Google Bypassing User Privacy Settings in IE

According to Microsoft, Google circumnavigates Internet Explorer's P3P Privacy Protection feature to track cookies of users.

Dean Hachamovitch, corporate vice president of Internet Explorer, wrote in a blog post that Microsoft started looking into the issue after a last week Wall Street Journal article discussed how Google got around tracking blockers in Apple's Safari browser to keep tabs on Web users.

"When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We've discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies," said Hachamovitch.

Internet Explorer automatically blocks third-party cookies from sites that haven't presented a P3P Compact Policy Statement to the W3C Web standards body. This statement publically discloses how and when a site will document data (in the form of cookies).

In Google's case, it has been bypassing the P3P requirements for Internet Explorer to track cookies without presenting a clear intent on how it would use the information.

"Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies," said Hachamovitch. "The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter."

When the news hit last week concerning Google avoding Safari's privacy protocol, Google responded by saying it was accidental, and the unintentional bypass was part of some bad code connected with its "+1" button that is integrated into many Web sites.

Today, in response to the Internet Explorer blog post, Google said that Microsoft purposely omitted information in its blog post, including its opinion that using P3P specifications was outdated. "It is well known -- including by Microsoft -- that it is impractical to comply with Microsoft's request while providing modern web functionality," said Google in a statement released today. "We have been open about our approach, as have many other websites.

According to Microsoft insider Mary Jo Foley, this workaround of Internet Explorer's privacy policy had been known for some time. In a blog post discussing the matter, Foley said she received an e-mail from Lorrie Faith Cranor, director at CyLab Usable Privacy and Security Laboratory, saying that a research team at Carnegie Mellon University had disclosed the practice used by Google (and Facebook) back in 2010.

Microsoft made no mention on whether it previously had knowledge or investigated this issue in the blog posting.

Apple and Microsoft aren't the only ones raising concern over Google's privacy circumnavigation -- A class-action lawsuit was filed today with the U.S. District Court for Delaware, alleging that Google violated the Stored Electronic Communication Act, the Federal Computer Fraud and Abuse Act and the Federal Wiretap Act.

About the Author

Chris Paoli is the site producer for and


  • Exchange Server June Cumulative Updates Arrive, But with Red Tape

    Microsoft released its quarterly cumulative updates (CUs) for Exchange Server 2013, 2016 and 2019 products this week, but added an extra step for IT pros to consider before installing them.

  • Moving an Old VM to a New Hyper-V Host

    So you want to know whether a Hyper-V virtual machine built on a legacy host will be supported by a newer server? There's a PowerShell command for that.

  • AI-Driven Solution Tracks Packets Through the Datacenter

    Datacenter solutions vendor Kaloom this week unveiled a new offering the company says will enable the development of "self-driving" datacenter networks.

  • Microsoft Previews Azure Bastion Service for Private VM Access

    Microsoft on Tuesday announced a preview of the Azure Bastion service, which lets a user connect to an Azure virtual machine (VM) using a private Internet connection.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.