Not just Google: Facebook also bypasses privacy settings in IE

Summary: Google isn't the only one bypassing Microsoft Internet Explorer's privacy settings: Facebook does it too, as do tens of thousands of other companies. So, who is to blame?

Update: Facebook has responded. Facebook to Microsoft: P3P is outdated, what else ya got?

Following the news that Google is tricking Apple's Safari browser by including privacy-circumventing code in its ads, Microsoft is now saying that Google bypassed privacy settings in Internet Explorer as well. The story goes deeper than that. Google isn't the only company to blame here: Facebook is doing the same thing, as are tens of thousands of other companies, according to TechPolicy.

Internet Explorer blocks third-party cookies that don't come with a special code. The Platform for Privacy Preferences Project (P3P) is a protocol that allows websites to declare their intended use of the information they collect about browsing users. The World Wide Web Consortium (W3C) designed P3P to give users more control of their personal information when browsing, and officially recommended it on April 16, 2002. IE is the only major browser to support P3P.

By default, IE blocks cookies that have P3P compact policies (CPs) deemed unsatisfactory from a privacy perspective (such as collecting anything identifiable). Companies such as Google and Facebook have discovered that they can lie in their CPs and nobody does anything about it. Furthermore, due to a bug in IE, if they have an invalid CP, IE will not block their cookies. In other words, even if companies have an accurate CP, they just have to format it incorrectly to circumvent IE's cookie blocking.

A 26-page research paper from September 2010 titled "Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens" (PDF) looked into the issue. After examining the CPs of 33,139 websites, the researchers from Carnegie Mellon University detected errors in 11,176 of them, including 21 of the top 100 most-visited websites (like Microsoft's own live.com and msn.com).

Facebook's compact policy states: P3P:CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p." The link in question takes you to a Facebook Help Center entry, which reads as follows:

Facebook's Platform for Privacy Preferences (P3P)

Thanks for your interest in privacy at Facebook. You are seeing this message because you attempted to access Facebook's Platform for Privacy Preferences (P3P) compact policy.

The organization that established P3P, the World Wide Web Consortium, suspended its work on this standard several years ago because most modern web browsers do not fully support P3P. As a result, the P3P standard is now out of date and does not reflect technologies that are currently in use on the web, so most websites currently do not have P3P policies.

In short, many companies are taking advantage of Internet Explorer's poor cookie blocking implementation for their own purposes. Their excuse is that P3P is dead and IE's cookie blocking would break their website, so they just work around the browser's privacy controls.

I have contacted Facebook and Microsoft about this issue and will update you if I hear back.

Update: "The IE team is looking into the reports about Facebook, but we have no additional information to share at this time," a Microsoft spokesperson said in a statement. Facebook has yet to reply.

Update 2: Facebook has responded. Facebook to Microsoft: P3P is outdated, what else ya got?

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

20 comments
  • Let me ask a similar question

    Thousands of homes are broke into every day. Who is to blame?
    Michael Alan Goff
    • RE: Not just Google: Facebook also bypasses privacy settings in IE

      @Michael Alan Goff Yeah and now you are seeing more sites coming out stating that the security model is the problem but you keep making analogies and the rest of the world will figure out that this was really a non-issue.
      slickjim
      • RE: Not just Google: Facebook also bypasses privacy settings in IE

        Microsoft isn't off the hook, but the people abusing this problem aren't innocent. You might not agree because it says something bad about Google, but get over it.
        Michael Alan Goff
    • RE: Not just Google: Facebook also bypasses privacy settings in IE

      @Michael Alan Goff. I assume you mean; "Thousands of homes are broken into everyday. Who is to blame?"
      I respond that once the general public (thieves included) discover that all one has to do is use a broken key to open the locks, at some point the blame needs to at least be shared by the lock maker. Or so it would seem to me.
      DoYouKnow?
      • RE: Not just Google: Facebook also bypasses privacy settings in IE

        Yes, shared.

        But the thieves are still going to jail for breaking and entering.
        Michael Alan Goff
      • RE: Not just Google: Facebook also bypasses privacy settings in IE

        @DoYouKnow?
        In days of people kept their houses unlocked and never worried for thieves breaking in. Theft was unheard of, and then modern times; neighbors and "so called" friends steal off each other. Locks and security systems become stronger but not infallible. Only in modern liberal times do people blame the lock maker (passing blame where it does not belong). Those bending code to their profitable desires are to blame. Do you comfort the rapist because your wife or daughter was shopping or coming home from school and didn't carry a gun? Are your cars really safer because you have the loudest, most expensive security systems? The BAD guys only need more time to pillage. You've only slowed them down. Companies with any morals would have shown IE and Safari the loopholes in their security. Both Facebook and Google have been known for lax security and massive profits yet the liberal tech communities give them a pass. Time and time again the hypocrites speak in favor of their chosen platforms and never seek what's right. I'm sorry your beloved Google and Facebook are evil and can only pity your complete submissiveness and loyalty to them.
        partman1969@...
  • Even Microsoft Sites

