Skip navigation

Microsoft: Google Bypassed IE Privacy Settings Too

It looks like Google's secretive efforts to bypass the privacy settings in Apple's Safari aren't limited to just that browser. Now Microsoft says that Google has similarly bypassed the privacy settings in Internet Explorer (IE). And Google, rather than denying the claim, says instead that it didn't have much of a choice.

Settle in, folks. This one is going to get messy.

Google, as you might remember, was accused recently of bypassing privacy features in Apple's Safari web browser, which runs in the company's popular iPhone handset and also, in much more limited numbers, on PC and Mac desktops. Google owned up to the invasion and halted the practice. But now the Federal Trade Commission (FTC) is investigating, and the online giant has already been slapped with a class-action lawsuit.

This is, of course, where Microsoft enters the picture.

"We've discovered that Google is employing similar methods [to its Safari hack] to get around the default privacy protections in Internet Explorer and track IE users with cookies," Microsoft Corporate Vice President Dean Hachamovitch writes in a blog post explaining Google's latest privacy invasion. "We've found that Google bypasses the P3P Privacy Protection feature in IE. [But] Internet Explorer 9 has an additional privacy feature called Tracking Protection which is not susceptible to this type of bypass. Microsoft recommends that customers who want to protect themselves from Google's bypass of P3P Privacy Protection use Internet Explorer 9 and add a Tracking Protection List."

According to Hachamovitch, in both Safari and IE, Google is essentially fooling the browser to believe that "third-party cookies," which are basically used to track user movements online, are "first-party cookies," which can only be associated with the currently viewed website. Most browsers, including Safari and IE, block third-party cookies by default, but not first-party cookies.

But IE offers a workaround to this behavior by allowing third-party cookies that have a valid P3P Compact Policy Statement, explaining how the site will use the cookie and states that the site won't track the user. Google abused this P3P policy to fool IE into accepting third-party cookies that allow Google to track users online.

"Given this real-world behavior, we are investigating what additional changes to make to our products," Hachamovitch added. "Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action."

Google says, however, that the P3P policy used by Microsoft is outdated and not conducive to "modern web functionality." And it points to a Facebook support page that notes that "most modern web browsers do not fully support P3P." But Google is utilizing what is essentially a bug in IE's handling of P3P policy to track users without their permission. Apparently the theory is that if others are doing it, it must be OK.

If you are an IE 9 user and would like to prevent Google from tracking your activities online without your consent, please visit Microsoft's Tracking Protection Lists site for more information and a tracking protection list download.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.