IE Privacy: Microsoft accuses Google of bypassing settings

Microsoft accuses Google of bypassing Internet Explorer 9’s privacy settings. This is another affair related to cookies, but Google has defended their practices.

Microsoft seems to be planning an attack against Google by criticising them for not respecting user’s privacy. While Google is unifying their privacy settings across all products from the 1st of March, Microsoft have used their announcement to criticise these rules through an advertising campaign (see our news).

The battle is not over, with revelations being published in The Wall Street Journal about Google spying on users of Apple’s Safari browser. This indiscretion is based on advertising which is based on cookies.

With Internet Explorer, Microsoft also claims that they have been the victim of Google bypassing their privacy settings: "Google employs similar methods to bypass the default privacy protection settings used in IE, and to while diverting IE users with cookies."

Microsoft’s Vice-president of Internet Explorer, Dean Hachamovitch explains that by default IE blocks third party cookies unless a P3P declaration indicates that the site doesn’t use the cookie to trace users. Microsoft accuses Google of sending a character chain – a "nuance in the P3P specification" – which tricks the browser by making it think that the cookie won’t be used for tracking.

P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

"By sending this text, Google bypasses the cookie protection and allows access to third party cookies rather than blocking them". This text indicates that it isn’t a P3P policy and provides a link to a Google help page providing additional information where it explains that W3C’s P3P protocol (Platform for Privacy Preferences) defines the confidentiality settings in practice, although not as they have been conceived for various situations.


Google fires back
Microsoft hasn’t said though that Facebook and a lot of other sites including Amazon react in the same way as Google. Google has also answered that according to a 2010 study (PDF), more than 11 000 Web sites out of 33 000 don’t conform to a P3P policy like that desired by Microsoft.

According to a Google spokesperson (via Ars Technica), Facebook’s Like button, the possibility of connecting to Web sites via a Google account and hundreds of modern services would be made "inoperable with Microsoft’s P3P policy". "Today, Microsoft’s policy is largely non-operational".

The P3P standard dates from 2002. In the study cited by Google, we note that msn.com and live.com... both operated by Microsoft, don’t respect the standard either (although Microsoft.com does).