Google, Microsoft Butt Heads Over IE Privacy Skirting

Google yesterday countered Microsoft's contention that it's skirting Internet Explorer's privacy protection, saying it's "impractical" to comply with IE's rules.

One privacy researcher said there was enough blame to apportion to both Google and Microsoft.

The latest dustup over Google's privacy practices began early Monday, when Microsoft's top executive for IE accused Google of circumventing the browser's default privacy defense so that Google's ad network could track IE users' online movements without their permission.

Microsoft's charges were similar to ones made last week after the Wall Street Journal said Google was sidestepping the privacy protection of Apple's Safari, which is bundled with Mac OS X and is the only authorized browser on the iPhone and iPad.

On Monday, Dean Hachamovitch, who leads the IE team, said Google was getting around Microsoft's browser, too.

"Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies," Hachamovitch said in a blog post .

P3P, for "Platform for Privacy Preferences," is a 10-year-old Web standard that websites can use to describe how they use cookies and user information. By default, IE blocks all tracking cookies from sites that do not present a valid P3P compact policy (CP), a string of codes sent to browsers as part of the HTTP header.

Google, said Hachamovitch, was gaming P3P to trick IE into accepting tracking cookies, even though Google's Compact Policy Statement does not spell out the search giant's intent. "Google bypasses the cookie protection [in IE] and enables its third-party cookies to be allowed rather than blocked," Hachamovitch charged.

Google returned volley today.

In a statement issued by Rachel Whetstone, senior vice president of communications and policy, Google asserted that it was "impractical to comply" with IE's P3P request because doing so prevented sites and services from providing features, including sign-in to multiple Google services.

"Today the Microsoft policy is widely non-operational," said Whetstone, citing a 2010 report that claimed more than 11,000 websites were not issuing valid P3P policies. "The reality is that consumers don't, by and large, use the P3P framework to make decisions about personal information disclosure."

Whetstone went on to say that Google has "been open about our approach" to P3P, and said Microsoft itself had recommended using invalid P3P codes as a work-around for a problem in IE. "This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft," she said.

The study referenced by Whetstone was conducted by a team at Carnegie Mellon University's CyLab and published in September 2010 ( download PDF ).

In the report, the researchers noted the widespread circumvention -- some apparently purposeful, some accidental -- of IE's cookie-blocking with malformed P3P compact policies. Among the companies involved, the report named Amazon, Facebook and Google.

"I think there is plenty of blame to go around," said Lorrie Faith Cranor, an associate professor of computer science at Carnegie Mellon, the director of its CyLab Usable Privacy and Security Laboratory and the faculty member who lead the team that produced the 2010 report.

She said Microsoft was partly to blame for not complaining about companies circumventing its privacy policy and not taking steps to modify IE. Cranor reported her team's findings to Microsoft in the fall of 2010, but she did not receive any formal reply. However, Cranor said that shortly afterward, Microsoft scrubbed its support site of the workaround recommendation Whetstone mentioned.

"But organizations have some responsibility for using a technical trick to circumvent the IE privacy controls," Cranor said, referring to Google, Facebook and others.

She also was suspicious of Google's claim that P3P was impractical, noting that the company's DoubleClick ad network does present valid CPs to IE. "They figured out how they worked there," she said. "I'm skeptical that they couldn't do the same elsewhere."

Others have pointed fingers at Microsoft more than at Google.

"Microsoft's posting, given what was already long known about IE and P3P deficiencies in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues," said Lauren Weinstein , a privacy advocate and co-founder of the People for Internet Responsibility group.

While Cranor said P3P was "unhealthy, perhaps even dead" at the moment -- echoing Whetstone's assertion -- she said the standard had been useful in advancing the Web privacy debate. And she wasn't ready to give up on P3P.

"Nothing exists that is better," she said of P3P. "There's nothing fundamentally wrong with P3P. The problems with it are not technical, but a lack of interest in using it."

Cranor chaired the P3P working group, and has written a book on the standard.

Although "Do Not Track," a browser-and-website privacy initiative that the Federal Trade Commission (FTC) backs -- and that Microsoft supports in IE9 -- has gotten much of the attention recently, P3P remains a better solution, Cranor argued.

But that's only when it's enforced.

"It's more readily enforced than Do Not Track, because it forces a website to declare its privacy policies. But it's really important for regulators to enforce the policies," Cranor said.

And that's not happened.

"Once people saw that there were bugs in P3P that could be used to circumvent privacy policies, and that when they did, nothing happened, then all bets were off," said Cranor.

Yesterday, Microsoft's Hachamovitch told users how to set IE to block all cookies from a specific website, such as Google, and offered a Tracking Protection List to IE9 users "in the event that Google continues this practice."

He also confirmed that Microsoft is re-considering its use of P3P.

"We are investigating what additional changes to make to our products," Hachamovitch said. "Privacy advocates involved in the original [P3P] specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action."