Google doesn’t need your stinking privacy rules

You wouldn’t let the inmates run the insane asylum. You wouldn’t hire a fox to handle security at your henhouse. And it’s probably not the best idea to hand America’s Biggest Losers the keys to the Oreo cookie factory.

And yet on the InterWebs, the companies entrusted to keep our personal data safe are invariably the ones who have the most to gain from not doing so.

[ Meet the new cookie monster: Google has been secretly bypassing privacy settings on iPads and iPhones, via the Safari browser. | For a humorous take on the tech industry’s shenanigans, subscribe to Robert X. Cringely’s Notes from the Underground newsletter. | Get the latest insight on the tech news that matters from InfoWorld’s Tech Watch blog. ]

Today’s meditation on this topic returns to Google, which has been accused of tricking users into thinking their privacy is protected when it really isn’t. In this case, the accuser is Microsoft and the trickery involves privacy settings in Internet Explorer.

More specifically, it’s about the Platform for Privacy Preferences (P3P), an effort started in the late 1990s to provide machine-readable privacy policies. The idea was you’d customize your browser privacy settings exactly as you wanted them, then IE or Netscape Navigator or Apple’s Safari would automatically adjust how the websites you visited dealt with your data — for example, whether to block cookies deposited by third-party ad networks.

Only nobody really used it. Or rather, like Google, they pretended to and moved on. Google’s response, in part:

It is well known — including by Microsoft — that it is impractical to comply with Microsoft’s request while providing modern web functionality. … [N]ewer cookie-based features are broken by the Microsoft implementation in IE. These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services. It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality.

Yes, P3P has been in a persistent vegetative state since the mid-2000s. Yes, this is no secret within the industry; the New York Times’ Riva Richmond reported on this well over a year ago. Yes, Microsoft is using this as an opportunity to kick Google in the pubic — er, public arena.

Still, Google should know better than to leave itself open to yet another charge of blithely ignoring users’ privacy preferences for its own monetary gain. The semi-hysterical tone of its responses to both the Safari cookie controversy and this one suggests that Google does know better, but Larry Page will be damned before he admits it.

Google is in good, or bad, company, depending on your point of view. More than 20 of the 100 most popular websites — including Facebook, IMDB, AOL, and Hulu — also blow off P3P, per the Times. In fact, more than 11,000 sites bypass P3P by issuing a bogus “compact policy” (CP) code, notes Carnegie Mellon University’s Lorrie Cranor. She should know; Cranor was involved in the creation of P3P.

In September 2010, CMU analyzed 33,000 websites’ privacy practices:

We found thousands of sites using identical invalid CPs that had been recommended as workarounds for IE cookie blocking. Other sites had CPs with typos in their tokens, or other errors. 98% of invalid CPs resulted in cookies remaining unblocked by IE under it’s default cookie settings. It appears that large numbers of websites that use CPs are misrepresenting their privacy practices, thus misleading users and rendering privacy protection tools ineffective.

If P3P is so lame, Cranor asks, why don’t companies like Google and Facebook stop pretending they’re complying and instead ask the World Wide Web Consortium (W3C) to declare it dead and move on? Her answer:

I suspect nobody wants to do that because it might call into question the effectiveness of industry self regulation on privacy. W3C is currently hard at work on a new privacy standard called Do Not Track (DNT) which the industry is currently rallying around. Once the spotlights are off and companies have to live with the standard they created and discover that it prevents them from doing what they want to do, will they declare it dead as well and feel justified in circumventing it too?

The problem: Nearly every privacy policy on the Web starts with the phrase “we value your privacy,” but almost none of them actually mean it. Until they do, this kind of abuse, intentional or otherwise, is just going to continue. There need to be actual consequences when big companies violate users’ trust, or soon there won’t be any trust left to violate.

If the Internet giants can’t or won’t do it — so far, they’ve failed miserably — then our mutual Uncle needs to step in and do it for them.

I’ve asked it before and I’ll ask it again: Do we need a national data privacy law? Cast your votes below or email me: cringe@infoworld.com.

This article, “Google doesn’t need your stinking privacy rules,” was originally published at InfoWorld.com. Follow the crazy twists and turns of the tech industry with Robert X. Cringely’s Notes from the Field blog, and subscribe to Cringely’s Notes from the Underground newsletter.