Not so fast Microsoft! Google fires back at MS privacy claims.

Not so fast Microsoft! Google fires back at MS privacy claims.

Summary: Yesterday, Microsoft accused Google of bypassing an Internet Explorer's privacy policy. Today, Google declared that Microsoft's claim were FUD and the Windows giant knows darn well that “Microsoft policy is widely non-operational.”

SHARE:
74

On President's Day, February 20th, Microsoft accused Google of bypassing Internet Explorer's privacy settings in a Microsoft Software Developer Network posting by Dean Hachamovitch, Corporate Vice President of IE. Google's Rachel Whetstone, Senior Vice President of Communications and Policy, replied that, “Microsoft omitted important information from its blog post today.”

Specifically, Whestone states that “Microsoft uses a “self-declaration” protocol (known as “P3P” [Platform for Privacy Preferences Project]) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form.  It is well known - including by Microsoft - that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other Websites.”

Indeed, Facebook doesn't work with Microsoft's P3P policy either. A Facebook representative said, “P3P was developed 5 years ago and is not effective in describing the practices of a modern social networking service and platform. Instead, we have posted a public notice describing our practices that is consistent with Section 3.2 of P3P. We have reached out directly to Microsoft in hopes of developing additional solutions and we would welcome the opportunity to work with W3 to update P3P to account for the advances in social networking and the web since 2007.”

Whetstone continued, “Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.” According to Whetstone this “Issue has been around since 2002. For many years, Microsoft’s browser has requested every website to 'self-declare' its cookies and privacy policies in machine readable form, using particular 'P3P' three-letter policies.”

“Essentially, Microsoft’s Internet Explorer browser requests of Websites [to] 'Tell us what sort of functionality your cookies provide, and we’ll decide whether to allow them.' This didn’t have a huge impact in 2002 when P3P was introduced , but newer cookie-based features are broken by the Microsoft implementation in IE.  These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services.  It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality.”

Whetstone added, “in fact the Wall Street Journal (WSJ) states that our DoubleClick ad cookies comply with Microsoft’s request.” Indeed, WSJ author Jennifer Valentino-DeVries added that while “P3P is a good idea, but it’s one that has never really caught on, and other Web browsers don’t support it.

True, P3P hasn't caught on. It's a near-dead privacy protocol.  Whetston cites TRUSTe, a firm that helps companies implement privacy standards, as confirming in 2010 that most of the websites it certifies were not using valid Microsoft P3P policies, Thus, concluded Whetstone, “The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure.,”

True, Valentino-DeVries continued, IE supports P3P by default; if a Web company tells IE that it tracks users, or if it doesn’t have a P3P policy at all, IE stops it from placing 'third party' cookies, the kind usually used by advertisers and tracking companies. But there’s a big loophole in this setting: If a Web company doesn’t follow the right format in its P3P policy, it’s allowed to set cookies anyway.”

Valentino-DeVries added that “Privacy researchers have been complaining for years about this IE loophole and the companies that use it. Lorrie Cranor, a professor at Carnegie Mellon University, wrote a blog post on Saturday pointing out yet again that lots of companies use this loophole including Google and Facebook. [Cranor] also has been calling on Microsoft to make changes to close the loophole.”

So, continued Whetstone, “Today the Microsoft policy is widely non-operational. Browsers like Chrome, Firefox and Safari have simpler security settings. Instead of checking a site’s compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies.”

Adding insult to injury, Whetstone cites a A 2010 research paper by Carnegie Mellon, Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens (PDF Link) found that 11,176 of 33,139 websites were not issuing valid P3P policies as requested by Microsoft and that among the websites that were most frequently providing different code to that requested by Microsoft: Microsoft’s own live.com and msn.com websites.

The Carnegie Mellon researchers also “discovered that Microsoft's support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE.” Thus concluded Whetstone, “This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft.”

Other independent privacy researchers have spotted that Microsoft's privacy accusations are more than a little FUDish. P3P's flaws and disuse has been well known for years. Privacy researcher Lauren Weinstein wrote: “The reality of browser, site, and cookie interactions are complex from both technical and policy standpoints. P3P has never actually been more than a relative footnote all along, and has only served to make matters more confusing, not less. In any case, Microsoft's posting today, given what was already long known about IE and P3P deficiencies in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues.”

Chris Soghoian, a well known privacy researcher, tweeted: “Instead of fixing P3P loophole in IE that FB & Amazon exploited … MS did nothing. Now they complain after Google uses it.”

In short, while there are serious privacy concerns about Google's practices, this particular attack by Microsoft has far more to do with trying to score points against Google than any real privacy violation problem.

Related Stories:

Microsoft: Google bypassed privacy settings in IE, too

Facebook to Microsoft: P3P is outdated, what else ya got?

Congress demands FTC investigation into Google's Safari tracking

Did Google trick Apple's Safari into tracking users?

