My last post was intended to introduce our overall security strategy and the specific features in IE7 Beta1 for XP SP2 and Windows Vista. A lot of responses to my post were questions about why and how the Microsoft Phishing Filter in IE7 will check websites. We have also heard from a number of site owners who want to know how they can correct an evaluation of “suspicious” or “confirmed phishing”. Before we continue posting on the rest of the IE7 security features, I want to let you know that we’re listening to your feedback about the Phishing Filter and take this opportunity to clarify the process.
The prime directive of the Phishing Filter feature is to help protect users from phishing websites, while maintaining user privacy and being transparent and flexible about how we do it. Protecting your privacy means we will not collect personally identifiable information, we will explain clearly how the feature works, we will give you the choice to use it only when you want to, we will provide a clear indication of how we will use any data, and we’ll use SSL encryption to help protect any queries you send to the anti-phishing server. These are the principles we used to design the Phishing Filter.
You may not find the privacy statement to be a page turner, but it does represent our promise to you. I hope this clarification helps dispel a conspiracy theory or two.
I hope this has helped folks understand the benefits of getting dynamic protection with a real-time service. I encourage you to try it out. Even if you turn real-time protection off, it’s nice to know that you can always manually check on a site if you have reason to suspect foul play.
Tariq’s post is teed up and will go into way more detail about the UX and how Phishing Filter actually works. If you have questions like that you should hold for him. If you have questions or feedback on the privacy concerns, fire away!
Thanks, Rob Franco
Update: Changed the link of the phishing filter whitepaper to reflect the correct URL (it got changed).