GRC | Gibson Research Corporation Home Page

Internet Explorer v7: Ignores its Privacy Settings!!

Shortly after beginning work on this third‑party cookie notification system, we and our many pre-release testers discovered that version 7 of Microsoft's Internet Explorer web browser is unable to distinguish between first-party and third-party cookies. IEv7 ignores any third-party cookie settings applied through its user-interface controls, including the use of advanced XML configuration files, and treats third-party cookies exactly like first-party cookies. There is nothing we have discovered that any user can do to change this.

Initially released on October 18th of 2006, we assumed that somewhere along the way, as a result of IEv7's virtually continual security patching, fixing, and updating, Microsoft must have inadvertently broken its third-party cookie handling. But the earliest version of IE7 we could find, dated several months after its initial release (April, 2007), is just as broken as today's fully patched version.

Both IEv6 and the current beta releases of IEv8 behave correctly. It is only IEv7, the most-used web browser in the world, that is unable to selectively block third-party cookies.

Since this is a significant defect in the browser's operation, it must be that Microsoft does not know about this. It could not be that they don't care, though it's somewhat difficult to imagine that they never noticed that IEv7 has never honored a fundamental aspect of Internet privacy enforcement. Since this really needs to be fixed, it is our hope that these pages will help to raise awareness of this trouble, and that Microsoft will quickly address this issue.

Until then—unfortunately—there is no way that we have found for IEv7 users to enforce their privacy against pervasive third-party Internet tracking while using IEv7. Users who cannot wait for a fix from Microsoft could either install the pre-release beta of IEv8 (which does work) or switch to a different make & model of web browser (Firefox, Opera, or Safari) which correctly obeys its user interface controls.

Firefox v2: Third-Party Cookie Leakage

Though not as sweeping as the lack of IEv7 third-party cookie discrimination, this system also quickly revealed cookie-handling bugs in both v2 and the pre-release beta v3 of Firefox. (These bugs allowed blocked third-party cookies to "leak out" during third-party asset queries in web page headers.) The Firefox developers, who were monitoring this work, quickly rewrote the critical aspects of FFv3 to fix this problem, but so far, as of FF v2.0.0.14, they have not returned to fix the current release of Firefox version 2. It is not known whether they plan to, or will (if you would like them to, please shake their tree a bit.) And while you're at it, you might also ask them to add back the simple "[ ] Accept third-party cookies" user-interface checkbox which earlier versions of Firefox had, but which was removed from FFv2. Note that in apparent reaction to these third-party cookie pages, the Firefox developers recently returned this simple-to-use checkbox to the FFv3 user-interface, thus earning FFv3 a nice green indicator in the chart below. (Thank you FFv3 developers!)

And speaking of the chart below...
The following chart characterizes many details of cookie handling by all major Windows and Macintosh browsers. Where a browser is cross-platform (such as Firefox that runs on many platforms, or Apple's Safari that runs on Macs and PCs), the browser's common codebase causes it to offer identical behavior and options across all supported platforms.

For an explanation of each line of the chart, please see "The significance of each chart line" below:
For those items accompanied by a number, please see the corresponding note below the table:

Web Browser Behavior Notes

The current release of Microsoft's Internet Explorer v7 is unable to selectively block third-party cookies. It can block all cookies (which is not very useful on today's web), but it is unable to selectively allow intended first-party cookies while blocking unintended third-party cookies.
The current release (v2.0.0.14) of Firefox v2 contains a cookie handling bug that allows blocked third-party cookies to leak out during browser requests for assets located in page headers. It is impossible to fully block third-party cookie transactions with FFv2.
Internet Explorer's privacy configuration user-interface provides a slider for specifying the browser's cookie handling. Unfortunately, due to IE's usage of P3P headers, either all cookies are blocked or third-party cookies are allowed. See the Internet Explorer page for additional information.
The Firefox developers removed the simple "[ ] Accept third-party cookies" option from the current version 2 of Firefox. The previous Firefox v1.5 had this option, and v3 recently added it back . . . but not v2. See our Firefox page for information on manually setting this option.
Firefox v2 and earlier reluctantly supported this nutty P3P idea. But it was dropped from FFv3 so that today only Internet Explorer continues to support this really bad idea.

