Google, Microsoft butt heads over IE privacy skirting
'Plenty of blame to go around' for both companies, says privacy researcher
Computerworld - Google yesterday countered Microsoft's contention that it's skirting Internet Explorer's privacy protection, saying it's "impractical" to comply with IE's rules.
One privacy researcher said there was enough blame to apportion to both Google and Microsoft.
The latest dustup over Google's privacy practices began early Monday, when Microsoft's top executive for IE accused Google of circumventing the browser's default privacy defense so that Google's ad network could track IE users' online movements without their permission.
Microsoft's charges were similar to ones made last week after the Wall Street Journal said Google was sidestepping the privacy protection of Apple's Safari, which is bundled with Mac OS X and is the only authorized browser on the iPhone and iPad.
On Monday, Dean Hachamovitch, who leads the IE team, said Google was getting around Microsoft's browser, too.
"Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies," Hachamovitch said in a blog post.
Google, said Hachamovitch, was gaming P3P to trick IE into accepting tracking cookies, even though Google's Compact Policy Statement does not spell out the search giant's intent. "Google bypasses the cookie protection [in IE] and enables its third-party cookies to be allowed rather than blocked," Hachamovitch charged.
Google returned volley today.
In a statement issued by Rachel Whetstone, senior vice president of communications and policy, Google asserted that it was "impractical to comply" with IE's P3P request because doing so prevented sites and services from providing features, including sign-in to multiple Google services.
"Today the Microsoft policy is widely non-operational," said Whetstone, citing a 2010 report that claimed more than 11,000 websites were not issuing valid P3P policies. "The reality is that consumers don't, by and large, use the P3P framework to make decisions about personal information disclosure."
Whetstone went on to say that Google has "been open about our approach" to P3P, and said Microsoft itself had recommended using invalid P3P codes as a work-around for a problem in IE. "This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft," she said.
The study referenced by Whetstone was conducted by a team at Carnegie Mellon University's CyLab and published in September 2010.
In the report, the researchers noted the widespread circumvention -- some apparently purposeful, some accidental -- of IE's cookie-blocking with malformed P3P compact policies. Among the companies involved, the report named Amazon, Facebook and Google.
"I think there is plenty of blame to go around," said Lorrie Faith Cranor, an associate professor of computer science at Carnegie Mellon, the director of its CyLab Usable Privacy and Security Laboratory and the faculty member who led the team that produced the 2010 report.