Google Caught Red-Handed Reaching Into Internet Explorer's Cookie Jar

Martin Brinkmann
Feb 21, 2012
Updated • Apr 20, 2012
Google, Internet Explorer, Microsoft

The Wall Street Journal a few days ago described how Google and other advertising companies bypassed a user privacy feature of Apple's Safari browser to drop "ad-tracking cookies on [..] Safari users". Safari by default blocks third party cookies, which are often used by advertising companies to track users on the Internet. These cookies are used to track the user on every site the scripts of the advertising company run on, which in the case of Google are a lot of different sites.

Google released a statement shortly afterwards that claimed that the WSJ article was mischaracterizing the company's intentions.

We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.


Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager.

Microsoft today describes a similar circumvention in the company's Internet Explorer browser. IE blocks third party cookies by default, unless the site in question "presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user".

Google now has created a P3P policy that is causing the browser to accept Google cookies, even though the policy the company submits does not "state Google's intent".

P3P policies are included in a site's HTTP headers which users only see if they use specialized tools. Instead of using a valid statement, Google is sending one that is not a P3P policy. The problem here is that browsers will interpret Google's policy as an indication that the cookies that will be saved to the user's system won't be used for tracking purposes, when in fact they do not verify that at all.

Microsoft has created a tracking protection list that allows Internet Explorer 9 users to protect the browser from Google's practice.

: Expires=1
# Blocks 3rd-party Google tracking
# Last Modified: 2/19/2012
- http://google.*/api/sclk?
- http://google.*/client_204?
- http://google.*/gen204?

Microsoft is now actively investigating options to change the browser's interpretation of unrecognized tokens.

Given this real-world behavior, we are investigating what additional changes to make to our products. The P3P specification says that browsers should ignore unknown tokens. Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action.

Google being caught red-handed reaching into the cookie jar twice in a week's time. What's your take on this?

Update: Google has posted a statement

Statement: Attributable to Rachel Whetstone, Senior Vice President of Communications and Policy, Google

Microsoft omitted important information from its blog post today.

Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known - including by Microsoft - that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other websites.

Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.

Here is some more information.

Issue has been around since 2002

For many years, Microsoft’s browser has requested every website to “self-declare” its cookies and privacy policies in machine readable form, using particular “P3P” three-letter policies.

Essentially, Microsoft’s Internet Explorer browser requests of websites, “Tell us what sort of functionality your cookies provide, and we’ll decide whether to allow them.” This didn’t have a huge impact in 2002 when P3P was introduced (in fact the Wall Street Journal today states that our DoubleClick ad cookies comply with Microsoft’s request), but newer cookie-based features are broken by the Microsoft implementation in IE. These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services. It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality.

Today the Microsoft policy is widely non-operational.

In 2010 it was reported:

Browsers like Chrome, Firefox and Safari have simpler security settings. Instead of checking a site’s compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies.....

Thousands of sites don’t use valid P3P policies....

A firm that helps companies implement privacy standards, TRUSTe, confirmed in 2010 that most of the websites it certifies were not using valid P3P policies as requested by Microsoft:

Despite having been around for over a decade, P3P adoption has not taken off. It’s worth noting again that less than 12 percent of the more than 3,000 websites TRUSTe certifies have a P3P compact policy. The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure.

A 2010 research paper by Carnegie Mellon found that 11,176 of 33,139 websites were not issuing valid P3P policies as requested by Microsoft.

In the research paper, among the websites that were most frequently providing different code to that requested by Microsoft: Microsoft’s own and websites.

Microsoft support website

The 2010 research paper “discovered that Microsoft's support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE.” This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft.

Google’s provided a link that explained our practice.

Microsoft could change this today

As others are noting today, this has been well known for years.

Privacy researcher Lauren Weinstein states: “In any case, Microsoft's posting today, given what was already long known about IE and P3P deficiences in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues.”

Chris Soghoian, a privacy researcher, points out: “Instead of fixing P3P loophole in IE that FB & Amazon exploited ...…MS did nothing. Now they complain after Google uses it.”

