Microsoft: Google bypassed privacy settings in IE, too

Microsoft: Google bypassed privacy settings in IE, too

Summary: Microsoft officials are now saying that Google also circumvented IE users' privacy settings, as it did with Safari.

SHARE:
86

A week after Microsoft criticized Google over bypassing user privacy settings on Apple's Safari, the Softies are admitting publicly that Google did the same with Internet Explorer (IE).

On February 17, Microsoft used Google's circumventing of certain privacy settings on iPhones, iPads and Macs as a reason to tout IE's superiority in terms of privacy protection. But on February 20, in a post to the IEBlog, Microsoft officials admitted that Google also skirted IE users'  privacy settings, as well.

Dean Hachamovitch, Corporate Vice President of IE, blogged:

"Google is employing similar methods (to what it employed with Safari) to get around the default privacy protections in IE and track IE users with cookies. ...We’ve also contacted Google and asked them to commit to honoring P3P privacy settings for users of all browsers."

In today's blog post, Hachamovitch explained why IE also is vulnerable to Google's cookie practices:

"IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent....

"Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy."

Hachamovitch said that IE users can take additional privacy steps by using an IE9 Tracking Protection list Microsoft created to thwart Google's policy on this specifically. He also said that Microsoft is "investigating what additional changes to make to its products -- including the possibility that IE, going forward, will ignore the P3P specification and block cookies with unrecognized tokens.

Update: Lorrie Faith Cranor, Director, CyLab Usable Privacy and Security Laboratory (CUPS) and an Associate Professor at Carnegie Mellon University, emailed me to tell me that she and her students alerted Microsoft to this potential P3P-centric privacy breach in 2010. Here's a paper she and some of her students wrote about it. She also did a blog post on February 18 on the Microsoft-sponsored Technology/Academics/Policy site noting not just Google, but Facebook, also can track IE users via the same P3P loophole.

Update No. 2: Microsoft's response to Cranor's post from a spokesperson: "The IE team is looking into the reports about Facebook, but we have no additional information to share at this time."

Update No. 3: Google officials (eventually) had plenty to say about Microsoft's disclosure today. Here's Google's response to Microsoft's blog post from today, attributable to Rachel Whetstone, Senior Vice President of Communications and Policy:

"Microsoft omitted important information from its blog post today.

"Microsoft uses a 'self-declaration' protocol (known as 'P3P') dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form.  It is well known - including by Microsoft - that it is impractical to comply with Microsoft’s request while providing modern web functionality.  We have been open about our approach, as have many other websites.

"Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft."

Google officials noted that onstead of fixing the P3P loophole in IE of which Facebook, Google and Amazon all are making use, Microsoft has not done so, yet its officials are complaining about it.

Topics: Browser, Google, Microsoft

About

Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

86 comments
Log in or register to join the discussion
  • RE: Microsoft: Google bypassed privacy settings in IE, too

    Silly, Facebook does this too. Seriously, if anything, it should be Microsoft & Apple to blame for putting out products that are open to exploitation.
    tatiGmail
    • RE: Microsoft: Google bypassed privacy settings in IE, too

      @tatiGmail I second that completely. If anything, this is more of an issue with how weak both IE and Chrome are.
      AWilliams87
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        @AWilliams87 you've meant IE and safari. Google's Chrome is rock solid with excellent privacy protections.
        The Linux Geek
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        @The Linux Geek
        Yeah excellent protection from anything other than Google. Google on the other hand probably tracks your voice and room through the Mic and Cam so they can pick out products in your room so they can direct the ads at you. Yeah great protection as they said before you don't get privacy protection from Google, they just don't care as money rules the roost there!
        OhTheHumanity
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        @AWilliams87

        So the bank robber isn't evil. It's the banks for not having perfect protection.

        Do you even read what you write these days?
        tonymcs@...
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        @tonymcs@...
        If my bank account got robbed. I would totally blame the bank.
        anono
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        @AWilliams87 I also agree, but keep in mind that this has happened to other browsers as well. The truth be said, companies should act more ethical and not bypass what security exists. Morality and ethics have gone to the dogs in this industy!!!!
        apetti
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        @The Linux Geek
        I would never trust Chrome, it is a Google product that enables them to know what you are doing so they can feed the search engine and get more ad revenue. BTW, Google is proving time and again, almost weekly, why it cannot be trusted.
        rmark@...
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        @AWilliams87
        I'd liken this to the rapist having your wife because she is a woman. Get real. If you take advantage of any browser for profit, against the users wishes you should be considered criminal and held accountable. Antimalware and antivirus should be updated to quarantine this kind of activity.
        partman1969@...
    • M$ and apple browsers are so lame

      @tatiGmail
      that you can exploit vulnerabilities even without knowing it. Google did them a service by not exposing how lame they are and instead provided an improved user experience. More reasons to switch to Android!
      The Linux Geek
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        @The Linux Geek
        Google should have informed both Windows and Apple about the exploit not take advantage of it. You are such a Dolt for Google.
        partman1969@...
    • RE: Microsoft: Google bypassed privacy settings in IE, too

      So the people making the locks are responsible for the break-in, not the thief?
      Michael Alan Goff
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        @Michael Alan Goff You honestly have to wonder, why MS and Apple are so intent on blocking Google to begin with... What are they afraid of? Maybe this is just their way of cutting off funding to the company they see as the biggest threat but that's okay because, Chrome is steadily takoing over the Market because it is simply a better browser.
        slickjim
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        IE and Safari aren't blocking Chrome. >>;
        Michael Alan Goff
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        @Peter Perry <br>Are you serious or ignorant?<br><br>University researchers have discovered Google has bypassed privacy settings of browsers. Browser makers promised those privacy settings are working. Now shouldn't they repair those loopholes? Is it too difficult to understand for you?
        wmac1
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        @Michael Alan Goff If the locks are defective.... Yes!
        Dameadows
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        @Dameadows

        Tell that to a judge and see how quickly he laughs you out of the courtroom!
        Michael Alan Goff
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        wmac1:

        While the loophole needs to be closed, Google should be flogged for unethical tactics for using the loophole intentionally! Of coarse if companies like Google were trustworthy, the loophole would not be an issue.
        rmark@...
      • RE: Microsoft: Google bypassed privacy settings in IE, too

        @ANYBODY TRULY CONCERNED <br>Even the most secure alarm systems have not stopped automotive theft. I believe auto theft is still considered a felony so how on Earth can you defend a criminal for his or her activity just because he gets past a lock. I won't defend any tech firm for exploiting loopholes to their advantage no matter their name or what they sell. Only the most liberal defender of FOSS software would be so ignorant to defend Google for blatant use of browser loopholes in competing browsers, and those same liberal defenders of Google care little they are monitored via their own Google Chrome. Too many reasons to list why people should avoid Google, Google Plus and Facebook for their privileged monitoring behaviors.
        partman1969@...
    • RE: Microsoft: Google bypassed privacy settings in IE, too

      @tatiGmail
      So under your thought process, its quite ok for you to rob your neigbors home since they left the door unlocked? Yeah I agree they should plug the hole, but to completely ignore Google in all this really just shows that you like Google and they do no wrong. I don't care what company does this they will not get my best wishes and they need to correct their actions now and stop acting like anything on the internet is theirs to take, like our privacy to browse the freakin web without them gathering data on it. I just turned on tracking protection and wish I would have before all this.
      OhTheHumanity