"I think, at the end of the day, privacy has never been a priority for the developers of Web browsers," states Dr. Lorrie Faith Cranor. She's an associate professor of computer science at Carnegie Mellon University, but more importantly for this discussion, she's a contributing architect and former W3C working group chair for the Platform for Privacy Preferences (P3P). It may or may not be at the center of the latest privacy controversy surrounding Google's alleged thwarting of Web browser privacy policies, depending on whether you see things from Microsoft's perspective.

Privacy may indeed be a priority for certain people within browser companies, Dr. Cranor continues. "But there is a disconnect between what's important to the browser development team, versus what's important to the privacy officer and the lawyers and other people within their companies."

Fuel for the Spitwad Wars

You could say this story began last Friday, but as you'll see, it really begins in 1996. As it happens, on February 17, the advocacy group Consumer Watchdog issued a complaint to the Federal Trade Commission, alleging that Google was actively bypassing Safari Web browsers' privacy policies in order to deliver DoubleClick tracking cookies to users. While that discovery triggered a class-action lawsuit against Google, Microsoft cried foul by alleging that Google was using different tactics to defeat privacy protections in Internet Explorer.

"We've found that Google bypasses the P3P Privacy Protection feature in IE," reads a blog post by Microsoft IE10 team lead Dean Hachamovitch on Monday. "The result is similar to the recent reports of Google's circumvention of privacy protections in Apple's Safari Web browser, even though the actual bypass mechanism Google uses is different."

Google retaliated by saying it wasn't defeating anything - that Internet Explorer's implementation of P3P, a never fully realized W3C standard, was "non-operational."

Essentially, P3P is a language that encapsulates the standard elements of a Web site's privacy policy in a form Web browsers can digest easily. A plethora of three- and four-letter tokens represent the conditions under which a Web site may collect user data or use client-side storage such as cookies. The collection of those tokens is what's called a compact policy, or CP. The browser, acting on its user's behalf, may then accept or reject the conditions a Web site asserts in its CP, based on preferences the user sets in advance.

Evidence from a September 2010 study (PDF available here) indicates that just about everyone - including Microsoft - had a hand in making P3P non-operational. The co-author of that study was Dr. Cranor, the lady who had as great a hand in P3P's creation as anyone else.

“What we see in Internet Explorer - which is the best we have right now - only implements a very small part of P3P, and in a very buggy way to begin with.”
Dr. Lorrie Faith Cranor
Associate Professor of Computer Science
Carnegie Mellon University

The Carnegie Mellon CyLab study collected P3P CPs from 33,139 sites, including the most visited ones on the Web. Nearly 34% of the CPs sampled contained at least one error, and among those, more than half were errors of omission. Among those erroneous CPs, CyLab concluded some 97% of them could bypass Internet Explorer's default privacy filters. (IE was the only browser brand to implement P3P in a general release version.)

So the fact that erroneous CPs can bypass privacy filters was public knowledge. The CMU team's most amazing discovery, however, was that Microsoft's own support site at one point advocated intentionally malforming a CP as a workaround for a problem where a third-party site embedded in a <FRAME> element used a different CP than the site in which the element is contained.

"Even if the CP were valid, Microsoft's recommendation undermines the purpose of P3P since it encourages web administrators to use CPs that do not represent their actual data practices," the CyLab team wrote. "We found several technical blogs recommending similar solutions. Some of them suggested the exact CP described [earlier in the study] and referred to the Microsoft support Web site as the source of their advice."
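To make the failure mode concrete, here is a small checker, written as an added example for this article (it is not code from the CyLab study, from Microsoft, or from any browser). It pulls the CP value out of a P3P response header, validates each token against the P3P 1.0 compact policy vocabulary, runs a simplified check for errors of omission (no access, purpose, recipient or retention token), and flags the case the study turns on: a CP containing no recognized tokens at all, which a lenient parser that simply ignores unknown tokens has nothing to object to (that parser behaviour is an assumption here). The sample headers are constructed, and the omission rules are a simplification of the P3P schema.

```python
import re

# P3P 1.0 compact-policy vocabulary, grouped by the policy element each token
# stands for (W3C P3P 1.0 Recommendation, section 4).
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT",
            "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
OTHER = {"DSP", "COR", "MON", "LAW", "NID", "TST"}  # disputes, remedies, non-identifiable, test
# Purpose and recipient tokens may carry a one-letter suffix: a = always, i = opt-in, o = opt-out.
SUFFIXED = PURPOSE | RECIPIENT
KNOWN = ACCESS | PURPOSE | RECIPIENT | RETENTION | CATEGORY | OTHER
# Simplified required elements (a subset of what the P3P schema demands).
REQUIRED = {"access": ACCESS, "purpose": PURPOSE, "recipient": RECIPIENT, "retention": RETENTION}


def extract_cp(p3p_header):
    """Return the CP="..." value from a P3P response header, or None if there is none."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', p3p_header)
    return m.group(1) if m else None


def base_token(tok):
    """Strip the a/i/o suffix from a purpose or recipient token; other tokens pass through."""
    if len(tok) == 4 and tok[-1] in "aio" and tok[:3] in SUFFIXED:
        return tok[:3]
    return tok


def is_known(tok):
    return base_token(tok) in KNOWN


def audit_cp(cp):
    """Classify a CP string as well-formed, malformed (bad or missing tokens) or decoy."""
    tokens = cp.split()
    known = [t for t in tokens if is_known(t)]
    unknown = [t for t in tokens if not is_known(t)]
    bases = {base_token(t) for t in known}
    # Every policy needs an ACCESS element; a statement about identifiable data also
    # needs PURPOSE, RECIPIENT and RETENTION. NID (non-identifiable) relaxes the latter.
    needed = ["access"] if "NID" in bases else list(REQUIRED)
    missing = [name for name in needed if not (REQUIRED[name] & bases)]
    if not known:
        verdict = "decoy"  # nothing a lenient parser would evaluate, so nothing for it to block on
    elif unknown or missing:
        verdict = "malformed"
    else:
        verdict = "well-formed"
    return {"verdict": verdict, "unknown": unknown, "missing": missing}


def audit_header(p3p_header):
    """Audit a full P3P header value; a header with no CP at all is reported as absent."""
    cp = extract_cp(p3p_header)
    if cp is None:
        return {"verdict": "absent", "unknown": [], "missing": []}
    return audit_cp(cp)


# Constructed sample headers, not taken from any real site.
SAMPLES = {
    "complete policy": 'CP="NOI DSP COR CURa ADMa DEVa OUR IND"',
    "omits retention": 'CP="CAO PSA OUR"',
    "unknown token": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OUR FAKE"',
    "decoy text": 'CP="NOT A REAL POLICY SEE https://example.com/privacy"',
    "no CP at all": 'policyref="/w3c/p3p.xml"',
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:18s} -> {audit_header(header)}")
```

Run against a site's own P3P response headers, the "decoy" verdict is the one worth alerting on: it is the shape of CP the study found Microsoft's support site recommending, and it is exactly what a privacy filter that only reacts to tokens it recognizes will wave through.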


Portion of a quilt entitled "Circular Reasoning," quilted in 2002 by Dr. Lorrie Faith Cranor. More of her quilts are displayed here.

Is There, In Truth, No Privacy?

The storm of tech press furor that erupted this week in the wake of the Consumer Watchdog complaint and the subsequent class-action suit compelled ReadWriteWeb's Dan Rowinski to throw in the towel on the whole personal data issue, saying, "You know, screw it." Dr. Cranor tells RWW about receiving a phone call from a former P3P collaborator who said P3P hadn't received this much attention in the more than 15 years of its existence.

"There's certainly some political sniping that's been going on this week. It's not really about privacy or P3P - it's about finding ways to snipe at your competitor," she remarks. "A number of people have said, Microsoft has issued this indignant blog post about what was going on, and they claimed that they just discovered this. And I saw on Twitter, somebody posted, 'Well, Lorrie Cranor has been shouting this from the rooftops for years! How did they just discover it?' I think the planets aligned - it's been these one-after-another privacy issues in the press. This time, when I posted the blog post this weekend that I've been saying for years and years, suddenly everybody took notice."

That blog post, which appeared on TechPolicy.com, demonstrated that Facebook essentially uses the same trick that Hachamovitch attributed to Google, for exactly the same purposes: putting up a decoy CP that explicitly states it's not a real CP, but whose erroneous parsing enables privacy settings to be bypassed. Cranor took essentially everyone to task for enabling the defense that since everyone else declared P3P dead, except for IE (whose support for P3P is tepid anyway), it's perfectly fair to table the whole topic of privacy policy for now until someone else declares it open again.

"I will be the first to admit that P3P is on life support at best right now," Dr. Cranor wrote. "But despite that, Microsoft is still using it as part of their default cookie settings that the vast majority of IE users depend on. So, if you don't like P3P, how about asking Microsoft to take P3P out of their browser? Or how about going back to the W3C (the organization that standardized P3P) and asking them to declare it dead? I suspect nobody wants to do that because it might call into question the effectiveness of industry self-regulation on privacy."

In her interview with us, she added: "If it were fully realized in a browser implementation, P3P should allow the user to set up their preferences and have their Web browser automatically determine what's going on as they go along, turning privacy controls on and off as needed. Now, that was the vision, but we never saw any complete implementation of P3P in any Web browser. So what we see in Internet Explorer - which is the best we have right now - only implements a very small part of P3P, and in a very buggy way to begin with.

"On the one hand, I agree that the way Microsoft chose to implement P3P was not very good or very effective," Dr. Cranor continues. "On the other hand, it did implement at least part of the P3P standard; and it did provide, I believe, a useful function. But by bypassing that, Google is actually doing something which is detracting from privacy protections that hundreds of thousands, millions of people actually do rely upon."

This morning, the White House officially proposed its version of the Consumer Privacy Bill of Rights, which includes support for the long-debated Do Not Track (DNT) privacy controls system. Dr. Cranor describes DNT as a "watered-down" version of P3P, and her outlook for the standard actually goes downhill from there. In part 2 of our interview, she'll explain her misgivings, while at the same time asserting her long-held opinion that maybe some privacy is better than none at all.