On February 17, 2012 I passed along the news that Google had been caught bypassing the default privacy settings in Apple’s Safari browser and that the Consumer Watchdog advocacy group was calling for the FTC to investigate the matter. Well it seems that Google wasn’t happy with just Safari as Microsoft announced today that Google is doing the same thing in regards to Microsoft’s Internet Explorer browser.
In a blog post Dean Hachamovitch, IE chief at Microsoft, says that Google is bypassing the IE9′s P3P Privacy Protection settings that like Safari are set to keep web services from installing cookies by default. The P3P technology is an official recommendation from the W3C Web standards body and describes how sites intend on using cookies and user information. By supporting this standard browsers can block or allow cookies to honor a user’s privacy settings.
As noted in the post from Hachamovitch these P#P policies are not easily accessible by the user and that web sites send these policies directly to web browsers via the browser’s HTTP headers, and that only specialized tools, like Fiddler, can see these P3P policies being sent.
For example, here is the P3P Compact Policy (CP) statement from Microsoft.com:
P3P: CP=”ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI”
Each token (e.g. ALL, IND) has a specific meaning for a P3P-compliant Web browser. For example, ‘SAMo’ indicates that ‘We [the site] share information with Legal entities following our practices,’ and ‘TAI’ indicates ‘Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization.’ The details of privacy are complex, and the P3P standard is complex as well. You can read more about P3P here.
What Google does is utilize a ‘nuance’ in the P3P specification that allows it to bypass the user’s preferences about how cookies are treated. In fact the company actually sends a P3P policy that is a statement that it is not a P3P policy:
P3P: CP=”This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info.”
So by sending out this text Google is in effect enabling its third-party cookies to be allowed rather than blocked.
While Microsoft waits for Google to get back to them with some answers to the issues raised by Microsoft they have made a Tracking Protection List available for users of IE9 that they can add by clicking here.