Microsoft: Google circumventing IE cookie protections too

Microsoft has claimed Google is getting around privacy protections built into Internet Explorer (IE), just as it did in Apple's Safari browser.

The Redmond giant said Google was circumventing its Platform for Privacy Preferences (P3P) settings in order to place cookies on user machines. Microsoft said this was a different method to that used by Google to get around Safari protections.

IE is supposed to block third-party cookies unless a site presents a P3P policy statement. This statement is read by browsers to determine whether to allow cookies depending on a user's privacy settings.

We've also contacted Google and asked them to commit to honoring P3P privacy settings for users of all browsers.

P3P policy statements consist of three-four character tokens, such as TAI, which indicates Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customisation.'

Google's policy managed to get IE to accept cookies "even though the policy does not state Google's intent," Microsoft said.

"Technically, Google utilises a nuance in the P3P specification that has the effect of bypassing user preferences about cookies," said Dean Hachamovitch, corporate vice president for IE, in a blog post.

"The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google's use of cookies and user information."

Google does not actually send a proper P3P policy, according to Microsoft, instead choosing to send a note that users themselves are supposed to read, not browsers.

Rather than contain the three or four character tokens, Microsoft noted that Google's policy looks like this: P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

From Microsoft's standpoint, this policy did not convey Google's intentions "in a manner consistent with the technology."

"P3P-compliant browsers interpret Google's policy as indicating that the cookie will not be used for any tracking purpose or any purpose at all. By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked," Hachamovitch added.

"The result is similar to the recent reports of Google's circumvention of privacy protections in Apple's Safari Web browser, even though the actual bypass mechanism Google uses is different.

"We've also contacted Google and asked them to commit to honoring P3P privacy settings for users of all browsers."

Microsoft has now created a Tracking Protection List,' which lets users prevent cookies from certain sources, including Google.

The company said it was considering making further changes to its browsers for added cookie protection.

Google claimed Microsoft had "omitted important information from its blog post," adding that P3P was all but redundant.

"Microsoft uses a 'self-declaration' protocol (known as "P3P") dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form," said Rachel Whetstone, Google's senior vice President of communications and policy.

"It is well known - including by Microsoft - that it is impractical to comply with Microsoft's request while providing modern web functionality. We have been open about our approach, as have many other websites.

"Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft."