Microsoft accuses Google of exploiting Internet Explorer

On the heels of the discovery that Google has circumvented the default privacy protections on Apple’s Safari browser comes a statement from Microsoft accusing Google of doing the same to its Internet Explorer (IE) browsers. In a blog post, Microsoft’s Dean Hachamovitch, Corporate Vice President for the company’s IE line, states: “When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies.”

Specifically, Hachamovitch writes, “We’ve found that Google bypasses the P3P Privacy Protection feature in IE. The result is similar to the recent reports of Google’s circumvention of privacy protections in Apple’s Safari Web browser, even though the actual bypass mechanism Google uses is different.”

The last part is crucial. P3P is a privacy protocol Microsoft adopted in 2002. That’s ten years ago—an eternity in the computing world. In theory, it requires websites to provide IE with a policy statement promising not to use cookies to collect personal information without the user’s knowledge. In practice, P3P has been afflicted by serious flaws in its design and implementation, such that a long list of websites—including Facebook and Amazon—have routinely subverted its restrictions, according to Carnegie Mellon University’s Lorrie Faith Cranor. Cranor, a privacy researcher, observed that companies “have discovered that they can lie in their [P3P policies] and nobody bothers to do anything about it.”

Google, for its part, has stated that many in the industry, including Microsoft, recognize “that it is impractical to comply with Microsoft’s request while providing modern web functionality.” Compliance with P3P, they say, would make it difficult or impossible to implement features such as Facebook’s “Like” button, or to log in to Google’s suite of email and personalization services.

The irony is that Microsoft itself seems to have once provided invalid P3P policy statements to the public. The sites where these could be found have since been taken down, but according to InfoWorld’s Woody Leonhard, the instructions were quite specific. “Who knows,” Leonhard writes. “Maybe Google and Facebook and Amazon just followed Microsoft’s old instructions to circumvent third party cookie blocking.”

For more information, see Ars Technica’s full report here.

On the one hand, it seems as though Google’s IE “exploit” is relatively benign, and taking them to task for it would require us, in the name of consistency, to pursue Facebook, Amazon, and countless other websites in similar fashion.

On the other, the Safari work-around seems a little more insidious—the mechanism is different, and Google’s cookies were used not to provide users with “modern web functionality,” but to provide advertisers with information about users.

As the Internet becomes ever more deeply ingrained in our lives, difficult questions must be asked about privacy: questions about the consumer’s rights and expectations, questions about what kinds of information companies like Google, Microsoft, and Apple should, or should not, be permitted to collect about individuals. It seems those questions will remain open for some time.