Microsoft Says Google Circumvents IE Privacy Policies Too
In a blog post, Dean Hachamovitch, corporate vice president for Internet Explorer, described how Microsoft believes Google is getting around IE privacy policies.
IE by default blocks so-called third-party cookies unless a site presents to the browser a P3P Compact Policy Statement describing how the site will use the cookie and pledging not to track the user. P3P is a protocol that websites use to disclose details in a standard format about how they plan to use information collected from users. Browsers that support P3P can block cookies or allow them in compliance with user privacy preferences. Third party cookies are those dropped by domains other than the one in the user's browser address bar.
"Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies," Hachamovitch wrote. "Google's P3P policy is actually a statement that it is not a P3P policy. It's intended for humans to read even though P3P policies are designed for browsers to 'read'," he said.
P3P-compliant browsers read Google's policy as saying that the cookie won't be used for tracking or any purpose, he said. "By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked," he wrote.
Google did not reply to a request for comment on the blog post.
One researcher, however, suggested that Microsoft is also partly to blame. "Companies have discovered that they can lie in their [P3P Compact Privacy Statements] and nobody bothers to do anything about it," said Lorrie Faith Cranor, an Associate Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University, in a blog post over the weekend. "Companies have also discovered that, due to a bug in IE, if they have an invalid [privacy statement], IE will not block it."
She said that Google is not alone in circumventing P3P and that this issue points to a larger problem in browser privacy. In fact, Facebook presents a P3P statement that says: "Facebook does not have a P3P policy." That line is an invalid P3P privacy statement so it essentially turns off IE cookie blocking, she said. "Thousands" of other sites have P3P privacy statements that don't match their actual practices, she said.
Facebook did not reply to a request for comment about the allegation.
"The excuse everyone uses to justify this circumvention is that P3P is dead and IE breaks the cool things they want to do on their website, so therefore it is ok to circumvent browser privacy controls," she said. Cranor chaired the P3P working group and acknowledged that the protocol is struggling. But she suggests that if the industry doesn't like P3P, it should ask Microsoft to remove it from its browser. Or, the industry could also ask standards bodies to declare P3P dead.
"I suspect nobody wants to do that because it might call into question the effectiveness of industry self regulation on privacy," she said.
Cranor reportedly alerted Microsoft back in 2010 to the potential for the kind of privacy breach it describes Google uses, according to the All About Microsoft blog.
Microsoft said it has asked Google to honor P3P privacy settings for users of all browsers, Hachamovitch said.
In addition, he noted that this issue does not impact users of a new privacy feature called Tracking Protection in IE 9.
Microsoft's Monday blog post follows an uproar last week following a Wall Street Journal article that charged Google with circumventing privacy policies in Safari, allowing it to track user movement across web sites. The activity would allow Google to track users of iPhones and other devices that use Apple's Safari browser.
Google said the story mischaracterizes what happens and why. It denied that it was tracking users but acknowledged that it inadvertently was dropping advertising cookies on users' phones against their wishes.