Google: Microsoft's IE privacy system is broken

Facebook agrees.
Google has fired back at Microsoft’s claim it bypassed Internet Explorer browser privacy settings, claiming the browser’s requirements are impractical, outdated and also unsupported by Facebook.

Yesterday Microsoft accused Google of violating a W3C-recommended protocol for browser privacy, Platform for Privacy Preferences (P3P), which requires websites to declare cookies and privacy policies in machine-readable form.

Google doesn’t comply with the policy in order to allow cookies to facilitate the authentication of Google accounts on pages that contain, for example, the Google +1 button.

“Today the Microsoft policy is widely non-operational,” Rachel Whetstone, Google’s senior vice president of communications and policy said in a statement, which also points out that new cookie-based features that also support Facebook’s “Like” button are broken by Microsoft’s implementation of P3P in IE.

“Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form.  It is well known - including by Microsoft - that it is impractical to comply with Microsoft’s request while providing modern web functionality.  We have been open about our approach, as have many other websites.”  

Facebook’s support page on P3P draws similar conclusions to Google about the standard, pointing out that the “P3P standard is now out of date” and that most websites don’t have P3P policies.

A Carnegie Mellon study in 2006 found that just 15 percent of the world’s top 5000 websites had valid P3P policies.

A subsequent Carnegie Mellon study in 2010 also found that 33 percent (or 11,176) websites out of 33,139 websites surveyed contained errors that caused P3P to be dysfunctional as a means to communicate and enforce privacy choices.

The only way to fix it would be for regulators to step in.

“Unless regulators use their authority to take action against companies that provide erroneous machine-readable policies, users will be unable to rely on these policies,” the researchers argued.