On President's Day, February 20th, Microsoft accused Google of bypassing Internet Explorer's privacy settings in a Microsoft Software Developer Network posting by Dean Hachamovitch, Corporate Vice President of IE. Google's Rachel Whetstone, Senior Vice President of Communications and Policy, replied that, “Microsoft omitted important information from its blog post today.”
Specifically, Whestone states that “Microsoft uses a “self-declaration” protocol (known as “P3P” [Platform for Privacy Preferences Project]) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known - including by Microsoft - that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other Websites.”
Indeed, Facebook doesn't work with Microsoft's P3P policy either. A Facebook representative said, “P3P was developed 5 years ago and is not effective in describing the practices of a modern social networking service and platform. Instead, we have posted a public notice describing our practices that is consistent with Section 3.2 of P3P. We have reached out directly to Microsoft in hopes of developing additional solutions and we would welcome the opportunity to work with W3 to update P3P to account for the advances in social networking and the web since 2007.”
Whetstone continued, “Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.” According to Whetstone this “Issue has been around since 2002. For many years, Microsoft’s browser has requested every website to 'self-declare' its cookies and privacy policies in machine readable form, using particular 'P3P' three-letter policies.”
“Essentially, Microsoft’s Internet Explorer browser requests of Websites [to] 'Tell us what sort of functionality your cookies provide, and we’ll decide whether to allow them.' This didn’t have a huge impact in 2002 when P3P was introduced , but newer cookie-based features are broken by the Microsoft implementation in IE. These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services. It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality.”
Whetstone added, “in fact the Wall Street Journal (WSJ) states that our DoubleClick ad cookies comply with Microsoft’s request.” Indeed, WSJ author Jennifer Valentino-DeVries added that while “P3P is a good idea, but it’s one that has never really caught on, and other Web browsers don’t support it.”
True, P3P hasn't caught on. It's a near-dead privacy protocol. Whetston cites TRUSTe, a firm that helps companies implement privacy standards, as confirming in 2010 that most of the websites it certifies were not using valid Microsoft P3P policies, Thus, concluded Whetstone, “The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure.,”
True, Valentino-DeVries continued, IE supports P3P by default; if a Web company tells IE that it tracks users, or if it doesn’t have a P3P policy at all, IE stops it from placing 'third party' cookies, the kind usually used by advertisers and tracking companies. But there’s a big loophole in this setting: If a Web company doesn’t follow the right format in its P3P policy, it’s allowed to set cookies anyway.”
Valentino-DeVries added that “Privacy researchers have been complaining for years about this IE loophole and the companies that use it. Lorrie Cranor, a professor at Carnegie Mellon University, wrote a blog post on Saturday pointing out yet again that lots of companies use this loophole including Google and Facebook. [Cranor] also has been calling on Microsoft to make changes to close the loophole.”
So, continued Whetstone, “Today the Microsoft policy is widely non-operational. Browsers like Chrome, Firefox and Safari have simpler security settings. Instead of checking a site’s compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies.”
Adding insult to injury, Whetstone cites a A 2010 research paper by Carnegie Mellon, Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens (PDF Link) found that 11,176 of 33,139 websites were not issuing valid P3P policies as requested by Microsoft and that among the websites that were most frequently providing different code to that requested by Microsoft: Microsoft’s own live.com and msn.com websites.
The Carnegie Mellon researchers also “discovered that Microsoft's support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE.” Thus concluded Whetstone, “This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft.”
Other independent privacy researchers have spotted that Microsoft's privacy accusations are more than a little FUDish. P3P's flaws and disuse has been well known for years. Privacy researcher Lauren Weinstein wrote: “The reality of browser, site, and cookie interactions are complex from both technical and policy standpoints. P3P has never actually been more than a relative footnote all along, and has only served to make matters more confusing, not less. In any case, Microsoft's posting today, given what was already long known about IE and P3P deficiencies in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues.”
Chris Soghoian, a well known privacy researcher, tweeted: “Instead of fixing P3P loophole in IE that FB & Amazon exploited … MS did nothing. Now they complain after Google uses it.”
In short, while there are serious privacy concerns about Google's practices, this particular attack by Microsoft has far more to do with trying to score points against Google than any real privacy violation problem.