There was quite a stir sparked last week when it was revealed that Google was exploiting a loophole in Apple's Safari browser to track users through web ads, and that has now prompted a response from Microsoft's Internet Explorer team, who unsurprisingly turned their attention to their own browser. In an official blog post today, they revealed that Google is indeed bypassing privacy settings in IE as well, although that's only part of the story (more on that later). As Microsoft explains at some length, Google took advantage of what it describes as a "nuance" in the P3P specification, which effectively allowed it to bypass a user's privacy settings and track them using cookies -- a different method than that used in the case of Safari, but one that ultimately has the same goal. Microsoft says it's contacted Google about the matter, but it's offering a solution of its own in the meantime. It'll require you to first upgrade to Internet Explorer 9 if you haven't already, then install a Tracking Protection List that will completely block any such attempts by Google -- details on it can be found at the source link below.
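The "nuance" above turns on how a browser handles a P3P compact policy, the short CP="..." token string a site sends in its P3P response header. As an added illustration, not code from the article or from any of the companies it names, the following Python checker parses a few constructed header values and reports whether each carries a recognisable compact policy, an empty one, or free text containing no P3P tokens at all. The token vocabulary is taken from the W3C P3P 1.0 compact policy specification; the sample headers, the status labels and the function names are assumptions of this example.

```python
import re

# P3P 1.0 compact policy vocabulary (W3C spec). Plain tokens take no suffix.
PLAIN_TOKENS = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",          # access
    "DSP",                                             # disputes
    "COR", "MON", "LAW",                               # remedies
    "NID",                                             # non-identifiable
    "NOR", "STP", "LEG", "BUS", "IND",                 # retention
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV",   # data categories
    "INT", "DEM", "CNT", "STA", "POL", "HEA", "PRE",
    "LOC", "GOV", "OTC",
    "TST",                                             # test policy
}
# Purpose and recipient tokens may carry an a/i/o suffix (always / opt-in / opt-out).
SUFFIXED_TOKENS = {
    "CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP",
    "OUR", "DEL", "SAM", "UNR", "PUB", "OTR",
}

# Constructed sample header values for this example (not captured from any real site).
SAMPLE_HEADERS = {
    "real-policy": 'CP="NOI DSP COR NID CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"',
    "empty-policy": 'CP=""',
    "free-text": 'CP="This is not a P3P policy. See our privacy page for details."',
    "no-compact-policy": 'policyref="/w3c/p3p.xml"',
}


def is_p3p_token(token):
    """True if token is a valid compact-policy token, with an optional a/i/o suffix."""
    if token in PLAIN_TOKENS or token in SUFFIXED_TOKENS:
        return True
    return len(token) == 4 and token[:3] in SUFFIXED_TOKENS and token[3] in "aio"


def parse_compact_policy(header_value):
    """Return the tokens inside CP="...", or None when the header has no CP attribute."""
    match = re.search(r'\bCP\s*=\s*"([^"]*)"', header_value)
    if match is None:
        return None
    return match.group(1).split()


def assess_p3p_header(header_value):
    """Classify one P3P header value from an auditor's point of view."""
    tokens = parse_compact_policy(header_value)
    if tokens is None:
        return {"status": "no-compact-policy", "valid": [], "unknown": []}
    valid = [t for t in tokens if is_p3p_token(t)]
    unknown = [t for t in tokens if not is_p3p_token(t)]
    if not tokens:
        status = "empty"
    elif not valid:
        status = "not-a-policy"   # free text: nothing a browser could evaluate
    elif unknown:
        status = "partly-valid"   # real tokens mixed with junk; worth a closer look
    else:
        status = "valid"
    return {"status": status, "valid": valid, "unknown": unknown}


def audit(headers):
    """Assess every header in a {label: value} mapping; returns {label: status}."""
    return {label: assess_p3p_header(value)["status"] for label, value in headers.items()}


if __name__ == "__main__":
    for label, status in audit(SAMPLE_HEADERS).items():
        print(f"{label:18} -> {status}")
```

The P3P specification tells user agents to ignore tokens they do not recognise, so a CP value made entirely of unrecognised text is never evaluated as an unsatisfactory policy even though it declares nothing about the site's practices. An auditor going through a site's response headers would want exactly the "not-a-policy" and "empty" results surfaced, since those are the headers that a token-based cookie filter cannot act on.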
Mary Jo Foley notes, however, that Google isn't the only company that was discovered to be taking advantage of the P3P loophole. Researchers from Carnegie Mellon University's CyLab say they alerted Microsoft to the vulnerability in 2010, and just two days ago the director of the lab, Lorrie Faith Cranor, wrote about the issue again on the TAP blog (sponsored by Microsoft, incidentally), detailing how Facebook and others also skirt IE's ability to block cookies. Indeed, Facebook readily admits on its site that it does not have a P3P policy, explaining that the standard is "out of date and does not reflect technologies that are currently in use on the web," and that "most websites" also don't currently have P3P policies. On that matter, Microsoft said in a statement to Foley that the "IE team is looking into the reports about Facebook," but that it has "no additional information to share at this time."

Update: Google's Senior Vice President of Communications and Policy, Rachel Whetstone, has now issued a statement in response to Microsoft's blog post. It can be found in full after the break.
Microsoft omitted important information from its blog post today.
Microsoft uses a "self-declaration" protocol (known as "P3P") dating from 2002, under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known - including by Microsoft - that it is impractical to comply with Microsoft's request while providing modern web functionality. We have been open about our approach, as have many other websites.
Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.