Private Browsing and the Enterprise

By Larry Seltzer  |  Posted 2008-08-27 Print this article Print

In an enterprise, privacy is good-in moderation. But new hyperprivacy features need IT's control.

The rumors were right: Internet Explorer 8 will have new privacy features akin to those in Apple Safari. What role should they play in the enterprise?

InPrivate Browsing ("Private Browsing" was already taken by Apple) lets the user control whether or not IE saves potentially privacy-related data, including cookies (all cookies become session cookies), history entries, form data, search entries, passwords, stuff like that. And all temporary files are deleted when the window is closed.

Delete Browsing History is a new dialog box, analogous to Firefox's Clear Private Data (click Ctrl-Shift-Del for it), puts the manual clearing of potentially privacy-related data into one convenient dialog box. I've complained in the past about how this feature works in Firefox 3, and it looks like Microsoft is planning to borrow some of the behavior I complained about. Private items like cookies won't be deleted if they are in your Favorites and the "Preserve favorite Web site data" box is checked, but at least the configuration of this is both possible and obvious.

InPrivate Blocking let you control how sites monitor you through non-cookie methods. The browser keeps a record of such items and (if you have the InPrivate mode turned on) automatically blocks tracking scripts that have tracked you across more than 10 sites. You can manually control this behavior as well. Related to this, InPrivate Subscriptions are RSS feeds of regular expressions that describe links to block or allow.

Of course these are good features to have, but maybe not for enterprise use. Employees in an enterprise are deserving of some privacy, but not absolute privacy. Therefore, features such as these need to be controlled, if they are implemented at all. For instance, do you really want your employees to have a rock-solid "porn mode"? You can still monitor such things at the gateway, but it's still better that users not have the idea that they can do whatever they want and not leave tracks. Microsoft tells me that "IT administrators have the ability to manage these features settings via Group Policy to enable or disable the use in their environment."

Are there implications for compliance regulations? I'm not sure, but I wouldn't be surprised. One of my general impressions of compliance is that you don't want to destroy records unless it's part of a regular policy and after some period of time. Any lawyers out there, feel free to jump in here and tell me otherwise.

Almost everyone does personal stuff at times on their company PC. Only a jerk of a boss makes a real point of principle about it. I figure that as long as users don't abuse the privilege it's a good thing to make being in the office more convenient. But doing things on your business PC that you wouldn't want other people to see is, to put it kindly, unwise. Someone else will see it, and they should see it, because the company could be held responsible for it.

There are other good aspects of this announcement. It's good that the InPrivate features expose a common misconception about privacy on the Web. Even novices may be aware that cookies can be used to track them (even Tony Soprano knew that), but the fact is that all the same tracking can be done without cookies. The easy way is for different sites to share a script (<e.g. script src=>). InPrivate Blocking and Subscriptions give users some control over that.

Microsoft is surely aware of any problems IT would have with private browsing, and the last people they want to anger are their corporate customers, otherwise known as the cash cow. I'm curious to see where the balance lies.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel