Microsoft is pointing fingers at Google and Facebook for circumventing the privacy mechanism baked into Internet Explorer, but the real problem lies in its own failure to implement the P3P privacy standard well, an expert says.
The company has chosen to use the abbreviated format of the Platform for Privacy Preferences (P3P) to decide whether IE should block cookies that are pushed at the browser by Web sites, and doesn't use the information it gleans from that format to make good decisions, says Lorrie Faith Cranor, an associate professor of computer science and engineering and public policy at Carnegie Mellon University.
In particular, the browser evaluates data sent by cookie-spreading Web sites that is sent in a format called a compact policy (CP), which includes machine-readable tokens describing the visited sites' privacy policies as they pertain to cookies.
CPs tell what use would be made of data gathered by the cookies, giving the user discretion to accept or block them based on that information.
The P3P standard says these three- and four-character tokens should be considered invalid unless they are considered in combination with full policy (FP) data sent via XML, Cranor says, but Microsoft ignores that proviso; it only considers the CPs.
Further, if a CP comes through with no stated policy or with a made-up token or tokens with format errors, IE will accept the cookie by default, she says. "Microsoft did some things implementing P3P that just seemed foolish," Cranor says.
A better way would be for the user agent within IE to treat invalid CPs as if the site has sent no CP at all, and then decide whether to accept cookies based on where the cookie actually comes from. If it's coming from the site the browser is visiting, then accept; if it's from a third-party site, block, Cranor says.
Microsoft is a big part of the reason CPs exist at all, she says. As the World Wide Web Consortium was winding down its work on P3P 10 years ago, it was headed toward standardizing the more stringent FPs, but representatives from Microsoft pushed for CPs because they take less time to process.
Today with XML integrated in most browsers, using FPs today would not create delay problems, Cranor says. "I don't think it would be a problem, but somebody would have to implement it," she says.
And that doesn't seem likely, she says. Support is growing for an alternative called Do Not Track that allows users to opt out of tracking by Web sites by filling in an HTTP header.
With Web sites such as Google, Facebook and many others using faulty, empty or made up CP tokens as a means to circumvent user P3P preferences, the only remedy is via legal enforcement, Cranor says.
When P3P was being written, the W3C consulted with the Federal Trade Commission, state attorneys general and European privacy commissions, all of which said they would apply their enforcement rules to machine-readable P3P policies as if they were natural language policies. But Cranor says she knows of no enforcement agency that has taken any sites to task for misrepresenting their policies or purposely sending invalid P3P tokens.
Some private class-action lawsuits have changed the policies of individual sites, but that is spotty.