Microsoft released a blog post Monday condemning Google in light of the controversy over their circumvention of Safari users’ privacy settings. Stanford researcher Jonathan Mayer discovered that Google and three other companies had “tricked” Safari into believing visitors had interacted with the page and therefore allowing third-party cookies.
There’s a good technical explanation of how this particular incident happened over at WSJ.com. We will be bringing more information on the practice of circumventing browser settings later this week.
Microsoft Skewers Google, Forgets to Mention Facebook is Doing the Same Thing
“When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies.”
Oddly, though, Microsoft’s “discovery” comes two days after TAP blog published “Internet Explorer privacy protections also being circumvented by Google, Facebook, and many more,” by Carnegie Mellon University Associate Professor Lorrie Faith Cranor.
It’s entirely possible Microsoft wasn’t aware of Cranor’s post, which names Facebook as another of the thousands of companies who take advantage of a bug in IE9 to get around cookie settings. Of course, that would be easier to swallow if the blog Cranor published on were not also owned by Microsoft.
For all the hype and technical jargon in Microsoft’s blog post about the P3P loophole and how terrible Google is for using it, what does Facebook have to say about it?
Google’s Gaffe = An IE9 Marketing Opportunity?
Authored by Dean Hachamovitch, IE Corporate Vice President, Microsoft’s post goes on to tell users how their browser settings woes can be solved:
“We’ve found that Google bypasses the P3P Privacy Protection feature in IE. The result is similar to the recent reports of Google’s circumvention of privacy protections in Apple’s Safari Web browser, even though the actual bypass mechanism Google uses is different.
Internet Explorer 9 has an additional privacy feature called Tracking Protection which is not susceptible to this type of bypass. Microsoft recommends that customers who want to protect themselves from Google’s bypass of P3P Privacy Protection use Internet Explorer 9 and click here to add a Tracking Protection List.”
Microsoft also seized on the opportunity to tell users to “browse without being browsed,” because Internet Explorer “respects your privacy.”
“But, companies have discovered that they can lie in their CPs and nobody bothers to do anything about it. We've found thousands of companies with CPs that don't seem to match their actual practices. Companies have also discovered that, due to a bug in IE, if they have an invalid CP, IE will not block it. So P3P:CP="BOGUS CP" allows a company to circumvent IE cookie blocking! Now they don't have to lie. But they can put in this code that basically turns off IE cookie blocking. Looks like a circumvention to me.”
Cranor also wrote about IE9’s privacy features when it was first released in March, 2011. At that time, she wrote a lengthy review and surmised that it still presented a number of very real problems for users.
“IE9 now has a confusing array of poorly-implemented privacy features that interact with each other in strange ways. If I don't turn on a TPL or change any privacy settings, then third-party cookies might be blocked depending on their P3P compact policies,” she wrote. “If I turn on a TPL that allows a particular site, does it unblock third-party cookies that would otherwise be blocked? And some day when the do-not-track header actually means something, will IE continue to send it to every website if I turn it on, even sites where I have explicitly turned off Tracking Protection or used a TPL to allow tracking?”
Google will not escape this latest controversy unscathed; that much is clear even based on the PR nightmare generated by the WSJ article. Microsoft, however, would do well to remember that they are not innocent when it comes to cookie controversy. What is it they say about those in glass houses?
Google: Microsoft's Privacy Practices 'Impractical'
For their part, Google released a lengthy rebuttal late Monday evening. Rachel Whetstone, SVP of Communications and Policy, said in a statement sent to Search Engine Watch:
“Microsoft omitted important information from its blog post today.
Microsoft uses a 'self-declaration' protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known - including by Microsoft - that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other websites.
Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.”
In the 2010 report Whetstone speaks of, Cranor and fellow researchers found that of 33,139 CPs collected and evaluated, 11,176 had errors, including 174 TRUSTe-certified sites and 21 of the top 100 most visited websites. They also reported at that time that thousands of websites were using identical, invalid CPs that had been recommended for getting around IE’s cookie blocking.
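As an added illustration of the invalid-CP problem described here (not code from the article, Microsoft, or the researchers' study), the Python below audits the compact policy in a P3P response header against the P3P 1.0 token vocabulary and flags policies such as the `BOGUS CP` string quoted earlier. The function names, verdict labels and sample header values are assumptions made for this example.

```python
import re

# Compact-policy (CP) token vocabulary of the W3C P3P 1.0 specification.
GROUPS = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                 "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "other": {"DSP", "COR", "MON", "LAW", "NID", "TST"},
}
NO_SUFFIX = {"CUR", "OUR"}  # purpose/recipient tokens that take no a/i/o suffix

def classify(token):
    """Return the group a CP token belongs to, or None if it is not a P3P token."""
    for group, names in GROUPS.items():
        if token in names:
            return group
    # Purposes and recipients may carry a suffix: a (always), i (opt-in), o (opt-out).
    base, suffix = token[:-1], token[-1:]
    if len(token) == 4 and suffix in ("a", "i", "o") and base not in NO_SUFFIX:
        for group in ("purpose", "recipient"):
            if base in GROUPS[group]:
                return group
    return None

def audit_p3p_header(value):
    """Audit one P3P response-header value; returns (verdict, invalid, missing)."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', value, re.IGNORECASE)
    if match is None:
        return ("no-cp", [], [])
    tokens = match.group(1).split()
    invalid = [t for t in tokens if classify(t) is None]
    present = {classify(t) for t in tokens}
    # Simplification: like a full policy statement, require purpose, recipient and
    # retention unless the policy declares the data non-identifiable (NID).
    required = [] if "NID" in tokens else ["purpose", "recipient", "retention"]
    missing = [g for g in required if g not in present]
    if len(invalid) == len(tokens):
        return ("all-invalid", invalid, missing)  # not one recognizable P3P token
    if invalid or missing:
        return ("has-errors", invalid, missing)
    return ("well-formed", invalid, missing)  # syntax only, not truthfulness

# Constructed sample header values, not captured from any site.
for sample in ('CP="BOGUS CP"', 'CP="NOI DSP COR ADMa DEVa OUR BUS UNI NAV"'):
    print(sample, "->", audit_p3p_header(sample))
```

A `well-formed` verdict only means the tokens parse; it does not show that the stated policy matches the site's actual practices.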
While Microsoft’s lengthy post is certainly technical and will blow the mind of the average user, it completely disregards the fact that Google is one of tens of thousands of websites using this workaround. The whole situation around P3P points to massive and well-known problems with CPs, an almost dead requirement that is regularly gamed, which makes Microsoft’s marching it out in the war against Google more than a little disingenuous.