In February 2010, I reported that UK citizens could sign an online petition which demanded Internet Explorer 6 updates across all Government departments. The 6 June deadline has now passed and the Government has posted their response. You won’t be happy — they’re keeping IE6.
It’s a shame but we shouldn’t be surprised. The petition attracted just 6,223 signatures so it was hardly a mandate from the British people. That’s a reasonable number of web designers and developers but, since we’re the main beneficiaries, no one could say it was unbiased.
The petition’s biggest mistake was to cite security as the main concern:
IE6 has some security flaws that leave users vulnerable. These two governments (France and Germany) have let their populations know that an upgrade will keep them safer online. We should follow them.
The issue was too vague and could be accused of scaremongering. The Government’s response:
Complex software will always have vulnerabilities and motivated adversaries will always work to discover and take advantage of them. There is no evidence that upgrading away from the latest fully patched versions of Internet Explorer to other browsers will make users more secure. Regular software patching and updating will help defend against the latest threats. The Government continues to work with Microsoft and other internet browser suppliers to understand the security of the products used by HMG, including Internet Explorer and we welcome the work that Microsoft are continuing do on delivering security solutions which are deployed as quickly as possible to all Internet Explorer users.
Each Department is responsible for managing the risks to its IT systems based on Government Information Assurance policy and technical advice from CESG, the National Technical Authority for Information Assurance. Part of this advice is that regular software patching and updating will help defend against the latest threats. It is for individual departments to make the decision on how best to manage the risk based on this clear guidance.
IE6 has had more it’s fair share of vulnerabilities, but it’s also received a decade’s worth of security patches. In Europe, the browser’s market share has fallen below 3.5% so it’s no longer a high-priority target for hackers. Finally, Government departments have stringent security systems in place: it’s not easy for a user to become infected when they can’t access the outside web.
Perhaps the petition would have had a better chance during less challenging economic times. The final part of the Government response highlights the complexity and cost to the taxpayer:
It is not straightforward for HMG departments to upgrade IE versions on their systems. Upgrading these systems to IE8 can be a very large operation, taking weeks to test and roll out to all users. To test all the web applications currently used by HMG departments can take months at significant potential cost to the taxpayer. It is therefore more cost effective in many cases to continue to use IE6 and rely on other measures, such as firewalls and malware scanning software, to further protect public sector internet users.
The new UK Government has embarked on a massive cost-cutting exercise. Citizens are unlikely to be receptive toward millions spent on IT upgrades of negligible benefit when that cost can be directly compared against job losses, nurses salaries, education and defense budgets.
The problem for us is that 12 months is a long time in Internet years and browser upgrading is easy. Yet most Government IT projects have a minimum timescale of 5 to 10 years and the technologies they adopt are reliable (they’re already old). Even those departments undergoing an upgrade are only just moving to IE7. It’s frustrating but, even if they implemented Firefox 3.6 or Chrome 5 today, we’d be demanding further upgrades within a few months.
Ultimately, you have an easy choice. If you don’t want to develop for IE6, don’t undertake jobs where it’s a requirement.