Facebook to Microsoft: P3P is outdated, what else ya got?

Summary: Facebook has confirmed it is also bypassing IE's privacy settings. The social networking giant has told the software giant that P3P is outdated. As they say on the playground: too bad, so sad.

After Microsoft blamed Google for bypassing Internet Explorer's privacy settings, it soon became clear Facebook and tens of thousands of websites were doing the same thing by writing incorrectly formatted compact policies (CPs) for the Platform for Privacy Preferences Project (P3P). Microsoft yesterday told me it is looking into the Facebook angle. IE is the only major browser to support P3P. Facebook got back to me today.

"Facebook social plugins are built and designed to protect privacy by providing people with engaging social experiences on other websites without requiring any additional cookies to be set," a Facebook spokesperson said in a statement. "Therefore, our P3P policy is not intended to enable us to set additional cookies or to track users. While we would like to be able to express our cookie policy in a format that a browser could read, P3P was developed 5 years ago and is not effective in describing the practices of a modern social networking service and platform. Instead, we have posted a public notice describing our practices that is consistent with Section 3.2 of P3P. We have reached out directly to Microsoft in hopes of developing additional solutions and we would welcome the opportunity to work with W3 to update P3P to account for the advances in social networking and the web since 2007."

If you're wondering, Section 3.2 defines the syntax and semantics of P3P policies. As for the five year mention, I think it should be 10. I'm not quite sure where Facebook got the year 2007 from, unless that's when it implemented its P3P policy (it also happens to be the year when Microsoft invested $240 million in Facebook). The World Wide Web Consortium (W3C) designed P3P to give users more control of their personal information when browsing, and officially recommended it on April 16, 2002. Furthermore, P3P has been part of Internet Explorer since IE6, which was released on August 27, 2001.

By default, IE blocks cookies that have CPs deemed unsatisfactory from a privacy perspective (such as collecting anything identifiable). Facebook is essentially saying that it is completely aware of the bug in IE that allows them to use an invalid CP so that the browser does not block the social network's cookies. Since P3P is outdated, Facebook is telling Microsoft to use something better. Until then, the social networking giant has no plans to change its practices.

I have contacted Facebook for further clarification and also reached out to Microsoft again in case Redmond has more to add regarding Menlo Park's stance.

Update at 9:15 AM PST: "We have had our current P3P policy in place for ~2 years, 2007 was the last time the P3P Project had any updates," a Facebook spokesperson said in a statement. Microsoft told me it is still looking into Facebook's response.

Update at 10:00 AM PST: Microsoft declined to comment.

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

12 comments
  • RE: Facebook to Microsoft: P3P is outdated, what else ya got?

    Where are all the Apple Fans now with their bad analogies blaming these other companies! Sorry but, if these other companies are going to complain about people subverting their security then they had better make sure all their bases are covered as well.
    slickjim
    • RE: Facebook to Microsoft: P3P is outdated, what else ya got?

      @Peter Perry, I don't understand what Apple Fans have to do with this. This seems to be something all these big companies are indulging in. And maybe Google is doing it in Android too. If you call all Apple hardware buyers as Apple Fans, then I guess their tribe is increasing, and so is the Android tribe. Increasing at an astonishing and alarming rate that Steve Ballmer does not know what to do (LOL).
      GoForTheBest
    • Man up

      @Peter Perry
      Oh, stop whining! Does Steve Ballmer whine? No! He stages funerals for his competitors! He dances on their graves! He disparages their lineage!
      Robert Hahn
  • Shoot me if I do, shoot me if I don't

    Web standards have a tendency to be pretty old, because standards bodies are slow-moving. Wasn't that long ago that everybody was yelling at Microsoft for proprietary extensions and supposedly not supporting web standards. Now, Facebook is yelling at them for sticking with standards, instead of implementing half-baked, newer stuff. People at the cutting edge love to forget that they are not the only ones who matter.
    WebSiteManager
    • RE: Facebook to Microsoft: P3P is outdated, what else ya got?

      @WebSiteManager A Microsoft (derived) Standard, which nobody else seems to use...
      wright_is
  • RE: Facebook to Microsoft: P3P is outdated, what else ya got?

    I understand Microsoft hates Google but now Microsoft is looking bad. Microsoft's lack of standards in IE seems to be biting them in the butt now. Microsoft should have looked more into P3P use before opening their mouths.
    Randalllind
    • RE: Facebook to Microsoft: P3P is outdated, what else ya got?

      @Randalllind IE9 supports more web standards than ever before. What the hell are you smoking? Microsoft is sticking to web standards. They made a huge push with IE9, and are making an even bigger push with IE10. Get your facts straight.
      jhammackHTH
    • RE: Facebook to Microsoft: P3P is outdated, what else ya got?

      @Randalllind

      Let me try translating the article since you didn't read it.

      IE implements W3C P3P privacy standards for cookies. Facebook doesn't want to comply with these policies, so they use an exploit to avoid it.

      Does that make it any clearer?
      tonymcs1
  • RE: Facebook to Microsoft: P3P is outdated, what else ya got?

    I hope IE updates soon to completely block third party cookies on Google and Facebook and other privacy violators.

    Then we'll see how fast Facebook will comply with privacy settings by IE users.
    IE11
    • RE: Facebook to Microsoft: P3P is outdated, what else ya got?

      @IE9
      Blocking Facebook, a business partner with Microsoft? Nope.
      daikon
  • RE: Facebook to Microsoft: P3P is outdated, what else ya got?

    @Facebook
    "Instead, we have posted a public notice describing our practices that is consistent with Section 3.2 of P3P"

    The P3P standard allows for such a statement but only in the CONSEQUENCE field. Not in the policy CP field as Facebook is doing.
    IE11
    • RE: Facebook to Microsoft: P3P is outdated, what else ya got?

      @IE9

      Exactly. The first thing that should tip people off is the use of noncommittal language within their explanation. "consistent"? Sure, it consistently submits invalid content, and is then ignored and cookies are allowed. If they were to commit to the spec fully, they would in fact have to submit truthful P3P responses. I disagree with that foolish loophole built into the spec, I agree wholeheartedly with its intent, and I believe IE has proven it conforms to the spec fully. I also believe any company that would hold the intent of the spec to a lowered (yet available) standard for financial gains above users' right to opt-out, no matter the method, to be unethical.
      TechNickle