Google, Microsoft butt heads over IE privacy skirting

Computerworld - Google yesterday countered Microsoft's contention that it's skirting Internet Explorer's privacy protection, saying it's "impractical" to comply with IE's rules.

One privacy researcher said there was enough blame to apportion to both Google and Microsoft.

The latest dustup over Google's privacy practices began early Monday, when Microsoft's top executive for IE accused Google of circumventing the browser's default privacy defense so that Google's ad network could track IE users' online movements without their permission.

Microsoft's charges were similar to ones made last week after the Wall Street Journal said Google was sidestepping the privacy protection of Apple's Safari, which is bundled with Mac OS X and is the only authorized browser on the iPhone and iPad.

On Monday, Dean Hachamovitch, who leads the IE team, said Google was getting around Microsoft's browser, too.

"Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies," Hachamovitch said in a blog post.

P3P, for "Platform for Privacy Preferences," is a 10-year-old Web standard that websites can use to describe how they use cookies and user information. By default, IE blocks all tracking cookies from sites that do not present a valid P3P compact policy (CP), a string of codes sent to browsers as part of the HTTP header.

Google, said Hachamovitch, was gaming P3P to trick IE into accepting tracking cookies, even though Google's Compact Policy Statement does not spell out the search giant's intent. "Google bypasses the cookie protection [in IE] and enables its third-party cookies to be allowed rather than blocked," Hachamovitch charged.

Google returned volley today.

In a statement issued by Rachel Whetstone, senior vice president of communications and policy, Google asserted that it was "impractical to comply" with IE's P3P request because doing so prevented sites and services from providing features, including sign-in to multiple Google services.

"Today the Microsoft policy is widely non-operational," said Whetstone, citing a 2010 report that claimed more than 11,000 websites were not issuing valid P3P policies. "The reality is that consumers don't, by and large, use the P3P framework to make decisions about personal information disclosure."

Whetstone went on to say that Google has "been open about our approach" to P3P, and said Microsoft itself had recommended using invalid P3P codes as a work-around for a problem in IE. "This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft," she said.

The study referenced by Whetstone was conducted by a team at Carnegie Mellon University's CyLab and published in September 2010 (download PDF).

In the report, the researchers noted the widespread circumvention -- some apparently purposeful, some accidental -- of IE's cookie-blocking with malformed P3P compact policies. Among the companies involved, the report named Amazon, Facebook and Google.

"I think there is plenty of blame to go around," said Lorrie Faith Cranor, an associate professor of computer science at Carnegie Mellon, the director of its CyLab Usable Privacy and Security Laboratory and the faculty member who lead the team that produced the 2010 report.

She said Microsoft was partly to blame for not complaining about companies circumventing its privacy policy and not taking steps to modify IE. Cranor reported her team's findings to Microsoft in the fall of 2010, but she did not receive any formal reply. However, Cranor said that shortly afterward, Microsoft scrubbed its support site of the workaround recommendation Whetstone mentioned.