Topics: Google, Browser, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

74 comments
Log in or register to join the discussion
  • RE: Not so fast Microsoft! Google fires back at MS privacy claims.

    Microsoft spreading F.U.D? Tell me it is not true???. Microsoft would never resort to lying about the competition, and all Microsoft products are perfect, blessedly Ballmer, the great software fairy. /sarcasm.
    Joel-r
    • I agree, apple and M$ spread FUD

      @Joel-r
      against google who is eating their lunch. Instead of innovating and implementing standards and cutting edge technologies like google, M$ and apple complain and deceive their users with a false sense of security.
      I think a class action lawsuit it's needed to close these privacy and security holes that apple and M$ have refuse to fix for many years.
      In the meantime people should use chrome that protects your privacy against spyware and hackers.
      The Linux Geek
      • RE: Not so fast Microsoft! Google fires back at MS privacy claims.

        @The Linux Geek : Funny how someone with the name "Linux Geek" would make a comment that includes Apple in a story that never mentioned that said. Even then, siding with Google who clearly are taking open source code and using it as if it was their own. As for privacy, maybe Google should clean up their own house first before complaining.
        Gisabun
      • RE: Not so fast Microsoft! Google fires back at MS privacy claims.

        @The Linux Geek<br>I think your promotion of malicious activities, wether from whatever company, and particularly your ever beloved Google for the user's privacy concerns as a fault to your character. You like the rest of the liberals pass blame, promote unneeded frivolous litigation and only extend the worries for privacy in current times. Privacy concerns should be confirmed addressed and passed to all parties concerned, not taken advantage of for profit and certainly never endorsed. You are a sick individual with corporate before public concerns. Google and Facebook needs spanked and you just brush it under the rug.
        partman1969@...
      • RE: Not so fast Microsoft! Google fires back at MS privacy claims.

        @partman1969: "malicious activities" - prove it.
        Natanael_L
      • RE: Not so fast Microsoft! Google fires back at MS privacy claims.

        @The Linux Geek What a dumb suggestion. Use Chrome, and Google browser, to protect your privacy from Google. Go swim with the sharks, Joel!
        rollguy
      • RE: Not so fast Microsoft! Google fires back at MS privacy claims.

        @Gisabun
        What's the problem with using Open Source as their own? Most big companies (including Google and Apple) use open source software as their own, most of them also contribute back (including again Google and Apple).In fact both Google and Apple contribute heavily on WebKit, which is an Open Source software created from KHTML from KDE. This is the expected behavior. This is the way open source is meant to be.
        rivasdiaz
    • RE: Not so fast Microsoft! Google fires back at MS privacy claims.

      @Joel-r
      Think this is typical. Microsoft and Apple trying to kill Google with all the means they can, FUD, litigation's, negative PR-campaigns, using proxy company's, web-loggers, etc. But a little bit to lazy to look at their own products.

      Microsoft, when it at last got knowledge about the problem, starts communicating about it in stead of fixing it. Is it a public relation issue or is it still a security issue giving people a false sense, of privacy?

      It is typical because Microsoft did create the monopoly with all means possible, except one, the quality of their products. All documented in the records of some anti-trust litigation's. It was only later they used some of all the money to improve somewhat their products. But they used it mainly for buying other company's for selling things they could not make themselves.
      somereader
      • RE: Not so fast Microsoft! Google fires back at MS privacy claims.

        @somereader<br>Google and Facebook would have larger teams assigned to cracking more secure code. You can't seem to understand that stronger locks will still be broken and that the perfect security systems still haven't thwarted automobile theft. Your passing blame is a very liberal behavior which never solves the actual problem. Abusing a loophole for profit is a crime and near as I can see we are nowhere close to the Utopia which will prevent companies from extracting profit from man-made imperfect code.
        partman1969@...
      • RE: Not so fast Microsoft! Google fires back at MS privacy claims.

        @somereader : What else should we expect from the generation of liars that Bill Gates spawned? Surprised? Not.
        Willnott
      • RE: Not so fast Microsoft! Google fires back at MS privacy claims.

        @partman1969: "Abusing a loophole for profit is a crime" - only when it's a loophole in *laws*, and then only if it's considered harmful. Otherwise it's civil matters.

        And anyway, can you prove malicious intent? No? Well, thought so.
        Natanael_L
      • RE: Not so fast Microsoft! Google fires back at MS privacy claims.

