Google has issued a detailed rebuttal to Microsoft’s claims that Google is sidestepping a privacy protection in Internet Explorer.

The search company says Microsoft neglected to mention that the IE protocol Google is accused of circumventing is outdated, impractical and also ignored by many other websites. Google also notes that has long been transparent about what it’s doing.

We’ve asked Microsoft if it wants to respond.

Here’s the full text of statement from Rachel Whetstone, Google senior vice president of communications and policy.

Microsoft omitted important information from its blog post today.

Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form.  It is well known — including by Microsoft — that it is impractical to comply with Microsoft’s request while providing modern web functionality.  We have been open about our approach, as have many other websites.

Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.

Here is some more information.

Issue has been around since 2002

For many years, Microsoft’s browser has requested every website to “self-declare” its cookies and privacy policies in machine readable form, using particular “P3P” three-letter policies.

Essentially, Microsoft’s Internet Explorer browser requests of websites, “Tell us what sort of functionality your cookies provide, and we’ll decide whether to allow them.”  This didn’t have a huge impact in 2002 when P3P was introduced (in fact the Wall Street Journal today states that our DoubleClick ad cookies comply with Microsoft’s request), but newer cookie-based features are broken by the Microsoft implementation in IE.  These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services.  It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality.

Today the Microsoft policy is widely non-operational.

In 2010 it was reported:

Browsers like Chrome, Firefox and Safari have simpler security settings. Instead of checking a site’s compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies…..

Thousands of sites don’t use valid P3P policies….

A firm that helps companies implement privacy standards, TRUSTe, confirmed in 2010 that most of the websites it certifies were not using valid P3P policies as requested by Microsoft:

Despite having been around for over a decade, P3P adoption has not taken off. It’s worth noting again that less than 12 percent of the more than 3,000 websites TRUSTe certifies have a P3P compact policy. The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure.

A 2010 research paper by Carnegie Mellon found that 11,176 of 33,139 websites were not issuing valid P3P policies as requested by Microsoft.

In the research paper, among the websites that were most frequently providing different code to that requested by Microsoft: Microsoft’s own and websites.

Microsoft support website

The 2010 research paper “discovered that Microsoft’s support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE.”  This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft.

Google’s provided a link that explained our practice.

Microsoft could change this today

As others are noting today, this has been well known for years.

  • Privacy researcher Lauren Weinstein states: “In any case, Microsoft’s posting today, given what was already long known about IE and P3P deficiences in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues.”
  • Chris Soghoian, a privacy researcher, points out: “Instead of fixing P3P loophole in IE that FB & Amazon exploited ……MS did nothing. Now they complain after Google uses it.”
  • Even the Wall Street Journal says: “It involves a problem that has been known about for some time by Microsoft and privacy researchers….”

Here’s the original Microsoft post, published yesterday. We’ll let you know if Microsoft has more to say on the topic.

Like what you're reading? Subscribe to GeekWire's free newsletters to catch every headline


  • Chet Kittleson

    What’s the difference between fortune 500 companies arguing over rights and technicalities and 5 year olds arguing over whose pogs are whose? 

  • Guest

    Dear Google,

    I don’t care if other companies violate privacy standards in the same way that you do. You’re Google. Be better.



    • Guest

       Did you even read this?  Their “violation of privacy standards” is the exact method that MICROSOFT recommends in order to make the modern web work (such as using your google account to log into non-google domains).  In fact, if IE implemented P3P correctly, google’s invalid CPs would give you a link to google’s explanation of why they do not (and cannot) have a valid P3P policy.

      • Guest

        I have a hard time believing that Microsoft wants me to enter my Google account credentials onto other domains. Frankly, that’s exactly the kind of behavior I want to see stopped, not encouraged.

        Google should lead by good example, not follow bad advice.

  • Kathy E Gill

    Note (in the sprit of Lessig’s book and research into corruption) : Lauren is the beneficiary of Google $$$. “The Data Wisdom Explorers League (DWEL) has been founded by Internet pioneer Lauren Weinstein, in association with Google, Inc., which is providing funding support.”

    Also, flip Google’s data: 79 of the top 100 sites surveyed by Carnegie Mellon followed P3P protocol; ditto 2/3 of the total corpus. And most of the “mistakes” were, indeed, mistakes – mistyped data shortcuts. Of course, Facebook joined Google in thumbing its nose at the standard. Just because there is a “problem” does not mean Google has a license to exploit it! After all, the final sentence in the CM abstract reads: “Unless regulators use their authority to take action against companies that provide erroneous machine-readable policies, users will be unable to rely on these policies.”

    Microsoft’s reasons for supporting P3P may have been perverse, although given the time (early 2000s) they may have been on good behavior due to their anti-trust negotiations. I can guess the reasons that others didn’t follow suit. (The main “other” at the time would have been Firefox as Safari was not available for PCs until 2007.

Job Listings on GeekWork

Find more jobs on GeekWork. Employers, post a job here.
Flex/Flash EngineerPicMonkey Inc.
Android EngineerPicMonkey Inc.