I doubt Facebook shares have anything to do with it. Microsoft wanted to embarrass Google, but the alleged crime is very common because IE's implementation of privacy controls is flawed.
> IE's implementation of privacy controls is flawed.
It really doesn't matter what MS does; they get bashed either way.
In this case, their implementation is perfect: afaik, they're the only browser that actually follows the spec. FF, Chrome, etc., are just ignoring the standard. The problem here is that it's a really stupid standard, so that implementing it correctly results in brain-dead "protection". But Microsoft played by the rules, and now gets grief for it.
They played by nonsensical rules and got grief for it. It's kind of fair, actually.
Yet, I refrain from criticizing them - P3P is a broken standard, but Microsoft followed it. I'm criticizing them for singling out Google when, in fact, ignoring P3P or actively disabling it is widespread practice.
It's really unbelievable how this paper keeps getting cited as proof Microsoft is doing this too. Page 7 was cited on the other thread; you can read my response here: http://news.ycombinator.com/item?id=3615267
Re: Live doing it too. No, that is not what the paper says. From page 8:
"Only one of these websites, microsoft.com, displayed a full P3P policy."
"Websites under the msn.com domain exhibited a CP that includes the invalid CUSo token. Two other Microsoft owned sites, microsoft.com and windows.com use the same CP. These websites display the TRUSTe EU Safe Harbor Privacy seal. We believe that these websites are likely attempting to comply with P3P; however, they are not using P3P properly."
"The live.com CP does not include any ACCESS tokens. This CP suggests collection of PII, but does not provide any information about whether users can access their personal information."
Microsoft does not always fully comply with the letter of the law, but based on everything that I have read in that paper, they sure seem to be trying to comply with the spirit. It's ridiculous to claim that sending a deliberately misleading P3P header is the same as sending a P3P header that suggests PII is used but does not provide the access policy. One is designed to exploit a weakness in P3P and avoid blatantly lying to browsers in order to track users. The other indicates that PII is used, but does not fully specify how this is used. It seems fairly clear that one company is at least trying to support P3P, even if they are unable to completely reflect their privacy policy with these tokens. To claim these situations are analogous is fairly dishonest IMO.
(NOTE: Page numbers are based on the PDF document for quick access. Subtract 1 for the number printed on the bottom of the page.)
It's not really that unbelievable: Microsoft is berating Google for sending invalid P3P headers and this paper describes that Microsoft is sending invalid P3P headers.
> Microsoft does not always fully comply with the letter of the law...
In this case what constitutes the letter of the law isn't really clear. As far as I can tell this is the latest specification for the P3P header:
> This Internet-Draft will expire on August 6, 2002.
So it's at least arguable that there isn't a standard for the P3P header, and whatever anyone wants to put in it is just whatever they put in it, nothing is invalid and everyone is fine.
Only IE supports it anyway, and it's not like it prevents websites from doing things they've said in their P3P headers that they're not going to do. And since the header is required to make IE accept 3rd party cookies (which are needed for lots of quite normal stuff on the web), you need to send it one of these headers.
The stupid thing about IE's implementation is that, while it is supposed to restrict third-party cookies unless sites have an acceptable privacy policy, it treats an invalid P3P header as if it were an acceptable privacy policy, rather than treating it as if there were no privacy policy. I don't see anything in the spec which mandates that.
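An added example, not from this thread and not from any browser's or site's actual code: a small JavaScript checker that extracts the compact policy (CP) from a `P3P` response header of the kind the comment a few lines up says IE needs before it will accept a third-party cookie, validates the tokens against the P3P 1.0 compact-policy vocabulary, and then compares two decision rules. The lenient rule models the behaviour the comment above describes (ignore anything unrecognised, block only when recognised tokens prove the policy unsatisfactory); the strict rule treats an invalid policy as no policy at all. The "unsatisfactory" test is a deliberately simplified assumption, not IE's real rule, and every sample header is constructed; the only tie to the page is the `CUSo` token, which the quoted paper calls invalid.

```javascript
// Added example (not code from the thread). Token vocabulary is from the
// P3P 1.0 compact-policy specification; the decision rules and sample
// headers below are constructed assumptions for illustration.

// Compact-policy tokens, grouped by the P3P element they stand for.
const CP_TOKENS = {
  ACCESS:    ["NOI", "ALL", "CAO", "IDC", "OTI", "NON"],
  DISPUTES:  ["DSP"],
  REMEDIES:  ["COR", "MON", "LAW"],
  NONIDENT:  ["NID"],
  PURPOSE:   ["CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"],
  RECIPIENT: ["OUR", "DEL", "SAM", "UNR", "PUB", "OTR"],
  RETENTION: ["NOR", "STP", "LEG", "BUS", "IND"],
  CATEGORY:  ["PHY", "ONL", "GOV", "FIN", "UNI", "PUR", "COM", "NAV", "INT", "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "OTC"],
  TEST:      ["TST"],
};
// PURPOSE tokens other than CUR and RECIPIENT tokens other than OUR may carry
// a consent suffix: a = always, i = opt-in, o = opt-out (e.g. "TAIo").
const SUFFIXABLE = new Set([
  ...CP_TOKENS.PURPOSE.filter((t) => t !== "CUR"),
  ...CP_TOKENS.RECIPIENT.filter((t) => t !== "OUR"),
]);
// Categories that identify a person (assumption used by the lenient rule below).
const IDENTIFYING = new Set(["PHY", "ONL", "GOV", "FIN"]);

// Pull the quoted CP value out of a header line such as  P3P: CP="NOI DSP COR".
// Returns null when there is no compact policy at all.
function extractCp(header) {
  const m = /CP\s*=\s*"([^"]*)"/i.exec(header || "");
  return m ? m[1].trim() : null;
}

// Map one token to its group, or null if it is not a P3P token.
function classifyToken(raw) {
  const m = /^([A-Za-z]{3})([aio])?$/.exec(raw);
  if (!m) return null;
  const base = m[1].toUpperCase();
  const suffix = m[2] ? m[2].toLowerCase() : "";
  for (const [group, list] of Object.entries(CP_TOKENS)) {
    if (list.includes(base)) {
      if (suffix && !SUFFIXABLE.has(base)) return null; // suffix not allowed here
      return { raw, base, suffix, group };
    }
  }
  return null;
}

// Split a CP into recognised and unrecognised tokens.
function validateCp(cp) {
  const known = [], unknown = [];
  for (const raw of (cp || "").split(/\s+/).filter(Boolean)) {
    const t = classifyToken(raw);
    if (t) known.push(t); else unknown.push(raw);
  }
  return { known, unknown, valid: unknown.length === 0 && known.length > 0 };
}

// Lenient rule (assumption modelling the behaviour described in the comment):
// block only when recognised tokens prove the policy unsatisfactory, here
// "collects identifying data for a purpose/recipient with no consent suffix".
// Unrecognised tokens are ignored, so garbage gets the benefit of the doubt.
function lenientAccepts(cp) {
  if (cp === null) return false; // no CP at all: third-party cookie blocked
  const { known } = validateCp(cp);
  const collectsIdentifying = known.some((t) => IDENTIFYING.has(t.base));
  const withoutConsent = known.some((t) => SUFFIXABLE.has(t.base) && t.suffix === "");
  return !(collectsIdentifying && withoutConsent);
}

// Strict rule: an invalid policy counts as no policy, and no policy is blocked.
function strictAccepts(cp) {
  if (cp === null) return false;
  return validateCp(cp).valid && lenientAccepts(cp);
}

function evaluateHeader(header) {
  const cp = extractCp(header);
  const unknown = cp === null ? [] : validateCp(cp).unknown;
  return { cp, unknown, lenient: lenientAccepts(cp), strict: strictAccepts(cp) };
}

// Constructed sample headers; none is a real site's header.
const SAMPLE_HEADERS = {
  compliant: 'P3P: CP="NOI DSP COR NID CUR OUR NOR"',
  tracking:  'P3P: CP="NOI DSP COR PHY ONL TAI OUR IND"',
  badToken:  'P3P: CP="CAO DSP COR CUSo IVAo IVDo OUR BUS"', // CUSo: the invalid token the paper cites
  nonPolicy: 'P3P: CP="This is not a policy"',
  missing:   "",
};

for (const [name, header] of Object.entries(SAMPLE_HEADERS)) {
  const r = evaluateHeader(header);
  console.log(`${name.padEnd(10)} lenient=${r.lenient} strict=${r.strict} unknown=[${r.unknown.join(" ")}]`);
}
```

The two rules only disagree on the `badToken` and `nonPolicy` headers: a policy full of unrecognised tokens contains nothing the lenient rule can object to, so it passes, while the strict rule blocks it exactly as it blocks a missing header. That gap is the "loophole" the rest of the thread argues about.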
OK, the spec is flawed. Other browser makers have solved that problem quite neatly by not implementing it.
It's also my opinion that while the implementation is strictly speaking correct, IE's default settings are too conservative and it is not at all an easy option for the user to change.
Firefox dropped support for P3P in Firefox 3 because "p3p isn't an effective way to establish trust with a site. it's a one-way system; anyone can say they're the good guy." See item b: https://bugzilla.mozilla.org/show_bug.cgi?id=417800#c11
> but the alleged crime is very common because IE's implementation of privacy controls is flawed
By my understanding (caveat: I've not read through the standards in any detail) IE's implementation is fine by the standard and the standard itself has problems which other browsers get around by breaking the standard.
I'm not usually one to give MS the benefit of the doubt but in this case Google does look to be the one at fault so while calling them out specifically and not mentioning Facebook and others may be disingenuous, it would appear that Google (and others) are using the loophole to perform tracking against the spirit of the standard.