with the "Advanced" settings to block all first-party and third-party cookies. When the Privacy tab was restored to its default "Medium" setting, the popup ads appeared once again.
It is not known why the popup ads should be prevented even from appearing when IE6 is configured merely to block first-party and third-party cookies. At the very least, though, this behavior represents yet another problem with IE6's default Security zone and Privacy tab settings, offering IE6 users still more reasons to reject IE6's default Privacy configuration. Given the problems seen with popup and popunder ads, one wonders if online advertisers and marketers won't choose to exploit these anomalies in IE6's handling of popup and popunder ads in order to slip their cookies past the already lenient default Privacy settings of IE6 users.

The Privacy Report

One noteworthy new feature of IE6 is the Privacy Report that IE6 makes available for the web site the user is currently visiting. The Privacy Report can be accessed by going to View >> Privacy Report. This Privacy Report is useful inasmuch as it gives the user a summary of all the URLs (or web sites) associated with the primary web site, as well as a rundown of cookies "blocked" or "accepted." The user can also select a URL or cookie within the Privacy Report and view any privacy policies associated with the cookie/web site. While this Privacy Report is indeed helpful, it offers information that is not as complete as it ought to be. At the very least, the Privacy Report should provide additional information about cookies "accepted" or "blocked" such as:

Absent this information, IE6's Privacy Report often leaves the user guessing as to why cookies were blocked or accepted, or what kind of cookies were blocked or accepted. IE6 is capable of displaying these types of information; the "Privacy Alert" box (which appears when the user is prompted to accept or block cookies) provides a wealth of information about cookies, including the "party" and "type" of cookie as well as the compact policy (if any) associated with the web site serving the cookie.
Unfortunately, the only way to receive this information is to set IE6's "Advanced" Privacy tab options to "prompt" the user when cookies are encountered. This same information should be accessible from the Privacy Report. (Thanks again to R2 at DSLR for calling attention to the information that appears in the "Privacy Alert.")

A Note on the Trials

These trials were conducted on different days over the course of roughly one week. During that time period primary web sites may have changed the mixes of advertising and cookies offered on their pages. This is especially true of the final trial set (the "Import" trial), because it was conducted less than a week after the World Trade Center/Pentagon bombing (9/16/01). Thus, some of the differences in trial results may be attributable to a changing mix of ads and cookies being served from the sites tested, not the alterations made to IE6's Privacy and Security settings.

Clearly, IE6's default Privacy tab cookie settings are inadequate to protect users' online privacy. IE6 users who desire privacy from the cookies of online advertisers and marketers should use one of the following methods (or a combination of the following methods) to block those cookies:

1. Restricted Zone Block List

Load a list of known advertising/marketing domains (like IE-SPYAD) into the Restricted zone (see the More Information section below for a link to IE-SPYAD).

2. Opt-In Internet Zone Policy

Enforce an "opt-in" policy for online advertisers & marketers by setting the Internet zone and Privacy tab options very restrictively. All Internet zone options should be set to "block" or "prompt." On the Privacy tab, select "Advanced," then check "Override automatic cookie handling" and select "Block" for both first-party and third-party cookies. Sites which the user trusts and which require cookies in order to function can be added on a per-site basis to the Trusted zone.

3. Custom XML Privacy Import File

If you have a specific need to customize IE6's handling of cookies in the Trusted zone, consider using a custom XML Import file. See The Import File section below for more information on creating custom XML Import files for use with IE6.

4. Third-Party Blocking/Filtering Software

Use third-party ad & cookie blocking/filtering software like AtGuard, the Proxomitron, WebWasher, Norton Internet Security, a HOSTS file, etc. Even with third-party software, it is still advisable to customize IE6's Security zones, if only to control the use of ActiveX, Java, and scripting, as well as a number of other Internet Explorer specific behaviors that third-party software might not be able to regulate. Please note that no third-party blocking and filtering programs were tested with IE6 in these trials. Given that IE6 is so new, it is possible that blocking and filtering programs released prior to IE6 may not be compatible with IE6. For links to blocking and filtering software, see the More Information section below.

Conclusion

While the new cookie handling options in IE6 do provide users with a more finely grained means for controlling cookies, the vast majority of IE6 users will find these options much too confusing and involved to be of any real use. Still worse, the default Privacy settings of IE6 are simply too lax for users to expect any meaningful improvement in the protection of their online privacy by IE6 straight "out-of-the-box." Given these lax default Privacy settings, as well as the confusion and frustration most IE6 users will likely experience when confronted with these new settings, IE6 arguably represents a step backwards in the struggle to offer internet users a reliable way to ensure their online privacy.
Unfortunately, in the light of the sheer complexity of the P3P specification as well as IE6's idiosyncratic way of classifying and sorting the P3P compact policies of individual web sites, many IE6 users will find that the simplest and most effective way to guarantee their privacy is to avoid IE6's P3P-based cookie settings altogether. Once users have dispensed with IE6's P3P-based configuration options, they can override the default Privacy settings, employ custom block lists, or use third-party filtering software, all of which provide simpler and more reliable ways for users to protect their privacy while surfing the web.

For links to more info on Internet Explorer 6.0 and P3P, see:

To download IE-SPYAD (aka, the Restricted zone block list), visit:

For links to ad & cookie filtering software and block lists, see:

And for yet another summary assessment of Internet Explorer 6.0's Privacy settings, see this discussion:

The custom XML Import file used for the "Import" trial was constructed by R2, a frequent poster at DSLR:
If you wish to use this Import file yourself, simply copy and paste the above into Notepad, then save the file with the name IMPORT.XML. Open IE6's Privacy tab (Tools >> Internet Options... >> Privacy), hit the "Import..." button, and point IE6 to the XML file you just saved.

For more information on custom XML Import files for IE6, see these documents from Microsoft:

You can find a set of pre-made Custom XML Import Files on this web site:

This page arose out of a long discussion thread on IE6 at DSLR. You can read that thread in its entirety here:

Thanks to R2 and all the other readers of DSLR who have patiently reviewed and commented on this page.