Asia's Source for Enterprise Network Knowledge

Thursday, April 24th, 2014

Information security management

Microsoft fails to implement P3P privacy standard, says expert

Microsoft is pointing fingers at Google and Facebook for circumventing the privacy mechanism baked into Internet Explorer, but the real problem lies in its own failure to implement the P3P privacy standard well, an expert says.

The company has chosen to use the abbreviated format of the Platform for Privacy Preferences (P3P) to decide whether IE should block cookies that are pushed at the browser by Web sites, and doesn't use the information it gleans from that format to make good decisions, says Lorrie Faith Cranor, an associate professor of computer science and engineering and public policy at Carnegie Mellon University.

In particular, the browser evaluates data sent by cookie-spreading Web sites that is sent in a format called a compact policy (CP), which includes machine-readable tokens describing the visited sites' privacy policies as they pertain to cookies.

CPs tell what use would be made of data gathered by the cookies, giving the user discretion to accept or block them based on that information.

The P3P standard says these three- and four-character tokens should be considered invalid unless they are considered in combination with full police (FP) data sent via XML, Cranor says, but Microsoft ignores that proviso; it only considers the CPs.

Further, if a CP comes through with no stated policy or with a made-up token or tokens with format errors, IE will accept the cookie by default, she says. "Microsoft did some things implementing P3P that just seemed foolish," Cranor says.

A better way would be for the user agent within IE to treat invalid CPs as if the site has sent no CP at all, and then decide whether to accept cookies based on where the cookie actually comes from. If it's coming from the site the browser is visiting, then accept; if it's from a third-party site, block, Cranor says.