Facebook to Microsoft: P3P is outdated, what else ya got?

Facebook has confirmed it is also bypassing IE's privacy settings. The social networking giant has told the software giant that P3P is outdated. As they say on the playground: too bad, so sad.
Written by Emil Protalinski, Contributor

After Microsoft blamed Google for bypassing Internet Explorer's privacy settings, it soon became clear Facebook and tens of thousands of websites were doing the same thing by writing incorrectly formatted compact policies (CPs) for the Platform for Privacy Preferences Project (P3P). Microsoft yesterday told me it is looking into the Facebook angle. IE is the only major browser to support P3P. Facebook got back to me today.

"Facebook social plugins are built and designed to protect privacy by providing people with engaging social experiences on other websites without requiring any additional cookies to be set," a Facebook spokesperson said in a statement. "Therefore, our P3P policy is not intended to enable us to set additional cookies or to track users. While we would like to be able to express our cookie policy in a format that a browser could read, P3P was developed 5 years ago and is not effective in describing the practices of a modern social networking service and platform. Instead, we have posted a public notice describing our practices that is consistent with Section 3.2 of P3P. We have reached out directly to Microsoft in hopes of developing additional solutions and we would welcome the opportunity to work with W3 to update P3P to account for the advances in social networking and the web since 2007."

If you're wondering, Section 3.2 defines the syntax and semantics of P3P policies. As for the five-year mention, I think it should be 10. I'm not quite sure where Facebook got the year 2007 from, unless that's when it implemented its P3P policy (it also happens to be the year when Microsoft invested $240 million in Facebook). The World Wide Web Consortium (W3C) designed P3P to give users more control of their personal information when browsing, and officially recommended it on April 16, 2002. Furthermore, P3P has been part of Internet Explorer since IE6, which was released on August 27, 2001.

By default, IE blocks cookies that have CPs deemed unsatisfactory from a privacy perspective (such as collecting anything identifiable). Facebook is essentially saying that it is completely aware of the bug in IE that allows them to use an invalid CP so that the browser does not block the social network's cookies. Since P3P is outdated, Facebook is telling Microsoft to use something better. Until then, the social networking giant has no plans to change its practices.
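For anyone auditing the P3P headers their own sites or third-party embeds send, the check below flags compact policies that are not built from P3P tokens at all. It is an added example, not code from Facebook, Microsoft or this article; the header values are constructed, the token list is transcribed from the P3P 1.0 compact-policy vocabulary, and case-sensitive matching is an assumption of the example.

```python
import re

# P3P 1.0 compact-policy tokens, transcribed for this example; check against the W3C spec.
PLAIN = set("""NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR OUR
    NOR STP LEG BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA
    POL HEA PRE LOC GOV OTC TST""".split())
# Purpose and recipient tokens that may carry a consent suffix: a, i or o.
SUFFIXABLE = set("""ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP
    DEL SAM UNR PUB OTR""".split())
VALID = PLAIN | SUFFIXABLE | {t + s for t in SUFFIXABLE for s in "aio"}

CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)


def audit_p3p(header_value):
    """Classify the value of a P3P response header.

    Returns (verdict, unknown_tokens). The verdict covers token syntax only;
    it says nothing about whether the stated policy is true or complete.
    """
    match = CP_RE.search(header_value)
    if match is None:
        return ("no-compact-policy", [])
    tokens = match.group(1).split()
    if not tokens:
        return ("empty", [])
    unknown = [t for t in tokens if t not in VALID]  # case-sensitive (assumption)
    if not unknown:
        return ("valid-tokens", [])
    if len(unknown) == len(tokens):
        return ("not-a-policy", unknown)  # free text where tokens belong
    return ("partly-invalid", unknown)


# Constructed header values, not captured from any real site.
SAMPLES = [
    'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADMa OUR NOR STA"',
    'CP="This site does not publish a P3P policy"',
    'CP="NOI CUR OUR XYZ"',
    'policyref="/w3c/p3p.xml"',
]

if __name__ == "__main__":
    for value in SAMPLES:
        verdict, unknown = audit_p3p(value)
        print(f"{verdict:18} unknown={unknown}  {value}")
```

A "not-a-policy" or "partly-invalid" verdict on a header that arrives alongside third-party cookies is the case the article describes: a CP the browser cannot meaningfully evaluate.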

I have contacted Facebook for further clarification and also reached out to Microsoft again in case Redmond has more to add regarding Menlo Park's stance.

Update at 9:15 AM PST: "We have had our current P3P policy in place for ~2 years, 2007 was the last time the P3P Project had any updates," a Facebook spokesperson said in a statement. Microsoft told me it is still looking into Facebook's response.

Update at 10:00 AM PST: Microsoft declined to comment.
