Microsoft leaves privacy hole in browser, Google uses it


Microsoft Corp. left a big privacy loophole in its Internet Explorer browser and is now going afterGoogle Inc. for driving a truck through it.

Microsoft said Google has been rolling over a privacy safeguard in its Internet Explorer 9 browser that helps users prevent advertisers from placing tracking files on their computers. Microsoft’s allegations come a few days after the Mountain View, Calif., search giant took licks for appearing to circumvent privacy protections onApple Inc.’s Safari browser.

“When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: Is Google circumventing the privacy preferences of Internet Explorer users too?” Dean Hachamovitch, Microsoft’s vice president of Internet Explorer, wrote in a blog post. “We’ve discovered the answer is yes.”


Hachamovitch goes on to detail a nuanced process that goes something like this:

IE9 blocks sites from installing tracking files (called cookies) for other sites, so shouldn’t be able to install a cookie for its advertising arm, The exception is that IE9 does allow sites to install third-party cookies if they flash a kind of digital ID card called P3P, or the Platform for Privacy Preferences. P3P is a Web standard meant to help users exercise some control over which types of sites can install cookies on their computers and mobile devices.

The problem is that P3P relies on sites like Google to volunteer a description of themselves, including what they will do with information they glean from tracking users. Theoretically, those descriptions can help users decide whether to block cookies from sites collecting advertising data, diagnostic data or any other kind of information the user would prefer not to share.

But here’s the asterisk that might as well be a bullet hole in the policy: Any site that deliberately refuses to describe itself to Microsoft’s browser is rewarded by getting a tracking cookie anyway. In other words, the system can block only sites that explicitly identify themselves as advertisers. Those that don’t identify themselves at all slip through.

Microsoft said it was “actively investigating” whether to change IE9 so it blocked sites that did not correctly identify themselves.

Still, the loophole is not new. Researchers and the media have known about it for several years, and both Google and Facebook say the P3P privacy rules are outdated and that they don’t subscribe or adhere to them.

Coupled with last week’s disclosures about Safari as well as the many firms that of scan users’ mobile address books without direct permission, Monday’s development further shows that advertising-driven Internet companies regularly find ways around privacy protections -- and that such practices are increasingly part of doing business online.


Update, February 21st, 4:35p.m.: Google responded on Monday to say the P3P policy used by Microsoft’s browser is based on a decade-old standard that is now “widely non-operational.” That’s in part because P3P is not compatible with a number of current web technologies, Google said, such as Facebook “Like” buttons, as well as the ability to sign into web sites using just a Google account.

“It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality,” said Rachel Whetstone, Google’s senior vice president of communications and policy, in a statement.


Feds ask if Google violated FTC agreementApple, Google apps dial up privacy worries

Apple responds to congressmen’s privacy concerns