Browser privacy settings still inadequate, NSS Labs analysis argues

IE10 offers the most control

Browser vendors continue to implement privacy in a half-hearted way, with Internet Explorer's default use of cookie 'do not track' technology being the best of a weak bunch, a new assessment by NSS Labs has argued.

Currently, the latest versions of all four leading browsers - IE, Firefox, Chrome and Safari - implement do not track, but only Internet Explorer 10 installs with it switched on by default, NSS Labs' latest Comparative Analysis found.

The cookie-tracking setting can be enabled in the other three, but only by locating an option in a menu setting. The authors are especially critical of Chrome, which requires users to find and expand a nested Advanced Settings tab to enable the feature.

Even Microsoft treats do not track as a design afterthought, burying the setting where only the most curious non-expert users might chance upon it.

NSS Labs interprets this lack of enthusiasm for the setting as revealing each vendor's "philosophical views on consumer privacy," while accepting that do not track remains ineffective as a privacy control as long as advertisers remain free to ignore it as they please.

"Until legislation is passed that will mandate compliance with the user intent of Do not track, the feature will remain a polite request that will be ignored by the advertising industry," write authors Randy Abrams and Jayendra Pathak.

With third-party cookies, Safari and IE are given the thumbs up, with the former blocking all by default, and IE implementing a partial block. Although Firefox and Chrome don't activate this setting by default, Firefox in particular offers granular control over a setting that is vital to automate access to many commonly-used sites.

Other privacy features - the ability to control geo-location, private browsing and tracking protection lists - all fall down to some extent.

On controlling geo-location (the ability for a site to detect a user's country location), all four browsers prompt as required, but to disable the setting completely Firefox forces users to access the technically demanding about:config page.

Uniquely, IE9/10 allows Tracking Protection lists from third-party vendors, essentially lists of sites whose third-party cookies IE blocks automatically unless the user overrides the setting.

Overall, then, IE comes out on top for privacy thanks to the relative simplicity of its slider controls and privacy templates, but none of the four is given a ringing endorsement.

It remains unclear to what extent browser privacy and features such as do not track are valued or even understood by users. A YouGov poll from late last year found that consumers valued ease of use more highly than the ability to block cookies, although the same survey admitted that many disliked retargeted ads which follow users even when they have left sites.

Do not track has certainly upset some advertisers, with the Digital Advertising Alliance (DAA) recently lobbying a W3C discussion on how to standardise the way that do not track should work.
