Microsoft has accused Google of bypassing IE privacy preferences to track users as they surf the web, but Google says the workaround is necessary for modern web features such as Facebook 'Like' buttons
Microsoft has accused Google of bypassing the privacy preferences of Internet Explorer users, but Google has countered that Microsoft's privacy mechanism is out of date and frequently ignored.
Internet Explorer (IE) chief Dean Hachamovitch said in a
blog post on Monday that Google was circumventing the Platform for
Privacy Preferences (P3P) implementation in IE6, 7 and 8. P3P lets users define how their browser handles tracking cookies; IE9 introduced
a 'Tracking
Protection' feature that is tougher than P3P.
The P3P standard uses tokens called compact policies (CPs), which
websites can use to tell the browser what their privacy practices are.
This lets the browser then decide whether to block cookies associated
with the site, according to the user's preferences.
Someone may, for example, use their browser's P3P function to say
they are fine with a site using first-party cookies — a common
authentication tool — but they want third-party cookies to be
blocked from tracking them as they move between sites.
Google's advertising-focused business model largely depends on the
use of such third-party cookies. In this latest Google privacy row,
the company has been accused of tricking browsers such as Safari and
IE into not recognising its cookies as third-party, allowing them to
continue tracking users.
Hachamovitch said Microsoft had "contacted Google and asked them to
commit to honouring P3P privacy settings for users of all
browsers".
'Impractical' request
However, IE is the only major browser to support P3P —
Mozilla once used it for Firefox, but ditched it
in 2003, the year after P3P came out.
It is well known — including by Microsoft — that it is impractical to comply with Microsoft's [P3P] request while providing modern web functionality.
– Rachel Whetstone, Google
"It is well known — including by Microsoft — that it is
impractical to comply with Microsoft's [P3P] request while providing
modern web functionality," Google policy chief Rachel Whetstone said
in a statement on Monday. "We have been open about our approach, as
have many other websites."
Whetstone described P3P as "widely non-operational", pointing to a
2010
paper that detailed widespread workarounds for bypassing the
protocol. The Carnegie Mellon paper suggested that around a third of
websites — including giants such as Facebook and Amazon —
were not complying with P3P, either on purpose or by accident.
According to Google, P3P was not particularly problematic when it
was introduced, "but newer cookie-based features are broken by the
Microsoft implementation in IE".
"These include things like Facebook 'Like' buttons, the ability to
sign in to websites using your Google account, and hundreds more
modern web services," Google said in its statement. "It is well known
that it is impractical to comply with Microsoft's request while
providing this web functionality."
Indeed, the Carnegie Mellon paper referenced a 2006 post on
Microsoft's own support site, which detailed a way to bypass P3P. That
article is not currently available, but a German version
remains live on the Microsoft support site.
In his post, Hachamovitch said Microsoft was giving IE users a
Tracking Protection list that they could use to block Google's
third-party cookies from following them around the web. While he did
not go so far as to say Microsoft was dropping support for P3P, he
suggested that the company was no longer focusing on the protocol's
implementation.
"Because of the issues noted above, and the ongoing development of
new mechanisms to track users that do not involve cookies, our focus
is on the new Tracking Protection technology," Hachamovitch wrote.
Get the latest technology news and analysis, blogs and reviews
delivered directly to your inbox with ZDNet UK's
newsletters.
Join Discussion