Playing against type (again) Microsoft has announced plans to give its browser the ability to stop certain sites from tracking end users, giving users some control over the sites with which they share and the data sites can collect.
Microsoft is so uncredible a guardian of customers' security and privacy that I'd normally 'uh-huh' and go on to something else. Its timing is great -- immediately after the FTC announced plans to create a "do not track" list designed to let normal people choose whether or not they'd like to be tracked, and by whom.
And, even after the list or a tool that supports all major browsers is up and running, government budget and development schedules will keep it far enough behind the cutting edge to be useless for anyone but technology laggards and public PCs at the library that can only run last year's malware.
Microsoft's tracking protection would be built into IE9 and be based on its existing InPrivate Filtering, a function in IE8 that will block some sites but has to be turned on every time the browser is.
The IE9 version would be on or off all the time, at the user's choice, and would remember preferences about particular sites between sessions.
Its usual MO is to develop a Windows-centric API or interoperability technique, then either donates it to a standards body (MS SOAP, W3C SOAP) so it looks like a community developed open standard, or just builds the standard into everything Microsoft sells so it's still not accepted, but is so commonly available that people use it anyway (MAPI, ActiveX, Internet Explorer, Windows, Steve "Monkey Boy"Ballmer).
There's no guarantee the do-not-track feature it won't be more dangerous that not using it, though. Earlier this week researchers revealed how to bypass IE's Protected Mode, which is based on security settings on Windows and which is the basis for security settings for other applications, including ChromeOS. Bypassing Protected Mode, by default, makes those other applications vulnerable, too.
The new tool, from Microsoft Research, is called Zozzle.
Zozzle comes with a blacklist of malicious or suspicious Java source, gathered from scans of millions of Web sites by Microsoft's related Nozzle tool. Though updates will almost certainly be available, IT people trying to do it for their own user populations will have to isolate the suspicious code to let Zozzle have a good look, or use another tool that can pull it out of the cover of other Java code.