Google bypassed IE too, says Microsoft

Microsoft has accused Google of bypassing the privacy settings of Internet Explorer users after Safari faux pas

Microsoft has accused Google of bypassing the privacy settings of Internet Explorer users, just days after researchers blew the whistle on Google for doing the same thing on Apple's Safari browser.

"Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies," Dean Hachamovitch, corporate vice president, IE, wrote in a blog post.

Microsoft found that Google bypasses the P3P Privacy Protection feature in IE, with similar results to its circumvention of privacy protections in Safari, even though the actual bypass mechanism Google uses is different.

According to the Wall Street Journal, Google put code onto some of its ads served by DoubleClick's servers at doubleclick.net to fool the Safari browser into thinking the user was interacting with DoubleClick, which meant Safari allowed the code which it would normally have blocked.

Microsoft recommends that IE users switch to version 9, which has an additional privacy feature called Tracking Protection that is not susceptible to this type of bypass.

The reason Google is able to bypass privacy settings on earlier versions of IE is that the browser blocks third-party cookies by default only if the site does not  presents a P3P Compact Policy Statement that is meant to indicate how the site will use the cookie and that the site’s use does not include tracking the user.

However, Google’s P3P policy causes IE to accept Google’s cookies even though the policy does not state Google’s intent.

"Technically, Google utilises a nuance in the P3P specification that has the effect of bypassing user preferences about cookies," wrote Hachamovitch.

This is possible because the P3P specification states that browsers should ignore any undefined policies they encounter, and Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information, he said.

P3P-compliant browsers interpret Google’s policy as indicating that the cookie will not be used for any tracking purpose or any purpose at all. By sending a particular text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked.

Microsoft said it has now requested Google to commit to honouring P3P privacy settings for users of all browsers.  By supporting P3P, browsers can block or allow cookies to honour user privacy preferences with respect to the site’s stated intentions.

Read more on Internet infrastructure

CIO
Security
Networking
Data Center
Data Management
Close