X

Microsoft: Google bypassed IE privacy settings too

Discovery comes just days after Web giant was found to be sidestepping the user privacy preferences in Apple's Safari.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
3 min read

In the wake of reports that Google had sidestepped privacy settings in Apple's Safari browser, Microsoft announced today it had discovered that the Web giant had done the same with Internet Explorer.

"When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too?" IE executive Dean Hachamovitch wrote in a blog post this morning. "We've discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies."

The blog post, which details Microsoft's findings and offers privacy protection tips, said it has contacted Google about its concerns and asked it to "commit to honoring P3P privacy settings for users of all browsers."

In the blog post, Hachamovitch explained how the bypass occurs:

Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google's use of cookies and user information. Google's P3P policy is actually a statement that it is not a P3P policy.

Google countered that Microsoft backs a system that is dated and impractical.

"It is well known--including by Microsoft--that it is impractical to comply with Microsoft's request while providing modern Web functionality," Rachel Whetstone, senior vice president of communications and policy for Google, said in a statement to CNET this evening. "We have been open about our approach, as have many other Web sites."

"Today the Microsoft policy is widely non-operational," she continued. "A 2010 research report indicated that over 11,000 Web sites were not issuing valid P3P policies as requested by Microsoft."

P3P, or Platform for Privacy Preferences, is an official recommendation of the World Wide Web Consortium that sites use to summarize their privacy policies. However, the recommendation has been largely ignored since its introduction a decade ago, with many major Web sites such as Google.com, Apple.com, CNN.com, and Twitter.com opting not to use it to describe their policies.

Hachamovitch also took the opportunity to point out that IE users have access to a Tracking Protection List intended to prevent the P3P bypass. Additionally, he said Microsoft is "investigating what additional changes to make to our products. The P3P specification says that browsers should ignore unknown tokens. Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens."

Microsoft slammed Google earlier this week after The Wall Street Journal reported that Google had sidestepped Safari user privacy settings to track Internet users. The search giant and other ad companies reportedly used special code to get around Safari's privacy controls in order to track users on computers and mobile devices.

Updated at 6:45 p.m. PT with Google comment.