Microsoft accused Google of bypassing privacy protections used in Internet Explorer yesterday, following on from a revelation last week that the Internet search giant was bypassing privacy settings in Apple's Safari browser to track users.
The news came to light after an investigation by the Wall Street Journal found evidence showing that even though Safari’s default privacy settings block cookies from third parties, Google was actively circumventing this and installing a cookie that helped it serve personalized ads.
In a post to the MSDN IEBlog yesterday, Dean Hachamovitch, Corporate VP of Internet Explorer, had this to say in the wake of last week's news: “When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies.”
“Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies,” Hachamovitch wrote. “Google's P3P policy is actually a statement that it is not a P3P policy. It's intended for humans to read even though P3P policies are designed for browsers to 'read'.”
The P3P (Platform for Privacy Preferences Project) Compact Policy Statement indicates that the site will not use the cookie to track the user. Microsoft’s accusation is that Google is sending a string of text that tricks IE into thinking the cookie won’t be used for tracking purposes. “By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked,” he wrote.
Since the announcement by the IE team, it has come to light that Google is not alone in these actions. "Companies have discovered that they can lie in their [P3P Compact Privacy Statements] and nobody bothers to do anything about it," said Lorrie Cranor, an Associate Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University, in a blog post over the weekend. She commented that the problem is partly Microsoft’s fault as well: companies have also discovered that, due to a bug in IE, using an invalid privacy statement results in the browser not blocking the tracking cookies being used.
“Microsoft uses a 'self-declaration' protocol (known as 'P3P') dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form,” Google Senior Vice President of Communications and Policy Rachel Whetstone said in an emailed statement to Ars Technica. “It is well known -- including by Microsoft -- that it is impractical to comply with Microsoft’s request while providing modern web functionality.”
Whetstone argues that Microsoft’s system is outdated and over-involved, and more crucially breaks web functionality such as the popular Facebook “like” button. She also claims that the Redmond-based software giant omitted important information from the blog post.
It is also worth pointing out that the 2010 research by Carnegie Mellon University found that Microsoft’s own msn.com and live.com were equally guilty of providing invalid P3P policy statements. The research paper even pointed out that “Microsoft's support website recommends the use of invalid CPs as a work-around for a problem in IE” that was being experienced at the time.