Internet Explorer privacy protections also being circumvented by Google, Facebook, and many more

By Lorrie Faith Cranor

Posted on February 18, 2012


I am glad to see the Safari cookie circumvention brouhaha bringing attention to problems of privacy self regulation and privacy protection tools. But Safari is not the only browser with this problem and Google is not the only company to exploit it. And circumventing cookie controls is not a new problem. As Riva Richmond wrote on on September 17, 2010, "Large numbers of Web sites, including giants like Facebook, appear to be using a loophole that circumvents I.E.’s ability to block cookies...."

Microsoft is patting themselves on the back for having a browser that doesn't have the Safari circumvention problem. They explain that their Tracking Protection Lists avoid this problem. TPLs do avoid this problem, but the TPL implementation in IE9 is extremely difficult to use (see my blog post when IE9 came out as well as our usability study) and if you don't turn on TPLs, you will be relying on the IE default privacy settings, which are also being circumvented.

The current excitement is about circumventing the default settings on Safari, which are supposed to block third-party cookies. But IE actually has a similar default setting, only the IE setting is a little more nuanced. Ten years ago, back in 2002, Microsoft implemented a default setting that blocks most third-party cookies, but lets in those that either aren't associated with personal data or that provide opt-outs. The way this works, is IE blocks third-party cookies that don't come with a special code called a P3P compact policy (CP) -- basically an extra HTTP header that includes codes that summarize the privacy policy for the cookie. Under the default setting IE checks the CPs and also blocks cookies that have CPs Microsoft considers to be "unsatisfactory" from a privacy perspective. So companies that don't want their third-party cookies blocked need to have satisfactory CPs (basically if they collect anything identifiable they need to offer opt-outs).

But, companies have discovered that they can lie in their CPs and nobody bothers to do anything about it. We've found thousands of companies with CPs that don't seem to match their actual practices.

Companies have also discovered that, due to a bug in IE, if they have an invalid CP, IE will not block it. So P3P:CP="BOGUS CP" allows a company to circumvent IE cookie blocking! Now they don't have to lie. But they can put in this code that basically turns off IE cookie blocking. Looks like a circumvention to me.

BTW, lots of companies do this, and they know full well they are doing it, including the company that has been in the news this week.... Google! Here is Google's compact policy:

P3P:CP="This is not a P3P policy! See for more info."

But Google is not alone. Here is Facebook's CP:

P3P:CP="Facebook does not have a P3P policy. Learn why here:"

Amazon used to do this but they got sued over it and now they have a valid CP. (The law suit was dismissed in December, largely because the plaintiffs did not allege harm.)

The excuse everyone uses to justify this circumvention is that P3P is dead and IE breaks the cool things they want to do on their website, so therefore it is ok to circumvent browser privacy controls. There is a long painful history associated with P3P (and one that I played a significant role in -- I chaired the P3P working group and literally wrote the book on P3P), and I will be the first to admit that P3P is on life support at best right now. But despite that, Microsoft is still using it as part of their default cookie settings that the vast majority of IE users depend on. So, if you don't like P3P, how about asking Microsoft to take P3P out of their browser? Or how about going back to the W3C (the organization that standardized P3P) and asking them to declare it dead? I suspect nobody wants to do that because it might call into question the effectiveness of industry self regulation on privacy. W3C is currently hard at work on a new privacy standard called Do Not Track (DNT) which the industry is currently rallying around. Once the spotlights are off and companies have to live with the standard they created and discover that it prevents them from doing what they want to do, will they declare it dead as well and feel justified in circumventing it too?