Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Expert: Microsoft has itself to blame in browser-privacy flap

Microsoft is pointing fingers at Google and Facebook for circumventing the privacy mechanism baked into Internet Explorer, but the real problem lies in its own failure to implement the P3P privacy standard well, an expert says.

The company has chosen to use the abbreviated format of the Platform for Privacy Preferences (P3P) to decide whether IE should block cookies that are pushed at the browser by Web sites, and doesn't use the information it gleans from that format to make good decisions, says Lorrie Faith Cranor, an associate professor of computer science and engineering and public policy at Carnegie Mellon University.

BACKGROUND: Microsoft says Google circumvents IE privacy policies too 

In particular, the browser evaluates data sent by cookie-spreading Web sites that is sent in a format called a compact policy (CP), which includes machine-readable tokens describing the visited sites' privacy policies as they pertain to cookies.

CPs tell what use would be made of data gathered by the cookies, giving the user discretion to accept or block them based on that information.

The P3P standard says these three- and four-character tokens should be considered invalid unless they are considered in combination with full police (FP) data sent via XML, Cranor says, but Microsoft ignores that proviso; it only considers the CPs.

Further, if a CP comes through with no stated policy or with a made-up token or tokens with format errors, IE will accept the cookie by default, she says. "Microsoft did some things implementing P3P that just seemed foolish," Cranor says.

A better way would be for the user agent within IE to treat invalid CPs as if the site has sent no CP at all, and then decide whether to accept cookies based on where the cookie actually comes from. If it's coming from the site the browser is visiting, then accept; if it's from a third-party site, block, Cranor says.

Microsoft is a big part of the reason CPs exist at all, she says. As the World Wide Web Consortium was winding down its work on P3P 10 years ago, it was headed toward standardizing the more stringent FPs, but representatives from Microsoft pushed for CPs because they take less time to process.

Today with XML integrated in most browsers, using FPs today would not create delay problems, Cranor says. "I don't think it would be a problem, but somebody would have to implement it," she says.

And that doesn't seem likely, she says. Support is growing for an alternative called Do Not Track that allows users to opt out of tracking by Web sites by filling in an HTTP header.

With Web sites such as Google, Facebook and many others using faulty, empty or made up CP tokens as a means to circumvent user P3P preferences, the only remedy is via legal enforcement, Cranor says.

When P3P was being written, the W3C consulted with the Federal Trade Commission, state attorneys general and European privacy commissions, all of which said they would apply their enforcement rules to machine-readable P3P policies as if they were natural language policies. But Cranor says she knows of no enforcement agency that has taken any sites to task for misrepresenting their policies or purposely sending invalid P3P tokens.

Some private class-action lawsuits have changed the policies of individual sites, but that is spotty.

Read more about wide area network in Network World's Wide Area Network section.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Carnegie Mellon University, Facebook, Federal Trade Commission, Google, LAN, Mellon, Microsoft, W3C, World Wide Web Consortium
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Facebook, Google, internet explorer, Microsoft, P3P, privacy, security
Latest Blog Posts
Whitepapers
  • Case Study: BNP Paribas Deploys Oracle Exadata to Accelerate Information Processing - The Hardware Perspective
    Datacenters are an aggregate of very heterogeneous elements interacting with each other and incurring a complex chain of dependencies, particularly around the point of contact between hardware and software. Against this backdrop, IDC is observing a great push from suppliers and end users alike toward a consumption model based on pre-integrated blocks of optimized hardware and software that IT departments need only to fine-tune, as opposed to build out of a collection of different components. Read on.
    Learn more »
  • Restore control, Reinforce security & Reduce Cost
    Uncontrolled print environments and practices present a serious risk to the profit and security of your organisation. IT is under pressure to protect sensitive information, secure devices, and improve the way they manage the entire fleet. To gain better control, your organisation needs to implement plans that meet industry regulations while also increasing productivity, lowering costs, and providing users with more flexible imaging and printing solutions. Read more.
    Learn more »
  • The Big Six: The CIO Executive Council’s Frameworks for IT Value and Leadership
    This overview of six of the CIO Executive Council’s most important pieces of intellectual capital represents the thought leadership of literally hundreds of global CIOs spanning over half a decade. It is intended to convey the Council’s position on the current and future CIO role and the value that IT should be creating for the enterprise. We hope that it offers the IT community an intriguing and comprehensive roadmap for continued success.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.