|(Google, using Foxconn teen slave labor logic) "Look, facebook does it too!" Rings hollow. Apple and Microsoft both have browser issues to address, and shame on both for not implementing a fix quickly... but using a security bug/loop-hole to circumvent user cookie settings and track users web activity is evil. Google's arguments on this topic are pure garbage.|
Internet Explorer privacy protections also being circumvented by Google, Facebook, and many more By Lorrie Faith Cranor
Posted on February 18, 2012
I am glad to see the Safari cookie circumvention brouhaha bringing attention to problems of privacy self regulation and privacy protection tools. But Safari is not the only browser with this problem and Google is not the only company to exploit it. And circumventing cookie controls is not a new problem. As Riva Richmond wrote on nytimes.com on September 17, 2010, "Large numbers of Web sites, including giants like Facebook, appear to be using a loophole that circumvents I.E.’s ability to block cookies...."
Microsoft is patting themselves on the back for having a browser that doesn't have the Safari circumvention problem. They explain that their Tracking Protection Lists avoid this problem. TPLs do avoid this problem, but the TPL implementation in IE9 is extremely difficult to use ( see my blog post when IE9 came out as well as our usability study) and if you don't turn on TPLs, you will be relying on the IE default privacy settings, which are also being circumvented.
But, companies have discovered that they can lie in their CPs and nobody bothers to do anything about it. We've found thousands of companies with CPs that don't seem to match their actual practices.
Companies have also discovered that, due to a bug in IE, if they have an invalid CP, IE will not block it. So P3P:CP="BOGUS CP" allows a company to circumvent IE cookie blocking! Now they don't have to lie. But they can put in this code that basically turns off IE cookie blocking. Looks like a circumvention to me.
BTW, lots of companies do this, and they know full well they are doing it, including the company that has been in the news this week.... Google! Here is Google's compact policy:
P3P:CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
But Google is not alone. Here is Facebook's CP:
P3P:CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Amazon used to do this but they got sued over it and now they have a valid CP. (The law suit was dismissed in December, largely because the plaintiffs did not allege harm.)
The excuse everyone uses to justify this circumvention is that P3P is dead and IE breaks the cool things they want to do on their website, so therefore it is ok to circumvent browser privacy controls. There is a long painful history associated with P3P (and one that I played a significant role in -- I chaired the P3P working group and literally wrote the book on P3P), and I will be the first to admit that P3P is on life support at best right now. But despite that, Microsoft is still using it as part of their default cookie settings that the vast majority of IE users depend on. So, if you don't like P3P, how about asking Microsoft to take P3P out of their browser? Or how about going back to the W3C (the organization that standardized P3P) and asking them to declare it dead? I suspect nobody wants to do that because it might call into question the effectiveness of industry self regulation on privacy. W3C is currently hard at work on a new privacy standard called Do Not Track (DNT) which the industry is currently rallying around. Once the spotlights are off and companies have to live with the standard they created and discover that it prevents them from doing what they want to do, will they declare it dead as well and feel justified in circumventing it too?