Microsoft: Google Breaches P3P Policy, But They Let Facebook "Do It"

Update: See statement from Google at the end of the post

There has been a lot of hoopla about Google breaching privacy and circumnavigating settings in Safari. They have definitely been circumspect at what they are doing but a new report from Microsoft which says that Google did similar things with IE9 as well. Well, here’s the catch, there is nothing illegal Google did and Microsoft just let off the hook with it.

Let’s get to the start of where Microsoft is accusing Google:

By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent.

Well for starters, P3P is outdated and no longer under development. It is a age old policy which many websites including both Google and Facebook choose to ignore or not follow at all and mind you there is nothing legally wrong with it.

Google and Facebook authentication both have fake P3P policies in the HTTP headers that link to a webpage that explains why they don’t support it:

As you can see from the above, Facebook does not have a P3P policy and Google chooses to ignore it altogether. Now, both these approaches are different but they do the same thing; allow these websites to access third-party cookies because they don’t follow the P3P policies.

P3P also known as Platform for Privacy Preferences was started out by W3C in 2006 and the final draft was published in 2007. However, after P3P 1.1, W3C also effectively suspended all work on P3P as is evident from This means that the technology in question Microsoft has been using to gather information against Google was no longer developed for 5 years or more.

After a successful Last Call, the P3P Working Group decided to publish the P3P 1.1 Specification as a Working Group Note to give P3P 1.1 a provisionally final state.

The P3P Specification Working Group took this step as there was insufficient support from current Browser implementers for the implementation of P3P 1.1. The P3P 1.1 Working Group Note contains all changes from the P3P 1.1 Last Call. The Group thinks that P3P 1.1 is now ready for implementation. It is not excluded that W3C will push P3P 1.1 until Recommendation if there is sufficient support for implementation.

On the other hand, P3P keeps being the basis of a number of research directions in the area of privacy world wide. One might cite the PRIME Project as well as the Policy aware Web. Many other approaches also follow the descriptive metadata approach started by P3P. Such projects are invited to send email to <[email protected]> to be listed here.

This puts a big question mark, because Microsoft provided evidence against Google using this outdated technology which several companies and browser no longer honor.

So all in all, Microsoft is more than happy to give the same information to Facebook (because they are their partners) while dishing out hate to Google? This is definitely not the best way for a company which hardly follows W3C standards for web coding and CSS to accuse others of circumnavigating things which are outdated.

Google’s Statement Regards to Microsoft Accusations by Rachel Whetstone, Senior Vice President of Communications and Policy, Google

Microsoft omitted important information from its blog post today.

Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known – including by Microsoft – that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other websites.

Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.

Google also goes on to suggest that this has been around since 2002. You’ll find the entire statement from Google below:

For many years, Microsoft’s browser has requested every website to “self-declare” its cookies and privacy policies in machine readable form, using particular “P3P” three-letter policies.
Essentially, Microsoft’s Internet Explorer browser requests of websites, “Tell us what sort of functionality your cookies provide, and we’ll decide whether to allow them.” This didn’t have a huge impact in 2002 when P3P was introduced (in fact the Wall Street Journal today states that our DoubleClick ad cookies comply with Microsoft’s request), but newer cookie-based features are broken by the Microsoft implementation in IE. These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services. It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality.
Today the Microsoft policy is widely non-operational.
In 2010 it was reported:

Browsers like Chrome, Firefox and Safari have simpler security settings. Instead of checking a site’s compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies…..

Thousands of sites don’t use valid P3P policies….
A firm that helps companies implement privacy standards, TRUSTe, confirmed in 2010 that most of the websites it certifies were not using valid P3P policies as requested by Microsoft:

Despite having been around for over a decade, P3P adoption has not taken off. It’s worth noting again that less than 12 percent of the more than 3,000 websites TRUSTe certifies have a P3P compact policy. The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure.

A 2010 research paper by Carnegie Mellon found that 11,176 of 33,139 websites were not issuing valid P3P policies as requested by Microsoft.
In the research paper, among the websites that were most frequently providing different code to that requested by Microsoft: Microsoft’s own and websites.
Microsoft support website
The 2010 research paper “discovered that Microsoft’s support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE.” This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft.
Google’s provided a link that explained our practice.
Microsoft could change this today
As others are noting today, this has been well known for years.

  • Privacy researcher Lauren Weinstein states: “In any case, Microsoft’s posting today, given what was already long known about IE and P3P deficiences in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues.”
  • Chris Soghoian, a privacy researcher, points out: “Instead of fixing P3P loophole in IE that FB & Amazon exploited …MS did nothing. Now they complain after Google uses it.”
  • Even the Wall Street Journal says: “It involves a problem that has been known about for some time by Microsoft and privacy researchers….”

Published by

Keith Dsouza

I am the editor-in-chief and owner of Techie Buzz. I love coding and have contributed to several open source projects in the past. You can know more about me and my projects by visiting my Personal Website. I am also a social networking enthusiast and can be found active on twitter, you can follow Keith on twitter @keithdsouza. You can click on my name to visit my Google+ profile.