Microsoft and Google face off in IE privacy dispute


21 Feb 2012

Microsoft has claimed that Google bypasses Internet Explorer’s (IE) privacy protection features to track users. Google hit back, claiming IE uses outdated technology which prevents “modern web functionality.”

In a blog post, Microsoft claimed Google is bypassing the P3P Privacy Protection feature of Internet Explorer and is tracking users with cookies.

The company said IE blocks third-party cookies unless the site offers a P3P Compact Policy Statement which indicates how the site will use the cookie and that the site won’t track the user.

Microsoft said Google’s P3P policy causes IE to accept Google’s cookies, but the company said the policy does not state Google’s intent, noting it is actually “a statement that it is not a P3P policy.” It claims Google’s P3P policy is intended for humans to read, even though P3P policies are designed for browsers to read.

As a result, Microsoft said P3P-compliant browsers read this policy as indicating that the cookie won’t be used for tracking purposes, allowing Google to bypass this cookie protection and enabling its third-party cookies to be allowed rather than blocked.

Microsoft noted it has created a Tracking Protection List for IE9 users to stop Google allegedly continuing this practice and said it is looking into making IE block cookies with unrecognised tokens.

Google strikes back

Google has hit back at Microsoft’s claims, telling The Verge that Microsoft “omitted important information” from its blog post on the matter.

Google said P3P dates back to 2002, which lets Microsoft ask websites to represent privacy practices in machine-readable form. It claimed it is “impractical” to comply with Microsoft’s privacy requests while providing “modern web functionality” and said it is open about its approach.

“Today, the Microsoft policy is widely non-operational,” said a Google spokesperson.

“A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft,” they said.

Google claimed Facebook and Amazon also used the P3P bypass, pointing out Facebook said P3P doesn’t support its modern web services.

Safari

The dispute stems from a Wall Street Journal report which claimed Google, among others, used a code that tricked Apple’s Safari browser into letting them monitor user behaviour.

Rachel Whetstone, senior vice-president, Communications and Public Policy at Google, said the report “mischaracterises what happened and why”. She said Safari blocks third-party cookies by default but enables web features relying on third party cookies, such as the ‘Like’ button.

“We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information,” she said.

She said that to enable these features, a temporary communication link is created between Safari browsers and Google servers to ascertain whether or not Safari users were signed into Google and opted for its personalisation features.