Private Browsing and the Enterprise

In an enterprise, privacy is good-in moderation. But new hyperprivacy features need IT's control.

The rumors were right: Internet Explorer 8 will have new privacy features akin to those in Apple Safari. What role should they play in the enterprise?

InPrivate Browsing ("Private Browsing" was already taken by Apple) lets the user control whether or not IE saves potentially privacy-related data, including cookies (all cookies become session cookies), history entries, form data, search entries, passwords, stuff like that. And all temporary files are deleted when the window is closed.

Delete Browsing History is a new dialog box, analogous to Firefox's Clear Private Data (click Ctrl-Shift-Del for it), puts the manual clearing of potentially privacy-related data into one convenient dialog box. I've complained in the past about how this feature works in Firefox 3, and it looks like Microsoft is planning to borrow some of the behavior I complained about. Private items like cookies won't be deleted if they are in your Favorites and the "Preserve favorite Web site data" box is checked, but at least the configuration of this is both possible and obvious.

InPrivate Blocking let you control how sites monitor you through non-cookie methods. The browser keeps a record of such items and (if you have the InPrivate mode turned on) automatically blocks tracking scripts that have tracked you across more than 10 sites. You can manually control this behavior as well. Related to this, InPrivate Subscriptions are RSS feeds of regular expressions that describe links to block or allow.

Of course these are good features to have, but maybe not for enterprise use. Employees in an enterprise are deserving of some privacy, but not absolute privacy. Therefore, features such as these need to be controlled, if they are implemented at all. For instance, do you really want your employees to have a rock-solid "porn mode"? You can still monitor such things at the gateway, but it's still better that users not have the idea that they can do whatever they want and not leave tracks. Microsoft tells me that "IT administrators have the ability to manage these features settings via Group Policy to enable or disable the use in their environment."

Are there implications for compliance regulations? I'm not sure, but I wouldn't be surprised. One of my general impressions of compliance is that you don't want to destroy records unless it's part of a regular policy and after some period of time. Any lawyers out there, feel free to jump in here and tell me otherwise.

Almost everyone does personal stuff at times on their company PC. Only a jerk of a boss makes a real point of principle about it. I figure that as long as users don't abuse the privilege it's a good thing to make being in the office more convenient. But doing things on your business PC that you wouldn't want other people to see is, to put it kindly, unwise. Someone else will see it, and they should see it, because the company could be held responsible for it.

There are other good aspects of this announcement. It's good that the InPrivate features expose a common misconception about privacy on the Web. Even novices may be aware that cookies can be used to track them (even Tony Soprano knew that), but the fact is that all the same tracking can be done without cookies. The easy way is for different sites to share a script (<e.g. script src=>). InPrivate Blocking and Subscriptions give users some control over that.

Microsoft is surely aware of any problems IT would have with private browsing, and the last people they want to anger are their corporate customers, otherwise known as the cash cow. I'm curious to see where the balance lies.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.