Google, Facebook bypass IE privacy settings; researchers say Microsoft knew since 2010

Microsoft announced Google is bypassing IE privacy settings and tracking users, but researchers told Microsoft in 2010 about the potential of breaching IE privacy protections and about 11,000 websites that were bypassing privacy policy settings.

Microsoft announced that, after it learned Google was bypassing Safari privacy settings, it "discovered" Google is also bypassing IE privacy settings. In 2002, with IE 6, Microsoft implemented the Platform for Privacy Preferences (P3P), which requires websites to publish "compact" machine-readable descriptions of their privacy policies. However, it's 2012, and there are allegations that Microsoft was warned in 2010 of the possibility of a P3P privacy breach, and of the 11,000 sites that were doing so without issuing a valid P3P privacy policy.

According to the IE Blog, "Google bypasses the P3P Privacy Protection feature in IE. The result is similar to the recent reports of Google's circumvention of privacy protections in Apple's Safari Web browser, even though the actual bypass mechanism Google uses is different. Internet Explorer 9 has an additional privacy feature called Tracking Protection which is not susceptible to this type of bypass. Microsoft recommends that customers who want to protect themselves from Google's bypass of P3P Privacy Protection use Internet Explorer 9 and click here to add a Tracking Protection List. Customers can find additional lists and information on this page."

Lorrie Faith Cranor, Director of Carnegie Mellon University's CyLab "Usable Privacy and Security Laboratory" told ZDNet that Microsoft was alerted to this "potential P3P-centric privacy breach in 2010. Here's a paper she and some of her students wrote about it. She also did a blog post on February 18 on the Microsoft-sponsored Technology/Academics/Policy site noting not just Google, but Facebook, also can track IE users via the same P3P loophole."

Microsoft "is looking into the reports about Facebook." Yet last week the New York Times reported you might want to "rethink" the strategy of using IE's privacy settings for cookie control. The article references the 2010 CyLab research about the IE loophole. Researchers reported "that a third of the more than 33,000 sites they studied have technical errors that cause I.E. to allow cookies to install, even if the browser has been set to reject them. Of the 100 most visited destinations on the Internet, 21 sites had the errors, including Facebook, several of Microsoft's own sites, Amazon, IMDB, AOL, Mapquest, GoDaddy and Hulu."
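The "technical errors" the CyLab study describes are compact policies whose tokens are not valid P3P tokens, or a P3P header that carries no compact policy at all. The following audit script is an added example, not code from the article, CyLab or Microsoft: it checks a site's own `P3P` response-header value against the P3P 1.0 compact-policy vocabulary (listed here from memory of the W3C specification; verify against the spec before relying on it) and reports whether the policy is valid, empty, missing, or contains unrecognised tokens. The sample header values are constructed for illustration.

```python
import re

# P3P 1.0 compact-policy tokens that take no opt-in/opt-out suffix.
# Assumption: vocabulary reproduced from memory of the W3C P3P 1.0 spec.
_BASE = {
    "NOI", "ALL", "CAP", "CAO", "IDC", "OTI",                  # access
    "DSP",                                                      # disputes
    "COR", "MON", "LAW",                                        # remedies
    "NID",                                                      # non-identifiable
    "CUR",                                                      # purpose (no suffix)
    "OUR",                                                      # recipient (no suffix)
    "NOR", "STP", "LEG", "BUS", "IND",                          # retention
    "PHY", "ONL", "GOV", "FIN", "UNI", "PUR", "COM", "NAV", "INT",
    "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "OTC",     # categories
    "TST",                                                      # test policy
}
# Purpose and recipient tokens that may carry an 'a', 'i' or 'o' suffix
# (always / opt-in / opt-out).
_SUFFIXED = {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS",
             "TEL", "OTP", "DEL", "SAM", "UNR", "PUB", "OTR"}
_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)


def _is_valid_token(tok):
    """True if tok is a well-formed compact-policy token."""
    if tok in _BASE:
        return True
    return (tok[:3] in _SUFFIXED
            and (len(tok) == 3 or (len(tok) == 4 and tok[3] in "aio")))


def parse_compact_policy(header_value):
    """Return (tokens, bad_tokens) for a P3P header value, or (None, None) if
    the header carries no CP="..." compact policy (e.g. only a policyref)."""
    match = _CP_RE.search(header_value)
    if not match:
        return None, None
    tokens = match.group(1).split()
    return tokens, [t for t in tokens if not _is_valid_token(t)]


def audit(header_value):
    """Classify a P3P header value the way a site audit would report it."""
    tokens, bad = parse_compact_policy(header_value)
    if tokens is None:
        return "no compact policy"
    if not tokens:
        return "empty compact policy"
    if bad:
        return "invalid tokens: " + " ".join(bad)
    return "valid"


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for sample in ('CP="NOI DSP COR CUR ADMa DEVa OUR IND COM NAV INT"',
                   'CP="Not a compact policy"', 'CP=""',
                   'policyref="/w3c/p3p.xml"'):
        print(f"{sample!r:60} -> {audit(sample)}")
```

A site whose header is reported as anything other than "valid" is one IE's P3P evaluation cannot interpret as intended, which is exactly the class of error the study counted.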

Also last week Cranor wrote:

The excuse everyone uses to justify this circumvention is that P3P is dead and IE breaks the cool things they want to do on their website, so therefore it is ok to circumvent browser privacy controls. There is a long painful history associated with P3P (and one that I played a significant role in -- I chaired the P3P working group and literally wrote the book on P3P), and I will be the first to admit that P3P is on life support at best right now. But despite that, Microsoft is still using it as part of their default cookie settings that the vast majority of IE users depend on. So, if you don't like P3P, how about asking Microsoft to take P3P out of their browser?

Google came back with its own allegations that Microsoft knows it is "impractical" for websites to comply with having "machine-readable" privacy practices and that "the Microsoft policy is widely non-operational." Google's Rachel Whetstone, Senior Vice President of Communications and Policy, told ZDNet, "A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft."

Meanwhile, members of the Congressional Bi-Partisan Privacy Caucus wrote a letter [PDF] to the FTC asking about Google bypassing Safari cookies. "Google's practices could have a wide sweeping impact because Safari is a major web browser used by millions of Americans," the letter stated, before asking about "any actions the FTC has taken or plans to take to investigate whether Google has violated the terms of its consent agreement."

Follow me on Twitter @PrivacyFanatic

Copyright © 2012 IDG Communications, Inc.