Privacy spat: Microsoft vs. Google vs. the truth

Expert who helped write relevant privacy standard says they're both wrong

Hoping to fuel the controversy created by news that Google sidesteps privacy controls within Apple's Safari Web browser, Microsoft over the holiday weekend accused Google of taking similar liberties with Internet Explorer, a charge Google doesn't actually deny but essentially calls frivolous because everybody does it.

And one expert, who played a role in creating the privacy standard at issue here, says they're all partially right ... but ultimately wrong.


In the interest of quickly getting to the person who seems to be offering the most candor, here are an IDG News Service story about Microsoft's allegation and the Microsoft blog post on which it is based, and a News Service story about Google's response, in which the company calls IE's privacy policy "widely non-operational."

Now, from page 2 of that first News Service story, we hear from Lorrie Faith Cranor, an associate professor at Carnegie Mellon University who chaired the committee that wrote the relevant standard, Platform for Privacy Preferences (P3P), and literally authored a book about it 10 years ago.

"Companies have discovered that they can lie in their [P3P Compact Privacy Statements] and nobody bothers to do anything about it. ... Companies have also discovered that, due to a bug in IE, if they have an invalid [privacy statement], IE will not block it."

She said that Google is not alone in circumventing P3P and that this issue points to a larger problem in browser privacy. In fact, Facebook presents a P3P statement that says: "Facebook does not have a P3P policy." That line is an invalid P3P privacy statement so it essentially turns off IE cookie blocking, she said. "Thousands" of other sites have P3P privacy statements that don't match their actual practices, she said. ...

"The excuse everyone uses to justify this circumvention is that P3P is dead and IE breaks the cool things they want to do on their website, so therefore it is OK to circumvent browser privacy controls," she said. Cranor chaired the P3P working group and acknowledged that the protocol is struggling. But she suggests that if the industry doesn't like P3P, it should ask Microsoft to remove it from its browser. Or, the industry could also ask standards bodies to declare P3P dead.

For more details and background you can read her weekend blog post here.

And here you can find a 2010 Carnegie Mellon study documenting the extent to which P3P is being ignored.

(Update: A Wall Street Journal item about the flap points to a line at the very bottom of Microsoft's blog post that I had missed: "Given this real-world behavior, we are investigating what additional changes to make to our products. The P3P specification says that browsers should ignore unknown tokens. Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action.")
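To make the two behaviours in that update concrete, here is an added example (not code from Microsoft, Google or the P3P working group) that audits a `P3P` response header the way a site reviewer might: it separates recognized compact-policy tokens from everything else, flags a policy that is empty once unknown tokens are ignored, and reports whether the stricter "reject on any unrecognized token" rule would accept it. The token list is transcribed from the P3P 1.0 compact vocabulary; the function names, the verdict labels and all sample headers except the Facebook string quoted above are assumptions of this example, and it does not reproduce IE's own cookie evaluator.

```python
import re

# P3P 1.0 compact-policy tokens, transcribed from the spec's vocabulary.
PLAIN = set("""NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR OUR NOR STP
LEG BUS IND TST PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC
GOV OTC""".split())
# Purpose/recipient tokens that may carry an a/i/o consent suffix (e.g. ADMa).
SUFFIXABLE = set("""ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP
DEL SAM UNR PUB OTR""".split())

CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)


def is_known_token(tok):
    """True if tok is a compact-policy token (matched case-sensitively here)."""
    if tok in PLAIN or tok in SUFFIXABLE:
        return True
    return len(tok) == 4 and tok[:3] in SUFFIXABLE and tok[3] in "aio"


def audit_p3p_header(value):
    """Classify one P3P response-header value."""
    match = CP_RE.search(value or "")
    tokens = match.group(1).split() if match else []
    known = [t for t in tokens if is_known_token(t)]
    unknown = [t for t in tokens if not is_known_token(t)]
    if not match:
        verdict = "no-compact-policy"
    elif not known:
        verdict = "placeholder"   # ignoring unknown tokens leaves nothing
    elif unknown:
        verdict = "mixed"
    else:
        verdict = "well-formed"
    return {"verdict": verdict, "known": known, "unknown": unknown,
            # Strict rule from the update: any unrecognized token rejects.
            "strict_accept": bool(known) and not unknown}


# Constructed header values, except the Facebook string quoted in the article.
SAMPLES = [
    'CP="Facebook does not have a P3P policy."',
    'policyref="/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR UNI"',
    'CP="NOI ADM DEV See http://example.test/p3p"',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(audit_p3p_header(header)["verdict"], "<-", header)
```

A "well-formed" verdict says only that the tokens parse; it does not check the statement against the site's actual practices, which is the other failure Cranor describes.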
