IE8 will feature privacy envelope, Microsoft confirms
The concept of privatizing the browsing experience has been the impetus for an entire segment of the anti-malware industry. Now, Microsoft has confirmed it will be claiming that segment for itself in the next version of Internet Explorer.
In a post to the Internet Explorer development team's blog yesterday afternoon, Microsoft IE8 program manager Andy Ziegler confirmed news that reporters anticipated after last week's discovery of a series of trademark filings: The new browser will contain a prominent feature enabling users to switch off any kind of permanent or long-term storage of their history or activities.
It's being called "InPrivate," demonstrating the company's newfound ability to claim a self-explanatory trademark. As Ziegler describes it, essentially every mechanism a typical Web site uses to compensate for HTTP's lack of "state" -- the fact that a Web server sees each request on its own and cannot, by itself, tell that a series of requests comes from the same user who is still "active" on the site -- can be confined by the user to the current browsing session when she doesn't want either Web sites or other people using the same machine to be able to see what she has been doing.
"Perhaps you're using someone else's computer and you don't want them to know which sites you visited," Ziegler wrote. "Maybe you need to buy a gift for a loved one without ruining the surprise. Maybe you're at an Internet kiosk and don't want the next person using it to know at which Web site you bank."
Of course, Web retailers and online banks nearly all rely on cookies of some type to retain session state, and SSL generates session keys that are held for the life of a connection in order to encrypt it. Microsoft's solution, according to Ziegler, is for IE8 to keep such data only for the duration of the InPrivate session and to delete it when that session ends, rather than writing it to disk where it would outlive the browser.
While the prominent "InPrivate" button is engaged, no new bookmarks will be recorded, no files will be added to the logged-on Windows user's "Temporary Internet Files" folder, and no entries will be written to the regular browsing history.
This privacy will extend, he added, to another of IE8's new features, announced earlier: DOM storage, a new way for a page to keep named key/value pairs of data in the browser -- the most common task for which cookies are used today. DOM storage could conceivably replace cookies if it becomes widespread, and it could also become important for AJAX applications that need a better place to keep session data while still remaining within the browser's same-origin security "sandbox."
As Ziegler told readers, DOM storage will also be cached only for the duration of the active session, while InPrivate Browsing is turned on.
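The distinction the preceding paragraphs turn on is whether a cookie carries an expiry (Max-Age or Expires) or not: cookies without one already die with the session, and a privacy mode gets its effect by treating every cookie as if it had none. The following is an added example, not IE8 code or anything from the IE team's blog; it parses Set-Cookie headers, classifies them, and models a cookie jar that, in its in-private mode, strips persistence so nothing survives the session. The hosts and headers are constructed sample data, and the treatment of DOM storage described above is the same idea applied to a different store, not shown here.

```javascript
// Added example (not IE8 code): session vs. persistent cookies, and how a
// privacy mode confines every cookie to the current session.
// Hosts such as bank.example and shop.example are constructed sample data.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq >= 0 ? parts[0].slice(0, eq).trim() : parts[0],
    value: eq >= 0 ? parts[0].slice(eq + 1).trim() : '',
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    cookie.attrs[key] = i >= 0 ? attr.slice(i + 1).trim() : true;
  }
  return cookie;
}

// Absolute expiry in ms since the epoch, or null for a session cookie.
// Per RFC 6265, Max-Age takes precedence over Expires when both are present.
function expiryOf(cookie, nowMs) {
  if ('max-age' in cookie.attrs) {
    const secs = parseInt(cookie.attrs['max-age'], 10);
    if (!Number.isNaN(secs)) return nowMs + secs * 1000;
  }
  if ('expires' in cookie.attrs) {
    const t = Date.parse(cookie.attrs['expires']);
    if (!Number.isNaN(t)) return t;
  }
  return null;
}

class CookieJar {
  constructor(inPrivate) {
    this.inPrivate = inPrivate; // when true, nothing outlives the session
    this.cookies = new Map();   // "host|name" -> { value, expires }
  }

  store(host, header, nowMs) {
    const c = parseSetCookie(header);
    // In-private mode ignores the persistence attributes entirely.
    const expires = this.inPrivate ? null : expiryOf(c, nowMs);
    const key = `${host}|${c.name}`;
    if (expires !== null && expires <= nowMs) {
      this.cookies.delete(key); // already expired, e.g. Max-Age=0 deletes the cookie
      return;
    }
    this.cookies.set(key, { value: c.value, expires });
  }

  // Closing the session: session cookies vanish, persistent ones stay.
  endSession() {
    for (const [k, v] of this.cookies) {
      if (v.expires === null) this.cookies.delete(k);
    }
  }

  names(host) {
    return [...this.cookies.keys()]
      .filter((k) => k.startsWith(host + '|'))
      .map((k) => k.split('|')[1])
      .sort();
  }
}

// Constructed sample: a bank sets a session cookie; a shop sets a session
// cart cookie plus two long-lived cookies, one via Max-Age and one via Expires.
const NOW = Date.parse('2008-03-26T12:00:00Z');
const SAMPLE = [
  ['bank.example', 'SESSIONID=abc123; Path=/; Secure; HttpOnly'],
  ['shop.example', 'cart=42; Path=/'],
  ['shop.example', 'visitor=7f3a; Max-Age=31536000; Path=/'],
  ['shop.example', 'promo=x; Expires=Wed, 25 Mar 2009 12:00:00 GMT; Path=/'],
];

// Which cookie names are still on disk after the browser session closes?
function survivingAfterClose(inPrivate) {
  const jar = new CookieJar(inPrivate);
  for (const [host, hdr] of SAMPLE) jar.store(host, hdr, NOW);
  jar.endSession();
  return { bank: jar.names('bank.example'), shop: jar.names('shop.example') };
}
```

In normal mode the shop's `visitor` and `promo` cookies survive the close and can re-identify the user on the next visit; with `inPrivate` set, the same headers leave nothing behind. The bank's session cookie is gone either way, which is why the feature costs a banking site nothing during the session.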
Furthermore, as part of the new browser's upgraded notification capability, a feature the team's calling "InPrivate Blocking" will notify the user when a Web site appears capable of sharing cookie data or other session data with a third party. A browser can detect this on its own because the same third-party host's content (a script, image, or frame) is requested from pages on many different first-party sites, and any cookie that host has set travels with each of those requests, letting the third party correlate the user's visits across sites.
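As an added example (not IE8 code, and not a description of Microsoft's actual rule), the following runs that observation over a constructed request log: it groups every third-party subresource host by the distinct first-party sites that embedded it and flags hosts seen across several sites, noting whether the host set a cookie. Two simplifications are assumptions of this example: a "site" is approximated as the last two DNS labels (a real browser would consult the Public Suffix List), and the threshold of three sites is arbitrary.

```javascript
// Added example, not IE8 code. Flags third-party hosts that appear across
// several first-party sites, the pattern InPrivate Blocking warns about.
// Assumptions: "site" = last two DNS labels; threshold = 3 sites.

function siteOf(host) {
  // Approximation: a real browser uses the Public Suffix List so that
  // suffixes like co.uk are not mistaken for a site.
  return host.toLowerCase().split('.').slice(-2).join('.');
}

function isThirdParty(pageHost, requestHost) {
  return siteOf(pageHost) !== siteOf(requestHost);
}

// log entries: { page: host of the top-level page, url: subresource URL,
//                setsCookie: whether the response carried Set-Cookie }
function findCrossSiteTrackers(log, threshold = 3) {
  const sitesSeenBy = new Map(); // third-party host -> Set of first-party sites
  const cookieHosts = new Set();
  for (const entry of log) {
    const reqHost = new URL(entry.url).hostname;
    if (!isThirdParty(entry.page, reqHost)) continue; // same site: not a third party
    if (!sitesSeenBy.has(reqHost)) sitesSeenBy.set(reqHost, new Set());
    sitesSeenBy.get(reqHost).add(siteOf(entry.page));
    if (entry.setsCookie) cookieHosts.add(reqHost);
  }
  const flagged = [];
  for (const [host, sites] of sitesSeenBy) {
    if (sites.size >= threshold) {
      flagged.push({ host, sites: [...sites].sort(), usesCookie: cookieHosts.has(host) });
    }
  }
  return flagged.sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed sample log: four unrelated sites, two shared third parties,
// and two first-party CDN hosts that must not be flagged.
const SAMPLE_LOG = [
  { page: 'www.news.example', url: 'https://static.news.example/app.js', setsCookie: false },
  { page: 'www.news.example', url: 'https://ads.tracker.example/pixel.gif', setsCookie: true },
  { page: 'www.news.example', url: 'https://cdn.widgets.example/w.js', setsCookie: false },
  { page: 'shop.example', url: 'https://ads.tracker.example/pixel.gif', setsCookie: true },
  { page: 'shop.example', url: 'https://cdn.widgets.example/w.js', setsCookie: false },
  { page: 'bank.example', url: 'https://ads.tracker.example/pixel.gif', setsCookie: true },
  { page: 'blog.example', url: 'https://cdn.widgets.example/w.js', setsCookie: false },
  { page: 'blog.example', url: 'https://img.blog.example/logo.png', setsCookie: false },
];

function trackersInSample(threshold) {
  return findCrossSiteTrackers(SAMPLE_LOG, threshold);
}
```

The cookie-setting ad host is the obvious case, but the widget CDN is flagged too: even without a cookie, a host embedded on three sites receives the Referer and the user's IP address on every load, which is why a browser cannot judge this purely from Set-Cookie headers.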
The way the UI for IE8 appears to work for now, judging from Microsoft's screen shots, once the InPrivate button (to the left of the address bar, at the same place where Firefox 3's certificate validation button now appears) is engaged, both the Browsing and Blocking features of InPrivate will be active. This may mean that these notifications are only available to users when they are browsing "in private." The feature will automatically be disengaged when the IE8 window is closed.
If the InPrivate feature is particularly effective, it may override the need for some users to use any of the new wave of browser virtualization envelope utilities, such as ZoneAlarm ForceField.
Another feature the IE7 team had been working on earlier, letting users blacklist certain sites, will also be added to the InPrivate feature list; a whitelist variation of the same idea already appears in Data Execution Prevention's exception list, which is turned on by default in Windows Server 2008. IE8 users will also be able to selectively delete categories of their browsing history, so that they may, for example, retain their saved passwords while purging their list of visited sites. Yesterday, Ziegler credited a user's suggestion, made in January 2006 for consideration in IE7, as the inspiration behind IE8's selective history deletion.
A very important question among administrators and parents alike: to what degree will this new set of InPrivate features be programmable using group policy? In a response to one reader's question on that very subject, a Microsoft representative said that InPrivate can be controlled through group policy, though he did not specify to what degree.
Group policy is the mechanism administrators use to determine what defined groups of users (typically organized through Active Directory) can and cannot do on their machines. Plenty of corporations will prefer that their employees not use InPrivate, for any number of plausible reasons, not least that a mode which writes no local history also leaves nothing for an investigator to examine afterward. Whether an InPrivate button that has been deactivated by group policy will remain beside the address bar but grayed out, or will disappear entirely, won't be known until the first IE8 betas with InPrivate are released.
Meanwhile, group policy is also the engine that Windows Vista uses for parents to implement usage controls for their youngsters -- for example, setting limits for how long they can be online on any particular day. They too may be able to deactivate InPrivate for selected users in a household, if the Microsoft online representative's statement plays out.
Just as important, the degree to which group policy exposes InPrivate's features to programmatic control may determine how easily those features could be circumvented by malicious software or tampering: a policy that can be set centrally is ultimately a setting stored on the local machine, and software running with administrative rights there can alter it as well.