NOW THAT EXPLORER 9 HAS FINALLY COME OUT IN ADULT FORM, JON HONEYBALL FINDS MUCH TO LIKE, BUT COULD DO WITH A BIT OF PRIVACY NOW AND AGAIN
Microsoft’s latest web browser release, Internet Explorer 9, has emerged from the shadows after a rather public gestation period. I don’t really mind public betas, so long as their function is to ensure the quality of the final product, but public betas that exist solely to be part of the marketing ramp tend to be rather unpleasant affairs.When all is said and done, if it’s good enough to release, then bloody well release it; if it isn’t then don’t infict it on millions of your most enthusiastic users.
There’s no doubting that IE9 is an awful lot better than some of its predecessors, but that’s a comparison that doesn’t set the bar astronomically high, given that there are low points such as IE6 in the equation. There are still hundreds of businesses that are stuck with Windows XP because they need IE6. Why are they stuck with IE6? Because they were foolish enough to believe Microsoft when it told them that this was a great development platform, and here are the tools to write some rich, IE6-specifc applications. Once IE6 support was dropped from subsequent browser versions, these wretched customers found themselves abandoned up a dank and dreary cul-de-sac.
Of course, IE9 will not run on Windows XP – that would be too helpful. Customers who don’t upgrade aren’t spending money on new licences,and a powerful lever to pry them away from XP is to ensure that IE9 doesn’t work on it. Job done, the team delivered faultlessly, and never mind that other companies – Google, Mozilla and Opera – have shipped browsers that work just fine on XP.
There’s much to like in IE9. At first I liked its clean,minimalist design, but I’m an old-fashioned stick-in-the-mud when it comes to user interface design, and if there isn’t aproper File | Edit | Insert menu bar I start to feel a little twitchy.Doubtless this is just a symptom of advancing age, but I feel that hiding everything useful behind a gear-cog symbol is a little Web 2.0, and it just doesn’t feel right. I like the integrated searching within one edit box, even if the default engine is,predictably, Bing. I find the visuals of the edit box alongside the tabs annoying, first because there isn’t enough visual distinction between the edit box and a tab, and second because the edit box takes up valuable column width that could be used for more tabs. The alternative would have been to devote one row to the edit box and another to the tabs, but I guess that would have spoilt the stripped-bare look and feel (although it is an option).
Under the bonnet, IE9 definitely has a quick browsing engine, but that depends upon your using the right version. You see, there are two: the 32-bit and the 64-bit versions. If you have 32-bit Windows, then you’ll only get the 32-bit version, of course, but 64-bit Windows comes with both. You might think that sounds sensible, until you realise that the default versionis the 32-bit one on both 32-bit and 64-bit Windows, and you have to dig deep to find the 64-bit version on 64-bit Windows. Why has this happened? Well, there’s a perfectly sensible excuse – by focusing on the 32-bit version, the IE9 team was able to make it the best one possible, with the 64-bit version coming second. I could just about handle this grimly realistic attitude, were it not for a couple of key points.
First, 64-bit Windows 7 is the predominant version that’s shipping today, if the laptops that I see being bought and deployed are anything to go by; and second, the 64-bit version of Windows 7 has the old JavaScript engine in it, which is far slower than the 32-bit version, so Microsoft prefers to hide it from public view. I can understand the pragmatism of this decision, but it still grates. We need to move over to 64-bit across the board, and we’ll only have a strong 64-bit experience if people push the platform hard in a fully 64-bit way.
I accept that there are few web pages that require 2GB of RAM, but if the reality is that 64-bit IE9 is to be left as the runt of the litter, then Microsoft shouldn’t install it by default.Make it an optional download or installer, and make it clear that it isn’t as good/fast/optimised/tested as the 32-bit version. Call it a developer 64-bit pre-release version of IE9 or whatever, but sticking it on every 64-bit machine and then hiding it away just irritates me enormously.
PRIVACY ISSUES
I’d quite like IE9 to offer the InPrivate browsing facility as a default option. With InPrivate you can set the browser so that it records nothing about your browsing session: no history, no cache of files, no record of clicks, no cookies and so forth. You can’t make this the default mode (at least, not from the browser UI), which is rather disappointing. I’ll have to have a poke around the Group Policy tools to see if I can force it from there. You might wonder why I’d like this mode turned on by default? Well, I have a particular hatred of the way some sites insist ontracking what I’m doing, and an even bigger hatred of the way that advertising engines use cookies to target me. Using InPrivate browsing mode as the default would automatically ensure that this doesn’t happen, but Microsoft won’t allow it.
That takes me onto the subject of Tracking Protection Lists(TPLs), a new technology in IE9 that allows you to control the way that third-party websites track what you’re doing. If you go to Contoso.com and look at some items, it might be that advertising.com links are embedded within the Contoso.com website, and advertising.com stores cookies on your machine logging what you were browsing. Now move over to happyclappy.com, which is anentirely different site, but also uses advertising.com advert management – those advertising.com links from happyclappy.com can see what you’ve been looking at while on other sites that use its engine, and so can present you with targeted suggestions and adverts. Naturally, the advertising industry thinks this is a really cool, whizzo feature that’s a benefit to all of us (but especially the advertising industry, because a targeted advert can attract a higher click-through price than an anonymous item).
