On February 17, Microsoft used Google’s circumvention of certain privacy settings on iPhones, iPads and Macs as a reason to tout IE’s superiority in privacy protection. But on February 20, in a post to the IEBlog, Microsoft officials admitted that Google had skirted IE users’ privacy settings as well.
Dean Hachamovitch, Corporate Vice President of IE, blogged:
In today’s blog post, Hachamovitch explained why IE also is vulnerable to Google’s cookie practices:
Hachamovitch said that IE users can take additional privacy steps by using an IE9 Tracking Protection list Microsoft created to thwart Google’s policy on this specifically. He also said that Microsoft is “investigating what additional changes to make to its products – including the possibility that IE, going forward, will ignore the P3P specification and block cookies with unrecognized tokens.”
“Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy.”
Update: Lorrie Faith Cranor, Director of the CyLab Usable Privacy and Security Laboratory (CUPS) and an Associate Professor at Carnegie Mellon University, emailed me to tell me that she and her students alerted Microsoft to this potential P3P-centric privacy breach in 2010. Here’s a paper she and some of her students wrote about it. She also did a blog post on February 18 on the Microsoft-sponsored Technology/Academics/Policy site noting that not just Google but also Facebook can track IE users via the same P3P loophole.
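The mechanism at issue is how a browser decides whether a third-party cookie arrived with an acceptable P3P compact policy. The following validator is an added example written for this article; it is not code from Microsoft, Google or the article itself. It assumes the P3P 1.0 compact-policy token vocabulary as I recall it from the specification, treats token matching as case-insensitive, and uses constructed header values (the “not a P3P policy” string below is a constructed stand-in, not Google’s actual header). It contrasts a lenient rule (any non-empty CP value counts as a declaration) with the strict rule the article says Microsoft was considering (reject a policy containing unrecognised tokens); the function names `evaluateP3P`, `extractCompactPolicy` and `isKnownToken` are mine.

```javascript
// P3P 1.0 compact-policy base tokens (assumption: this list reflects the
// P3P 1.0 vocabulary; check against the specification before relying on it).
const BASE_TOKENS = new Set([
  // access
  "NOI", "ALL", "CAO", "IDC", "OTI", "NON",
  // disputes and remedies
  "DSP", "COR", "MON", "LAW",
  // non-identifiable
  "NID",
  // purpose
  "CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP",
  // recipient
  "OUR", "DEL", "SAM", "UNR", "OTR", "PUB",
  // retention
  "NOR", "STP", "LEG", "BUS", "IND",
  // categories
  "PHY", "ONL", "GOV", "FIN", "UNI", "PUR", "NAV", "INT", "DEM", "CNT", "STA",
  "POL", "HEA", "PRE", "LOC", "OTC",
  // test
  "TST",
]);

// Purpose and recipient tokens may carry an a/i/o suffix (always/opt-in/opt-out).
const SUFFIXED = new Set([
  "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP",
  "OUR", "DEL", "SAM", "UNR", "OTR", "PUB",
]);

// True if `tok` is a recognised compact token (optionally with a/i/o suffix).
// Assumption: tokens are matched case-insensitively.
function isKnownToken(tok) {
  const base = tok.slice(0, 3).toUpperCase();
  const suffix = tok.slice(3).toLowerCase();
  if (tok.length === 3) return BASE_TOKENS.has(base);
  return tok.length === 4 && SUFFIXED.has(base) && /^[aio]$/.test(suffix);
}

// Pull the CP="..." value out of a P3P header value; null if there is none.
function extractCompactPolicy(headerValue) {
  const m = /CP\s*=\s*"([^"]*)"/i.exec(headerValue || "");
  return m ? m[1] : null;
}

// Classify a P3P header under a lenient and a strict acceptance rule.
// lenientAccepts: any non-empty CP value is treated as a declaration
//                 (unknown tokens are ignored, as the article says IE did).
// strictAccepts:  at least one token and every token is recognised.
function evaluateP3P(headerValue) {
  const policy = extractCompactPolicy(headerValue);
  if (policy === null) {
    return { policy: null, tokens: [], unknown: [], lenientAccepts: false, strictAccepts: false };
  }
  const tokens = policy.trim().split(/\s+/).filter(Boolean);
  const unknown = tokens.filter((t) => !isKnownToken(t));
  return {
    policy,
    tokens,
    unknown,
    lenientAccepts: tokens.length > 0,
    strictAccepts: tokens.length > 0 && unknown.length === 0,
  };
}

// Constructed sample headers (not captured from any real site).
const SAMPLES = {
  wellFormed: 'CP="NOI DSP COR NID CUR ADMa DEVa OUR IND"',
  notAPolicy: 'CP="This is not a P3P policy"',
  mixed: 'CP="CAO PSA OUR BOGUS"',
  missing: "",
};

for (const [name, header] of Object.entries(SAMPLES)) {
  const r = evaluateP3P(header);
  console.log(name, "lenient:", r.lenientAccepts, "strict:", r.strictAccepts, "unknown:", r.unknown);
}
```

Run with `node`: the prose string is accepted by the lenient rule because the header is present and non-empty, which is exactly the gap the article describes, while the strict rule rejects it (and the `mixed` case) because of unrecognised tokens.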
Update No. 2: Microsoft’s response to Cranor’s post from a spokesperson: “The IE team is looking into the reports about Facebook, but we have no additional information to share at this time.”
Update No. 3: Google officials (eventually) had plenty to say about Microsoft’s disclosure today. Here’s Google’s response to Microsoft’s blog post from today, attributable to Rachel Whetstone, Senior Vice President of Communications and Policy:
“Microsoft uses a ‘self-declaration’ protocol (known as ‘P3P’) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known - including by Microsoft - that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other websites.
“Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.”