    As presented in the paper here
    http://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab10014.pdf
    PaulusNet
  • RE: Not just Google: Facebook also bypasses privacy settings in IE

    It sounds to me like P3P is the problem. If this is a dead standard then they need to look at deprecating support for the program.
    slickjim
    • RE: Not just Google: Facebook also bypasses privacy settings in IE

      @Peter Perry

      I'd have to agree with you here. Tracking protection in IE would take care of this I'm guessing but that's an additional option very few people actually turn on. AdBlock would likely have the same result on Firefox and any other browser it's available on.

      I'm not a huge Google fan but this seems like the original story was drummed up to fling mud at them, despite the fact that 1/3 of the sites they tested were doing it. Including live.com and who knows who else...
      LiquidLearner
      • RE: Not just Google: Facebook also bypasses privacy settings in IE

        @LiquidLearner
        Story is not anything new. I've been adamantly against Facebook and Google social networking as long as they have been. Funny how enticing the slightest mention of social networking is and the zombies that have been created.
        partman1969@...
    • RE: Not just Google: Facebook also bypasses privacy settings in IE

      P3P is a Microsoft thing that never caught on. Why should MS dictate cookie content? To monopolize their power over the web even further?

      That doesn't excuse Google and Facebook, though...
      ScorpioBlack
  • RE: Not just Google: Facebook also bypasses privacy settings in IE

    So if you steal something and you are caught, you can just say, hey, other people are stealing too. That makes it ok? I don't see the point of this post, because all you are saying is that Facebook does the same thing so that makes it ok for Google to continue invading privacy? Poor journalism.
    slickmagic
    • RE: Not just Google: Facebook also bypasses privacy settings in IE

      The worst part is that people were saying that Google was okay to do it before this post.
      Michael Alan Goff
      • RE: Not just Google: Facebook also bypasses privacy settings in IE

        @Michael Alan Goff
        Who said that? Few over in the Safari blog were condoning it.
        ScorpioBlack
      • RE: Not just Google: Facebook also bypasses privacy settings in IE

        Just poke your head around at any article and you'll find people blaming IE for this. Don't ask me how it makes sense.
        Michael Alan Goff
  • RE: Not just Google: Facebook also bypasses privacy settings in IE

    I have set privacy for both IE9 and Chrome to always block 3rd party cookies, period. I don't care what P3P says or does. Are you saying that Google, Facebook, others(?) can by-pass this setting? Or that they can only bypass the more lenient P3P settings?
    Jim Johnson
    • RE: Not just Google: Facebook also bypasses privacy settings in IE

      @Jim Johnson

      In IE, due to a bug, if they present a malformed P3P policy it will be as if no P3P policy was set and your setting may or may not be honored.
      PollyProteus
  • RE: Not just Google: Facebook also bypasses privacy settings in IE

    Okay, let's look at this. From Facebook:

    "The organization that established P3P, the World Wide Web Consortium, suspended its work on this standard several years ago because most modern web browsers do not fully support P3P."

    What this translates to is this: "Simply because other browsers decided not to implement it, or implement it fully, we're not going to use this already established standard that will help you with controlling your privacy on the web."

    Or, in plain English: "We really don't give a shit about your privacy."
    PollyProteus
  • tracking protection

    IE is also the only browser to include tracking protection in the browser itself. The federal government asked browser manufacturers to include features to allow end users a high level of privacy. So far Microsoft is the only company to build that in. Everybody else uses an add-on for better privacy. IE10 on ARM will not allow add-ons. Firefox only exists as a carrier for third party add-ons, without those add-ons, Firefox is neither flexible nor safe.
    mswift@...
  • RE: Not just Google: Facebook also bypasses privacy settings in IE

    You have sites like Austin Energy's new customer portal. They simply throw a minimum P3P placeholder in their site to fool IE:

    p3p: CP="NON CUR OTPi OUR NOR UNI"

    In part, this means:

    "Information may be used in other ways not captured by the above definitions. Opt-in means prior consent must be provided by users.

    "Information is not retained for more than a brief period of time necessary to make use of it during the course of a single online interaction. Information MUST be destroyed following this interaction and MUST NOT be logged, archived, or otherwise stored."

    This in no way reflects their actual privacy policy.
    pbarnhart@...