Microsoft Says Google Bypassing Users’ IE Privacy Settings

The relations among Microsoft, Apple and Google, which are testy in the best of circumstances, are being pressured even more of late as the controversy surrounding Google’s actions with cookies and user tracking grows. In the latest installment, Microsoft has said that it has found that Google “is employing similar methods to get around the default privacy protections in IE and track IE users with cookies.”


The controversy stems from the way that browsers handle third-party cookies and whether they allow third-party sites to track users through the use of those cookies. Many browsers, including Apple Safari and Microsoft Internet Explorer, block third-party cookies by default, but Microsoft officials say that Google is using a small loophole in the P3P privacy specification to allow sites to set third-party cookies without users’ knowledge.

“By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent,” Dean Hachamovitch, corporate vice president for Internet Explorer at Microsoft, said in a blog post.

Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy. P3P-compliant browsers interpret Google’s policy as indicating that the cookie will not be used for any tracking purpose or any purpose at all. By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked.

Microsoft’s issues with Google follow findings by researchers at Stanford University that Google was bypassing the default privacy settings in Safari. That was being done through the addition of some code to ads that mimicked a user interacting with those ads, which would override the default cookie-blocking policy.

Microsoft officials said they’re looking at what they should do in response to what they’ve found.

“Given this real-world behavior, we are investigating what additional changes to make to our products. The P3P specification says that browsers should ignore unknown tokens. Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action,” Hachamovitch wrote.
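The difference between the specification's "ignore unknown tokens" rule and the stricter handling under investigation can be shown with a small model of compact-policy evaluation. This is an added example, not Internet Explorer's code: the token list is the P3P 1.0 compact vocabulary, while the `OBJECTIONABLE` set, the function names and the sample header values are assumptions constructed for illustration.

```python
import re

# Compact-policy tokens defined by P3P 1.0.
KNOWN = set("""NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR ADM DEV TAI PSA
PSD IVA IVD CON HIS TEL OTP OUR DEL SAM UNR PUB OTR NOR STP LEG BUS IND PHY ONL
UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC TST""".split())
# Purpose and recipient tokens may carry an a/i/o consent suffix (e.g. TELa).
SUFFIXABLE = set("CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP "
                 "OUR DEL SAM UNR PUB OTR".split())
# Assumption: tokens this model treats as declaring an unacceptable use.
OBJECTIONABLE = {"TEL", "OTP", "UNR", "PUB"}

def parse_cp(header_value):
    """Split a P3P header's CP="..." value into (known, unknown) tokens."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value or "")
    if m is None:
        return None  # no compact policy presented
    known, unknown = [], []
    for tok in m.group(1).split():
        base = tok
        if len(tok) == 4 and tok[3] in "aio" and tok[:3] in SUFFIXABLE:
            base = tok[:3]
        if base in KNOWN:
            known.append(base)
        else:
            unknown.append(tok)
    return known, unknown

def accept_third_party_cookie(header_value, strict=False):
    """Lenient: ignore unknown tokens. Strict: unknown tokens mean block."""
    parsed = parse_cp(header_value)
    if parsed is None:
        return False  # default: third-party cookie blocked without a policy
    known, unknown = parsed
    if strict and (unknown or not known):
        return False  # unrecognized or empty policy is not a declaration
    return not any(t in OBJECTIONABLE for t in known)

# Constructed sample header values (not captured traffic).
SAMPLES = {
    "declared": 'CP="NOI DSP COR NID CUR ADM DEV OUR BUS"',
    "not_a_policy": 'CP="This is not a P3P policy"',
    "declares_tracking": 'CP="NOI TELa UNR"',
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, accept_third_party_cookie(value),
              accept_third_party_cookie(value, strict=True))
```

In the lenient mode, a policy made up only of unrecognized words leaves nothing to object to and the cookie is accepted; the strict mode treats the same header as no declaration at all.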

