Security in Motion

Jan 15, 2004 · 6 mins
CSO and CISO, Data and Information Security

Principles are always taxed. To save the environment, you’ll pay a seven-grand premium for a hybrid car. To keep your driving habits private, your time is taxed while you wait at turnpike tolls rather than speed through the Fast Pass lane. And if you want to be secure online by using an alternative browser, you are denied access to many IE-only Web pages, like and the site for the U.S. Court for the Eastern District of Michigan. And you won’t get the Web’s latest features like ESPN Motion.

ESPN Motion is a feature that slickly sticks full-frame video and sound right into the sports empire’s homepage. It downloads content over a broadband connection in the background while you’re doing other stuff. I wanted to try it out one day (at home, boss, I swear). But after tapped on my system, it said I couldn’t use ESPN Motion unless I switched to Internet Explorer.

I use Mozilla Firebird. Firebird is adware-, spyware- and malware-free. It blocks ads and pop-ups if I want it to. And, in the DIY browser security tests I ran, fewer vulnerabilities turned up on Firebird than on Internet Explorer, suggesting it has more secure code. It’s definitely more secure culturally. The fact that IE is such a fat target for hackers makes avoiding it good risk management.

The Motion feature debuted as part of a major redesign of in which standards compliance was a huge motivating factor. The idea was that as long as your browser was standards-compliant, you got the full experience. Mike Davidson, an associate art director with ESPN, was a roving diplomat for the redesign, posting messages at developers’ blogs, responding to complaints and so forth. In one interview, Davidson said, “Everyone agreed embracing standards was the right thing to do.” Aha! I thought, I will be able to take advantage of a cool feature while sticking to my security principle. I e-mailed Mike to ask when Motion would work with all standard browsers.

He replied and seemed eager to continue with his diplomacy, but “hating to do this,” he directed me to PR before we spoke. We’ll get back to you, PR said. For a month.

In the meantime, I poked around. Firebird is open source, and developers are constantly adding “extensions” to it. I stumbled across one extension called “User Agent Switcher,” a few K of code that allows you to change the name of your browser from Firebird to Internet Explorer (or anything else, actually). The user agent string is what many (but not all) sites use to detect what kind of browser you use. I installed it and, lo and behold, some sites that would politely tell me to go get IE now let me in. In other words, there was no real technical obstacle to my getting into some sites, just the name of the browser.

I went back to the ESPN Motion site to see if my “Internet Explorer” passed its ESPN Motion compatibility test. Where it used to tell me to download IE, it now said “Passed.”

In other words, ESPN Motion wasn’t really looking for IE for any technical reason. When you think about it, and the MSN portal have a tight relationship. Maybe this was just a way to get even more people to switch to IE.
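The difference between checking a browser's name and checking what it can do, as an added example (not code from this column or from ESPN, whose check was never published). The function names, capability labels and sample clients are assumptions made for illustration.

```javascript
// Added illustration: two ways a site can decide whether a visitor may use a
// feature. Names, capability labels and sample clients are constructed.

// Gate A: trust the browser's self-reported name in the User-Agent header.
function passesUserAgentGate(client) {
  return /\bMSIE [56]\./.test(client.userAgent);
}

// Gate B: test for what the feature needs. `probed` stands for the results of
// client-side feature probes (hypothetical labels).
const REQUIRED = ["media-player-plugin", "background-download"];
function passesCapabilityGate(client) {
  return REQUIRED.every((cap) => client.probed.includes(cap));
}

const IE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)";
const FIREBIRD_UA =
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Firebird/0.7";

// Constructed sample clients. The second and third are the same browser; only
// the reported name differs. Firebird is assumed capable for illustration.
const clients = [
  { name: "IE 6", userAgent: IE_UA, probed: [...REQUIRED] },
  { name: "Firebird", userAgent: FIREBIRD_UA, probed: [...REQUIRED] },
  { name: "Firebird, UA switched", userAgent: IE_UA, probed: [...REQUIRED] },
  { name: "IE 6, no plugin", userAgent: IE_UA, probed: ["background-download"] },
];

// Run both gates over every client so the disagreements are visible.
function compareGates(list) {
  return list.map((c) => ({
    name: c.name,
    userAgentGate: passesUserAgentGate(c),
    capabilityGate: passesCapabilityGate(c),
  }));
}

console.table(compareGates(clients));
```

The name-based gate gives two different answers for the same browser and admits a client that lacks the plugin, while the capability gate's answer tracks only what the feature needs.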

Finally, yesterday, ESPN PR, which had dished me off to Disney PR, which sent me back to ESPN PR, delivered replies to my questions about whether the decision to develop ESPN Motion for IE-only was driven by technical requirements or simple business decisions, or if it was even a real requirement.

The answers weren’t particularly useful and they were varnished with corporate lacquer. (You can see the complete transcript here.) What I gleaned from it is that this was indeed largely a business decision; there simply aren’t enough non-Internet Explorer users for ESPN to worry about them. Mike Davidson in fact had talked in that interview about how “blessed” was to have 98 percent of its traffic come from standard browsers. “The majority of our traffic comes from the workplace,” he notes, “where companies seem to have settled on IE 5 and 6 in a pretty overwhelming way.”

But something about Davidson’s constant beating of the standards drum in his online postings was a little unsettling when the crown jewel feature in his website (one in which he may or may not have been involved; they wouldn’t let him talk to me) appears to be anything but standard, unless standard is defined as “most people use it.” Not only did it require Internet Explorer when there are plenty of other standard browsers out there (Firebird included), but it also required the user to download and use Windows Media Player, a vendor-specific product. But, hey, most people use it.

And while my “IE” browser passed the test, the install of ESPN Motion didn’t proceed because the site told me I had to install Windows Media Player, which I already had done. Whether this was related to my duping the system with the User Agent Switcher or not remains unclear. Neither ESPN nor Disney answered technical questions.

Normally, I don’t mind paying the security tax; I understand I’m part of a tiny minority that uses Firebird and sometimes, for both business and technical reasons that are valid, that means I get a quirky page load or I miss out on a new feature like ESPN Motion. But in this case, I’m not sure the reason I’m paying the security tax is valid, since all I had to do was change the name of my browser, and not the browser itself, to pass a compliance test. If it turns out this is just marketing, just an effort on Disney’s and Microsoft’s part to get more people to say, “Oh well, fine, I’ll switch to get the cool feature” (Motion technology is now found on ABC and Disney as well), then I mind mightily.

In the meantime, my boss will be happy to know, I’m sticking with Firebird. No ESPN Motion for me. I hear they put commercials in, anyway.

Share your thoughts with me at