Even the Wall Street Journal says: “It involves a problem that has been known about for some time by Microsoft and privacy researchers....”


Tutorials & Tips

Previous Post: «
Next Post: «


  1. Sean said on May 22, 2012 at 10:27 pm

    P3P’s busted and you know it. It’s a waste of time and always has been.

  2. Seeaech said on February 22, 2012 at 2:59 pm

    Wow. These are really pot-meets-kettle moments. So, two competitors who are either losing (iOS vs. Android) or who have failed to gain (Bing vs Google) market share versus Google, decide to spin charges of misconduct to add fuel to the already ridiculous fire that Google is some horrible privacy thief. Ironically, Google is being made to pay the price for being transparent in its policies – check Microsoft’s charges against Google for a lesson in “convoluted.”

    Newsflash! EVERYONE is collecting data on your web activities: Google, Apple (iCloud/iTunes), Amazon, PayPal, eBay, Microsoft (Bing, Hotmail, SkyDrive), Netflix, Pandora, Spotify, Twitter, LinkedIn and – perhaps most impressive of all – Facebook. Basically, if you are logging in, your activities are being monitored. And, if it’s free, something needs to pay for developer time, data centers, bandwidth, etc. Tell you what… give up your Facebook, Twitter, and LinkedIn accounts and you’ll be a lot more credible when you plea that your privacy is being affonted.

    Apple and Microsoft are simply trying to strangle Google’s oxygen supply (advertising) to weaken their opponent. Now to make this fair, let’s see how Microsoft adCenter, Bing Analytics, iTunes/iCloud, and the (closed source) browsers associated with Microsoft and Apple, respectively, treat web usage (cookies, competitors ads, competitor web pages). Anyone up for that challenge?

  3. acr said on February 22, 2012 at 9:26 am

    Maybe there should be a name for this phenomena. Supposedly legit companies exploiting known vulnerabilities in web and mobile browsers to track and gather info of users who think they are protected…not sure what to call it, but it seems like it deserves its own name. The vulnerability in IE and Safari (from a few days ago) are being reported as known for some time now. Apparently the vulnerabilities have not been fixed by Apple and MS, or so that’s what is being reported.

    I liken this phenomena to the Hans Christian Andersen story of The Emporer’s New Clothes. Maybe call this stealth cookie dropping TENCware ?

  4. berttie said on February 21, 2012 at 10:53 pm

    Sorry, Martin, but I disagree with the whole thrust of this article, especially your headline. Seems to me Microsoft is in the wrong here, not Google, and Microsoft’s shock-horror whining is disingenuous at best, and quite possibly self serving. Things not going well at Bing, perhaps?

    Anyway, there is an easy way of blocking any snooping by Google while still taking advantage of its search expertise:

  5. Credomane said on February 21, 2012 at 7:08 pm

    The funny thing is I never heard of P3P until now. After looking it over P3P was pointless since its creation, assuming what I’m reading about P3P is true.

    P3P relies on the remote site being honest with what it plans to do with cookies. Ad/Tracking will just lie to get around the “protection” P3P offers. Most sites might even be forced to lie to get around P3P causing problems.

    The security offered by P3P is as pointless as security-by-obscurity possibly even more so.

    I look at this like the server client roles in video games where the client can not be trusted to be honest ever. Only with P3P the role is reversed; the server can never be trusted and yet, P3P is trusting the server.

    SSL relies on a third party to verify the honesty of the server. Even if P3P had the same type of system as SSL with cookies changing so rapidly and easily the system wouldn’t be reliable.

    P3P needs to go away entirely. Just my two cents.

  6. Transcontinental said on February 21, 2012 at 12:27 pm

    Microsoft’s P3P policy was perverted ever since the beginning. To block 3d party cookies except those that would comply to this or that is absurd. 3d party means 3d party, period. And that means to the precision of the domain name, even if another domain belongs to the same company (like Google & Youtube, for instance). Users must be able to believe that if they say yes to cookies except 3d party cookies it means no exception.
    This is relevant of what the Web is going to : centralization. The Web belongs to no one, and that includes Microsoft, Google, Facebook, Twitter, otherwise more and more users will start having a defense attitude, and “that ain’t no good”.