Advertising people really want this sort of behavioural analysis to work in their favour, and naturally claim that it’s for our good too, because we’ll no longer be bothered by pesky adverts that aren’t relevant to our areas of interest. What’s more, we won’t see the same advert several times over,because they “know” what we’ve seen already. If all this sounds like a desperate attempt to justify a border line-immoral business model, then you could possibly be right. The problem here is that no user has been asked whether they want to sign up for this sort of tracking – it just happens whether you want it or not – hence the big interest in expelling these cookies and wresting back control from the advertising industry.
TPLs are a way of doing just that, so at first glance they’re clearly a good thing, but dear reader you’d be quite correct if you guessed that there’s a big “however” lurking around the corner. To explain this downside, let’s look at how TPLs work.Each one is a simple text file, which you can view and edit using any text editor you like. A TPL is usually hosted on a web server,and the page it’s referenced from will usually have a button that fires off some JavaScript to install and activate the TPL into your E9 installation. Within the TPL is an instruction that says where the TPL came from and how long it’s valid for, and when this times out, IE9 automatically goes and retrieves an updated copy.
Now, on to the body of the TPL. You might expect that a TPL is basically an exclusion list of third-party domain names that should be blocked whenever you visit a primary site. Inother words, when I visit Contoso.com, I want the third-party site items to be disabled – if one of those “deny” items is analytics.microsoft.com for example, I want that blocked.However, when I go to analytics.microsoft.com itself, the blocking shouldn’t happen because analytics.microsoft.com is now the primary site for the page. Clearly, a well-designed blocking list will help by nuking all references to advertising,tracking and analysis sites, and will help keep my browsing private to me.
ALLOW DENY
However, there’s a problem here. In the hierarchy of permissions that you can apply in a TPL, “allow” beats “deny”.When I read this in Microsoft’s documentation, I confess that I did a double-take. Since when does “allow” ever trump“deny”? The whole principle of security rests on a clear understanding that no matter how many things you “allow”, a single “deny” is enough to prevent access to them. But no, in IE9 TPLs, allow beats deny, so if you have a deny of analytics.microsoft.com in one TPL and an allow of Microsoft.com elsewhere, the allow will win.
On the Microsoft site that deals with IE9 and TPLs, there are five TPL download links. You can, of course, download multiple TPLs, and IE9 concatenates them together, on the basis that you might choose two TPLs from two trusted sources.Now take a look at the TPL from TRUSTe, which is linked from
the Microsoft site. This appears to be an organisation that certifies advertising organisations as being well-behaved,which is why its TPL has a very large number of “allows” within it. But combine this TRUSTe TPL with a blocking one, and because “allow” beats “deny”, you may well find more personal tracking happening than you’re happy with.
I’m not at all happy with the way that IE9 handles TPLs.The UI is basic, and certainly doesn’t give enough explanation to the user about what’s going on. Suggesting that several TPLs might be a good thing isn’t helpful either, because there will be the obvious temptation to believe that “if three are good, then ten are better”. This might carry some weight if this was a deny-only feature, but when the implementation puts allow ahead of deny,multiple TPLs could be highly counterproductive.
Frankly, I’d prefer a simple pair of checkboxes in the IE9 user interface,called “enable deny” and “enable allow”,along with a pair of radio buttons called“deny beats allow” and “allow beats deny”. Then it would be clear what’s going to happen. It’s unreasonable toexpect users to go digging through the TPL files to work out what’s happening,and even more unreasonable to imply that several TPLs might be a good idea when one can override all the others.This goes to the heart of the question:“Who do you trust, and why?The problem is that users want simple solutions they can set and forget. This is, after all, 2011.
Unfortunately, few people appear to have clean hands in this area. Microsoft itself recently tweeted that “at Microsoft today we do 3B+ in ad revenue. It is the most rapidly growing part of our business.” Is it any surprise, then, that Microsoft’s implementation of TPLs puts “allow” before “deny”, or that one of its linked lists puts a blanket “allow” on Microsoft.com? After all, you wouldn’t want to jeopardise a $3bn per year revenue stream, would you? Hearing this $3bn claim left a sour taste in my mouth with regard to the whole TPL issue in IE9.
To finish on a somewhat more upbeat mood, there are some useful tools in IE9 that are worth checking out. I particularly like the F12 Developer Tools, which you can find under the Gear menu. Another window opens up at the bottom of the browser and immediately I feel at home – yes, there’s a traditional menu bar! Now try clicking on the Network tab, hit the Start Capturing button, then visit a few websites. Everything that loads gets detailed, including a superb graphical view of how long each item took to load. You can click through each item in turn and it will even display what the content was. This is a big step forward for web browser debugging, and for helping users who care about this to see what’s loading on the page.