• Marketing Land
  • Sections
    • CMO
    • Social
    • SEM
    • SEO
    • Analytics
    • Display
    • Retail
    • MarTech
    • Resources
    • More
    • Home
  • Marketing Land
  • CMO
  • Social
  • SEM
  • SEO
  • Analytics
  • Display
  • Retail
  • MarTech
  • Resources
  • More
  • SUBSCRIBE

Marketing Land

Marketing Land
  • CMO
  • Social
  • SEM
  • SEO
  • Analytics
  • Display
  • Retail
  • MarTech
  • Resources
  • More
  • Home
  • Newsletters
  • Home
Content Marketing

Google: “Impractical” To Comply With IE’s P3P Privacy Controls; Microsoft, Facebook & Others Also Fail

Google’s been taking fire for Microsoft accusing it of overriding Internet Explorer privacy controls. But Google’s now out with a response: the controls are out-dated, “impractical” to follow and ignored by other companies besides Google, including Facebook, some of Microsoft’s own sites and over 10,000 others. I’m on vacation this week, so I won’t be […]

Danny Sullivan on February 20, 2012 at 10:11 pm
  • More

microsoft-google-logosGoogle’s been taking fire for Microsoft accusing it of overriding Internet Explorer privacy controls. But Google’s now out with a response: the controls are out-dated, “impractical” to follow and ignored by other companies besides Google, including Facebook, some of Microsoft’s own sites and over 10,000 others.

I’m on vacation this week, so I won’t be doing a deep dive into all of this, though someone else from Marketing Land will in the near future. For now, I’ll just share a few short comments along with the full statement that Google sent us about the issue.

Not The Same As The Safari Bypass

Reading through Microsoft’s blog post myself earlier today, my initial reaction was “Really? You have this system that relies on web sites to self-declare policies about cookies as a security check but you don’t verify this? That’s security?” Or as I tweeted:

Microsoft’s post on Google bypassing IE settings also sounds like IE pretty lame checking what P3P supposed to provide

That’s not to excuse Google from bypassing privacy settings in a browser, as it clearly and self-admittedly did in the case of Safari to allow Google+ buttons to work in ads, as the Wall Street Journal reported last week.

That’s not just lame. That’s a serious breach of user trust. But Microsoft’s post today looks like it tried way too hard to jump on the “Google’s overriding privacy” bandwagon. It felt like a stretch to find some way to say “Google’s doing it to us, too.”

Facebook, Microsoft’s Partner, Ignores P3P

In fact, Facebook seems to be doing exactly the same thing that Google is doing to get around the P3P checking, as Techpolicy covers. Facebook, which if I recall, Microsoft still has 5% ownership in — and has a tight partnership to provide instant personalization of Microsoft’s Bing search engine.

If Google can’t be trusted for this, isn’t Microsoft concerned about working so closely with Facebook, as well?

Again, Google’s not to be excused for what it did with the Safari workaround. But that also doesn’t mean that Microsoft’s accusations were the same thing as with Safari, nor that they carried all the same concerns.

Google’s Statement

Here’s the full statement we were just sent by Google:

Microsoft omitted important information from its blog post today.

Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form.  It is well known – including by Microsoft – that it is impractical to comply with Microsoft’s request while providing modern web functionality.  We have been open about our approach, as have many other websites.

Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.

Here is some more information.

Issue has been around since 2002

For many years, Microsoft’s browser has requested every website to “self-declare” its cookies and privacy policies in machine readable form, using particular “P3P” three-letter policies.

Essentially, Microsoft’s Internet Explorer browser requests of websites, “Tell us what sort of functionality your cookies provide, and we’ll decide whether to allow them.”  This didn’t have a huge impact in 2002 when P3P was introduced (in fact the Wall Street Journal today states that our DoubleClick ad cookies comply with Microsoft’s request), but newer cookie-based features are broken by the Microsoft implementation in IE.  These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services.  It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality.

Today the Microsoft policy is widely non-operational.

In 2010 it was reported: 

Browsers like Chrome, Firefox and Safari have simpler security settings. Instead of checking a site’s compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies.….

Thousands of sites don’t use valid P3P policies….

A firm that helps companies implement privacy standards, TRUSTe, confirmed in 2010 that most of the websites it certifies were not using valid P3P policies as requested by Microsoft:

Despite having been around for over a decade, P3P adoption has not taken off. It’s worth noting again that less than 12 percent of the more than 3,000 websites TRUSTe certifies have a P3P compact policy. The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure.

A 2010 research paper by Carnegie Mellon found that 11,176 of 33,139 websites were not issuing valid P3P policies as requested by Microsoft.

