Google Bypassing User Privacy Settings

When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies. Below we spell out in more detail what we’ve discovered, as well as recommendations to IE users on how to protect their privacy from Google with the use of IE9's Tracking Protection feature. We’ve also contacted Google and asked them to commit to honoring P3P privacy settings for users of all browsers.

We’ve found that Google bypasses the P3P Privacy Protection feature in IE. The result is similar to the recent reports of Google’s circumvention of privacy protections in Apple’s Safari Web browser, even though the actual bypass mechanism Google uses is different.

Internet Explorer 9 has an additional privacy feature called Tracking Protection which is not susceptible to this type of bypass. Microsoft recommends that customers who want to protect themselves from Google’s bypass of P3P Privacy Protection use Internet Explorer 9 and click here to add a Tracking Protection List. Customers can find additional lists and information on this page.

Background: Google Bypassing Apple’s Privacy Settings

A recent front page Wall Street Journal article described how Google “bypassed Apple browser settings for guarding privacy.” The editor and CEO of Business Insider, a business news and analysis site, summarized the situation:

Google secretly developed a way to circumvent default privacy settings established by a… competitor, Apple… [and] Google then used the workaround to drop ad-tracking cookies on the Safari users, which is exactly the sort of practice that Apple was trying to prevent.

Third-party cookies are a common mechanism used to track what people do online.  Safari protects its users from being tracked this way by a default user setting that blocks third-party cookies.  Here’s Business Insider’s summary:

What Safari does NOT allow, by default, is for third-party … cookies on users' computers without their permission. It is these ad-tracking cookies that cause lots of Internet users to freak out that their privacy is being violated, so it's understandable that Apple decided to block them by default.

But these default settings have created a problem for Google, at least with respect to its goals for its advertising business.

Google’s approach to third-party cookies seems to have the side effect of Safari believing they are first-party cookies.

What Happens in IE

By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent.

P3P, an official recommendation of the W3C Web standards body, is a Web technology that all browsers and sites can support. Sites use P3P to describe how they intend to use cookies and user information. By supporting P3P, browsers can block or allow cookies to honor user privacy preferences with respect to the site’s stated intentions.

It’s worth noting that users cannot easily access P3P policies. Web sites send these policies directly to Web browsers using HTTP headers. The only people who see P3P descriptions are technically skilled and use special tools, like the Cookie inspector in the Fiddler tool. For example, here is the P3P Compact Policy (CP) statement from


Each token (e.g. ALL, IND) has a specific meaning for a P3P-compliant Web browser. For example, ‘SAMo’ indicates that ‘We [the site] share information with Legal entities following our practices,’ and ‘TAI’ indicates ‘Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization.’ The details of privacy are complex, and the P3P standard is complex as well. You can read more about P3P here.

Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy. It’s intended for humans to read even though P3P policies are designed for browsers to “read”: 

P3P: CP="This is not a P3P policy! See for more info."

P3P-compliant browsers interpret Google’s policy as indicating that the cookie will not be used for any tracking purpose, or indeed for any purpose at all. By sending this text, Google bypasses the cookie protection: its third-party cookies are allowed rather than blocked. The P3P specification (“4.2 Compact Policy Vocabulary”) calls for IE’s implemented behavior when handling unknown tokens: “If an unrecognized token appears in a compact policy, the compact policy has the same semantics as if that token was not present.”
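To make the unknown-token rule concrete, here is an added example (not code from the post, Microsoft or Google) that tokenizes a compact policy, separates spec vocabulary from unrecognized words, and shows how the same header is judged under the spec's "ignore unknown tokens" rule versus the stricter handling the Next Steps section says is under consideration. The vocabulary sets follow P3P 1.0 section 4.2; the accept/block rule is a simplified stand-in for IE's default level (an assumption), and a bare purpose token such as the post's `TAI` is assumed to mean "always".

```python
import re

# Compact-policy vocabulary from P3P 1.0 section 4.2 (the section the post quotes).
# Constructed example, not Microsoft's or Google's code; the evaluation rule below
# is a simplified stand-in (assumption), not IE's actual privacy-level table.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES_REMEDIES = {"DSP", "COR", "MON", "LAW"}
NON_IDENTIFIABLE = {"NID"}
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
            "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
              "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
TEST = {"TST"}
ALL_BASES = (ACCESS | DISPUTES_REMEDIES | NON_IDENTIFIABLE | PURPOSES
             | RECIPIENTS | RETENTION | CATEGORIES | TEST)
# Purpose and recipient tokens may carry a consent suffix: a=always, i=opt-in,
# o=opt-out. Assumption: the suffix is optional and a bare token means 'always'.
SUFFIXED = PURPOSES | RECIPIENTS

# Simplified evaluation rule (assumption): block when a tracking-type purpose
# without opt-in consent is combined with an identifiable data category.
TRACKING_PURPOSES = {"PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
IDENTIFYING_CATEGORIES = {"PHY", "ONL", "UNI", "GOV", "FIN"}

TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")


def tokenize(header):
    """Split a compact policy into tokens. Accepts a full 'P3P: CP="..."' header
    line or the bare CP value; tokens are whitespace-separated."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header)
    value = m.group(1) if m else header
    return value.split()


def classify(tokens):
    """Return (recognized, unrecognized) token lists."""
    recognized, unrecognized = [], []
    for tok in tokens:
        m = TOKEN_RE.match(tok)
        ok = (m is not None and m.group(1) in ALL_BASES
              and (m.group(2) is None or m.group(1) in SUFFIXED))
        (recognized if ok else unrecognized).append(tok)
    return recognized, unrecognized


def tracks_identifiably(recognized):
    """True if a tracking purpose lacking opt-in consent meets identifiable data."""
    tracking = [t for t in recognized
                if t[:3] in TRACKING_PURPOSES and not t.endswith("i")]
    identifying = [t for t in recognized if t in IDENTIFYING_CATEGORIES]
    return bool(tracking) and bool(identifying)


def decide(header, unknown_handling="ignore"):
    """Decide whether a third-party cookie carrying this P3P header is accepted.

    unknown_handling:
      'ignore'        - spec section 4.2: unrecognized tokens are dropped
                        (the behaviour the post describes IE implementing)
      'block'         - block if any unrecognized token is present (the stricter
                        course the post says is being investigated)
      'require_valid' - a policy with no recognized token counts as no policy
    Returns (verdict, reason)."""
    tokens = tokenize(header)
    if not tokens:
        return "BLOCK", "no compact policy"
    recognized, unrecognized = classify(tokens)
    if unknown_handling == "block" and unrecognized:
        return "BLOCK", "unrecognized tokens: " + " ".join(unrecognized)
    if unknown_handling == "require_valid" and not recognized:
        return "BLOCK", "no recognized tokens; treated as no compact policy"
    if tracks_identifiably(recognized):
        return "BLOCK", "tracking purpose on identifiable data without opt-in"
    return "ACCEPT", "no unsatisfactory practice declared"


# Constructed sample headers. GOOGLE_HEADER is the text quoted in the post
# (link elided as on the page); the other two are made up for contrast.
GOOGLE_HEADER = 'P3P: CP="This is not a P3P policy! See for more info."'
BENIGN_HEADER = 'P3P: CP="NOI DSP COR NID CURa OUR NOR"'
TRACKING_HEADER = 'P3P: CP="ALL DSP COR PSAo IVDo OTPo SAMo OTRo IND PHY ONL UNI DEM"'

if __name__ == "__main__":
    for name, hdr in (("google", GOOGLE_HEADER), ("benign", BENIGN_HEADER),
                      ("tracking", TRACKING_HEADER)):
        for mode in ("ignore", "block", "require_valid"):
            verdict, reason = decide(hdr, mode)
            print(f"{name:9s} {mode:14s} {verdict:6s} {reason}")
```

Under `ignore`, every word of the quoted Google header is dropped and the empty remainder is accepted as a policy declaring no practices; under either stricter mode the same header is blocked while a genuine benign policy is still accepted.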

Similarly, it’s worth noting section “3.2 Policies” from the P3P specification:

3.2 Policies

In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements.

P3P is designed to support sites that convey their privacy intentions. Google’s use of P3P does not convey those intentions in a manner consistent with the technology. 

Because of the issues noted above, and the ongoing development of new mechanisms to track users that do not involve cookies, our focus is on the new Tracking Protection technology.

Next Steps

After investigating what Google sends to IE, we confirmed what we describe above. We have made a Tracking Protection List available that IE9 users can add by clicking here as a protection in the event that Google continues this practice. Customers can find additional lists and information on this page.

The premise of Tracking Protection in IE9 is that a tracking server never gets the opportunity to use cookies or any other mechanism to track the user if the user never sends anything to that server. This is why Tracking Protection blocks the network requests entirely rather than filtering cookies. This technology approach is currently undergoing the standardization process at the W3C.

This blog post has additional information about IE’s cookie controls, and shows how you can block all cookies from a given site (e.g. * regardless of whether they are first- or third-party. This method of blocking cookies would not be subject to the methods Google used. We recommend that users not yet running IE9 take steps described in this post.

Given this real-world behavior, we are investigating what additional changes to make to our products. The P3P specification says that browsers should ignore unknown tokens. Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action.

―Dean Hachamovitch, Corporate Vice President, Internet Explorer

Comments (163)
  1. Obvious says:

    Google and Facebook are children of the Internet. It's not surprising that they consider privacy protections as damage and simply route around them.

  2. J. Swift says:

    Of course they circumvented P3P– you didn't say "pretty please"!

  3. G.W. says:

    It's President's Day, Google– fess up and admit that you chopped down that cherry tree.

  4. Eric says:

    I don't see how this is Google's fault. They ARE following the standard and IE is choosing to accept it by also following the standard. If the standard sucks, that's not Google's fault or your fault, it's the W3C's fault.

  5. albk says:

    "in shaking your hand, we imply agreement with the code of conduct, but reserve the right to direct you to an external policy elsewhere that disavows any intent to agree to anything and continue as before,

    -insincerely, Google"

  6. SnarkMaiden says:

    Eric, if the standard says the P3P policy can't make false claims and the CP policy makes false claims, that's not following the standard. But the P3P standard is very trusting of the sites making the claims; that no longer seems adequate behaviour.

  7. Josh says:

    "They ARE following the standard "

    Except for the part where they are not.  See this from the W3C (it was in the article above): "In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements."

    What that means is that Google WAS NOT following the standard when they put a human readable link as the CP value.  They were in fact willfully contradicting the guidance.

  8. Paperino says:

    Eric: that's not a good definition of "following" a standard. It's more like "abusing" the standard.

  9. Thanks for this blog post. If the IE team has more information related to protecting personal privacy while using IE, please let us know. Cheers. C.

  10. Carlos says:


    Yes, because sending a deliberately incorrect string with the explicit intent of bypassing the privacy settings system is totally OK.

    Also, if you didn't want your house stolen clean, you should have installed a better door. Completely your fault!

  11. Paperino says:

    To the IE team. Please create a plugin that is "restrict all Google invasive pages". We are sick. Then if you can make a plugin for Chrome, it would add a sense of irony like their "Privacy Matters" page.…/

  12. Phillip Malone says:

    a) Did you investigate if Google was the only one doing this, or are you just scared of Google because they're eating your lunch?

    b) Anyone smart enough to use Google isn't dumb enough to use IE

    c) Why would someone who uses IE be silly enough to think they had privacy? I assumed you were spying on us!

    d) Get over it, and build a decent product

    e) Why did you let google spy on them! Looks like you dropped the ball big time! But what would we expect?

    F) I trust google with my stuff about a 1 gugillion times more than MS or Apple!

  13. Duh says:

    @Phillip Malone: While you're obviously just here to troll, I'll still point out that Google is using this attack to track people who aren't "using Google." That's the whole point– they're tracking everyone, and willing to lie to accomplish that.

  14. the_dees says:

    I usually have cookies disabled for every web site except a few chosen ones.

    Unfortunately, IE does not tell websites that they are allowed to set cookies if the global setting disables cookies to be set.


    This leads to websites telling you that they can't let you in or give you information because you have cookies disabled when in fact you allow those websites to set cookies.

    Until recently I have browsed such websites using Opera which didn't have this bug. Recently my main browser, Firefox, also fixed this issue. That had a great influence on my surfing experience (a positive one).

  15. Heavy Irony says:

    It's so ironic that Microsoft are complaining about other people violating security.  How many violations of security – and general LACK of security – have Microsoft had and still continue to have?

  16. Master of Desater says:

    The usage of a browser for important tasks is the biggest fault.

    All Web-based stuff is driven by criminal garbage of data.

    The biggest fault here is the system you use and provide.

  17. Harry Richter says:

    I would suggest that Microsoft delivers a security update to all users of IE that enables this TPL for users of IE9 and uses the quoted method for IE8.


  18. Mitch 74 says:

    Yup, Google fskced up here – thing is, they are not the only ones (this doesn't make it right though) and they fessed up to it, and discontinued it – at least, the Safari protection circumvent. That one seems different.

    Bad Google, bad! Even if said P3P declaration contains a human-readable string and a link to an explanation page, it's still bad. But what about all these advertising networks that use the same system? Shouldn't reverting the behaviour from "allow unknown P3P policies" be switched from "true" to "false" by default, with a setting in the "cookies" tab in IE?

    So, Google deserves the bashing. However, something more complete than "Google did bad" would be appreciated  – especially considering that they do provide a link, and an explanation, in their trespassing! "See, I opened your door: I said to your janitor, 'I'm here to fix the smurf-a-tron' and, bewildered, he not only let me in, but also left me a key".

    I wonder how MSN, Live, Passport, Hotmail, Microsoft and msdn track me – I should have a look at the P3P headers sent by these websites, just to be sure – I wonder who the joke will be on if I find something similar… But I'm not too worried, considering the msdn comment form loses track of me in less than 10 minutes, if there IS something akin to this exploit, it may just not work.

  19. Luis says:

    Amazing… Google gives you free awesome products in return on displaying ads that might help you and you get mad. (No, I don't work @ google). Microsoft on the other side, has 30+ years building crap and charging you monkeys for it. Sorry, from these two evils, I side with Google.

  20. WAFSD says:

    Google-blocking TPL loaded.

    Other web commenters (example – Mary Jo Foley, ZDNet) are missing the point of Google's actions. Google didn't "hack" IE or exploit a security problem with IE. Google deliberately violated the spirit and the letter of the W3C standard for ethical use of tracking cookies and similar objects.  IE was in compliance with the P3P policy for how to interact with sites that are offering 3rd party cookies.

    The fault here is 100% with Google for twisting the public standard to suit their own needs. This is akin to a robber saying that it's not enough to lock your doors and windows, it's not enough that breaking and entering is against the law, you'd better put iron bars on everything, too, because if he can get in, it's your own fault and your property is his to take.

  21. EricLaw [MSFT] says:

    @Mitch74: You can easily see what P3P headers are sent using Fiddler. You can either use the COOKIES response inspector tab, or you can type COLS ADD @RESPONSE.P3P in the QuickExec box under the session list and a new column will appear in the Web Sessions list to show you what P3P declaration is present.

  22. Jesper Kristensen says:

    P3P is a joke. Technology, protocols and tech standards supported by a web browser should not have any influence on a decision for a web site to track or not track a user. Neither in IE nor in Safari. I don't think you can show that the average IE user is more concerned about tracking than the average user of another browser not supporting P3P. Therefore I see no problem in circumventing P3P. Decisions of when to track a user should be based on user intent (Like DNT:1 does, because it is off by default, and thus signals explicit user intent), based on the ethics and values of the web site owner, based on industry best practices, and based on law.

    By that, I won't say that Google's tracking is OK, but P3P and IE's default privacy setting are not relevant in the discussion. This blog post seems to not be concerned about privacy. It seems like its only purpose is to generate negative press about your competitor.

  23. wefnkl says:

    Dear IE team, it's obvious that the IE privacy feature failed if Google could bypass it. Don't blame others for your poor work.

  24. Peter says:

    Wow, unbelievable

  25. Hmmm says:

    @wefnkl – yeah, stupid Microsoft for following the W3C's spec.

  26. Master of Desaster says:

    The only poor work here is the Web Standard.  ????? Let me think. What standard?????

    It's equal — because every browser vendor and every web programmer does what they think is correct or best for them.

  27. Eric says:

    So we'd prefer Google to claim they follow certain privacy policies in order to comply with P3P even though they don't follow those policies at all because they're close? Ya, I bet everyone would love that and no one would criticize Google for that at all. Face it, the standard doesn't work. It's a bad standard, IE decided to implement the standard and set it on by default and Google could either lie to the user by setting tokens that are somewhat correct (which might be illegal) or they could just say to heck with it and point out that they don't have a way to properly apply the standard to their policy.

    Ultimately, P3P is less than useless and I'd be shocked if a single person on this list modified their P3P setting in IE. This is attacking a competitor for doing whatever they need to do to have their site display on MS's browser without lying to the user to do it.

  28. John Danton says:

    Microsoft sure likes to live in glass buildings and throw stones.  How much information loss, malware and viruses is IE responsible for?

  29. Greg says:

    Interesting, especially given Google's own statement on the matter with Safari last week:

    "Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google's Ads Preferences Manager." (Rachel Whetstone, Google SVP of Communications and Public Policy)

    Even if technically true (different settings, for example), seems pretty slimy to state that…

  30. Ben Aston says:

    Delicious irony that Microsoft is complaining about a web standards violation!

  31. GetAClue says:

    @Eric: Funny, yahoo and msn and other major sites work properly. I think you're complaining that if Google wants their cookies to get stored, they'd *GASP* have to actually not violate the user's privacy to do it.

    @Jesper: Get real. Google is going to ignore DNT too.

  32. Jim says:

    It's my understanding that this is an obsolete/failed specification designed by MS and only used in IE. The spec itself isn't very coherent and wasn't accepted as an industry wide standard and is thusly ignored by pretty much everyone. This does look like unfairly mudslinging a competitor, why complain about Google bypassing a dead technology that isn't supported by any major browser?

  33. WhatAboutMicrosoft says:

    And Internet Explorer 8's Privacy Statement, (I don't know where IE 9's statement is hiding), says:

    "From time-to-time, information about your usage of SmartScreen Filter will also be sent to Microsoft such as the time and total number of websites browsed since an address was sent to Microsoft for analysis. Some information about files that you download from the web such as name and file path may also be sent to Microsoft. Some website addresses that are sent to Microsoft may be stored along with additional information including web browser version, operating system version, SmartScreen Filter version, the browser language, and information about whether Compatibility View was enabled for the website. A unique identifier generated by Internet Explorer is also sent. The unique identifier is a randomly generated number that does not contain any personal information and is not used to identify you. This information, along with the information described above, is only used to analyze performance and improve the quality of our products and services."

    And I ask: Which "Products and services" are you talking about? Bing Search, Bing Ads, Microsoft Adcenter? What exactly? You are possibly collecting every URL we browse to and every path and filename of every file we download through your Smartscreen Filter and you are channeling this information to which service?

    Isn't this a form of spying?

  34. Master of desaster says:

    Ok, I'm back to block all Google traffic in our company via content firewall.

  35. Gerben says:

    Seems more like a problem on IE's side.

    They just check if there is a P3P policy present instead of actually parsing it and seeing if the legally-binding statements made in this policy allow for third party cookies to be accepted.

  36. Robert Elliot says:

    This is a very deceptive blog post. I encourage all readers to research more and think more thoroughly about this issue.

  37. temp says:

    Did you count how many clicks you have to do to load a tracking protection list…This is impossible for simple users.

    You don't really want people using TPL…

  38. Duncan Bayne says:

    Apparently the train I'm on just entered a parallel universe: I'm seeing a Microsoft employee complaining about Google 'embracing and extending' an internet protocol! 😉  

    Seriously though, what is Google doing wrong here?  Clearly they're not providing a valid token, & the protocol states that the browser should behave as though no token was provided.   I don't see how the subsequent tracking is Google's fault?  It looks to me as though IE's default behaviour is at fault.

  39. Simple solutions says:

    Google fans install Linux

    Microsoft fans add a line to hosts file:

  40. Protocol Man says:

    What Google wants to do makes sense (track cookie across THEIR domains).

    Currently not in the protocol so they made something work (MS should try this).

  41. Shane P. Brady says:

    Waiting for the admonishment of Facebook, a MS partner, for the exact same behavior.

  42. Lost says:

    @Protocol Man: what domains do Google have? Just wondering what I should look for.  Thanks.

  43. anonymous says:

    @Eric. Is your last name Schmidt?

  44. Anon says:


    So you're comparing an automatic anonymous feedback system to a personalised tracking system to serve ads?

    Can you spot the difference now?

  45. Bruce says:

    So how is this any different than IE ignoring w3 standards all these years?

  46. Wayzom says:

    Do no evil.  Unless it is profitable.

  47. IE has been Googled says:

    Two wrongs don't make it right. On this, Google is wrong. If the current P3P doesn't support what's needed by Facebook and Google, they should work to get a new standard. Until that happens, Google and Facebook should respect users' settings.

  48. Facebook? says:

    So, Why aren't you calling out Facebook for the same behavior?

    Double standards, much, Dean? Mind your own business and build a standards compliant browser that doesn't suck before slinging mud around.

  49. Wayzom says:

    @Simple Solutions, that looks like a good way to make it easier to be tracked by Google and harder to find useful programs.

  50. Ivan says:

    Maybe, just maybe, instead of complaining about competitors' products and services, Microsoft should try to improve theirs. I'd pick Google's products and services over Microsoft's any day, and it's your fault, dear Microsoft. Google beats your search engine, browser, email, mobile OS etc. You had luck with the OS at the right time, when there was no competition.

    I don't hate you, dear Microsoft, but you just don't measure up. I would like to see a blog entry for 'What we s*ck at and what we need to do to improve'. I'd respect you more as a company then

  51. Master of Desaster says:

    All products except the search from Google are waste.

  52. Srsly? says:

    > Did you count how many clicks you have to do to

    > load a tracking protection list…This is impossible

    > for simple users.


    Troll elsewhere please.

  53. Andre R says:

    This is very distressing. What the heck has happened to Google in the last few years? I used to associate them with innovative ideas and great services. Now I think of them more as an Internet predator just looking for places to exploit users. Serious Jeckyll and Hyde routine.

  54. Ray says:

    Seriously Microsoft? And you've never tracked a single person's movements on the internet using the unstable, unreliable piece of trash software commonly known as Internet Explorer??

    Give me a break you pack of whinging, moaning old women. The more I see Microsoft bashing other companies the more I love to hate them.

  55. Eric says:

    @IE has been Googled – that's the problem, there are no user settings that fit their privacy policy. They have no way of telling the user that. While the standard may allow you to provide tokens that are similar to your privacy policy, that is lying to the user straight out and would probably lead to a serious class action lawsuit and investigation by the FTC. They make no claims about their own privacy policy; they're not lying to the user. IE may interpret this as a valid P3P policy and make decisions based on that but that's up to Microsoft.

  56. Andre R says:

    "Seems more like a problem on IE's side. "

    I think the blog post more or less admits to that. But then explain how that excuses Google for surreptitiously taking advantage of it to gather data the user has asked not be gathered? It's a scummy move, no matter how you try to explain it away. It puts Google on the same level as spyware creators. Would you actually defend virus- and malware-writers because, hey, they wouldn't be able to do it if the software was more secure? Would you argue that?

  57. Clarification... says:

    @Duncan: You're a bit confused. Google's providing a P3P Statement that says:

       "Here's the complete list of what we do with this cookie: []."

    As required by the P3P standard, IE interprets that statement and applies the user's settings: "Block any cookies that are used for List-of-unsatisfactory-or-invasive purposes."

    Since the Google P3P lies and claims that they're not using the cookie to track the user, the cookie is accepted by default.

    @Jim: You say: "It's my understanding that this is an obsolete/failed specification designed by MS"

    Rather than saying to everyone: "Based on my obviously inaccurate understanding", why not spend two minutes looking at the P3P specification. You can even use your favorite search engine. Hint: The P3P spec wasn't written by anyone from Microsoft.

  58. Kuldeep says:

    Send each and every microsoft user a ticker and ask them not to trust google and start using bing instead otherwise microsoft would not take responsibility of any data theft or misuse of personal information.

  59. Why Don't You People Read??? says:

    Erik sez "that's the problem, there are no user settings that fit their privacy policy. They have no way of telling the user that"

    Wrong. The token you're looking for is OTP and it means "Other purposes." It was designed exactly to convey that the cookie is being used for purposes beyond those that are defined in the P3P spec. (Notwithstanding the fact that google is lying by not listing the uses that ARE defined in the spec).

  60. I am going to go out on the limb of being slightly stupid, at least I will admit it, and ask if this meant that Google was able to circumvent "InPrivate" browsing? Especially with what they have planned come March 1st, I have tried to wean, if not divorce, myself from all things Google.

  61. PR scam says:

    What about facebook? What about the fact that the people this impacted opted in to having Google provide them with services by virtue of being logged in and having third party site services enabled. Furthermore, as you point out, Google doesn't provide an actual P3P policy, therefore they're not really circumventing anything, IE just fails to handle that case.

    The whole point of this article is just transparently a PR smear.

  62. This is another scam from microsoft says:

    Read this, Microsoft. How facebook also uses the long outdated p3p…/microsoft-google-p3p-breaches-facebook.html

  63. Mark Casey says:

    I've got to agree with the other Facebook comments, this is a blatant PR piece to get in a sideswipe at Google. I wholly agree Google/Facebook is doing wrong but the _near instant_ admonishment of Google by MS and total lack of mention of Facebook (a MS partner) smells of hypocrisy and two faced PR.

  64. Master of Desaster says:

    time to disable Google 🙂

  65. You forgot to mention Facebook... says:

    Carnegie Mellon CyLab alerted Microsoft a year ago about this.…/11944…/tr_cylab10014.html

  66. Arf Arf says:

    Yeaaaaah, this is why you do things like use noscript. The P3P policy is basically a gentleman's agreement that doesn't actually implement any actual security. Anyone can whip up a header like that which bypasses P3P policy and install any cookie they want.

  67. WhatAboutMicrosoft says:


    So you're comparing an automatic anonymous feedback system to a personalised tracking system to serve ads?

    No, IE's SmartScreen filter collects the search strings and form data that is attached to any URL it receives. This is not anonymous. My search terms, my downloaded files and the things I type on Web forms are not anonymous. They are highly personal data. The bad thing is not that Microsoft collects it as part of a security service but that it uses them to improve some other unidentified "Products and service", which may include Bing, Adcenter, etc. It might even be shared with Facebook, who knows.

    And the Privacy Statement for IE 9 is hidden somewhere.

  68. booboo says:

    Funny, you forgot to mention how Microsoft's own sites also circumvent IE's restrictions in exactly the same way.…/CMUCyLab10014.pdf

  69. Responsibility of first party websites says:

    Should we be talking about the first-party websites that host a Google's +1 button or Facebook's Like button?

    If you think in terms of contracts (implicit or explicit), the primary privacy policy which is relevant when you visit Arstechnica (or any website) is Arstechnica's privacy policy. Google's privacy policy is secondary (you're not visiting a Google page). So the burden to ensure the right thing is done should be on Arstechnica.

    If Arstechnica's privacy policy says "we don't share your data with other sites", while simultaneously putting a Google/Facebook widget which breaks that pledge, then Arstechnica is responsible.

  70. Mike says:

    I tried to test this too,  but my windows machine is down thanks to a spyware / rootkit that I got thanks to Internet Explorer.

    Hey MS, you've invaded way more people's privacy by your constant security holes that allowed millions of malware apps to hijack systems, send spam, and fool people into paying for fake antivirus software. I never got one piece of malware or any viruses from using a Google product.

  71. This is another scam from microsoft says:

    OMG, so and are also using the same strategy according to this:…/CMUCyLab10014.pdf

    You made my day, microsoft.

    I am waiting for the next blog when you accuse and

  72. Michael says:

    It's about time we start developing browser plugins that do some random webbrowsing and google searching just to fill their databases with noise.

  73. AndyCadley says:

    It's hard to say whether P3P is just a horribly broken standard or whether just the bit about ignoring unknown tokens is the real issue. At a minimum, however, I think a P3P policy that contains no valid tokens should be interpreted by IE as if no privacy policy were specified at all.

  74. AndyCadley says:

    People linking to the cmu report should try reading it. and were, at worst, omitting a DEM (stating that they might use cookies for collecting demographic data) but otherwise had their P3P statement fine. A minor issue, but not nearly in the same league as the example from Google, which is just blatantly wrong.

  75. Peppeddu says:

    If another company did that, it would be branded as malware.

    MSE would have been updated with the latest virus definition signature for this cookie and the problem would have been solved.

    WHY we are wasting a bunch of time discussing it? Because it's Google doing it?

  76. Privacy Statements says:

    Simplest way to see IE's own Privacy Statement; start an InPrivate tab (e.g. CTRL+Shift+P) and click the link to the privacy statement at the bottom.

  77. Who is really surprised by this. Google is an Angel in their own minds when it comes to privacy. We all know Google has no interest in privacy and they believe if they can somehow justify that they are not collecting certain personal information that it is OK. Facebook is the same kind of enemy to privacy. Who puts up a social network for free and thinks they will not collect some private information. Google to me is not evil, they just think your information, as long as it's mixed up in a random and non-traceable way, is OK.

  78. Paul says:

    All well and good, but it's unfortunate that IE9 isn't available on XP.

  79. Ryan says:

    Did you read the page they linked? They pretty clearly explain what their intentions are, and why they did what they did, but it seems like you deliberately didn't address that; your goal seems to be to make the situation look worse than it actually is.

  80. David says:

    While I'd agree they haven't implemented the P3P spec correctly, how on earth did that (P3P) survive any scrutiny?  It's the cookie equivalent of the evil bit joke, only it actually got implemented!

  81. Joe says:

    Oh, so this whining is coming from the company who stole the spyglass source code to build IE, aka actual software theft and tried to destroy Netscape. How's it feel to be on the other side now Microsoft?

    Oh and btw, as pointed out, it's quite amusing to see you complain about google when facebook has been doing this for months.…/a-loophole-big-enough-for-a-cookie-to-fit-through

  82. Mike D says:

    Due to the pervasive presence of Google components in nearly every web page, Google does not actually need cookies at all to effectively track users. Google Analytics, for example, can track users continuously across pages and sites that contain it. Google Analytics is installed on a large majority of web pages, and it is hard to find a web page that does not contain at least one component from Google.…/google-circumvents-privacy-everywhere

  83. anon says:

    How about instead you beef up the security. There's more than Google out there and honestly big brother is the worst; its entire job is to imprison you. Your attitude about business over people is the main reason I don't go near IE.

  84. MM says:

    Isn't it really misleading to make it sound as though IE really is secure and the other options are not, though?  Hasn't it been pointed out that blockers based on lists are completely ineffective?  And browser function/usability will never allow for complete privacy.  This is a really one-sided post about it… I get that you want to push your own product, but misleading users into thinking they're somehow totally safe with IE9 is, well… misleading.

  85. Beeej says:

    Who cares.. it's Google…. they are the good guys..

  86. Neal Patel says:

    Shame on Google for ignoring privacy rules; but if you guys decide to deviate from specifications, then you really have not learned from your previous mistakes (IE 6-8).

  87. Randall says:

    Gotcha. There'll be a similar post about Facebook's placeholder P3P policy soon and Facebook will be added to the TPL, right?

  88. Prior Semblance says:

    And if you ask google about it they'll probably say "We didn't mean to do this!"

    Yeah right…. they just hoped nobody would notice.

  89. of course says:

    If you guy made a good and cross platform browser you wouldn't be there whining about google

  90. The reason: Google turned EVIL! says:

    I just see a long, long row of actions by Google since Page's take-over last year that are meant to squeeze the last bit of information out of its users (who are not its customers, but its product sold to the advertisers) with the single goal of making the company more profitable: real-name policy, unified privacy policy, Motorola take-over, various spy actions etc etc. Now Google even wants to take control over our passwords, stored in the cloud and unknown to ourselves (!

    And Google won't leave out any shortcut, however immoral and illegal, to achieve its self-proclaimed goal of world domination. While this goal may have sounded cute and idealistic a couple of years ago when we still thought Google is out to better the lives of humanity, combined with its new "it's all about the profit" objective the company is only one thing: creepy and a danger to humanity! This is real world's SKYNET in the making. You read it here first, folks!

  91. David says:

    It is really strange, but Microsoft seems to be a symbol of freedom now:

    – Privacy advocate

    – Can install any app on Windows I want

    – Can get apps on from anybody, no censorship

    – Can install anything on Windows

    – Software vendors don't have to pay Microsoft 30% to sell apps


  92. Steve says:

    Don't you also lie in your User-Agent header? Every time I have ever seen P3P discussed it was about how to best wrangle this spec out of hell. Google be damned for that Safari thing but I don't think you have anything here. How many websites have a serious P3P header? As others have pointed out, Facebook does the exact same thing, though I'm not sure that makes it acceptable. P3P is terrible though.

  93. Shayne says:

    so the solution would thus be to block google. Got it microsoft. I wonder what alternative there is. Oh its bing. I'm glad conflict of interest would never be involved in this. congratulations.

  94. Redditor says:…/c3ta897


    While this might get buried, I wanted to direct you to the P3P standard: P3P Standards – Processing Compact P3P

    Simply passing what Google does to the browser, according to the official W3C standard, tells the browser to treat this as if no policy were passed, that is, as if they had no policy. They fail at least one criterion – not having a full policy (edited from failing almost all six – thanks for the fact doublecheck sysop).

    Therefore, I can conclude from this that this is not, strictly speaking, a Google problem. They are passing something invalid but the standard says invalid gets treated the same as if you didn't pass that header. IE should be rejecting it as if there was no policy.

    If IE -is- accepting it, as they seem to indicate in their post, all this means is that IE has once again not followed a W3C standard (not at all surprising). And that is the UA's problem – not the standards and not the websites.

  95. zongren says:

    Google has claimed that they have made the policy setting known to all.

  96. Eduardo Cereto Carvalho says:

    If you want to know what the P3P policy, that the post shows as a good example of P3P, indicates:

  97. NNM says:

    Hello World. Just in case you hadn't noticed, google is the biggest evil on the internet. Adblocking everything from them… Even have hosts file entries in attempts to block their invasion…

  98. xpclient says:

    Well IE9 doesn't make it easier to see blocked cookies. It removed the cookie blocked icon which also doubled up as the button to see the web page's privacy policy on the status bar that IE8 had. PUT IT BACK IN IE10 IF YOU REALLY WANT TO COMPLAIN ABOUT P3P, COOKIES AND PRIVACY POLICY!!!

  99. Markus Beck says:


    muahahah! Popcorn!

  100. xyzzy says:

    microsoft hating on google for behaviour that microsoft pioneered and that google isn't actually engaged in despite this fluff piece.

    would be interesting at least if anyone still used ie.

  101. - says:

    Oh MS, you so silly. "It's not a bug, it's a feature!"

    If you understand P3P so well, why do you open a backdoor for third-party cookies?

    I can imagine the conversation:

    User: "I have a TP cookie that I don't want! How can that be?"

    You: "Either it has a P3P policy and behaves well or it doesn't – but then it's not our fault: The TP site must be malicious."

    User: "So no security at all."

    You: "We are P3P compliant. Remember: Not a bug – it's feature!"

    Right. On my display a sticky note is written with two lines: "My password is XJGS/DS." and "Please do not read the above (or else!)."

    I don't even…

  102. ####################################################### says:

    Why does this site load content from Aren't you aware of the referer header?

    If there's one place on the internet I should be safe from Google's crimes against privacy, I thought it would be a Microsoft website.


  103. Klimax says:

    Must say the number of idiotic hate-filled troll comments is huge, but amusing. (Basement dwellers are apparently bored while using "superior" browsers. /s )

    And those defending Google are funny too…

    Also as is case with Building 8 comments, many failed reading comprehension.

  104. Brenno says:

    I thought the consensus was that P3P failed and is considered dead?

  105. Jerry S says:

    So there is only a single current privacy standard which has only limited protection and still sites like Google and Facebook are screwing with that standard to avoid providing even the minimal privacy that this standard currently provides.

    I hope IE will become more strict and will block sites that abuse the p3p standard.

    It might not be a very good standard but it will be a good attitude going forward to place the control where it should be placed. At the hands of the users.

    Google and Facebook are not just screwing with IE but effectively screwing with the IE users that have set their privacy levels. They need to become aware that with any privacy standard, either now or in the future, that if you intentionally try to screw the users out of their privacy that you do not get ANY data.

  106. Thomas W says:

    MS has shagged, broken, bought or stolen every single standard it ever could, to undermine the cause of open standards, comparability & user choice.

    No sympathy whatsoever for a losing company. Customers hate you.

  107. KentonFrank says:

    All cloud services should be treated with caution as the providers aims are usually not remotely aligned to the users. If you are using cloud services in a corporate environment, make sure you take some basic precautions:…/strategic-security-cloud-services

  108. This is just a case of Microsoft being incompetent and blaming the competition for their mistakes. I find this post to be nothing but a defamatory post in shameless self-promotion of Microsoft's anti-tracking cookie technology – put in place to address the security shortcomings of their own browser product.

    Did any of the IE team actually read the P3P specifications? Google's Compact Policy, while it does not adhere to the required machine readable vocabulary, does not make any false or misleading statements whatsoever. There is no valid CP vocabulary in this string at all and therefore it should be treated as such, invalid or non-existent.

    I would like to also quote from the document under the same section:

    "3.2.2 The POLICY element

    The POLICY element contains a complete P3P policy. Each P3P policy MUST contain exactly one POLICY element. The policy element MUST contain an ENTITY element that identifies the legal entity making the representation of the privacy practices contained in the policy. In addition, the policy element MUST contain an ACCESS element and one or more STATEMENT elements. It SHOULD contain a DISPUTES-GROUP element. It may contain a P3P data schema and one or more extensions."

    As there are no valid ACCESS or STATEMENT (That would be COMPACT-ACCESS, and COMPACT STATEMENT) elements in valid Compact Policy vocabulary as required above, I back up my argument that it is Internet Explorer itself that does not correctly conform to the aforementioned standards.

    It seems that w3's own validator tool would also agree with me:…/

  109. google extremists denies facts and spread FUD says:

    Google extreme thinks that whining about microsoft or apple or santaclause makes this and many other evil actions go by unnoticed. Sorry but google can't hide its dirty face forever.

  110. Alex says:

    It's not a feature, it's a bug!

  111. bryan says:

    I've got to say that any security specification which allows the site to tell the browser how much security to allow it based on basically promising not to do bad things is itself bad, and a security hazard.

  112. Google: Don't be evil? says:

    Strange that Google doesn't support the P3P protocol but it sends a P3P response. Mmmm…

  113. Lino Barreca says:

    DEAR Microsoft…

    Do you think is it wise to admit that your browser privacy settings could be easily fooled by web sites?

    Don't you realize you're saying "hey men, google is evil..but we are dorks"?

  114. Aaron says:

    You are accepting an invalid header, so your system is at fault.

  115. Steve Jobs says:

    Microsoft tries to buy your love. Fails. Shuts it down. Thinks up something equally lame. Tries again. Fails again. Repeat.

  116. Facebook uses the same "trick" says:

    P3P CP="Facebook does not have a P3P policy. Learn why here:"

    Remember, it's not a bug in IE, it's a feature!

  117. Arieta says:

    Every time I see a new IEBlog post pop up on the RSS, I'm hoping that its a new preview or a beta version of IE10 that can be used in Windows 7, but my hopes are squashed every time.

  118. RiotingPacifist says:

    6.4 Compact Policy Processing

    P3P user agents MUST NOT rely on P3P compact policies that do not comply with the P3P 1.0 or P3P 1.1 specifications or are obviously erroneous. Such compact policies SHOULD be deemed invalid and the corresponding cookies should be treated as if they had no compact policies. The following guidelines are designed to reduce the chance that a P3P user agent will accept an invalid compact policy.…/P3P11

  119. Hrusi says:

    Nip the evil in the bud – employ host file blocking

  120. ChrisLamont says:

    These P3P hacks were exposed in Oct' 11 on Security StackExchange

    See this for more info:…/396

  121. Honor; get honor and stay honor says:

    While logged into my Google account, I browsed a website that I am 100% certain I've never before visited; FIAT (.com).  In less than 20 minutes of visiting that automotive website, an email advertisement arrived from FIAT in my Gmail inbox. The disclaimer at the bottom of the email stated that I am in receipt of the email due to a relationship with "one our of media partners". Google is giving away / providing your email address to websites that you're visiting, while logged into Google! They're doing the same thing that AOL did, back in the day. This is truly a breach of MY privacy, despite what fine print Google certainly offers to support their contrary beliefs.

  122. Ron says:

    Let us detect and block all 1 pixel images, 0 pixel images, CSS that is loaded and does not apply to a page element, javascript that only loads a 1 pixel image, etc.

    This greatly slows down IE if you have a fast connection that takes a long time to connect given that many well known sites have 50+ requests given all of the 1 pixel images, unused CSS 1 liners, etc.

  123. HelpFile says:

    P3P, broken by default …

  124. Martin Robins says:

    Just tried adding the "Block 3rd Party Google Site Tracking" TPL to IE10 on Win8DP and it has locked up.

    This happened in both Metro and desktop modes.

    Thought you might want to know.

  125. Mat says:

    Amazing how trolls are unable to see things as they are without distorting the reality in any possible way that blames Microsoft at the end. Scares me that some of these trolls might actually be technology advisors telling companies that whatever Google is doing here is fine and that they should blame IE for it. Crazy people, you need (psychological) help, seriously.

  126. P3P spec reader says:

    Of the two P3P spec portions quoted, one is from P3P 1.1 (not the recommended 1.0 spec) — so, it's irrelevant. The other concerns FULL not COMPACT P3P Policies. So… there you go.

  127. andyzei [msft] says:

    @Martin Robins — This has been tested in IE9 and Windows 8 Developer Preview — if you're still having issues, feel free to email me @ andyzei at microsoft com and I'd be happy to help you debug. Thanks!

  128. Technology Advisor says:

    @Mat: How good is WebGL support in the upcoming IE10?

    I need the answer to advise my company about it.

  129. Matthew Sekol says:

    Has anyone tried Googling "Google hides cookies in Internet Explorer" and then comparing your results to Bing?

    Cover-up, anyone? Yeesh.

  130. I found the use of a WSJ reference interesting in this article.  The WSJ reference that sticks in my mind is this one:…/SB10001424052748703467304575383530439838568.html

    Unless someone at Microsoft (product team or otherwise) can refute the picture this article fairly conclusively paints, we're forced to conclude that the failure of IE 9 to block the kind of "attack" Google waged here is an unintended but not unsurprising consequence of a poor business decision.

  131. Harry Richter says:

    @ Technology Advisor

    I hope it is 0%, as it is NOT a standard and above all has serious security issues.

  132. MHazell says:

    Why not update IE8 also? I'm on XP. Wish you could make an IE9 upgrade for XP, but that will never happen.

    Typed this comment in Chrome.

  133. lenny says:

    Why does it bother you that Google found flaws in a privacy spec?

    Are you just jealous that no one wants use!

    Bing it! then decide!

    PS Bing was the absolute worst product name that Microsoft ever came up with.  It's no wonder no one ever switched from to

  134. MikeGale says:

    This issue raises a couple of thoughts:

    1)  Does Chrome implement P3P?  (It seems that IE, Firefox (with a glitch in version 2), Safari and Opera do.)

    2)  The degree of user control seems thin.  The IE interface gives a number of presets and an advanced mode.  (I've looked at 8 and 9.)  The advanced mode seems to miss out on things (like settings that involve a P3P policy).  Is there a facility to code up a detailed explicit user policy.  Something that enables those who care to define what is and isn't acceptable in more detail.  It could look almost like a compact P3P policy, each option listed with a + for accept and a – for reject.  The details could be saved as a file to be imported into any browser.  (The flavour would be 'P3P: CP=" +CONo -CUR +CUSo -IVAo +IVDo …"', where each option for each factor of interest is listed.  Users can choose to select "cookie only" settings, but are not limited to that!)  Anyone here know if that's possible or contemplated?

  135. Andrew says:

    If you set IE to override automatic cookies handling and block third-party cookies, does it help work around this issue?

  136. Mitch 74 says:

    @MikeGale, to answer your questions:

    Question 1:

    – Chrome, as well as Safari, don't implement P3P at all. At least, I found nothing on either Chrome's, Safari's or Webkit's documentation indicating they implement it. Considering Google used a different exploit to circumvent third party cookie protection in Safari, I don't think Safari at least supports P3P.

    – Firefox started implementing P3P in version 2 (it was buggy in it) and has, since then, completed the implementation – and disabled it by default. Enabling it is used in specific cases, like problems in accessing some older Microsoft web-based tools. You also have to modify the values of 2 different keys in "about:config" to do so, as there are no GUI elements to enable it. There's one to disable them, though: changing 3rd-party cookie policy.

    Question 2: your proposal has probably already been considered; the problem here is how P3P in general and IE in particular treat a malformed/unknown P3P header, and not the way it deals with known instructions: if it can't understand it, it simply allows it. It's akin to giving the keys to a flat to a guy showing up and saying "I need to deliver the smurglf to the flart at this address".

    And the latter is the, in hindsight, completely stupid decision to consider developers' goodwill the basis of security – remember that P3P was created by Microsoft in 2002, at a time when they didn't give a damn about browser safety, and IE6 was considered the be-all, end-all and state-of-the-art browser ever.

  137. Harry Richter says:

    @ Mich 74

    "…that P3P was created by Microsoft in 2002…"

    This statement is wrong. P3P was created by the W3C, and it still is an official standard by the W3C.

    Microsoft was only one of the first implementers.

  138. Ie lover says:

    here is the great IE enhancement tool with separate bookmarks option for video, images and links

    check it here pls…/IE-Add-Ons.shtml

  139. Trey says:

    This is like IE Troll land.  How many of you people are getting paid to write?

  140. EricLaw [MSFT] says:

    @Andrew: Yes, blocking 3rd party cookies, or all cookies from the selected sites also mitigates this issue, but using a TPL is simpler and addresses other forms of tracking that aren't cookie-based.

    @MikeGale: You can import a P3P configuration of any type you'd like. I explain and provide several examples here:…/understanding-internet-explorer-cookie-controls.aspx, but the MSDN documentation on the specifics is here:…/ms537344.aspx

    @Mitch 74: Let's be very clear here– P3P isn't a security feature. There's no real reason for the client to try to be robust against malicious input, because there's no *technical* reason a site cannot simply flat-out lie about their privacy practices in the P3P statement. The enforcement mechanism for P3P was never meant to be technical, a fact well-understood to both the authors and the implementors of the spec.

  141. Hector Santos says:

    Look, the GooKids grew up in a generation where Mom and Dad gave them computers young instead of TVs and didn't teach them the morals of how to use it, slapping their butts "Thou shall steal from people.," "This is not yours. Give it back.." Mark Z, 20 years ago as my lawyer jokingly reminded how proud he did it a few times, had it work for McDonald's flipping burgers for all contract violations he did and for breaking many laws. Times have changed, the kids user don't even know what all the fuss is about, "You mean they weren't suppose to do that in the place? Why? We already shared our toys in Kindergarten!"

  142. Andrew says:

    Anyway, I think IE's Options window really does need a major overhaul…it has not really changed in the last decade! (maybe something Metro-like?). Besides the eye-candy, some features are also currently missing; for example, there is no simple way to view the cookies currently stored (and possibly choose which one to delete, on a one by one basis). The only way is to use Windows Explorer to open the hidden/system folder where they are stored or use some third-party app (like CCleaner). Every other browser has this pretty basic feature already built-in their UI.

    Please, consider this for IE 10. Thank you.

  143. Fred says:

    Whatever happened to "Don't be evil?" I guess when you go public, evil becomes your middle name.

  144. Nonyour says:

    Instead of complaining and crying that Google is bypassing your software.. FIX IT! If you have the ability in your browser to block cookies then it should block cookies. There shouldn't be a workaround. It's your fault Google was so inventive to find out you left holes in the security of your crappy browser anyways. The same goes for Safari. Stop complaining and fix the problem.

  145. Arieta says:

    I've enabled the TPL posted above, and with it enabled it's impossible to visit any Blogspot pages.

  146. Mitch 74 says:

    Seems a comment of mine was lost… Oh well.

    @EricLaw: true, my mistake, P3P is originally a proposition by IBM and the MIT, first implemented by Netscape and IBM independently around 1997/1998, and elevated to W3C Candidate Recommendation in 2002, when Microsoft first implemented it (IE6sp1, I guess). Version 1.1 merely reached the Note status in 2007, when Mozilla decided to drop it altogether (after noting in 2004 how its default settings were insecure), Webkit never even considered it and Opera toyed with the idea – but no more than that.

    As such, no further work was done on it after 2007, due to complete lack of interest and a bunch of outstanding, and unaddressed, concerns dating back to 1998.

    I would guess that the only thing to do would be to either disable it by default or drop it from IE – and work on a better solution. That would fix Google's abuse, and everybody would be happy.

    But, wait – Facebook, and Yahoo wouldn't work anymore! But, as they are MS partners (or MS subsidiaries), they should be able to fix that.

    Strange they didn't get bashed in this post, though.

  147. Johan says:

    And… what does microsoft use as p3p header on…?

  148. Xi says:

    Is this a joke? You're complaining that Google (and by the way Facebook as well) isn't respecting a broken protocol that only Internet Explorer (the biggest joke of a browser in history) implements?

    Microsoft just sinks to new lows every single day. All they do now is try to bash the competition because they have surpassed Microsoft so much that it's all Microsoft can do. Bing is a piece of crap too. Its search results are only good for the most trivial of searches.

  149. Jaimes says:

    How does any of this solve the problem of deprecating IE6, IE7 & IE8?!

    People! please focus on the important issues!  Won't anyone think of the children!

  150. crisstinapronie says:

    Google's robot opened several of my emails in Hotmail. I have proof because I insert a script that tells me when an email was opened and the IP number. Hostname: The question is, how do I report it?

  151. ErIs8 says:

    you know what, it's important to encourage other browsers as it adds to our own knowledge

  152. Duh! says:

    Cookies are the "Devil". Cookies have an enlarged abdullah oblongata and that is why.

  153. EricLaw [MSFT] says:

    @Johan:'s P3P statement is: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"

  154. charlie chan says:

    ok in english how do i stop google from spying? i do not have a google account? does that matter?

  155. IE's bug says:

    1) "By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user"

    2) "If an unrecognized token appears in a compact policy, the compact policy has the same semantics as if that token was not present." (Thus according to 1, the cookie should be blocked)

    Google is not presenting any p3p policy (token) and IE9 should block them. I don't understand why this is google's fault !!! can anyone explain please?
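Comments 94, 118 and 155 all rest on the same spec rule: a compact policy with no recognized tokens has to be processed as if no compact policy had been sent. The script below is an added example (not from the post or any commenter) that applies that rule to the CP values quoted on this page; the token table is the P3P 1.0 compact vocabulary, while the "does not indicate tracking" test in `third_party_cookie_decision()` is an assumed, simplified rule and not IE's actual algorithm.

```python
"""Strict processing of a P3P compact policy (CP) header.

Added example, not from the IEBlog post or any commenter. The vocabulary is
P3P 1.0's; the satisfactory/unsatisfactory test is an ASSUMED simplification.
"""
import re

# P3P 1.0 compact tokens grouped by the policy element they summarize.
COMPACT_TOKENS = {
    "access": {"NOI", "ALL", "CAP", "CAO", "IDC", "OTI", "NON"},
    "disputes": {"DSP"},
    "remedies": {"COR", "MON", "LAW"},
    "nonident": {"NID"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                 "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test": {"TST"},
}
# Purposes and recipients other than CUR / OUR may carry a suffix:
# a = always, i = opt-in, o = opt-out. No suffix means "always".
SUFFIXED_GROUPS = {"purpose", "recipient"}
NO_SUFFIX = {"CUR", "OUR"}
IDENTIFIABLE = {"PHY", "ONL", "GOV", "FIN"}          # identifiable categories
FIRST_PARTY_PURPOSES = {"CUR", "ADM", "DEV", "TAI"}  # needed to run the site

_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')


def classify(token):
    """Return (group, base, suffix) for a vocabulary token, else None."""
    for group, bases in COMPACT_TOKENS.items():
        if token in bases:
            suffix = "a" if group in SUFFIXED_GROUPS and token not in NO_SUFFIX else ""
            return group, token, suffix
        if (group in SUFFIXED_GROUPS and len(token) == 4 and token[3] in "aio"
                and token[:3] in bases and token[:3] not in NO_SUFFIX):
            return group, token[:3], token[3]
    return None


def parse_compact_policy(header):
    """Split the CP="..." value into (recognized, unrecognized) tokens.

    Returns None when the header carries no CP value. Unrecognized tokens are
    kept only for reporting: per the spec they count as if absent.
    """
    match = _CP_RE.search(header)
    if not match:
        return None
    recognized, unrecognized = {}, []
    for tok in match.group(1).split():
        parsed = classify(tok)
        if parsed is None:
            unrecognized.append(tok)
        else:
            group, base, suffix = parsed
            recognized.setdefault(group, {})[base] = suffix
    return recognized, unrecognized


def third_party_cookie_decision(header):
    """Decide ('block' | 'allow', reason) for a third-party cookie.

    Step 1 is the spec rule: no CP, or no recognized tokens, means no compact
    policy, so the cookie is blocked. Step 2 is the assumed simplification:
    identifiable data may not serve non-operational purposes or go to other
    recipients without at least an opt-out.
    """
    parsed = parse_compact_policy(header)
    if parsed is None:
        return "block", "no CP compact policy present"
    recognized, _unrecognized = parsed
    if not recognized:
        return "block", "no recognized tokens; treated as if no compact policy"
    if recognized.get("category", {}).keys() & IDENTIFIABLE:
        for base, suffix in recognized.get("purpose", {}).items():
            if base not in FIRST_PARTY_PURPOSES and suffix == "a":
                return "block", f"identifiable data used for {base} with no opt-out"
        for base, suffix in recognized.get("recipient", {}).items():
            if base != "OUR" and suffix == "a":
                return "block", f"identifiable data shared with {base} with no opt-out"
    return "allow", "recognized policy does not indicate tracking (simplified rule)"


# CP values quoted on this page (comments 116 and 153) plus one constructed one.
FACEBOOK_CP = 'CP="Facebook does not have a P3P policy. Learn why here:"'
MICROSOFT_CP = 'CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"'
CONSTRUCTED_TRACKING_CP = 'CP="NOI DSP PSAa OUR IND PHY ONL"'  # constructed sample

if __name__ == "__main__":
    for label, hdr in [("Facebook", FACEBOOK_CP), ("Microsoft", MICROSOFT_CP),
                       ("constructed", CONSTRUCTED_TRACKING_CP), ("no header", "")]:
        print(f"{label:12} -> {third_party_cookie_decision(hdr)}")
```

Running it shows the prose-only Facebook value yielding zero recognized tokens and therefore a block, while the Microsoft value quoted by EricLaw parses cleanly and passes the simplified test.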

  156. whilo pilo says:

    Why not just set your browser to ask for 3rd party cookie sets and decline them. Not that big of a deal really.

    See how here…

  157. stephaniek.Ratliff says:

    3rd part


  158. Bharathi Baskar.B says:

    Thanks for your valuable posting, it was very informative. Am working in Cloud Erp In India

  159. belinda says:

    thank you

  160. as.alfy says:


  161. nakeida Arrington says:

    So ppl an opportunity to get over on someone or some company they take it/ Rather greed for money, or their own malicious behavior like sneaking around with a girl who is involved with two men and sneaking with the third. The "sneaker" is involved himself. so devising a plan to basically ROB google, or any other company that has breached contracts or made simple human mistakes as these same individuals r doing is straight lack of integrity, soulless, down right shifty that doesn't contribute to the basic common goal of this world by helping one another to build a bigger, better world, not only for us but our children, and grandchildren. why not write to, go visit, email, etc. all the above to help the companies achieve greatness for us all united. instead plotting planning how to take down and acquire all that's "gold and precious" to hide gon off hurting others and not b accountable to your own actions, to live so u think happily ever after… Again I stress so u think… cause if u have rotten intentions life for u two will be just that rotten.

Comments are closed.
