Feb. 21, 2012 at 8:48 AM ET
After it was discovered that Google was bypassing privacy settings in Apple's mobile Safari browser, the Internet Explorer team decided to check if the search engine giant is engaging in any similar behavior with Microsoft's browser as well. Turns out that it is — but there's no need to hit any panic alarms just yet.
Long story short: Microsoft is calling out Google for failing to comply with a decade-old, uncommonly used protocol — one plenty of other tech companies don't comply with either, including (in some cases), Microsoft.
(Msnbc.com is a joint venture of Microsoft and NBC Universal.)
According to a blog post by Microsoft's Dean Hachamovitch, Google is circumventing something called the Platform for Privacy Preferences Project (P3P) in order to use third-party cookies. This protocol was first developed in the 1990s, according to the New York Times, and never took off. Most modern browsers rely on alternative security and privacy features.
Microsoft's Internet Explorer is the only major browser to truly integrate and support P3P. Internet Explorer blocks third-party cookies — such as those used to track Web-browsing habits or to personalize ads — by default, unless a website presents something called a P3P Compact Policy Statement. This P3P statement comes in the form of machine-readable tokens — meaning that browsers, not humans, are meant to interpret it — and indicates "how the site will use the cookie[s] and that the site’s use does not include tracking the user."
Hachamovitch shared the P3P Compact Policy Statement from Microsoft.com to provide an example of what a browser is presented with:
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Each of those letter strings means something to the browser, writes Hachamovitch:
For example, ‘SAMo’ indicates that ‘We [the site] share information with Legal entities following our practices,’ and ‘TAI’ indicates ‘Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization.’
So how's Google circumventing the P3P Privacy Protection and preventing its third-party cookies from being blocked? Simple: By taking advantage of a little loophole in the policy specifications and sending the following text in place of the P3P Compact Policy statement:
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
"Wait, that looks nothing like that letter salad sent by Microsoft.com and other websites," you might be thinking. And you're very right to call that out.
Google's text is intended to be read by humans — even though most won't ever dig deep enough into their browser to encounter the text — and it confuses browsers that are expecting the previously mentioned letter salad. These confused browsers interpret Google's text to mean that cookies "will not be used for any tracking purpose or any purpose at all" and so they allow the company's third-party cookies instead of blocking them.
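To make the loophole concrete, here is a small evaluator for P3P compact-policy headers. It is an added illustration written for this article, not code from Internet Explorer, Microsoft or Google, and its decision rule is a simplified stand-in for IE's real cookie logic (as the author of this example recalls it: block a third-party cookie whose policy declares personally identifiable data together with a purpose or recipient that lacks an opt-in or opt-out suffix). The token vocabulary is the P3P 1.0 compact-policy set; the two headers quoted in the article are used as input, plus one constructed header that declares no consent. The lenient variant ignores tokens it does not recognise, which is exactly what lets the human-readable string pass; the strict variant treats any unrecognised token as a malformed policy and falls back to the no-policy behaviour.

```python
"""Toy P3P compact-policy (CP) evaluator.

Hypothetical example code written to illustrate the article; it is not
Internet Explorer's implementation and not Microsoft's or Google's code.
The token sets below follow the P3P 1.0 compact-policy vocabulary; the
blocking rule is an approximation of IE's default third-party behaviour.
"""
import re

# P3P 1.0 compact-policy base tokens, grouped by policy element.
ACCESS = {"NOI", "ALL", "CAP", "CAO", "IDC", "OTI", "NON"}
DISPUTES_REMEDIES = {"DSP", "COR", "MON", "LAW"}
NONIDENT = {"NID"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
           "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
            "DEM", "CNT", "STA", "HEA", "PRE", "GOV", "OTC"}
TEST = {"TST"}
SUFFIXED = PURPOSE | RECIPIENT          # may carry an a/i/o suffix
KNOWN = (ACCESS | DISPUTES_REMEDIES | NONIDENT | PURPOSE | RECIPIENT
         | RETENTION | CATEGORY | TEST)

# Simplified blocking rule (assumption for this demo): identifiable-data
# categories combined with these uses require an opt-in (i) or opt-out (o).
IDENTIFIABLE = {"PHY", "ONL", "GOV", "FIN"}
NEEDS_CONSENT = {"IVA", "IVD", "CON", "TEL", "OTP", "SAM", "OTR", "UNR", "PUB"}

# Headers quoted in the article, plus one constructed header with no consent.
MICROSOFT_HEADER = ('P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA '
                    'PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"')
GOOGLE_HEADER = ('P3P: CP="This is not a P3P policy! See '
                 'http://www.google.com/support/accounts/bin/answer.py'
                 '?hl=en&answer=151657 for more info."')
NO_CONSENT_HEADER = 'P3P: CP="NOI DSP COR PHY ONL SAM OUR"'   # constructed

_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')


def parse_cp(header_value):
    """Return the whitespace-separated tokens inside CP="...", or [] if absent."""
    m = _CP_RE.search(header_value)
    return m.group(1).split() if m else []


def base_token(tok):
    """Strip an a/i/o suffix from purpose/recipient tokens ('SAMo' -> 'SAM')."""
    if len(tok) == 4 and tok[-1] in "aio" and tok[:3] in SUFFIXED:
        return tok[:3]
    return tok


def unknown_tokens(tokens):
    """Tokens that are not in the P3P 1.0 compact-policy vocabulary."""
    return [t for t in tokens if base_token(t) not in KNOWN]


def satisfactory(tokens):
    """True unless identifiable data is paired with a use lacking i/o consent."""
    bases = {base_token(t) for t in tokens}
    if not bases & IDENTIFIABLE:
        return True
    for tok in tokens:
        base = base_token(tok)
        has_consent = tok != base and tok[-1] in "io"
        if base in NEEDS_CONSENT and not has_consent:
            return False
    return True


def lenient_decision(header_value):
    """The loophole: unknown tokens are skipped, so a header made of plain
    words declares no identifiable categories and reads as 'no tracking'."""
    tokens = parse_cp(header_value)
    if not tokens:
        return "block"                     # no compact policy at all
    return "allow" if satisfactory(tokens) else "block"


def strict_decision(header_value):
    """Hardened variant: a policy with any unrecognised token is malformed
    and is handled exactly like a missing policy."""
    tokens = parse_cp(header_value)
    if not tokens or unknown_tokens(tokens):
        return "block"
    return "allow" if satisfactory(tokens) else "block"


if __name__ == "__main__":
    for name, hdr in [("microsoft", MICROSOFT_HEADER), ("google", GOOGLE_HEADER),
                      ("no-consent", NO_CONSENT_HEADER)]:
        print(f"{name:11s} lenient={lenient_decision(hdr):5s} "
              f"strict={strict_decision(hdr):5s} "
              f"unknown={unknown_tokens(parse_cp(hdr))}")
```

Under the lenient rule Google's header is allowed because none of its words is a recognised category token, while the strict rule blocks it as malformed. The strict rule also flags `CUSo` in the Microsoft.com header, a token outside the P3P 1.0 vocabulary this example knows, which is the practical caveat: a parser that rejects unknown tokens will also reject policies from sites using vendor extensions, so a real browser would have to decide whether that is the behaviour it wants.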
Hachamovitch's blog post suggests that Google should be aware that this happens and that Microsoft has asked the company to commit to honoring P3P privacy policies and settings.
Based on a statement we received from Rachel Whetstone, Google's Senior Vice President of Communications and Policy, it doesn't appear as if the search engine giant has any plans to change what it's doing though:
Microsoft omitted important information from its blog post [on Monday].
Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known — including by Microsoft — that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other websites.
Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.
Additional information provided by Google also calls attention to an awkward detail: that the 2010 research report, which came out of Carnegie Mellon, revealed that Microsoft’s own live.com and msn.com websites were among the "websites that were most frequently providing different code to that requested by Microsoft," just like Google.
Want more tech news, silly puns, or amusing links? You'll get plenty of all three if you keep up with Rosa Golijan, the writer of this post, by following her on Twitter, subscribing to her Facebook posts, or circling her on Google+.