Google doesn’t follow P3P, but then nor does anyone else, says Google’s communications vice president
The P3P policy used by Microsoft dates back to 2002, and asks sites to submit a machine-readable statement, but this is not compatible with modern web functionality, is widely ignored and is effectively “non-operational”, according to a response from a senior Google executive.
Microsoft didn’t tell the whole story
“Microsoft omitted important information from its blog post today,” said Rachel Whetstone, senior vice president of communications and policy at Google, in a statement sent to TechWeekEurope. “The Microsoft policy is widely non-operational.”
Microsoft criticised Google for not complying with the “self-declaration” protocol, P3P, under which websites are asked to provide their practices in machine-readable form. Google provided such a statement, but Microsoft’s Dean Hachamovitc criticised it as “intended for humans to read even though P3P policies are designed for browsers to ‘read’.”
Not so fast, says Whetstone: “It is well known – including by Microsoft – that it is impractical to comply with Microsoft’s request while providing modern web functionality.”
P3P dates back to 2002, and its problems have been well known since then. Google explains its issues here, while Facebook claims that P3P is out of date and no longer being developed by the consortium that proposed it. In 2010, a research report found that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft, Whetstone says.
A Wall Street Journal article agrees that the situation with Internet Explorer is different from Safari – where Google actually over-rode the user’s privacy settings – but the WSJ would like Microsoft to “close the loophole” rather than abandon P3P. While Double-Click ads comply with P3P, newer cookie features are “broken by the Microsoft implementation in IE”, says Whetstone. These include things like Facebook ‘Like’ buttons, the ability to sign-in to websites using your Google account and, of course, the Google +1 button.
Chrome, Firefox and Safari all use a simpler approach to cookies, letting the user pick a setting to either block them all, to block third party cookies, or allow all cookies, says Whetstone, arguing that after ten years of stagnation, it may be time to abandon P3P altogether. “The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure,” said a 2010 paper from TRUSTe.
Others are rallying to support Google’s cause. “In any case, Microsoft’s posting today, given what was already long known about IE and P3P deficiencies in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues,” said privacy blogger Lauren Weinstein.
How well do you know Internet security? Try our quiz and find out!