Google defense cites study arguing for stronger privacy regulation

Last week the Wall Street Journal published a report accusing Google of deliberately circumventing privacy settings in Apple’s Safari browser, by implementing a technical workaround that tricks the browser into accepting tracking cookies from a third-party site.

Yesterday, Microsoft accused Google of “employing similar methods to get around the default privacy protections in IE.”

Google fired back with a blast email message that was widely reported by tech news sites, including ZDNet. My colleague Mary Jo Foley included the Google statement as an update to her post. This sentence was a key part of Google’s defense:

Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.

The implication is that P3P is outdated and widely ignored, and that Microsoft is relying on a technicality to score meaningless points.

It took some digging, but I found the study Google was referring to. Its title is Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens.  The study was published in September 2010 by Pedro Giovanni Leon, Lorrie Faith Cranor, Aleecia M. McDonald, and Robert McGuire of Carnegie Mellon University.

The abstract of that study makes fascinating reading. In fact. I suspect that Google’s communications staff didn’t read it carefully. If they had, I don’t believe they would have wanted to world to read it.

Judge for yourself. The Carnegie Mellon researchers say this:

We collected CPs [Compact Privacy Policies] from 33,139 websites and detected errors in 11,176 of them, including … 21 of the top 100 most-visited sites.

Let’s turn that around, shall we? Using this study’s results, these researchers concluded that 79% of the top 100 most-visited websites in the world have perfectly valid compact policies. That seems to contradict Google’s assertion that “the Microsoft policy is widely non-operational.”

In addition, those errors were, in many cases, minor:

Our work identifies potentially misleading practices by web administrators, as well as common accidental mistakes. We found thousands of sites using identical invalid CPs that had been recommended as workarounds for IE cookie blocking. Other sites had CPs with typos in their tokens, or other errors.

Indeed, a look at the detailed results from the Carnegie Mellon study shows that some Microsoft-owned web properties have errors in their CPs. Appendix D cites msn.com, safety.live.com, and windows.com—all owned by Microsoft—as having “slight differences between CP and privacy policy.” By contrast, the same appendix criticized facebook,com, godaddy.com, and hulu.com using more severe language language: “Policies do not match.” Amazon.com and imdb.com were listed as “Invalid CP, unable to compare.”

The abstract concludes:

It appears that large numbers of websites that use CPs are misrepresenting their privacy practices, thus misleading users and rendering privacy protection tools ineffective. Unless regulators use their authority to take action against companies that provide erroneous machine-readable policies, users will be unable to rely on these policies. [emphasis added]

That’s an eye-opener. The study that Google uses to justify its behavior concludes that regulators should “take action against companies that provide erroneous machine-readable policies.”

They’re talking about Google, among others.

This is a complicated topic, filled with nuance and opportunities for confusion. I'll be digging into the details more and will have a follow-up next week.