Microsoft defends Internet Explorer 'phone home' feature

Microsoft Friday defended the Internet Explorer 8 (IE8) tool that suggests sites based on the URLs typed into its address bar, saying that the browser "phones home" only a limited amount of information to Microsoft and that the company discards all user IP addresses almost immediately.

Company managers also contrasted IE8 Beta 2's "Suggested Sites" feature with the "Suggest" feature used by rival Google Inc. in its Chrome browser, saying that Microsoft's browser requires the user's explicit permission before it's used. They did, however, acknowledge a bug that prevents the request from reappearing when users reinstalled the browser.

"We capture as little uniquely-identifiable information as possible," said Cyra Richardson, a Microsoft principal program manager on the IE team. "We capture the URL that the user is visiting, the version of the browser and general locale information."

To determine the latter, and to know where to send the suggested site results, Microsoft also captures the IP address of the user, said Richardson. But unlike Google, Microsoft tosses the IP address as soon as it delivers the recommendations. "We take the IP address, get all the information that we need from it, and then throw out the address," said Andy Zeigler, a program manager with the IE group. Richardson confirmed that the Suggested Sites database contained no user IP addresses.

That's in contrast to Google, which keeps the data associated with about 2% of the entries in Chrome's OmniBox, a combination address and search box that logs all keystrokes and sends them to Google so that the search company can return a list of related search queries and Web sites.

Earlier this week, Google announced it would "anonymize" all information, including the IP addresses, of the 2% of the Suggest requests that originate in Chrome and other software. Google made the change in response to criticism from consumers, European Union officials and others who were concerned over the possible privacy implications of Google recording each keystroke entered into the browser.

Richardson also said that Microsoft's Suggested Sites should not be equated with its rival's Suggest feature, because IE8 doesn't record every keystroke. Rather than transmit each character as it's typed, including partial URLs that are abandoned by the user, Suggested Sites logs and transmits only the final URL.

She used that to argue there was a difference between what Microsoft and Google logged in their browsers. "Suggested Sites is connected to the browser's history, and it's not looking at each of the keystrokes," she said. "IE only captures the URL as it is navigated [to], when that URL goes into your history." Nor does Suggested Sites log and transmit cookies to Microsoft's servers, as does Google Suggest. "The data we log is actually pretty innocuous," Richardson said.

The data Microsoft does collect and record, however, is kept intact for 18 months, twice as long as Google will retain search logs under a new policy announced this week. At the end of the year-and-a-half-long period, Microsoft strips some information, particularly the query string, from the URLs it's obtained from IE8 users. The query string is the part of a URL that's passed to Web applications, and often includes a username and password, or other confidential information.

Zeigler also compared IE8's approach with Chrome's. "It's all about user control," he said. "Users decide what information they want to share, and we do that by getting consent via the UI in the opt-in page."

He was referring to a screen that is displayed the first time IE8 Beta is run, when the browser asks: "Do you want to discover Web sites you might like based on Web sites you've visited?" Neither the first option -- "Yes, turn on Suggested Sites" -- or the second, "No, don't turn on," is enabled by default. Choosing neither keeps the feature switched off.

But Zeigler also admitted that IE8 has a bug that blocks IE8 from asking the Suggested Sites on-off question a second time. If a user uninstalls IE8 Beta 2, then later reinstalls it, the browser simply uses the original preference. Microsoft is working on a fix, Zeigler said.

Chrome, on the other hand, defaults to using "Google Suggest" in the browser's OmniBox. Users can disable the feature manually, however.

It was less clear Friday whether Microsoft will revise its privacy policy for IE8 Beta 2 to more accurately describe what it collects, and to spell out what it does with the data after 18 months. Richardson refused to get specific, saying only that she would post an entry to the IE blog on the subject in the next few weeks. "We want to be very accurate in the information we provide about what we capture, and that means going into the code," she said.

But the company is open to changes. "Beta 2 is an opportunity to collect feedback and change the product accordingly," Richardson said, stopping short of making any promises. "We will re-examine the policy and if need be revise it."

This story, "Microsoft defends Internet Explorer 'phone home' feature" was originally published by Computerworld.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies