[Updated with comment from Google below]
Google has gotten a lot of flak this week over a Wall Street Journal report that the search company was bypassing privacy settings for users of Apple’s Safari browser.
Turns out, Google seems to be doing the same thing with Microsoft’s Internet Explorer browser, according to Microsoft.
“When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too?” Dean Hachamovitch, Corporate Vice President of Internet Explorer, wrote in an official IE Blog post. “We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies.”
Hachamovitch said Microsoft has found that Google bypasses the P3P Privacy Protection feature in IE, with results similar to Google’s (and other ad companies’) bypassing of Apple’s Safari browser privacy settings, “even though the actual bypass mechanism Google uses is different.”
Microsoft says IE9 has “Tracking Protection which is not susceptible to this type of bypass,” and has made available a tracking protection list that users can add.
Microsoft says it’s asked Google to commit to honoring P3P privacy settings for users of all browsers.
We’ve asked Google for comment and will update this post if we hear back.
[Update 6:55 p.m.: We heard back from Google. Here, in part, is a statement from Rachel Whetstone, senior vice president of communications and policy at Google:
Microsoft omitted important information from its blog post today.
Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known – including by Microsoft – that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other websites.
Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft. …
For many years, Microsoft’s browser has requested every website to “self-declare” its cookies and privacy policies in machine readable form, using particular “P3P” three-letter policies.
Essentially, Microsoft’s Internet Explorer browser requests of websites, “Tell us what sort of functionality your cookies provide, and we’ll decide whether to allow them.” This didn’t have a huge impact in 2002 when P3P was introduced (in fact the Wall Street Journal today states that our DoubleClick ad cookies comply with Microsoft’s request), but newer cookie-based features are broken by the Microsoft implementation in IE. These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services. It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality.
Today the Microsoft policy is widely non-operational.]