Google, Microsoft, or Facebook: Who Dropped The Ball With Your Online Privacy?

February 21, 2012

Google, Microsoft, and Facebook are locked in a precarious blame game about who failed with your online privacy. First, Google gets caught bypassing a security feature in Safari that allowed the company to track users despite the no-tracking settings in Safari. Then yesterday, Microsoft charged Google for doing a similar thing with Internet Explorer users. Lots of smoke so far, but is there a fire?

Google responded today to Microsoft’s accusation, saying that the search engine company was not acting unscrupulously by tracking IE users and that, instead, it’s Microsoft’s fault for not addressing a known flaw in its browser. To strengthen its argument, Google cited Facebook’s ubiquitous “Like” button found on websites and said that feature uses the same method to track user info, so this isn’t a Google problem but a Microsoft problem. Facebook basically shrugged at being dragged into the mix: the social networking site insouciantly confirmed today that it is in fact using the same bypass as Google.

Consider this: Is it okay for companies like Google and Facebook to be aggressively looking for ways to exploit browsers in order to continue raking in browsing information from users as long as it falls into the fuzzy parameters of legality? Or does Microsoft have a responsibility to protect Internet Explorer users by updating their privacy protections to block aggressive info-vampires like Google and Facebook? Have your say below in the comments.

As mentioned above, Microsoft revealed that Google’s been sidestepping a privacy setting in Internet Explorer in order to continue tracking users’ browsing habits despite the users selecting a feature to block websites from collecting data on them. Basically, the exploit that Google found involved Internet Explorer’s P3P check, which reads a policy statement that websites like Google send to declare the intent of their cookies. While that check should reject cookies from sites that don’t clearly express their purpose, Google intentionally sent a vaguely defined P3P statement with its cookie in order to get past the check and still track the browsing habits of Internet Explorer users. Microsoft vilified Google after the revelation and, as you can imagine, Google was quick to defend itself.
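To make the mechanism above concrete, here is an added example (not from the article, and not code from any of the companies it names) that parses a P3P compact-policy header and compares a lenient cookie check, modelled on the behaviour described above, with a strict one. The token list is the W3C P3P 1.0 compact-policy vocabulary, the sample headers are constructed, and the lenient rule is a simplification rather than Internet Explorer’s exact algorithm.

```python
import re
# Compact-policy tokens from the W3C P3P 1.0 vocabulary. Purpose and recipient
# tokens may carry a one-letter suffix: a (always), i (opt-in), o (opt-out).
P3P_TOKENS = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",           # access
    "DSP", "COR", "MON", "LAW", "NID",                  # disputes, remedies, non-identifiable
    "CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA",    # purposes
    "IVD", "CON", "HIS", "TEL", "OTP",
    "OUR", "DEL", "SAM", "UNR", "PUB", "OTR",           # recipients
    "NOR", "STP", "LEG", "BUS", "IND",                  # retention
    "PHY", "ONL", "GOV", "UNI", "PUR", "FIN", "COM",    # data categories
    "NAV", "INT", "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "OTC", "TST",
}
SUFFIXED = {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS",
            "TEL", "OTP", "DEL", "SAM", "UNR", "PUB", "OTR"}

def parse_cp(p3p_header):
    """Split a P3P response header into (recognized, unrecognized) token lists;
    returns None when the header carries no CP="..." compact policy at all."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', p3p_header or "")
    if m is None:
        return None
    recognized, unrecognized = [], []
    for tok in m.group(1).split():
        base, suffix = tok[:3].upper(), tok[3:]
        ok = base in P3P_TOKENS and (suffix == "" or (base in SUFFIXED and suffix in ("a", "i", "o")))
        (recognized if ok else unrecognized).append(tok)
    return recognized, unrecognized

def cookie_decision(p3p_header, strict=False):
    """Lenient mode models the behaviour the article describes (simplified, not IE's
    exact algorithm): any CP string counts as a policy and unknown tokens are ignored,
    so only a missing CP is rejected. Strict mode also rejects a CP that has no
    recognized token or that mixes in unrecognized ones."""
    parsed = parse_cp(p3p_header)
    if parsed is None:
        return "reject"
    if strict and (not parsed[0] or parsed[1]):
        return "reject"
    return "accept"

# Constructed sample headers; none is the real header of any site named above.
SAMPLES = {
    "well_formed": 'CP="NOI DSP COR NID CUR ADMa DEVa OUR IND"',
    "nonsense":    'CP="This is not a P3P policy! See the privacy page for details"',
    "mixed":       'CP="NOI DSP FOO"',
    "no_policy":   'policyref="/w3c/p3p.xml"',
}
```

Running `cookie_decision` over `SAMPLES` in both modes shows the gap the article describes: the "nonsense" header is accepted by the lenient rule because it contains a CP string at all, and rejected by the strict rule because not one of its tokens is a real P3P token.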

But Google’s defense is basically to point the fault back at Microsoft for using outdated security settings. In a response provided to WebProNews, Google’s Senior Vice President of Communications and Policy, Rachel Whetstone, shared the following:

Microsoft omitted important information from its blog post today.

Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known – including by Microsoft – that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other websites.

Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.

Here is some more information.

Issue has been around since 2002

For many years, Microsoft’s browser has requested every website to “self-declare” its cookies and privacy policies in machine readable form, using particular “P3P” three-letter policies.

Essentially, Microsoft’s Internet Explorer browser requests of websites, “Tell us what sort of functionality your cookies provide, and we’ll decide whether to allow them.” This didn’t have a huge impact in 2002 when P3P was introduced (in fact the Wall Street Journal today states that our DoubleClick ad cookies comply with Microsoft’s request), but newer cookie-based features are broken by the Microsoft implementation in IE. These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services. It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality.

Today the Microsoft policy is widely non-operational.

In 2010 it was reported:

Browsers like Chrome, Firefox and Safari have simpler security settings. Instead of checking a site’s compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies…..

Thousands of sites don’t use valid P3P policies….

A firm that helps companies implement privacy standards, TRUSTe, confirmed in 2010 that most of the websites it certifies were not using valid P3P policies as requested by Microsoft:

Despite having been around for over a decade, P3P adoption has not taken off. It’s worth noting again that less than 12 percent of the more than 3,000 websites TRUSTe certifies have a P3P compact policy. The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure.

A 2010 research paper by Carnegie Mellon found that 11,176 of 33,139 websites were not issuing valid P3P policies as requested by Microsoft.

In the research paper, among the websites that were most frequently providing different code to that requested by Microsoft: Microsoft’s own and websites.

Microsoft support website

The 2010 research paper “discovered that Microsoft’s support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE.” This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft.

Google’s provided a link that explained our practice.

Microsoft could change this today

As others are noting today, this has been well known for years.

Privacy researcher Lauren Weinstein states: “In any case, Microsoft’s posting today, given what was already long known about IE and P3P deficiencies in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues.”

Chris Soghoian, a privacy researcher, points out: “Instead of fixing P3P loophole in IE that FB & Amazon exploited ……MS did nothing. Now they complain after Google uses it.”

Even the Wall Street Journal says: “It involves a problem that has been known about for some time by Microsoft and privacy

So here’s one thing I’m still unclear on: that last bit from Chris Soghoian, which asserts that Facebook and Amazon previously “exploited” the same P3P loophole and yet Microsoft did nothing to fix it. While I agree with the gist that Microsoft should have fixed the flaw in order to protect Internet Explorer users, that doesn’t make what Google and Facebook have done okay.

Incredibly, Facebook entered the fray today and sided with Google by confirming that, yes, it bypasses the same P3P policy to track Internet Explorer users. In a statement to ZDNet, Facebook claimed, “Our P3P policy is not intended to enable us to set additional cookies or to track users. While we would like to be able to express our cookie policy in a format that a browser could read, P3P was developed 5 years ago and is not effective in describing the practices of a modern social networking service and platform.” The statement goes on to explain how Facebook reached out to Microsoft to develop additional solutions, but no resolution was reached.

Facebook’s response is coy but make no mistake: these are companies led and maintained by highly intelligent people that didn’t get to where they are by happenstance. It wasn’t an accident that Facebook and Google just happened to be running loops around Microsoft’s privacy settings.

Consider this: Suppose two of my friends both get away with stealing cars from an auto dealer. My larcenous pals say they took the cars because the dealer left the keys in them. My friends don’t get in trouble, fine, but the auto dealer continues the practice of leaving the keys in the cars. So does that make it okay for me to come around and steal a car just because the dealer didn’t change their policies, and then defend myself by saying, “Well, my friends did it and you didn’t do anything about it”? Who’s at fault in this scenario?

Honestly, it doesn’t matter, because every company involved is at fault for something in this hot-potato blame game. Google and Facebook definitely knew of the Internet Explorer exploit and, even though they shouldn’t have taken advantage of a possible flaw in IE, they did it anyway. Microsoft also knew of the possible exploit in Internet Explorer and, whether naively or stubbornly, did nothing about it to protect IE users from sites like Google and Facebook.

Regardless of who ends up wearing the blame, it’s the people who use these services that are going to lose. Google and Facebook don’t respect your privacy enough to politely acknowledge you probably don’t want them to become your online shadow; if there’s a way for them to stab their digital proboscis into the vein of your browsing info, they’ll do it. Meanwhile, Microsoft doesn’t prioritize the protection of Internet Explorer users highly enough to update the browser in order to prevent the Facebooks and Googles of the world from stalking people across the Internet.

To paraphrase a quote from a movie I saw recently: It’s all there, black and white, clear as crystal. You lose, internet users.

So who should take the fall for this snafu? Microsoft for sitting on their hands about a problem with Internet Explorer security, or Google and Facebook for having no qualms about exploiting a known privacy problem in Internet Explorer in order to continue tracking users? What improvements to online privacy would you like to see come from this debacle? Take your comments to the discussion below.