The significance of each chart line:

Can block third-party cookies
Believe it or not, in this day and age the two most popular web browsers in the world don't allow their users to configure blocking all third-party Internet tracking cookies! In fairness to both browsers (IEv7 and FFv2), in both cases there are mechanisms in place that purport to provide third-party cookie blocking . . . they just don't work at the moment.

So as soon as Microsoft and the Firefox developers fix their respective browsers this line of the chart can be removed . . . and not a moment too soon!
Blocks third-parties by default
Only one browser on the planet is configured the way all browsers should be: Apple's Safari browser — Bravo Apple! Safari, alone among all others, is set by default to "Accept cookies: Only from sites you navigate to":

(And in this case they are entirely forgiven for ending that phrase with a preposition.)
We can pretty much abandon hope that Microsoft might suddenly start caring about their users' Internet privacy and fix IEv8 before its release. But perhaps the Firefox developers, designers of the world's second most used web browser, might decide to follow Apple?
Easy to use user-interface
As a consequence of "the tyranny of the default" the only way most users will ever have their Internet privacy protected is for browsers to block third-party cookies by default — as they clearly should. But failing that, browsers should at the very least provide a clear and simple means for allowing a user who browses its settings to see something like "[X] Allow third-party cookies" and click it to off. Firefox v3, Opera, and Safari all do (and Safari goes the extra mile of saying "For example, not from advertisers on those sites." Amazing.)

Unfortunately, obtaining even basic "allow first-party / block third-parties" operation from either Internet Explorer or Firefox v2 (the two most used web browsers in the world) requires "Advanced" configuration efforts (see links to their respective configuration pages below), which is an insult to the idea of end-user privacy enforcement.
Built-in cookie manager
All web browsers, with the single exception of Internet Explorer, offer their users a built-in facility to easily view, examine, delete, and manage their browser's collection of cookies. For users who wish to take a more proactive role in managing their online privacy and anonymity, this is a terrific convenience.
Per-site cookie exceptions
All web browsers except Safari allow "per-site" exceptions to be applied to the browser's prevailing cookie management rules. This is useful for users who wish to always block certain domains' cookies or always allow other. This would be a nice feature for a future version of Safari to add. But since Firefox has this feature, and
Blocks outgoing cookies
All web browsers (known bugs notwithstanding) are able to block incoming cookies and prevent them from being stored and used either temporarily or permanently. But only Firefox and Opera are designed to block the sending of any cookies they might have previously acquired but which the browser's cookie policy now blocks. If either Internet Explorer or Safari are set to block cookies, only newly arriving (incoming) cookies are blocked. They will both continue sending any (undesired) cookies outbound that they had previously acquired . . . which is almost certainly not what their user intends.
Can discard new cookies
Firefox and Opera offer the very useful option of automatically dumping any "new" cookies they have received once the browser is closed. This allows websites to use cookies during a single visit, but it prevents any long-term cookie accumulation and it prevents websites from linking separate visits together.
Honors P3P headers
P3P headers are a website's way of stating that it will not misuse any intelligence gathered about its visitors. Internet Explorer takes websites at their word to enable third-party cookie transactions — despite the fact that all Internet tracking, advertising, and adware websites now use these P3P headers to assure that their third-party tracking cookies are not blocked by Internet Explorer. Unbelievable.

This P3P specification was briefly supported by Firefox (v2, but even then not in its default configuration), but that support has been removed from FFv3, and no other web browsers are as privacy brain-dead Internet Explorer.

- Good, desirable behavior - Bad, undesirable behavior - See indicated note	Internet Explorer			Firefox		Opera	Safari
	v6	v7	v8	v2	v3	v9	Mac/PC
Can block third‑party cookies		¹		²
Blocks third‑parties by default
Easy to use user‑interface	³	³	³	⁴
Built‑in cookie manager
Per‑site cookie exceptions
Blocks outgoing cookies
Can discard new cookies
Honors P3P headers				⁵