Microsoft: Google violates our users' privacy too

@CNNMoneyTech February 21, 2012: 1:28 PM ET

Microsoft's extremely granular privacy settings are the subject of another flare-up with Google.

NEW YORK (CNNMoney) -- Last week, Google was caught circumventing Apple's Safari browser privacy settings. Microsoft chimed in Monday with a "me too" complaint, saying that Google is also dodging around Internet Explorer's privacy settings.

But the Microsoft/Google standoff is especially complicated, and spotlights the technical swampland that surrounds online privacy issues.

In a blog post, Microsoft browser chief Dean Hachamovitch revealed that Google bypasses a feature in IE designed to let users set their cookie preferences. "Cookies" are files that are used to follow users' movements and log-ins as they travel through the Web.

Hachamovitch suggests that Google (GOOG, Fortune 500) is purposefully tricking Microsoft's browser into accepting cookies that users would have otherwise blocked. The implication is that Google could track some IE users even if their privacy settings ask Google not to.

Google slammed Microsoft's criticism, calling it disingenuous.

"It is well known -- including by Microsoft -- that it is impractical to comply with Microsoft's request while providing modern web functionality," Rachel Whetstone, Google's head of policy, said in a written statement. "We have been open about our approach, as have many other websites."

The problem is that Microsoft made an outdated and commonly ignored standard the cornerstone of its browser's privacy controls.

Microsoft (MSFT, Fortune 500) relies on "P3P," a protocol that was adopted in 2002 by the World Wide Web Consortium, the Web's standards body. It was left for dead soon after. IE is the only major browser that implements P3P, and Google called it "widely non-operational."

Most major browsers, like Chrome, Firefox and Safari, have simple cookie settings: "accept," "do not accept," or "do not accept third-party cookies."

P3P, and by extension IE, allows users to set far more granular privacy controls, including vague terms like, "low," "medium," "medium-high," and "high."

Turns out both users and Web developers hate that approach.

Few people bother adjusting their settings. Meanwhile, those complicated settings make it very tricky for sites to integrate some third-party features like a Facebook "like" button or Google's +1.

As a result, many sites -- including Facebook -- have been exploiting a P3P loophole to get around the privacy settings. A September 2010 paper published by four Carnegie Mellon CyLab researchers found that roughly half of the 33,000 websites they reviewed deliberately tricked Internet Explorer into allowing cookies that would otherwise be blocked.

Violators included Amazon (AMZN, Fortune 500), AOL (AOL), GoDaddy, Hulu and IMDB, among many other popular sites. Even some of Microsoft's own sites -- including,, and -- weren't P3P compliant.

Facebook and Google very openly bypass P3P and flaunt their opposition to it.

A proper P3P token is a long string of three- and four-letter codes mapping out (in a machine-readable way) a site's privacy policies. But in 2009, when Carnegie Mellon's study was done, Facebook's entire token just read: "HONK."

That's not even close to a valid token, the study's authors dryly note.

Google's compact policy actually reads: "CP='This is not a P3P policy! See // for more info.'"

That link leads to a site that says P3P was not designed for online situations that are now common.

Facebook agrees.

"P3P was developed 5 years ago and is not effective in describing the practices of a modern social networking service and platform," the company said in a written statement. "We have reached out directly to Microsoft in hopes of developing additional solutions."
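The compact policies quoted above can be checked mechanically. The following is an added example, not code from the article or from the Carnegie Mellon study: it tests each token of a `CP` string against the P3P 1.0 compact-policy vocabulary. The function names and the `CP="HONK"` header form are assumptions, the Google string is reproduced as it appears in the article, and the "valid" sample is constructed.

```python
import re

# P3P 1.0 compact-policy vocabulary: three-letter codes, grouped by element.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
           "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
OTHER = {"DSP", "COR", "MON", "LAW", "NID", "TST"}
VOCAB = ACCESS | PURPOSE | RECIPIENT | RETENTION | CATEGORY | OTHER

# Purposes and recipients other than CUR and OUR may carry a fourth letter:
# a (always), i (opt-in) or o (opt-out). That gives the four-letter codes.
SUFFIXABLE = (PURPOSE | RECIPIENT) - {"CUR", "OUR"}


def extract_cp(header_value):
    """Return the quoted CP string from a P3P header value, or None."""
    m = re.search(r"""CP\s*=\s*(["'])(.*?)\1""", header_value)
    return m.group(2) if m else None


def is_valid_token(tok):
    if tok in VOCAB:
        return True
    return len(tok) == 4 and tok[:3] in SUFFIXABLE and tok[3] in "aio"


def check_compact_policy(cp):
    """Vocabulary check only: says nothing about whether the policy is true."""
    tokens = cp.split()
    unknown = [t for t in tokens if not is_valid_token(t)]
    return {"tokens": len(tokens), "unknown": unknown,
            "valid": bool(tokens) and not unknown}


SAMPLES = {
    "facebook_2009": 'CP="HONK"',  # token from the article; header form assumed
    "google": "CP='This is not a P3P policy! See // for more info.'",  # as printed
    "constructed_valid": 'CP="NOI DSP COR NID CUR ADMa OUR NOR NAV"',  # constructed
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, check_compact_policy(extract_cp(header)))
```
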

Microsoft admitted that it's easy to violate IE's privacy policy, and said it is considering what to do about that.

"Given this real-world behavior, we are investigating what additional changes to make to our products," Microsoft's Hachamovitch said.
