Microsoft: Google bypassed privacy settings in IE, too

A week after Microsoft criticized Google over bypassing user privacy settings on Apple's Safari, the Softies are admitting publicly that Google did the same with Internet Explorer (IE).

On February 17, Microsoft used Google's circumventing of certain privacy settings on iPhones, iPads and Macs as a reason to tout IE's superiority in terms of privacy protection. But on February 20, in a post to the IEBlog, Microsoft officials admitted that Google also skirted IE users'  privacy settings, as well.

Dean Hachamovitch, Corporate Vice President of IE, blogged:

"Google is employing similar methods (to what it employed with Safari) to get around the default privacy protections in IE and track IE users with cookies. ...We've also contacted Google and asked them to commit to honoring P3P privacy settings for users of all browsers."

In today's blog post, Hachamovitch explained why IE also is vulnerable to Google's cookie practices:

"IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site's use does not include tracking the user. Google's P3P policy causes Internet Explorer to accept Google's cookies even though the policy does not state Google's intent....

"Google sends a P3P policy that fails to inform the browser about Google's use of cookies and user information. Google's P3P policy is actually a statement that it is not a P3P policy."

Hachamovitch said that IE users can take additional privacy steps by using an IE9 Tracking Protection list Microsoft created to thwart Google's policy on this specifically. He also said that Microsoft is "investigating what additional changes to make to its products -- including the possibility that IE, going forward, will ignore the P3P specification and block cookies with unrecognized tokens.

Update: Lorrie Faith Cranor, Director, CyLab Usable Privacy and Security Laboratory (CUPS) and an Associate Professor at Carnegie Mellon University, emailed me to tell me that she and her students alerted Microsoft to this potential P3P-centric privacy breach in 2010. Here's a paper she and some of her students wrote about it. She also did a blog post on February 18 on the Microsoft-sponsored Technology/Academics/Policy site noting not just Google, but Facebook, also can track IE users via the same P3P loophole.

Update No. 2: Microsoft's response to Cranor's post from a spokesperson: "The IE team is looking into the reports about Facebook, but we have no additional information to share at this time."

Update No. 3: Google officials (eventually) had plenty to say about Microsoft's disclosure today. Here's Google's response to Microsoft's blog post from today, attributable to Rachel Whetstone, Senior Vice President of Communications and Policy:

"Microsoft omitted important information from its blog post today.

"Microsoft uses a 'self-declaration' protocol (known as 'P3P') dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form.  It is well known - including by Microsoft - that it is impractical to comply with Microsoft's request while providing modern web functionality.  We have been open about our approach, as have many other websites.

"Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft."

Google officials noted that instead of fixing the P3P loophole in IE of which Facebook, Google and Amazon all are making use, Microsoft has not done so, yet its officials are complaining about it.