Not just Google: Facebook also bypasses privacy settings in IE

Google isn't the only one bypassing Microsoft Internet Explorer's privacy settings: Facebook does it too, as do tens of thousands of other companies. So, who is to blame?
Written by Emil Protalinski, Contributor

Update: Facebook has responded. Facebook to Microsoft: P3P is outdated, what else ya got?

Following the news that Google is tricking Apple's Safari browser by including privacy-circumventing code in its ads, Microsoft is now saying that Google bypassed privacy settings in Internet Explorer as well. The story goes deeper than that. Google isn't the only company to blame here: Facebook is doing the same thing, as are tens of thousands of other companies, according to TechPolicy.

Internet Explorer blocks third-party cookies that don't come with a special code – the Platform for Privacy Preferences Project (P3P) is a protocol allowing websites to declare their intended use of information they collect about browsing users. The World Wide Web Consortium (W3C) designed P3P to give users more control of their personal information when browsing, and officially recommended it on April 16, 2002. IE is the only major browser to support P3P.

By default, IE blocks cookies that have P3P compact policies (CPs) deemed unsatisfactory from a privacy perspective (such as collecting anything identifiable). Companies such as Google and Facebook have discovered that they can lie in their CPs and nobody does anything about it. Furthermore, due to a bug in IE, if they have an invalid CP, IE will not block their cookies. In other words, even if companies have an accurate CP, they just have to format it incorrectly to circumvent IE's cookie blocking.
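To make the mechanism concrete, here is an added illustration (not code from the article, from Microsoft, or from Facebook) of how a compact-policy check can be fooled. It parses P3P compact-policy tokens from the W3C vocabulary and applies a simplified approximation of IE's default third-party rule: a CP is unsatisfactory when it declares an identifiable-data category (PHY, ONL, GOV, FIN) together with a purpose or recipient used without opt-in or opt-out consent. The exact IE rule, the helper names and the sample CP strings other than Facebook's are assumptions made for this example; `lenient_decision` models the token-only behaviour the article describes, and `strict_decision` shows the hardened alternative that treats an unparseable CP as no CP at all.

```python
"""Evaluate P3P compact-policy (CP) strings the way a third-party-cookie
filter might, to show why an invalid CP slips past a token-only check.

Added example, not the article's, IE's or Facebook's code. The
'unsatisfactory' rule is a simplified approximation of IE's default
(medium) third-party rule, assumed here rather than quoted from the page.
"""
import re

# Token vocabulary from the W3C P3P 1.0 compact-policy specification.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
           "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "GOV", "FIN", "UNI", "PUR", "COM", "NAV", "INT",
            "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "OTC"}
OTHER = {"DSP", "COR", "MON", "LAW", "NID", "TST"}
# Only purpose and recipient tokens may carry an a/i/o consent suffix
# (always / opt-in / opt-out); an unsuffixed token means "always".
SUFFIXED = PURPOSE | RECIPIENT
ALL_TOKENS = ACCESS | PURPOSE | RECIPIENT | RETENTION | CATEGORY | OTHER

# Categories that identify a person (the assumption: IE treats these as PII).
IDENTIFIABLE = {"PHY", "ONL", "GOV", "FIN"}

TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")

# Constructed sample policies; the last one is the string quoted in the article.
SAFE_CP = "NOI DSP COR NID"
TRACKING_CP = ("PHY ONL FIN CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP "
               "OUR DEL SAM UNR PUB OTR IND")
OPT_OUT_CP = "CAO PSAo PSDo OURo IND ONL PHY"
FACEBOOK_CP = "Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p."


def parse_cp(cp):
    """Split a CP string into (base, suffix) pairs; return (tokens, unknown words)."""
    tokens, unknown = [], []
    for word in cp.split():
        m = TOKEN_RE.match(word)
        base, suffix = (m.group(1), m.group(2)) if m else (None, None)
        if base not in ALL_TOKENS or (suffix and base not in SUFFIXED):
            unknown.append(word)
            continue
        tokens.append((base, suffix or "a"))
    return tokens, unknown


def is_valid_cp(cp):
    """A CP is well-formed when it has at least one token and nothing else."""
    tokens, unknown = parse_cp(cp)
    return bool(tokens) and not unknown


def is_unsatisfactory(tokens):
    """Simplified third-party rule: an identifiable category is declared and
    at least one purpose or recipient is used without opt-in/opt-out."""
    bases = {base for base, _ in tokens}
    if not bases & IDENTIFIABLE:
        return False
    return any(base in SUFFIXED and suffix == "a" for base, suffix in tokens)


def lenient_decision(cp):
    """Token-only check, as the article describes IE's behaviour: block only
    when unsatisfactory tokens are present. An invalid CP parses to no
    tokens at all, so it is allowed through."""
    tokens, _ = parse_cp(cp)
    return "block" if is_unsatisfactory(tokens) else "allow"


def strict_decision(cp):
    """Hardened check: a CP that does not parse is treated like a missing CP."""
    if not is_valid_cp(cp):
        return "block"
    tokens, _ = parse_cp(cp)
    return "block" if is_unsatisfactory(tokens) else "allow"


if __name__ == "__main__":
    for name, cp in [("safe", SAFE_CP), ("tracking", TRACKING_CP),
                     ("opt-out", OPT_OUT_CP), ("facebook", FACEBOOK_CP)]:
        print(f"{name:9s} valid={is_valid_cp(cp)!s:5s} "
              f"lenient={lenient_decision(cp)} strict={strict_decision(cp)}")
```

Running it shows the gap the article points at: the tracking policy is blocked by both checks, the opt-out policy is allowed by both, but Facebook's sentence is allowed by the lenient check purely because it contains no recognised tokens, while the strict check rejects it as malformed.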

A 26-page research paper from September 2010 titled "Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens" (PDF) looked into the issue. After examining the CPs of 33,139 websites, the researchers from Carnegie Mellon University detected errors in 11,176 of them, including 21 of the top 100 most-visited websites (like Microsoft's own live.com and msn.com).

Facebook's compact policy states: P3P:CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p." The link in question takes you to a Facebook Help Center entry, which reads as follows:

Facebook's Platform for Privacy Preferences (P3P)

Thanks for your interest in privacy at Facebook. You are seeing this message because you attempted to access Facebook's Platform for Privacy Preferences (P3P) compact policy.

The organization that established P3P, the World Wide Web Consortium, suspended its work on this standard several years ago because most modern web browsers do not fully support P3P. As a result, the P3P standard is now out of date and does not reflect technologies that are currently in use on the web, so most websites currently do not have P3P policies.

In short, many companies are taking advantage of Internet Explorer's poor cookie blocking implementation for their own purposes. Their excuse is that P3P is dead and IE's cookie blocking would break their website, so they just work around the browser's privacy controls.

I have contacted Facebook and Microsoft about this issue and will update you if I hear back.

Update: "The IE team is looking into the reports about Facebook, but we have no additional information to share at this time," a Microsoft spokesperson said in a statement. Facebook has yet to reply.

Update 2: Facebook has responded. Facebook to Microsoft: P3P is outdated, what else ya got?