  7. Allen said on February 21, 2012 at 10:44 am

    is that IE is going to come in new version?

    1. Martin Brinkmann said on February 21, 2012 at 10:45 am

      Microsoft will release Internet Explorer 10 with Windows 8.

  8. EuroScept1C said on February 21, 2012 at 9:19 am

    I’m really impressed MS has as ‘recommended’ lists those of Easylist’s and Fanboy’s along with this new one… They pushed back some sneaky lists like ‘eTrust’ etc…

    If IE10 x64 had a better, more reliable with better usuability anti-tracking system ( which can work generally as an Ad-block too ), I’d totally consider to go back to IE…

    1. Dee said on February 21, 2012 at 10:33 am

      Hopefully they will also introduce a built-in spell checker with IE10 too. Obviously, there’s the IEspell add-on, but in this day ‘n’ age every browser should have it as standard.

      1. Martin Brinkmann said on February 21, 2012 at 10:46 am

        As far as I know, there will be a spell checker in IE10

  9. Neal said on February 21, 2012 at 4:18 am

    Google is shown to have lied and to be deliberately deceptive.

    1. Robert Palmar said on February 21, 2012 at 5:58 pm

      I’ll take your copy and paste of my reply as a compliment.

  10. ReX said on February 21, 2012 at 4:13 am

    So, IE’s non-standard implementation of a standard (no surprise here) that should just ignore invalid header values instead of allowing them is now Google’s fault. That makes sense.

  11. vasa1 said on February 21, 2012 at 4:10 am

    “Microsoft has created a tracking protection list that allows Internet Explorer 9 users to ***protect*** the browser from Google’s practice.”

    I guess that’s how Microsoft rates its own Smart Screen so highly … by blocking Google and claiming to protect the browser. It makes business sense for Microsoft and Apple to try to dent Google’s earnings anyway they can. The uproar about privacy is just another game.

  12. Q said on February 21, 2012 at 4:01 am

    I would not have expeccted anything less from Google.

  13. Paul(us) said on February 21, 2012 at 3:59 am

    Main question is a legally question. Why does the international law court in Den Haag the Netherlands and the American law court nothing up to now? Is this maybe because Google is a big billion rotating turnover business?

  14. ódio said on February 21, 2012 at 2:23 am

    martin, we got it!!! finally!!

    just go to youtube history videos… and hit the “pause viewing history”…

    and you see what i was talking about….

  15. Morely the IT Guy said on February 21, 2012 at 1:29 am

    I guess it’s a matter of interpretation. I would interpret this as “Microsoft fails to implement security in Internet Explorer (again).”

    Anyone browsing any Internet site (e.g., not intranet) not owned by Microsoft and using IE is risking major problems anyhow. I’d say Google did them a favor.

  16. Dee said on February 21, 2012 at 12:52 am

    In IE9, if you go to Tools > Manage Add-ons > Tracking Protection, enable “Your Personalized List” (with automatically block selected), would this automatically stop websites from doing this as well?

    1. EuroScept1C said on February 21, 2012 at 9:33 am

      @Dee, I think not, ain’t enough… Go for example on YouTube’s Homepage only with your personal automated list enabled… The icon in adress bar which indicates if something has been blocked, doesn’t appear…. If you install this new list or ‘EasyPrivacy’, then it works… So, I assume you need to install an additional list…

      1. Dee said on February 21, 2012 at 10:26 am

        True, good point.

    2. Martin Brinkmann said on February 21, 2012 at 1:06 am

      Good question, I do not know.

  17. Robert Palmar said on February 21, 2012 at 12:37 am

    Google is shown to have lied and to be deliberately deceptive.
    Not exactly meeting their self-proclaimed core value of “Do No Evil”.

    1. Anonymous said on February 4, 2016 at 2:48 am


    2. Chris said on February 21, 2012 at 4:45 pm

      It’s don’t be evil. And that’s a lofty goal for any company 100% of the time. What if Google’s inaction would lead to a statistically probable “evil-er” outcome. Evil prevails when [good] fails to act right? These questions and more.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.