Google tricks IE privacy settings too, says Microsoft

Posted by Emma Woollacott

Following last week's revelation that Google was bypassing privacy settings in Apple's Safari browser, Microsoft's accused it of doing the same thing with Internet Explorer.

In a blog post, Dean Hachamovitch, corporate vice president for Internet Explorer, says Google's using the same technique to dish up tracking cookies to its users.

"We’ve found that Google bypasses the P3P Privacy Protection feature in IE," he says.

"The result is similar to the recent reports of Google’s circumvention of privacy protections in Apple’s Safari Web browser, even though the actual bypass mechanism Google uses is different."

Internet Explorer is set to block third-party cookies unless the site includes a P3P Compact Policy Statement, explaining how it will use cookies and promising not to track users.

But, says Hachamovitch, Google's exploiting a loophole in the P3P specification, which - in an attempt to leave room for future advances in privacy policies - states that browsers should ignore any undefined policies they encounter.

And, he says, Google is sending a P3P policy that fails to inform the browser about its use of cookies and user information - indeed, the policy itself says so.

The header it sends reads: P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

The browser, though, interprets this as indicating that the cookie won't be used for any tracking purpose - or, indeed, any purpose at all.

Hachamovitch's advising users to take advantage of an additional privacy feature in IE9, called Tracking Protection, which isn't susceptible to this type of bypass.

"Given this real-world behavior, we are investigating what additional changes to make to our products," he says.

"The P3P specification says that browsers should ignore unknown tokens. Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action."
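The ignore-unknown-tokens behaviour described above, next to the stricter handling the privacy advocates suggested, as an added sketch (not code from Microsoft, Google or this article). The OBJECTIONABLE set, the allow_cookie decision and the VALID_STYLE sample are simplifying assumptions, not Internet Explorer's actual rules.

```python
import re

# Compact-policy tokens defined by P3P 1.0. Purpose and recipient tokens
# may carry an a/i/o suffix (always, opt-in, opt-out).
SUFFIXED = set("CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP "
               "OUR DEL SAM UNR PUB OTR".split())
KNOWN = SUFFIXED | set(
    "NOI ALL CAO IDC OTI NON DSP COR MON LAW NID NOR STP LEG BUS IND "
    "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV "
    "OTC TST".split())

# Assumption: tokens this sketch treats as declaring tracking or sharing.
OBJECTIONABLE = {"IVA", "IVD", "CON", "TEL", "OTP", "SAM", "UNR", "PUB", "OTR"}

CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.I)

# Header value quoted in the article, and a constructed well-formed policy.
GOOGLE_STYLE = ('CP="This is not a P3P policy! See http://www.google.com/'
                'support/accounts/bin/answer.py?hl=en&answer=151657 '
                'for more info."')
VALID_STYLE = 'CP="NOI DSP COR NID CUR OUR NOR"'

def parse_cp(header_value):
    """Return (recognized, unrecognized) tokens, or None if there is no CP."""
    m = CP_RE.search(header_value or "")
    if m is None:
        return None
    known, unknown = [], []
    for tok in m.group(1).split():
        suffixed = len(tok) == 4 and tok[:3] in SUFFIXED and tok[3] in "aio"
        if tok in KNOWN or suffixed:
            known.append(tok[:3])
        else:
            unknown.append(tok)
    return known, unknown

def allow_cookie(header_value, strict=False):
    """Lenient: drop unknown tokens and judge what remains (the loophole).
    Strict: also refuse any policy with unknown or no recognized tokens."""
    parsed = parse_cp(header_value)
    if parsed is None:
        return False              # no compact policy at all
    known, unknown = parsed
    if strict and (unknown or not known):
        return False
    return not (set(known) & OBJECTIONABLE)
```

In lenient mode the article's header yields zero recognized tokens, so nothing objectionable is found and the cookie is accepted; strict mode rejects it while still accepting the well-formed sample.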

The FTC's been urged to investigate the Safari tracking accusations; no doubt, if it does, these allegations will be checked out too.