There's a spat going on between Google and Microsoft at the moment because Google has evidently found a way to circumvent Microsoft's privacy controls in Internet Explorer and continue tracking users without their permission. Microsoft has of course taken the opportunity to be for once The Good Guy, and is roundly berating Google for ignoring users' preferences.


Dean Hachamovitch is the Microsoft executive in charge of Internet Explorer, and has written a blog post, "Google Bypassing User Privacy Settings" in which he says that

"Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies"


According to the Computerworld article about this,

P3P, for "Platform for Privacy Preferences," is a 10-year-old Web standard that websites can use to describe how they use cookies and user information. By default, IE blocks all tracking cookies from sites that do not present a valid P3P compact policy (CP), a string of codes sent to browsers as part of the HTTP header.


Google, said Hachamovitch, was gaming P3P to trick IE into accepting tracking cookies, even though Google's Compact Policy Statement does not spell out the search giant's intent. "Google bypasses the cookie protection [in IE] and enables its third-party cookies to be allowed rather than blocked," (Dean) Hachamovitch (who leads the IE team) charged.
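The Computerworld passage above says IE's decision turns on whether a site presents a valid compact policy. As an added example (not code from Microsoft, Google or the original post), this Python check audits a `P3P` response-header value against the P3P 1.0 compact-policy token vocabulary and reports any tokens that are not part of it; the function names and the sample header values are constructed for illustration.

```python
import re

# P3P 1.0 compact-policy vocabulary, grouped as in the specification.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
OTHER = {"DSP", "COR", "MON", "LAW", "NID", "TST"}  # disputes, remedies, non-identifiable, test
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
           "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
BARE = ACCESS | OTHER | PURPOSE | RECIPIENT | RETENTION | CATEGORY
# Purposes (except CUR) and recipients (except OUR) may carry a consent
# suffix: a = always, i = opt-in, o = opt-out.
SUFFIXABLE = (PURPOSE - {"CUR"}) | (RECIPIENT - {"OUR"})

CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"')


def is_cp_token(tok):
    if tok in BARE:
        return True
    return len(tok) == 4 and tok[:3] in SUFFIXABLE and tok[3] in "aio"


def audit_p3p(header_value):
    """Return (verdict, known_tokens, unknown_tokens) for a P3P header value."""
    match = CP_RE.search(header_value or "")
    if match is None:
        return ("no-compact-policy", [], [])
    tokens = match.group(1).split()
    known = [t for t in tokens if is_cp_token(t)]
    unknown = [t for t in tokens if not is_cp_token(t)]
    if not tokens:
        verdict = "empty"
    elif not known:
        verdict = "no-valid-tokens"   # the CP declares nothing about cookie use
    elif unknown:
        verdict = "mixed"
    else:
        verdict = "well-formed"
    return (verdict, known, unknown)


# Constructed sample header values (not captured from any real site).
SAMPLES = [
    'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADMa OUR BUS"',
    'CP="This string is prose, not a compact policy"',
    'policyref="/w3c/p3p.xml"',
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(audit_p3p(value)[0], "<-", value)
```

A `no-valid-tokens` or `mixed` verdict on a third-party response is worth a manual look, because the header is present but does not describe the site's cookie practices in P3P terms.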


P3P is said to be a better solution to the problem of cookie-tracking than "Do Not Track", which is backed by the FTC and Microsoft, but is not the perfect answer :

"It's more readily enforced than Do Not Track, because it forces a website to declare its privacy policies. But it's really important for regulators to enforce the policies," Cranor said.


And that's not happened.


"Once people saw that there were bugs in P3P that could be used to circumvent privacy policies, and that when they did, nothing happened, then all bets were off," said Cranor.


Enter the Knight In Shining Armour : Sir Microsoft de Redmond, valiantly doing battle with the Cookie Dragon.

After investigating what Google sends to IE, we confirmed what we describe above. We have made a Tracking Protection List available that IE9 users can add by clicking here as a protection in the event that Google continues this practice. Customers can find additional lists and information on this page.


The premise of Tracking Protection in IE9 is that tracking servers never have the opportunity to use cookies or any other mechanism to track the user if the user never sends anything to a tracking server. This logic underlies why Tracking Protection blocks network requests entirely. This new technology approach is currently undergoing the standardization process at the W3C.


This blog post has additional information about IE’s cookie controls, and shows how you can block all cookies from a given site (e.g. * regardless of whether they are first- or third-party. This method of blocking cookies would not be subject to the methods Google used. We recommend that users not yet running IE9 take steps described in this post.


The most interesting part of this is, for users with versions of Internet Explorer prior to IE9, the how-to tutorial in that blog post. It lets slip nuggets of information that you won't find in the officially-sanctioned Help files, such as this one -

Interestingly, when IE7 reconfigured the Trusted Zone to use the Medium Security Settings template, the default for the URLAction in this zone was changed from Allow (0) to Evaluate P3P Policy (1). Unfortunately, there's no UI for configuring the P3P Policy for the Trusted Zone (oops!), so you may find that cookies are blocked for Trusted Sites by IE7 and later unless you change the Trusted Zone to use the Medium-Low template[2] which will Allow all cookies for the Trusted Site.


Best of all, it shows you how to import Privacy Import Files into Internet Explorer, and explains what they do :

The Import button[3] on the Privacy tab allows you to import a Privacy Import File. Privacy Import Files expose a rich set of XML tags that allow fine-grained specification of the cookie policies desired; you can author your own or import one provided by someone else.


One very cool thing about the Privacy Import Files is that you can specify preferences which aren't available via the UI. For instance:

  • P3P-Medium, except any non-blocked 3rd-party Persistent cookies are downgraded to Session cookies (right-click and Save-Target-As Medium+Downgrade3rdParty.xml)
  • P3P-Medium for 1st-party cookies; all 3rd-party cookies are permitted but downgraded to Session cookies (right-click and Save-Target-As Allow3rdPartyButDowngrade.xml)

You can play around with the impact of these settings using a little test page which sets first-party and third-party session and persistent cookies; open and close the browser to see how the downgraded 3rd party cookies are cleared.


All in all, a very useful blog. Especially if, like many users who post to this Community, you're concerned about tracking cookies - and how not to end up with them on your system in the first place. Which is now doubly important since McAfee has taken the decision that cookies are, after all, No Big Deal and no longer blocks them automatically. I advise anyone interested in this to read the Computerworld article and the Microsoft blog posts. The subject of cookies is not, I think, going to go away any time soon.


If you want to see what effect your current cookie-handling settings actually have on cookies, go to where you will see this page illustrating cookies that are currently set : they will all be new ones.

Cookie Test Page.png


Then reload the page. Try it in different browsers. The two examples below are, respectively, from Internet Explorer and Chrome.

Cookie Test Page 2 (IE).png


Cookie Test Page 2 (Chrome).png

I bet you never knew cookies could be such fun.


More fun with cookies :