If you rely on the privacy settings in Microsoft’s Internet Explorer to control cookies on your computer, you may want to rethink that strategy.

Large numbers of Web sites, including giants like Facebook, appear to be using a loophole that circumvents I.E.’s ability to block cookies, according to researchers at CyLab at the Carnegie Mellon University School of Engineering.

A technical paper (note: clicking on the link will initiate a download of a pdf) published by the researchers says that a third of the more than 33,000 sites they studied have errors in their compact policies that cause I.E. to accept their cookies even when the browser has been set to reject them. Of the 100 most visited destinations on the Internet, 21 sites had the errors, including Facebook, several of Microsoft’s own sites, Amazon, IMDB, AOL, Mapquest, GoDaddy and Hulu.

Typos and honest mistakes likely explain many of the errors, says Lorrie Faith Cranor, director of the CyLab Usable Privacy and Security Laboratory and one of the paper’s authors. But she estimates that more than half represent deliberate efforts to keep I.E. from blocking third-party cookies that it would otherwise block on the basis of the site’s stated privacy policy.

Cookies store information about a user or computer’s Web use so sites can customize that user’s experience, including which ads they see. So-called tracking cookies are typically third-party cookies: data placed not by the site visited, but by other Web sites that have placed content or advertising on the visited page. They are usually also persistent cookies, meaning they carry an expiration date and remain on the computer across browsing sessions, often for years, gathering data about surfing habits. They have long raised hackles among those concerned about privacy online.

The loophole resides in an exchange of data between browser and site. Normally, Internet Explorer checks a site’s stated privacy policy against the browser’s own privacy settings before it accepts the site’s cookies.

This checking is done through “compact policies”: a short string of three- or four-letter codes, sent by the site in the P3P HTTP response header alongside its cookies, each of which stands for a clause in the tomelike privacy policy the site has written out in English. For illustrative purposes, imagine an interaction between browser and site that goes something like this:

Browser: I don’t allow cookies that store personally identifiable information that could be used to contact me without permission.

Site: I do have some cookies to place here, but none do that.

Browser: That sounds fine. Come on in.

Compact policies are a voluntary part of an Internet standard called Platform for Privacy Preferences, or P3P, which was developed at the World Wide Web Consortium beginning in the late 1990s and finalized in 2002. Dr. Cranor was on the standards committee that developed P3P. The goal of compact policies was to create a machine-readable description of a site’s privacy practices regarding cookies that a browser could read and act on.

Microsoft’s I.E. browser is the only major browser to make meaningful use of P3P. At its default “medium” privacy setting it blocks third-party cookies that arrive without a compact policy, and third-party cookies whose compact policy says personally identifiable information is used without the user’s consent. (Access the settings in I.E. Version 8 by clicking “Tools,” then “Internet Options” and then “Privacy.” Change your setting using the slider.) And it has been the power of I.E.’s market share, 60 percent according to NetMarketshare, that has led sites that want to install cookies onto PCs to use compact policies, say experts like Dr. Cranor and Ari Schwartz, vice president at the Center for Democracy and Technology until he joined the Obama administration last month.

Browsers like Chrome, Firefox and Safari have simpler privacy settings. Instead of checking a site’s compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies.

The loophole sites are using to evade I.E.’s cookie blocker shows up in how the browser evaluates a compact policy. I.E. looks only for codes that indicate a site lacks the required privacy protections, Dr. Cranor says; in effect it consults a blacklist, not a whitelist. If the policy it receives is malformed, because the codes are not among the valid three- and four-letter tokens, or because there are not enough of them to make a complete policy (at least five, one from each required group), the browser finds nothing on its blacklist and simply lets the cookies install. A fail-closed check would instead treat a policy it cannot parse the same way it treats a missing one, and block the cookies.
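To make the browser-site exchange and the loophole concrete, here is an added example, written for this article and not taken from the CyLab paper, from Microsoft or from any site. It pulls the compact policy out of a P3P response header, checks the tokens against the P3P 1.0 vocabulary and the five required groups, and then applies two decision rules: the blacklist-style rule the article attributes to I.E. (block only when a flagged token is present) and a fail-closed rule. The sample headers are constructed, the UNSATISFACTORY set is a small placeholder for illustration rather than Microsoft’s actual rule table, and the treatment of NID is my reading of the spec, not something the article states.

```python
import re

# P3P 1.0 compact-policy vocabulary (W3C Recommendation, 2002), grouped by
# the policy element each token stands for.
TOKEN_GROUPS = {
    "access":    {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes":  {"DSP"},
    "remedies":  {"COR", "MON", "LAW"},
    "nonident":  {"NID"},
    "purpose":   {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                  "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category":  {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
                  "DEM", "CNT", "STA", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test":      {"TST"},
}
# Purpose tokens other than CUR and recipient tokens other than OUR may end
# in a consent suffix: a (always), i (opt-in) or o (opt-out).
SUFFIXABLE = (TOKEN_GROUPS["purpose"] - {"CUR"}) | (TOKEN_GROUPS["recipient"] - {"OUR"})
# The five groups a usable policy must cover (the "at least five codes" rule).
REQUIRED = ("access", "purpose", "recipient", "retention", "category")

# ASSUMPTION: a stand-in for the tokens a default I.E. install treats as
# "unsatisfactory" (PII categories, PII purposes used without consent).
# Microsoft's real table is longer; this set is for illustration only.
UNSATISFACTORY = {"PHY", "ONL", "GOV", "FIN", "CONa", "TELa", "OTPa"}

_CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"')


def classify_token(tok):
    """Vocabulary group of one token, or None if it is not a valid P3P token."""
    for group, members in TOKEN_GROUPS.items():
        if tok in members:
            return group
    if len(tok) == 4 and tok[3] in "aio" and tok[:3] in SUFFIXABLE:
        return classify_token(tok[:3])
    return None


def extract_cp(p3p_header):
    """Token list from a P3P response header, or None if it carries no CP."""
    if p3p_header is None:
        return None
    m = _CP_RE.search(p3p_header)
    return m.group(1).split() if m else None


def validate_cp(tokens):
    """Spec-level check: every token known and every required group present."""
    unknown = [t for t in tokens if classify_token(t) is None]
    present = {classify_token(t) for t in tokens} - {None}
    if "nonident" in present:
        # NID (all data non-identifiable) relaxes purpose, recipient, retention
        # and category in my reading of the spec; access must still be stated.
        missing = [g for g in ("access",) if g not in present]
    else:
        missing = [g for g in REQUIRED if g not in present]
    return {"unknown": unknown, "missing": missing,
            "valid": not unknown and not missing}


def lenient_decision(tokens):
    """Blacklist-style rule the article describes: block a third-party cookie
    only when there is no CP at all or a flagged token is present. Unknown or
    incomplete policies carry no flagged token, so they are allowed through."""
    if tokens is None:
        return "block"
    return "block" if any(t in UNSATISFACTORY for t in tokens) else "allow"


def strict_decision(tokens):
    """Fail-closed rule: a policy that is not valid P3P counts as missing."""
    if tokens is None or not validate_cp(tokens)["valid"]:
        return "block"
    return lenient_decision(tokens)


# Constructed sample headers; none were captured from a real site.
SAMPLE_HEADERS = {
    "complete":       'P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR ADMa DEVa PSAa OUR IND NAV INT"',
    "unsatisfactory": 'P3P: CP="ALL DSP COR CUR ADMa TELa OUR BUS PHY ONL FIN"',
    "garbage_token":  'P3P: CP="HONK"',
    "two_tokens":     'P3P: CP="DSP LAW"',
    "no_cp":          None,
}


def audit(p3p_header):
    """Validation report plus both decisions for one response header."""
    tokens = extract_cp(p3p_header)
    if tokens is None:
        report = {"unknown": [], "missing": list(REQUIRED), "valid": False}
    else:
        report = validate_cp(tokens)
    report["lenient"] = lenient_decision(tokens)
    report["strict"] = strict_decision(tokens)
    return report


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        r = audit(header)
        print(f"{name:15} lenient={r['lenient']:5} strict={r['strict']:5} "
              f"unknown={r['unknown']} missing={r['missing']}")
```

Run stand-alone, the script shows the gap the article describes: the bogus single token and the two-token policy are both invalid P3P, yet the lenient rule allows their cookies because neither contains anything on the blacklist, while the fail-closed rule blocks them along with the header that has no compact policy at all.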

When students at Carnegie Mellon started investigating these bad codes, they noticed the exact same incomplete three-code policy showing up on more than 2,700 Web sites. Curious how everyone could make the same mistake, they searched for the codes in Google and found, surprisingly, a Microsoft support page.

Microsoft says it has now “retired” the page cited by CyLab (you can see it, cached, here), adding that the codes shown there were meant only to be an example, not a recommendation. It notes it also provides an article to guide Web developers on how to properly configure P3P so it matches their written privacy policy.

CyLab found that some of the Internet’s largest sites make use of the loophole, and by means other than the inaccurate Microsoft codes. For instance, Facebook last year had a compact policy with the cheeky entry “HONK,” Dr. Cranor says. (“Honk” is not a valid compact-policy code, nor does it resemble one the way a mistyped code would.) Facebook now has a policy with two correct codes, which is still not a usable policy, because a complete one needs at least five.

A Facebook spokesman said in an e-mailed statement: “We’re committed to providing clear and transparent policies, as well as comprehensive access to those policies. We’re looking into the paper’s findings to see what, if any, changes we can make.” Ben Maurer, a software engineer at Facebook, said that the site used only two codes instead of five because current compact-policy codes do not “allow a rich enough description to accurately represent our privacy policy.” Mr. Maurer said he did not know the history of how “HONK” made it into a compact policy.

The paper also notes that 134 sites with TRUSTe seals, which are meant to reassure consumers that strong privacy measures are in place at a Web site, have faulty compact policies. Only 391 of the more than 3,000 sites carrying the seal had compact policies at all.

TRUSTe’s president, Fran Maier, said in a blog post that the group was investigating the matter and contacting customers mentioned in the paper. She noted that customers self-attest to the accuracy of their policies, though TRUSTe will help them accomplish that. She said P3P adoption has been poor across the Internet because it was difficult to put into effect and because consumers didn’t see value in it.

Dr. Cranor says she thinks the real trouble is the lack of a regulatory requirement to use P3P, noting that few consumers know what P3P is. “I’m hoping companies will do the right thing, and it may take pressure from regulators to make that happen,” she says. “Beyond companies that are basically trying to look good on privacy, there is no incentive because you don’t have to do it.”