        @Natanael_L<br>Ok so if I were to say that maybe there was no intentional malice by Google directly, but that the results of said browser exploits and collected information led to third parties taking advantage because they bought your personal information from Google (they profited) and then now your personal information is used for identity fraud or stolen identity leads to financial losses of said user or other parties all because your collected information ended up with third and fourth parties which advertised on google. This is very possible and highly likely. 36 states in the U.S. have dispatched numerous attorneys because of privacy concerns for people using Google and Google sponsored sites. Maybe you should quit looking through such Rosy colored glasses. I don't need proof, I am careful and avoid scenarios where I may have my personal information and shopping habits monitored, I dump and clean all browsing behavior regularly. Identity theft and fraud are crimes and collecting as much information on any individual especially by using exploits not reported to the browsers creators is in poor taste at the least and outright financially harmful at worst. Maybe your defensive front should be directed at the many tech bloggers, newspapers, magazines,and newscasts that informed the public.
        partman1969@...
      • To Google

        @partman1969: I think your answer should be directed more to Google then to me. Many big Internet company's play for commercial reasons with our privacy, and I don't think this is a good thing.
        But would you compare this with some loopholes that every complex code has, and that may be exceptionally and temporally exploited by some hackers? Seriously? If I searched for that protocol I found more indications that everybody knew for a long time that it was broken.
        I don't now about you but it makes Microsoft comments sound more pathetic than professional to me.
        somereader
    • Not so fast Google is more like it.

      @Joel-r

      I'm hoping here that your comments are simply based on this ridiculously truncated article. I say ridiculously truncated because it speaks of Google referring to a report alleged to come to their defence when the truth is when one actually reads the report in its entirety it does the very opposite. Its always the risk one runs when they rely on a party with a specific interest to spoon feed them whatever snippets of a report they want others to hear.

      First off, lets keep it straight what info is coming from exactly where. Keep the following name in mind as we continue:
      " Google???s Rachel Whetstone, Senior Vice President of Communications and Policy"

      From Stevens article:
      "Whetstone continued, ???Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft"

      Google says that.

      What the report actually says is that out of 33139 sites checked 11176 have a P3P error. Thats obviously far too many but its still only just under 34%. Further out of the top 100 websites only 21% had an error. This by any sane standard does not qualify as "widely non-operational".

      What Steven fails to mention in his article that the report Google relies on does say is that many of the errors are not intentional. In other words, the websites have no issue with P3P compliance beyond the fact that somebody along the way botched something. What Stevens article also doesn't mention is that many of the errors are minor. Some actually singular in nature, hence the suspicion that they are simply human error causing non compliance, not simply the fact that the website has moved on to some other system. Here are some quotes from the report Google relies on:

      "In 2002, regulators from several countries agreed that a P3P policy is legally binding and constitutes a representation to consumers on which they can be expected to rely"

      "We found that nearly 34% of the CPs evaluated in August 2010 have at least one error in these categories"

      "While some of the invalid token errors are likely typos and many appear to be harmless, these errors may cause user agents to incorrectly interpret a CP, which could confuse and mislead users."

      "Many invalid token errors are likely to be accidental"

      In relation to the stupidly offending Microsoft websites the report says:

      "We believe that these websites are likely attempting to comply with P3P;however, they are not using P3P properly." This is a situation to which anyone who actually reads the report would soon realize is likely often the case for many offending sites, not simply that they opted out of the P3P system.

      And does this report in any place allege that the P3P system has fallen into disuse or that it be scrapped or that its not worth using? No, in fact what it dos say is this:

      "Unless regulators use their authority to take action against companies that provide erroneous machine-readable policies, users will be unable to rely on these policies."

      In other words they are saying its an issue that needs to be fixed so that people can rely on it.

      Read it all for yourself.

      http://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab10014.pdf

      Google is going to make themselves famous for playing fast and loose with the facts if they keep this up.
      Cayble
  • So nobody want's to follow or adhere to W3's P3P standards?

    [i]Google???s Rachel Whetstone, Senior Vice President of Communications and Policy, replied that, ???Microsoft omitted important information from its blog post today.[/i]

    What else is she going to say? The truth? Like when they got cuaght tracking users via cell phones -
    "Oh, it was a programming error"
    Or when they got caught bypassing Safari's settings -
    "Oh, it was a programming error".
    Or when they got caught logging people's wifi info -
    "Oh, it was a programming error"

    Just saying, it sounds like another Google FUDfest to me.
    William Farrel
    • Reading 101 Dumb

      Not even Microsoft's own sites "obey" this protocol. Grow up and be honest, please. Or not, and just be yet another useless piece of wasted bandwith.
      ego.sum.stig
      • RE: Not so fast Microsoft! Google fires back at MS privacy claims.

        So they should enforce it on themselves and then Google can shut it.
        Michael Alan Goff
    • RE: Not so fast Microsoft! Google fires back at MS privacy claims.

      @William Farrel You wouldn't know the truth if somebody tied it to a brick amd hit you with it.
      slickjim
      • RE: Not so fast Microsoft! Google fires back at MS privacy claims.

        Neither would you when it comes to Google doing something wrong.
        Michael Alan Goff
      • Kettle meet pot... Pot...Kettle.

        @Peter Perry

        Pagan jim
        James Quinn