Google Circumvented IE's Privacy Settings As Well, Microsoft


After tracking Safari, Google now accused of violating IE privacy

Microsoft officials, having already described how Google bypassed user privacy settings in Safari, now say in a new post that Google has also circumvented the privacy settings of Internet Explorer users.

In the February 20 blog post, Dean Hachamovitch, CVP of IE, blogged, "Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies. Below we spell out in more detail what we've discovered, as well as recommendations to IE users on how to protect their privacy from Google with the use of IE9's Tracking Protection feature. We've also contacted Google and asked them to commit to honoring P3P privacy settings for users of all browsers."

Adding, "We've found that Google bypasses the P3P Privacy Protection feature in IE. The result is similar to the recent reports of Google's circumvention of privacy protections in Apple's Safari Web browser, even though the actual bypass mechanism Google uses is different," he posted.

Explaining why IE also is vulnerable to Google's cookie practices, Hachamovitch said, "IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site's use does not include tracking the user. Google's P3P policy causes Internet Explorer to accept Google's cookies even though the policy does not state Google's intent."

Adding, "Google sends a P3P policy that fails to inform the browser about Google's use of cookies and user information. Google's P3P policy is actually a statement that it is not a P3P policy. It's intended for humans to read even though P3P policies are designed for browsers to 'read'":

P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

"P3P-compliant browsers interpret Google's policy as indicating that the cookie will not be used for any tracking purpose or any purpose at all. By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked," explains Hachamovitch.

Internet Explorer 9 has an additional privacy feature called Tracking Protection which is not susceptible to this type of bypass. Microsoft recommends that customers who want to protect themselves from Google's bypass of P3P Privacy Protection use Internet Explorer 9 and click the following link to add a Tracking Protection List, he said.

javascript:window.external.msAddTrackingProtectionList('http://ie.microsoft.com/testdrive/browser/p3p/google.txt',%20'Block%20third-party%20Google%20site%20tracking')

Microsoft is investigating what additional changes to make to its products -- including the possibility that IE, going forward, will ignore the P3P specification and block cookies with unrecognized tokens. Hachamovitch said, "Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action."
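To make the two points above concrete, here is an added example (not code from Microsoft or Google) that models a lenient compact-policy check, which lets the human-readable non-policy through because it contains no recognized tracking token, beside the strict check proposed by the privacy advocates, which blocks any policy with unrecognized tokens. The token table and the classification of which tokens mean tracking are assumptions for this example, not IE's actual rule set.

```python
import re

# Simplified model of a browser's P3P compact-policy (CP) check. The token sets
# below are assumptions for this example; IE's real table and rules differ.
KNOWN_TOKENS = {
    "NOI", "ALL", "IND", "NAV", "CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
    "IVA", "IVD", "CON", "HIS", "TEL", "OTP", "OUR", "DEL", "SAM", "UNR",
    "PUB", "OTR", "STP", "LEG", "BUS", "NID", "DSP", "COR", "CAO", "IDC",
    "OTI", "PHY", "ONL", "UNI", "PUR", "FIN", "GOV", "CAT", "COM", "INT",
}
# Tokens taken here to mean the cookie profiles or contacts the user without
# consent (assumed classification, not IE's exact rule set).
TRACKING_TOKENS = {"IVA", "IVD", "PSA", "PSD", "CON", "TEL", "OTP", "OTR", "UNR", "PUB"}

TOKEN_RE = re.compile(r"^([A-Za-z]{3})([aio])?$")  # e.g. ADM, ADMa, ADMi, ADMo

def parse_cp(header):
    """Extract the CP="..." value of a P3P response header and split it into tokens."""
    m = re.search(r'CP="([^"]*)"', header)
    return m.group(1).split() if m else []

def canonical(token):
    """Return the 3-letter base of a well-formed token (a/i/o = always/opt-in/opt-out), else None."""
    m = TOKEN_RE.match(token)
    return m.group(1).upper() if m else None

def lenient_allows(header):
    """The loophole: allow the third-party cookie unless a recognized tracking token is present.
    Unrecognized words, such as a sentence written for humans, contribute nothing and pass."""
    tokens = parse_cp(header)
    if not tokens:
        return False  # no compact policy at all: blocked
    return not any(canonical(t) in TRACKING_TOKENS for t in tokens)

def strict_allows(header):
    """The proposed fix: block when any token is unrecognized, then apply the tracking rule."""
    tokens = parse_cp(header)
    if not tokens or any(canonical(t) not in KNOWN_TOKENS for t in tokens):
        return False
    return not any(canonical(t) in TRACKING_TOKENS for t in tokens)

# Constructed sample headers; GOOGLE_HEADER is the text quoted in the article.
GOOGLE_HEADER = 'P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."'
HONEST_NO_TRACKING = 'P3P: CP="NOI DSP COR NID"'
HONEST_TRACKING = 'P3P: CP="IVA PSA OTP OUR"'
NO_POLICY = "Set-Cookie: id=abc; Domain=.example.test"

if __name__ == "__main__":
    for name, h in [("google", GOOGLE_HEADER), ("no-tracking", HONEST_NO_TRACKING),
                    ("tracking", HONEST_TRACKING), ("none", NO_POLICY)]:
        print(f"{name:12} lenient={lenient_allows(h)!s:5} strict={strict_allows(h)}")
```

Only the Google header produces a split verdict: the lenient model accepts it, the strict model blocks it, while an honest no-tracking policy passes both and an honest tracking policy or a missing policy fails both.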

Lorrie Faith Cranor, Director of the CyLab Usable Privacy and Security Laboratory (CUPS) and an Associate Professor at Carnegie Mellon University, and her students alerted Microsoft to this potential P3P-centric privacy breach in 2010. In a recent blog post, she noted that not just Google, but Facebook, also can track IE users via the same P3P loophole.

In response to Cranor's post, a Microsoft spokesperson stated, "The IE team is looking into the reports about Facebook, but we have no additional information to share at this time."

In a response to Microsoft's blog post, Rachel Whetstone, SVP of Communications and Policy at Google, said, "Microsoft omitted important information from its blog post today."

Adding, "Microsoft uses a 'self-declaration' protocol (known as 'P3P') dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known - including by Microsoft - that it is impractical to comply with Microsoft's request while providing modern web functionality. We have been open about our approach, as have many other websites.

Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft," Whetstone said.