Google Bypassing User Privacy Settings in IE

According to Microsoft, Google circumnavigates Internet Explorer's P3P Privacy Protection feature to track cookies of users.

Dean Hachamovitch, corporate vice president of Internet Explorer, wrote in a blog post that Microsoft started looking into the issue after a last week Wall Street Journal article discussed how Google got around tracking blockers in Apple's Safari browser to keep tabs on Web users.

"When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We've discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies," said Hachamovitch.

Internet Explorer automatically blocks third-party cookies from sites that haven't presented a P3P Compact Policy Statement to the W3C Web standards body. This statement publically discloses how and when a site will document data (in the form of cookies).

In Google's case, it has been bypassing the P3P requirements for Internet Explorer to track cookies without presenting a clear intent on how it would use the information.

"Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies," said Hachamovitch. "The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter."

When the news hit last week concerning Google avoding Safari's privacy protocol, Google responded by saying it was accidental, and the unintentional bypass was part of some bad code connected with its "+1" button that is integrated into many Web sites.

Today, in response to the Internet Explorer blog post, Google said that Microsoft purposely omitted information in its blog post, including its opinion that using P3P specifications was outdated. "It is well known -- including by Microsoft -- that it is impractical to comply with Microsoft's request while providing modern web functionality," said Google in a statement released today. "We have been open about our approach, as have many other websites.

According to Microsoft insider Mary Jo Foley, this workaround of Internet Explorer's privacy policy had been known for some time. In a blog post discussing the matter, Foley said she received an e-mail from Lorrie Faith Cranor, director at CyLab Usable Privacy and Security Laboratory, saying that a research team at Carnegie Mellon University had disclosed the practice used by Google (and Facebook) back in 2010.

Microsoft made no mention on whether it previously had knowledge or investigated this issue in the blog posting.

Apple and Microsoft aren't the only ones raising concern over Google's privacy circumnavigation -- A class-action lawsuit was filed today with the U.S. District Court for Delaware, alleging that Google violated the Stored Electronic Communication Act, the Federal Computer Fraud and Abuse Act and the Federal Wiretap Act.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.


comments powered by Disqus

Subscribe on YouTube