Internet Explorer privacy protections also being circumvented by Google, Facebook, and many more

Publication Date: February 18, 2012
Written By Lorrie Faith Cranor, TAP Scholar
I am glad to see the Safari cookie circumvention brouhaha bringing attention to problems of privacy self-regulation and privacy protection tools. But Safari is not the only browser with this problem and Google is not the only company to exploit it. And circumventing cookie controls is not a new problem. As Riva Richmond wrote on nytimes.com on September 17, 2010, "Large numbers of Web sites, including giants like Facebook, appear to be using a loophole that circumvents I.E.’s ability to block cookies...."

Microsoft is patting themselves on the back for having a browser that doesn't have the Safari circumvention problem. They explain that their Tracking Protection Lists avoid this problem. TPLs do avoid this problem, but the TPL implementation in IE9 is extremely difficult to use (see my blog post when IE9 came out as well as our usability study) and if you don't turn on TPLs, you will be relying on the IE default privacy settings, which are also being circumvented.

The current excitement is about circumventing the default settings on Safari, which are supposed to block third-party cookies. But IE actually has a similar default setting, only the IE setting is a little more nuanced. Ten years ago, back in 2002, Microsoft implemented a default setting that blocks most third-party cookies, but lets in those that either aren't associated with personal data or that provide opt-outs. The way this works is that IE blocks third-party cookies that don't come with a special code called a P3P compact policy (CP) -- basically an extra HTTP header that includes codes that summarize the privacy policy for the cookie. Under the default setting, IE checks the CPs and also blocks cookies that have CPs Microsoft considers to be "unsatisfactory" from a privacy perspective. So companies that don't want their third-party cookies blocked need to have satisfactory CPs (basically, if they collect anything identifiable they need to offer opt-outs).


But companies have discovered that they can lie in their CPs and nobody bothers to do anything about it. We've found thousands of companies with CPs that don't seem to match their actual practices.
Companies have also discovered that, due to a bug in IE, if they have an invalid CP, IE will not block it. So P3P:CP="BOGUS CP" allows a company to circumvent IE cookie blocking! Now they don't have to lie. But they can put in this code that basically turns off IE cookie blocking. Looks like a circumvention to me.


BTW, lots of companies do this, and they know full well they are doing it, including the company that has been in the news this week.... Google! Here is Google's compact policy:


P3P:CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."


But Google is not alone. Here is Facebook's CP:

P3P:CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"


Amazon used to do this but they got sued over it and now they have a valid CP. (The lawsuit was dismissed in December, largely because the plaintiffs did not allege harm.)


The excuse everyone uses to justify this circumvention is that P3P is dead and IE breaks the cool things they want to do on their website, so therefore it is ok to circumvent browser privacy controls. There is a long painful history associated with P3P (and one that I played a significant role in -- I chaired the P3P working group and literally wrote the book on P3P), and I will be the first to admit that P3P is on life support at best right now. But despite that, Microsoft is still using it as part of their default cookie settings that the vast majority of IE users depend on. So, if you don't like P3P, how about asking Microsoft to take P3P out of their browser? Or how about going back to the W3C (the organization that standardized P3P) and asking them to declare it dead? I suspect nobody wants to do that because it might call into question the effectiveness of industry self-regulation on privacy. W3C is currently hard at work on a new privacy standard called Do Not Track (DNT) which the industry is currently rallying around. Once the spotlights are off and companies have to live with the standard they created and discover that it prevents them from doing what they want to do, will they declare it dead as well and feel justified in circumventing it too?
