Late last week the Wall Street Journal made quite a splash when it accused Google of tracking Safari users' activities without their knowledge. This past weekend Dean Hachamovitch, corporate vice president for Internet Explorer at Microsoft, penned a blog post that claims Google also circumvented the privacy settings of IE users.
Hachomovitch says that by default, Internet Explorer blocks third-party cookies unless the site presents a P3P Compact Policy Statement that describes how the site will use the cookie and that it will not use it to track a user. P3P, an official recommendation of the World Wide Web Consortium, is a technology that all browsers and websites can support and sites use P3P to indicate how they intend to use cookies and user information. Hachomovitch says that by supporting P3P, browsers can block or allow cookies to honor user privacy preferences with respect to the site’s stated intentions. However, according to Microsoft, Google approaches things a bit different.
"Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy. It’s intended for humans to read even though P3P policies are designed for browsers to "read":
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Google has responded to Hachomovitch's lengthy post with its own statement that dubs Microsoft's P3P cookie technology "widely non-operational" and highlights the fact that it is not alone in its tactics to attempt to get around this technology. Google says that P3P didn’t have a huge impact when it was introduced in 2002 when P3P, but these days, it actually breaks cookie-based features, such as Facebook's 'Like' feature (incidentally, Facebook is another company that doesn't comply with P3P).
"Despite having been around for over a decade, P3P adoption has not taken off. It’s worth noting again that less than 12 percent of the more than 3,000 websites TRUSTe certifies have a P3P compact policy. The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure," said Rachel Whetstone, Senior Vice President of Communications and Policy at Google. "A 2010 research paper by Carnegie Mellon found that 11,176 of 33,139 websites were not issuing valid P3P policies as requested by Microsoft. In the research paper, among the websites that were most frequently providing different code to that requested by Microsoft: Microsoft’s own live.com and msn.com websites.
What's more, Whetstone goes on to say that the reason all of these websites have decided against issuing valid P3P policies is because Microsoft said it was okay not to. Apparently that same Carnegie Mellon research paper from two years ago found that "Microsoft's support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE."
Microsoft has yet to respond to Google's lengthy statement but Google seems pretty adamant that it's not doing anything wrong. Or at least, if it is, it's not alone. This is the second time in the space of a few weeks that Microsoft has targeted Google publicly over privacy issues. Earlier this month, the company highlighted Google's controversial changes to its privacy policy with an ad campaign in several of the country's biggest newspapers. Redmond encouraged users unhappy with Google's actions to jump ship and try competing Microsoft products such as IE and Hotmail.
Further Reading
- Tom's Guide: WSJ: Safari Loophole Allowed Google to Track Users via Ads
- Microsoft: Google Bypassing User Privacy Settings
- Parislemon: Google's complete statement on the issue.