Google is tracking users of the Internet Explorer Web browser without their knowledge, Microsoft has asserted.
After news emerged last week that Google had bypassed the privacy settings of Apple’s Safari browser, Microsoft researchers began looking into whether the search giant was also playing fast and loose with IE’s settings.
However, IE 9 has an additional privacy feature called “Tracking Protection” that blocks the method Google is using, Microsoft said. Users without IE 9 or who have the feature turned off may be susceptible.
Google “basically hacked IE differently than they hacked Safari, but the result is pretty much the same — they overrode the browsers’ capability to block cookies and prevent reporting,” Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld. Google “appears to be intentionally violating the privacy rights of users of third party products.”
Google’s actions are “concerning at any level, being misleading to consumers who expect these [privacy] controls to be honored and working,” Chris Babel, CEO of TrustE, told TechNewsWorld.
However, Google spokesperson Rachel Whetstone contended that Microsoft’s policy “is widely non-operational.”
What Google Did
Internet Explorer uses the Platform for Privacy Preferences Project (P3P) feature to block third-party cookies unless the site they’re from sends along a Compact Policy (CP) statement indicating how it will use the cookie and stating that it won’t track the user. That policy must be in machine-readable form.
In other words, P3P appears to work on the honor system. Tell it you’ll comply and it OKs you. But if you’re sneaky enough to lie, it will let you get by anyway.
Microsoft said Google gets around P3P by leveraging a nuance that requires browsers to ignore any undefined policies they encounter. It sends along a P3P CP that is not in machine-readable form and is, therefore, undefined.
With Safari, Google used an iFrame that loaded a page containing a meta refresh to a Google ad link. If the user wasn’t logged into Google, the response directed the browser back to Google’s DoubleClick advertising platform. If the user was logged into Google, the user was directed first to Google’s authentication service and then to DoubleClick.
In the case of Safari, Google claimed the whole thing was the accidental byproduct of its creating a temporary communication link between the browser and Google servers.
No Internet for Old Technology
Google’s response to Microsoft’s complaint about tracking IE users was that this is necessary for today’s Internet.
“It is well-known — including by Microsoft — that it is impractical to comply with Microsoft’s request while providing modern Web functionality,” Google’s Whetstone told TechNewsWorld. “We have been open about our approach, as have many other websites.”
Thousands of websites don’t use valid P3P policies, Whetstone said.
P3P was officially recommended as a standard by the World Wide Web Consortium (W3C) back in 2002. However, development work on it ceased shortly afterward, and Microsoft is the only major browser vendor to support P3P.
“As a result of P3P’s failed attempts to get market traction in the early 2000s, TrustE and other key industry players shifted energies towards the W3C on Do Not Track,” TrustE’s Babel said.
“An industry standard adopted by all browser vendors provides the best clarity for consumers and avoids the challenges of partial adoption that we’ve seen in the past, such as P3P adoption by Microsoft IE alone,” Babel continued.
Fallout For Google
Google’s tracking of third-party browser users might draw a lawsuit from angry users as well as other problems, Enderle warned.
“I expect this will come back to haunt them in terms of regulation and litigation, either directly or as future evidence showcasing a trend of bad behavior,” Enderle said.
A class-action complaint has reportedly been filed by one Matthew Soble against Google in the U.S. District Court for Delaware over its circumvention of Safari’s privacy features. Soble accuses Google of willfully violating the Federal Wiretap Act, the Stored Electronic Communication Act and the Federal Computer Fraud and Abuse Act.