Google and Microsoft spar over user tracking

Microsoft has accused Google of bypassing IE privacy preferences to track users as they surf the web, but Google says the workaround is necessary for modern web features such as Facebook 'Like' buttons

Microsoft has accused Google of bypassing the privacy preferences of Internet Explorer users, but Google has countered that Microsoft's privacy mechanism is out of date and frequently ignored.

Internet Explorer (IE) chief Dean Hachamovitch said in a blog post on Monday that Google was circumventing the Platform for Privacy Preferences (P3P) implementation in IE6, 7 and 8. P3P lets users define how their browser handles tracking cookies; IE9 introduced a 'Tracking Protection' feature that is tougher than P3P.

"We've found that Google bypasses the P3P privacy protection feature in IE," Hachamovitch wrote. "The result is similar to the recent reports of Google's circumvention of privacy protections in Apple's Safari web browser, even though the actual bypass mechanism Google uses is different."

The P3P standard uses tokens called compact policies (CPs), which websites can use to tell the browser what their privacy practices are. The browser can then decide whether to block cookies associated with the site, according to the user's preferences.

Someone may, for example, use their browser's P3P function to say they are fine with a site using first-party cookies — a common authentication tool — but they want third-party cookies to be blocked from tracking them as they move between sites.

Google's advertising-focused business model largely depends on the use of such third-party cookies. In this latest Google privacy row, the company has been accused of tricking browsers such as Safari and IE into not recognising its cookies as third-party, allowing them to continue tracking users.

Hachamovitch said Microsoft had "contacted Google and asked them to commit to honouring P3P privacy settings for users of all browsers".

'Impractical' request

However, IE is the only major browser to support P3P — Mozilla once used it for Firefox, but ditched it in 2003, the year after P3P came out.

"It is well known — including by Microsoft — that it is impractical to comply with Microsoft's [P3P] request while providing modern web functionality," Google policy chief Rachel Whetstone said in a statement on Monday. "We have been open about our approach, as have many other websites."

Whetstone described P3P as "widely non-operational", pointing to a 2010 paper that detailed widespread workarounds for bypassing the protocol. The Carnegie Mellon paper suggested that around a third of websites — including giants such as Facebook and Amazon — were not complying with P3P, either on purpose or by accident.

According to Google, P3P was not particularly problematic when it was introduced, "but newer cookie-based features are broken by the Microsoft implementation in IE".

"These include things like Facebook 'Like' buttons, the ability to sign in to websites using your Google account, and hundreds more modern web services," Google said in its statement. "It is well known that it is impractical to comply with Microsoft's request while providing this web functionality."

Indeed, the Carnegie Mellon paper referenced a 2006 post on Microsoft's own support site, which detailed a way to bypass P3P. That article is not currently available, but a German version remains live on the Microsoft support site.

In his post, Hachamovitch said Microsoft was giving IE users a Tracking Protection list that they could use to block Google's third-party cookies from following them around the web. While he did not go so far as to say Microsoft was dropping support for P3P, he suggested that the company was no longer focusing on the protocol's implementation.

"Because of the issues noted above, and the ongoing development of new mechanisms to track users that do not involve cookies, our focus is on the new Tracking Protection technology," Hachamovitch wrote.
