The Wall Street Journal described a few days ago how Google and other advertising companies bypassed a privacy feature of Apple’s Safari browser to drop “ad-tracking cookies on [..] Safari users”. Safari blocks third-party cookies by default; advertising companies rely on such cookies to recognize users across the Internet. A cookie of this kind is sent back to the advertiser on every site that embeds the company’s scripts, which in Google’s case is a very large number of sites.
Google released a statement shortly afterwards claiming that the WSJ article mischaracterized the company’s intentions:
We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.
Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager.
Microsoft today describes a similar circumvention affecting the company’s Internet Explorer browser. IE blocks third-party cookies by default unless the site in question “presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user”.
Google is now sending a P3P policy that causes the browser to accept Google’s cookies, even though the text the company submits does not “state Google’s intent”.
P3P compact policies travel in a site’s HTTP response headers (the CP field of the P3P header), which users only see with developer tools or a proxy. Instead of a valid statement, Google sends text that is not a P3P policy at all. The browser, following the P3P specification, ignores tokens it does not recognize, so a policy that consists only of unrecognized tokens looks like one that declares no tracking, and the cookie is accepted. Nothing in the browser verifies the declaration: a compact policy is a self-declaration that the browser takes at face value.
Microsoft has published a Tracking Protection List that Internet Explorer 9 users can install to block Google’s third-party tracking cookies. The list is described by its header comments:
# Blocks 3rd-party Google tracking
# Last Modified: 2/19/2012
Microsoft is now actively investigating options to change the browser’s interpretation of unrecognized tokens.
Given this real-world behavior, we are investigating what additional changes to make to our products. The P3P specification says that browsers should ignore unknown tokens. Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action.
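To make the mechanism concrete, here is an added example (not code from the article, from Microsoft or from Google) that models the decision described above: the browser reads the compact policy from the CP field of the P3P response header, keeps the tokens it recognizes and, following the P3P specification, ignores the rest. A header made of plain English therefore parses to an empty policy and the third-party cookie is accepted, while the stricter option Microsoft says it is investigating, blocking cookies whose policy carries unrecognized tokens, rejects it. The token vocabulary is P3P 1.0’s compact-policy set, the “unsatisfactory” check is a simplified model of IE’s default rule (personally identifiable categories used beyond the current transaction, or shared outside the site, without opt-in), tokens are matched case-insensitively, and every sample header is constructed; these are assumptions for the example, not a description of IE’s actual code.

```javascript
// Added example, not code from the article, from Microsoft or from Google:
// a small model of the IE-style third-party cookie decision described above.
// The browser reads the compact policy (CP) from the response's P3P header,
// keeps the tokens it recognizes, and (per the P3P spec) ignores the rest.
//
// Assumptions, labelled as such: the token vocabulary is P3P 1.0's compact
// policy set; "unsatisfactory" is a simplified version of IE's default rule
// (personally identifiable categories used for purposes other than the current
// transaction, or shared beyond the site, without opt-in); tokens are matched
// case-insensitively. All sample header values are constructed.

const PURPOSES   = new Set(["CUR","ADM","DEV","TAI","PSA","PSD","IVA","IVD","CON","HIS","TEL","OTP"]);
const RECIPIENTS = new Set(["OUR","DEL","SAM","UNR","PUB","OTR"]);
const CATEGORIES = new Set(["PHY","ONL","UNI","PUR","FIN","COM","NAV","INT","DEM","CNT","STA","POL","HEA","PRE","LOC","GOV","OTC"]);
const OTHER      = new Set(["NOR","STP","LEG","BUS","IND","NOI","ALL","CAP","CAO","IDC","OTI","NID","DSP","COR","MON","LAW","TST"]);
// Categories the simplified rule treats as personally identifiable.
const IDENTIFIABLE = new Set(["PHY","ONL","GOV","FIN"]);

function isKnown(base) {
  return PURPOSES.has(base) || RECIPIENTS.has(base) || CATEGORIES.has(base) || OTHER.has(base);
}

// Extract the CP="..." attribute from a P3P header value and split it into
// recognized tokens (3-letter base plus optional a/i/o opt-in modifier) and
// unknown ones. Returns null when there is no compact policy at all.
function parseCompactPolicy(p3pHeader) {
  if (typeof p3pHeader !== "string") return null;
  const m = /CP\s*=\s*"([^"]*)"/i.exec(p3pHeader);
  if (!m) return null;
  const known = [], unknown = [];
  for (const tok of m[1].trim().split(/\s+/).filter(Boolean)) {
    const t = /^([A-Za-z]{3})([aio])?$/.exec(tok);
    const base = t ? t[1].toUpperCase() : null;
    if (base && isKnown(base)) known.push({ base, mod: t[2] || "" });
    else unknown.push(tok);
  }
  return { known, unknown };
}

// Simplified "unsatisfactory" rule: identifiable data, used for a purpose other
// than the current transaction or shared beyond the site, without opt-in ("i").
function isUnsatisfactory(known) {
  const identifiable = known.some(k => IDENTIFIABLE.has(k.base));
  const nonCurrentNoOptIn = known.some(k => PURPOSES.has(k.base) && k.base !== "CUR" && k.mod !== "i");
  const sharedNoOptIn = known.some(k => RECIPIENTS.has(k.base) && k.base !== "OUR" && k.mod !== "i");
  return identifiable && (nonCurrentNoOptIn || sharedNoOptIn);
}

// Decide whether a third-party cookie is stored. blockUnrecognized=false is the
// spec-following behaviour the article describes; true is the stricter option
// Microsoft says it is investigating.
function thirdPartyCookieDecision(p3pHeader, { blockUnrecognized = false } = {}) {
  const cp = parseCompactPolicy(p3pHeader);
  if (!cp) return { accept: false, reason: "no compact policy" };
  if (blockUnrecognized && cp.unknown.length > 0) {
    return { accept: false, reason: "unrecognized tokens: " + cp.unknown.join(" ") };
  }
  if (isUnsatisfactory(cp.known)) return { accept: false, reason: "unsatisfactory policy" };
  if (cp.known.length === 0) return { accept: true, reason: "no recognized tokens, treated as declaring no tracking" };
  return { accept: true, reason: "satisfactory policy" };
}

// Constructed sample headers (not the real headers of any site).
const SAMPLES = {
  satisfactory:   'CP="CAO PSA OUR"',
  unsatisfactory: 'CP="PHY ONL UNI DEM TAI OTR"',
  notAPolicy:     'CP="This is not a P3P policy. See https://example.com/p3p for details."',
  missing:        undefined,
};

for (const [name, header] of Object.entries(SAMPLES)) {
  const lenient = thirdPartyCookieDecision(header);
  const strict  = thirdPartyCookieDecision(header, { blockUnrecognized: true });
  console.log(`${name.padEnd(14)} spec: ${lenient.accept ? "ACCEPT" : "BLOCK "} (${lenient.reason}) | strict: ${strict.accept ? "ACCEPT" : "BLOCK "} (${strict.reason})`);
}
```

Run it with node; the output lists each constructed header under both modes. The notAPolicy row is the interesting one: lenient mode accepts it because nothing in it parses as a tracking declaration, which is exactly the gap a nonsense CP value exploits, and strict mode blocks it because of the unrecognized tokens. The cost of strict mode is that any site whose CP contains a typo or a non-standard token loses its third-party cookies as well, which is why the size of the population of invalid policies matters to the decision.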
That makes twice in one week that Google has been caught red-handed reaching into the cookie jar. What’s your take on this?
Update: Google has posted a statement in response:
Statement: Attributable to Rachel Whetstone, Senior Vice President of Communications and Policy, Google
Microsoft omitted important information from its blog post today.
Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known – including by Microsoft – that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other websites.
Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.
Here is some more information.
Issue has been around since 2002
For many years, Microsoft’s browser has requested every website to “self-declare” its cookies and privacy policies in machine readable form, using particular “P3P” three-letter policies.
Essentially, Microsoft’s Internet Explorer browser requests of websites, “Tell us what sort of functionality your cookies provide, and we’ll decide whether to allow them.” This didn’t have a huge impact in 2002 when P3P was introduced (in fact the Wall Street Journal today states that our DoubleClick ad cookies comply with Microsoft’s request), but newer cookie-based features are broken by the Microsoft implementation in IE. These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services. It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality.
Today the Microsoft policy is widely non-operational.
In 2010 it was reported:
Browsers like Chrome, Firefox and Safari have simpler security settings. Instead of checking a site’s compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies…..
Thousands of sites don’t use valid P3P policies….
A firm that helps companies implement privacy standards, TRUSTe, confirmed in 2010 that most of the websites it certifies were not using valid P3P policies as requested by Microsoft:
Despite having been around for over a decade, P3P adoption has not taken off. It’s worth noting again that less than 12 percent of the more than 3,000 websites TRUSTe certifies have a P3P compact policy. The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure.
A 2010 research paper by Carnegie Mellon found that 11,176 of 33,139 websites were not issuing valid P3P policies as requested by Microsoft.
In the research paper, among the websites that were most frequently providing different code to that requested by Microsoft: Microsoft’s own live.com and msn.com websites.
Microsoft support website
The 2010 research paper “discovered that Microsoft’s support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE.” This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft.
Google has provided a link that explains our practice.
Microsoft could change this today
As others are noting today, this has been well known for years.
Privacy researcher Lauren Weinstein states: “In any case, Microsoft’s posting today, given what was already long known about IE and P3P deficiencies in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues.”
Chris Soghoian, a privacy researcher, points out: “Instead of fixing P3P loophole in IE that FB & Amazon exploited ……MS did nothing. Now they complain after Google uses it.”
Even the Wall Street Journal says: “It involves a problem that has been known about for some time by Microsoft and privacy researchers….”