Microsoft has known about the flaw for years but did nothing to fix it

Feb 21, 2012 11:02 GMT  ·  By
Google, Facebook and many others bypassed a flawed Internet Explorer privacy setting

Google took some heat, yet again, last week after it was discovered that it bypassed Safari's default privacy settings so that it could store cookies on users' machines. By default, Safari blocks third-party cookies, that is, cookies set by a domain other than the one the user is visiting.

This comes up most often with advertisers, whose ads are served from domains other than the site being visited. Google and other large ad companies were nonetheless able to trick Safari into storing their cookies even though they came from a third-party domain.

Microsoft boasts about IE privacy features, then explains how to bypass them

At the time, Microsoft gleefully boasted, in a post titled "browse without being browsed", that Internet Explorer had far better security and privacy features and would not allow such a thing to happen.

Now, a few days later, Microsoft is just as gleefully reporting that Internet Explorer's privacy features are easily bypassed by Google, which places third-party cookies regardless of the privacy policy configured in IE.

P3P is a W3C standard supported only by IE that hasn't been updated in years

The issue stems from a technology dubbed P3P, the Platform for Privacy Preferences Project, which lets a website declare, in a compact machine-readable policy sent with its HTTP responses, what data it collects (through its cookies and otherwise), for example whether the cookies are used for tracking and what they track.

P3P is a W3C standard, but Internet Explorer is the only major browser to support it. IE compares the privacy policy a website declares in its HTTP headers against the user's own privacy settings and blocks cookies that don't measure up.

The standard dates back to 2002 and hasn't been updated in several years. No other major browser ever adopted it.

At the time, the EPIC (Electronic Privacy Information Center), a privacy rights group that has lately been very critical of Google, criticized it as too difficult for regular users to use, thus defeating its own purpose.

Websites can easily bypass P3P protection

Google does not support P3P. Instead of the coded tokens that belong in the P3P header, its sites send a plain-text statement with a link to a help page explaining why Google bypasses P3P: to let users stay logged into their Google accounts across its different domains, such as YouTube, Blogger and so on.

Under the default IE privacy settings, websites that try to set third-party cookies without a stated P3P policy are blocked. So are websites whose valid P3P policy declares that their third-party cookies are used to track users.

However, websites whose P3P policy is invalid, whether by error, for example a typo, or by design, as with Google and Facebook, have their cookies accepted anyway: IE ignores the tokens it doesn't recognize and then treats whatever is left as an acceptable policy. This large hole in the privacy feature has been exploited for years by many websites.

It's important to note that Google's advertising domains, doubleclick.net and googleadservices.com, use valid P3P syntax. Google only bypasses the feature for products unrelated to advertising.
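The three cases above, as an added example that is not part of the original article and not Microsoft's code: a simplified JavaScript model of how IE's default privacy level decided whether to accept a third-party cookie from the P3P compact policy (the `CP="..."` part of the P3P response header). The token vocabulary is the one from the P3P 1.0 specification; which tokens count as "tracking" (the personally identifiable categories PHY, ONL, GOV and FIN combined with a secondary purpose or external recipient the user cannot opt in to or out of) is an approximation of IE's rule and is an assumption here. The sample headers, including the "This is not a P3P policy" text and the example.invalid URL, are constructed.

```javascript
// Added illustration, not Microsoft's code: a simplified model of how IE's
// default (Medium) privacy level evaluated a third-party cookie against the
// P3P compact policy (CP) sent in the server's P3P response header.

// P3P 1.0 compact-policy token vocabulary, grouped by the policy element it summarises.
const ACCESS = ["NOI", "ALL", "CAO", "IDC", "OTI", "NON"];
const DISPUTES = ["DSP", "COR", "MON", "LAW"];
const PURPOSES = ["CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"];
const RECIPIENTS = ["OUR", "DEL", "SAM", "UNR", "PUB", "OTR"];
const RETENTION = ["NOR", "STP", "LEG", "BUS", "IND"];
const CATEGORIES = ["PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT",
  "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"];
const OTHER = ["NID", "TST"];
const KNOWN = new Set([...ACCESS, ...DISPUTES, ...PURPOSES, ...RECIPIENTS, ...RETENTION, ...CATEGORIES, ...OTHER]);
// Purpose and recipient tokens may carry a consent suffix: a = always (no choice), i = opt-in, o = opt-out.
const SUFFIXABLE = new Set([...PURPOSES, ...RECIPIENTS]);

// Assumed approximation of IE's "unsatisfactory policy" test (see lead-in):
// personally identifiable data, used or shared without an opt-in/opt-out.
const PII_CATEGORIES = new Set(["PHY", "ONL", "GOV", "FIN"]);
const SECONDARY_PURPOSES = new Set(["IVA", "IVD", "CON", "TEL", "OTP"]);
const EXTERNAL_RECIPIENTS = new Set(["SAM", "PUB", "OTR", "UNR"]);

// Pull the CP="..." value out of a P3P header and split it into recognised and
// unrecognised tokens. Returns null when the header carries no compact policy.
function parseCompactPolicy(p3pHeader) {
  const m = /CP\s*=\s*"([^"]*)"/.exec(p3pHeader || "");
  if (!m) return null;
  const recognised = [];
  const unrecognised = [];
  for (const raw of m[1].trim().split(/\s+/).filter(Boolean)) {
    if (KNOWN.has(raw)) {
      recognised.push({ base: raw, consent: "a" });            // no suffix means "always"
    } else if (raw.length === 4 && SUFFIXABLE.has(raw.slice(0, 3)) && /[aio]$/.test(raw)) {
      recognised.push({ base: raw.slice(0, 3), consent: raw[3] });
    } else {
      unrecognised.push(raw);                                   // typo, prose, URL, ...
    }
  }
  return { recognised, unrecognised };
}

function isUnsatisfactory(tokens) {
  const noChoice = (t) => t.consent === "a";
  const collectsPII = tokens.some((t) => PII_CATEGORIES.has(t.base));
  const tracksWithoutConsent = tokens.some((t) => SECONDARY_PURPOSES.has(t.base) && noChoice(t));
  const sharesWithoutConsent = tokens.some((t) => EXTERNAL_RECIPIENTS.has(t.base) && noChoice(t));
  return collectsPII && (tracksWithoutConsent || sharesWithoutConsent);
}

// Decide whether a third-party Set-Cookie is honoured. failClosed=false models
// IE's historical behaviour; failClosed=true is the hardened variant.
function evaluateThirdPartyCookie(p3pHeader, { failClosed = false } = {}) {
  const policy = parseCompactPolicy(p3pHeader);
  if (policy === null) {
    return { allow: false, reason: "no compact policy" };                       // case 1
  }
  if (policy.recognised.length === 0) {
    // Case 3: a header is present but nothing in it is a P3P token. IE dropped
    // the unknown tokens and then treated the empty policy as unobjectionable.
    return failClosed
      ? { allow: false, reason: "compact policy has no recognised tokens" }
      : { allow: true, reason: "compact policy has no recognised tokens (fail-open)" };
  }
  if (isUnsatisfactory(policy.recognised)) {
    return { allow: false, reason: "policy declares PII tracking or sharing without consent" }; // case 2
  }
  return { allow: true, reason: "satisfactory compact policy" };
}

// Constructed sample headers (not captured from any real site).
const SAMPLES = {
  adServerSatisfactory: 'CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS UNI COM NAV INT"',
  tracksPII: 'CP="NOI DSP COR PHY ONL TELo OTP OUR SAM BUS"',
  missing: undefined,
  notAPolicy: 'CP="This is not a P3P policy! See http://example.invalid/p3p-help for more info."',
  typo: 'CP="NOI DSP COR PYH OLN OTP OUR BUS"',   // PHY and ONL misspelled
};

// Verdict (true = cookie accepted) for every sample under the given options.
function runSamples(opts) {
  const out = {};
  for (const [name, header] of Object.entries(SAMPLES)) {
    out[name] = evaluateThirdPartyCookie(header, opts).allow;
  }
  return out;
}

console.log("IE legacy behaviour:", runSamples());
console.log("fail-closed variant:", runSamples({ failClosed: true }));
```

Run it with node and it prints the verdicts under both modes. Two things stand out: the fail-open branch is the hole the article describes, and the fail-closed variant only closes the all-unrecognised case. The typo sample, where both personally identifiable tokens are misspelled, is accepted either way, because dropping the unknown tokens leaves a policy that declares nothing objectionable.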

Microsoft believes that what Google is doing violates the privacy settings in IE. It offers to help users block all Google cookies to prevent this behavior, which would leave them unable to stay logged into their Google accounts.

What's more, Microsoft is contemplating whether to start blocking cookies from websites that use this method of bypassing P3P, which would go against the W3C specification but provide better privacy protection.

Google claims everyone is doing it

Google has responded to the accusations by saying that the P3P standard is outdated and unused in practice. It cites research from 2010 which found that some 11,000 of the 33,000 websites checked bypassed IE's P3P settings via the method above.

In fact, the Carnegie Mellon researchers found that Microsoft's own sites, live.com and msn.com, didn't provide valid P3P code at the time.

Facebook also doesn't comply with P3P, as it states in a help article of its own. Facebook says the standard is out of date and doesn't work with the modern web and, as such, it won't support it.

Researchers warned Microsoft about the issue a couple of years ago

Microsoft has known about the issue for years but hasn't done anything to fix it. Facebook, in which Microsoft holds a minority stake, does exactly what Google does, and so do many other websites.

Microsoft, though, decided to focus its attack on Google, and only after the company had come under fire over the Safari issue as well. Hopefully, since Microsoft is clearly so concerned with user privacy, it will now fix the flaw in its own software, even if it took a couple of years for the issue to be taken seriously. That is, if it is being taken seriously at all and Microsoft doesn't forget about the whole thing in a week when it finds something else to bash Google with.