In the research paper, among the websites that were most frequently providing different code to that requested by Microsoft: Microsoft’s own live.com and msn.com websites.

Microsoft support website

The 2010 research paper “discovered that Microsoft’s support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE.”  This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft.

Google’s provided a link that explained our practice.

Microsoft could change this today

As others are noting today, this has been well known for years.

  • Privacy researcher Lauren Weinstein states: “In any case, Microsoft’s posting today, given what was already long known about IE and P3P deficiences in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues.”
  • Chris Soghoian, a privacy researcher, points out: “Instead of fixing P3P loophole in IE that FB & Amazon exploited ……MS did nothing. Now they complain after Google uses it.” 
  • Even the Wall Street Journal says: “It involves a problem that has been known about for some time by Microsoft and privacy researchers….”

Normally, I wouldn’t reprint such a long statement but instead focus on the key parts. However, Google hasn’t done this as a blog post that I can see yet, so I wanted to provide the full information for others to read and assess.

Related Articles

  • Microsoft: Google Is Bypassing Internet Explorer Privacy Settings, Too
  • Microsoft Slams Google Privacy Changes With “Putting People First” Ad Campaign
  • Google “Myth Busts” Microsoft’s Privacy Claims
  • No, FairSearch’s Anti-Google Ad In Politico Wasn’t Pulled As “Inaccurate” (Even Though It Was Inaccurate)
  • Google Didn’t “Track” iPhones, But It Did Bypass Safari’s Privacy Settings
  • No Surprise: Congress, Consumer & Privacy Groups Want Google To Explain Safari Privacy Snafu
  • No, You Don’t Need To Fear The Google Privacy Changes: A Reality Check


About The Author

Danny Sullivan
Danny Sullivan was a journalist and analyst who covered the digital and search marketing space from 1996 through 2017. He was also a cofounder of Third Door Media, which publishes Search Engine Land, Marketing Land, MarTech Today and produces the SMX: Search Marketing Expo and MarTech events. He retired from journalism and Third Door Media in June 2017. You can learn more about him on his personal site & blog He can also be found on Facebook and Twitter.

Related Topics

Channel: Content MarketingGoogle: PrivacyLegal: PrivacyMicrosoft: Internet ExplorerMicrosoft: Privacy

We're listening.

Have something to say about this article? Share it with us on Facebook, Twitter or our LinkedIn Group.

Get the daily newsletter digital marketers rely on.
See terms.

ATTEND OUR EVENTS

MarTech 2021: March 16-17

MarTech 2021: Sept. 14-15

MarTech 2020: Watch On-Demand

×

Attend MarTech - Click Here


Learn More About Our MarTech Events

April 13, 2021: SMX Create

May 18-19, 2021: SMX London

June 8-9, 2021: SMX Paris

June 15-16, 2021: SMX Advanced

June 21-22, 2021: SMX Advanced Europe

August 17, 2021: SMX Convert

November 9-10, 2021: SMX Next

December 14, 2021: SMX Code

Available On-Demand: SMX

Available On-Demand: SMX Report

×


Learn More About Our SMX Events

White Papers

  • The Six Principles of Building a Memorable Customer Experience
  • 5 Reasons Agencies Adopt Marketing Automation
  • How to Land Higher-Paying Clients: A 7-Step Framework to Grow Your Agency
  • B2B Marketing Trends Shaping 2021
  • State of Email Marketing 2021 Report
See More Whitepapers

Webinars

  • Crawl Your Way Towards Better Search Results With Dynamic Rendering
  • The AI Revolution Is Coming to Every Stage of Your Buyer’s Journey
  • The Fundamentals of Link Building for E-Commerce & Affiliate Sites in 2021
See More Webinars

Research Reports

  • Local Marketing Solutions for Multi-Location Businesses
  • Enterprise Digital Asset Management Platforms
  • Identity Resolution Platforms
  • Customer Data Platforms
  • B2B Marketing Automation Platforms
  • Call Analytics Platforms
See More Research

Attend SMX For Only $99

h
Receive daily marketing news & analysis.

Channels

  • MarTech
  • CMO
  • Social
  • SEM
  • SEO
  • Mobile
  • Analytics
  • Retail
  • Display

Our Events

  • MarTech
  • SMX

Resources

  • White Papers
  • Research
  • Webinars

About

  • About Us
  • Contact
  • Privacy
  • Marketing Opportunities
  • Staff

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • Newsletters
  • RSS
  • Youtube

© 2021 Third Door Media, Inc. All rights reserved.