Woody Leonhard
Columnist

Google’s cookie runaround in IE? Not a big deal

Analysis
Feb 21, 2012 | 5 mins

Condemnation of Google for bypassing user privacy settings in Safari is justified, but Microsoft's IE bluster is just hot air

Google garnered a lot of attention last week — not in a good way. But does it really deserve the shellacking for its tracking cookie practices? On the one hand — when it comes to circumventing cookie blocking in Safari — Google’s clearly out of line. On the other hand — when it comes to tricking Internet Explorer’s P3P squasher so that it will allow cookies — the line’s not at all well defined.

The ball started rolling late last week when the Wall Street Journal published a front-page story about Google and three other online ad companies (Vibrant Media, Media Innovation Group, and PointRoll) bypassing the third-party cookie blocking that Apple’s Safari Web browser turns on by default. Jonathan Mayer, a grad student at Stanford, discovered the technique and has a thorough description on the Webpolicy blog of how Google and the other advertising companies do the dirty deed. The WSJ has a good infographic, complete with cookie contents.

Safari is unique among the major browsers in that it blocks third-party cookies by default. Google and the others found a way to wiggle around that default and plant their third-party cookies on computers running Safari.

Shocking? No. Reprehensible? Sure. The Electronic Frontier Foundation explains why in its article “Google Circumvents Safari Privacy Protections — This is Why We Need Do Not Track.” Google’s given us yet another reason to believe that it’s entered the post-“Don’t be evil” era.

Over the long weekend, another Google privacy slip came to light. In a blog post dated 1:30 a.m. on Tuesday, Dean Hachamovitch, Microsoft corporate vice president of Internet Explorer, declared Google was bypassing user privacy settings in Internet Explorer. “We’ve found that Google bypasses the P3P Privacy Protection feature in IE,” Hachamovitch says. “The result is similar to the recent reports of Google’s circumvention of privacy protections in Apple’s Safari Web browser, even though the actual bypass mechanism Google uses is different.”

Well, no. That’s not true at all.

In spite of its blustering, Microsoft knows all about the bypass method Google used, has known about it for years, and hasn’t plugged the hole that lets Google, Facebook, and roughly 11,000 other websites into the IE third-party cookie jar despite the straitjacket known as P3P. What’s more, Microsoft once published details (since taken down) on how to make the bypass work.

P3P, the Platform for Privacy Preferences, developed in the late 1990s by the W3C and published as a W3C Recommendation in April 2002, defines a vocabulary of three- and four-character tokens that a website strings together into a compact policy (CP), a one-line summary of its cookie practices sent in the HTTP P3P response header. For example, “NON ADM DEV PSD” declares that the site gives users no access to the identified data it holds (NON), uses the cookie data for site administration (ADM) and research and development (DEV), and may use it to make decisions that affect the user on a pseudonymous basis (PSD), that is, without identifying them. A compact policy can contain dozens of tokens, and each page on a website can carry a different one.

Acceptance of the P3P spec has been, ahem, slow at best. Of all the major browsers, only Internet Explorer (versions 6, 7, 8, 9, and 10) recognizes P3P policies. Firefox used to enforce P3P policies, but now it’s an obscure option.

When Internet Explorer encounters an invalid compact policy, it simply accepts all cookies. Microsoft says that’s in conformance with the W3C spec. Here’s what the spec says, in Section 6.4: “P3P user agents MUST NOT rely on P3P compact policies that do not comply with the P3P 1.0 or P3P 1.1 specifications or are obviously erroneous. Such compact policies SHOULD be deemed invalid and the corresponding cookies should be treated as if they had no compact policies.” You may read that as saying, “if the CP is invalid, accept all cookies.” I don’t. At IE’s default setting, a third-party cookie with no compact policy at all is blocked, so treating an invalid CP “as if it had no compact policy” ought to mean blocking the cookie, not waving it through.

In Internet Explorer 9 or 10, the slider that controls IE’s behavior with CPs (found in Tools, Internet Options, Privacy) starts at “Medium: Blocks third-party cookies that do not have a compact privacy policy.” There’s no admonition about invalid CPs — and certainly no indication that invalid CPs are accepted. Many people consider this a bug in IE.
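To make the difference between a missing, an invalid, and an unsatisfactory compact policy concrete, here is a small Python evaluator. It is an example added for this edit, not code from the article, from Microsoft, or from Google. The token vocabulary is the one in the compact-policy section of the W3C P3P 1.0 Recommendation; the “unsatisfactory” rule is a simplified stand-in for IE’s Medium-setting table, not a reproduction of it; and the sample P3P header values are constructed, not captured from any site. The `ie_medium_decision` function models the behavior the two preceding paragraphs describe (unrecognized tokens are ignored, so a CP made of plain English contains nothing unsatisfactory and the cookie is accepted), and `strict_decision` models the reading of the spec in which a non-compliant CP is treated as absent.

```python
"""Toy P3P compact-policy (CP) evaluator.

Added example for this article; not code from Microsoft, Google or the
W3C. Token sets follow W3C P3P 1.0 section 4 (compact policies). The
"unsatisfactory" rule is a simplified assumption, not IE's exact table.
"""
import re

# P3P 1.0 compact-policy token vocabulary.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
NON_IDENTIFIABLE = {"NID"}
DISPUTES = {"DSP"}
REMEDIES = {"COR", "MON", "LAW"}
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
            "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
              "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
TEST_FLAG = {"TST"}

# Purpose and recipient tokens may carry a one-letter suffix:
# a = always, i = opt-in, o = opt-out (e.g. "CONo" = contact, opt-out).
SUFFIXED = PURPOSES | RECIPIENTS
ALL_TOKENS = (ACCESS | NON_IDENTIFIABLE | DISPUTES | REMEDIES | PURPOSES
              | RECIPIENTS | RETENTION | CATEGORIES | TEST_FLAG)

# Simplified Medium rule (assumption): a third-party cookie is
# unsatisfactory if the CP declares identifying data (PHY/ONL/GOV/FIN)
# used for contact or shared beyond the site with no opt-in/opt-out.
IDENTIFYING = {"PHY", "ONL", "GOV", "FIN"}
CONTACT_OR_SHARE = {"CON", "TEL", "OTP", "SAM", "OTR", "PUB", "DEL", "UNR"}


def extract_cp(p3p_header):
    """Return the CP="..." value from a P3P header value, or None."""
    if p3p_header is None:
        return None
    m = re.search(r'CP\s*=\s*"([^"]*)"', p3p_header)
    return m.group(1) if m else None


def tokenize(cp):
    """Split a CP string into (base_token, suffix, recognized) triples."""
    out = []
    for raw in cp.split():
        base, suffix = raw, ""
        if len(raw) == 4 and raw[3] in "aio" and raw[:3] in SUFFIXED:
            base, suffix = raw[:3], raw[3]
        out.append((base, suffix, base in ALL_TOKENS))
    return out


def is_unsatisfactory(tokens):
    """Apply the simplified Medium rule to the recognized tokens only."""
    bases = {b for b, _, known in tokens if known}
    unconsented = {b for b, s, known in tokens
                   if known and b in CONTACT_OR_SHARE and s not in ("i", "o")}
    return bool(bases & IDENTIFYING) and bool(unconsented)


def ie_medium_decision(p3p_header):
    """Model of IE at Medium for a third-party cookie: no CP blocks,
    unknown tokens are ignored, so a CP of garbage has nothing
    unsatisfactory in it and the cookie is accepted (the hole)."""
    cp = extract_cp(p3p_header)
    if cp is None:
        return "block (no compact policy)"
    if is_unsatisfactory(tokenize(cp)):
        return "block (unsatisfactory policy)"
    return "accept"


def strict_decision(p3p_header):
    """Spec-as-written reading: a CP with unrecognized tokens is invalid
    and the cookie is treated as if it had no CP at all, i.e. blocked."""
    cp = extract_cp(p3p_header)
    if cp is None:
        return "block (no compact policy)"
    tokens = tokenize(cp)
    if not tokens or any(not known for _, _, known in tokens):
        return "block (invalid compact policy)"
    if is_unsatisfactory(tokens):
        return "block (unsatisfactory policy)"
    return "accept"


# Constructed sample header values, not captured from any real site.
SAMPLES = {
    "valid, harmless": 'CP="NON ADM DEV PSD"',
    "valid, unsatisfactory": 'CP="NON CON ONL PHY"',
    "garbage text": 'CP="This is not a P3P policy! See the site privacy page for details."',
    "no P3P header": None,
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:22s} IE Medium: {ie_medium_decision(hdr):32s} "
              f"strict: {strict_decision(hdr)}")
```

Run it and the “garbage text” row is the whole argument in one line: the IE-style evaluator accepts the cookie because nothing in the sentence is a token it knows, while the strict evaluator blocks it because nothing in the sentence is a token at all.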

Want to check it yourself? Fire up IE 9 or 10. If you’ve changed your IE Privacy setting, put it back at Medium, the default. Go to google.com. Click the gear-shaped icon on the right, then choose Safety, Webpage Privacy Policy. See how the Privacy Report says that cookies on Google.com have been accepted? Now click once on http://www.google.com, and click Summary. IE will gladly tell you that it just accepted cookies even though it “Could not find a privacy policy for http://www.google.com. To view this site’s privacy policy, contact the website directly.”

That’s a bug, and it’s existed since Internet Explorer 6. Should Google be penalized for taking advantage of IE’s bug? What about Facebook and Amazon and 11,000 others?

Now for the kicker: Microsoft once published specific instructions on how to make an “unsatisfactory” CP code for IE6. MSDN had instructions for creating CP codes that would fail the IE6 validity check. Microsoft has since taken down the page, but you can find a reference to it in the old Knowledge Base article 323752. (Microsoft yanked that KB article, too, but a copy still exists on the Wayback Machine.) To quote the Knowledge Base article, “Visit the following MSDN Web site for a complete list of satisfactory and unsatisfactory policy codes.”

Who knows? Maybe Google and Facebook and Amazon just followed Microsoft’s old instructions to circumvent third-party cookie blocking.

If you want to take Google to the woodshed, do it for intentionally subverting Safari. But for ignoring P3P? Bah.

This story, “Google’s cookie runaround in IE? Not a big deal,” was originally published at InfoWorld.com.