Over the past week, Google has been called out for bypassing default privacy settings in both Safari and Internet Explorer in order to serve up advertising cookies. The two cases were quite different. With Safari, Google acknowledged the problem and said it was an accident. With Internet Explorer, Google said it was using the best available workaround for an outdated browser privacy technology that limits the capabilities of modern websites—and noted that thousands of other websites do much the same thing to get past IE's privacy policy.

Despite the differences, each case demonstrates one thing that may be troubling to Web users: privacy settings in browsers can be easily circumvented. There are few technological barriers preventing companies like Google and Facebook from tracking users to serve up personalized ads, and there are few legal barriers as well.

To dig into these issues, Ars spoke with Lorrie Faith Cranor, a computer science professor at Carnegie Mellon University and director of the institution's Usable Privacy and Security Laboratory. Protecting user privacy on the Web is an ongoing struggle, and one that is not going well, she said.

"Every time we come up with a technical solution that protects privacy, the websites come up with something they want to do that is broken by this privacy protection, and so they find a workaround for it and they basically break the privacy protection," she said.

Cranor played a central role in developing the privacy standard used by Internet Explorer, which is called the Platform for Privacy Preferences Project, or P3P. P3P was built in 2002 by the World Wide Web Consortium (W3C), with Cranor serving as chairperson of the P3P working group. She also authored a book on P3P that same year.

The usefulness of P3P was put under the microscope this past week. Microsoft, the only major browser vendor to use P3P, notes that it blocks third-party cookies unless presented with a Compact Policy Statement (CP) promising not to use the cookie to track the user. Microsoft accused Google of circumventing this requirement with a fake policy that says "This is not a P3P policy" and a link to a Google page describing the company's opposition to P3P.

Google fired back that it is "impractical to comply with Microsoft’s request while providing modern web functionality," such as signing into websites using one's Google account, or using Facebook's "Like" button. To prove its point, Google pointed to Cranor's own research showing that about a third of 33,000 studied sites were circumventing P3P in Internet Explorer.

Is P3P outdated?

Cranor acknowledges that standards work on P3P has been nonexistent in recent years, and that it is only implemented by Internet Explorer. That said, IE is still the world's most widely used browser, and "there is nothing about P3P that goes bad. It doesn't have a sell-by date. The standard we put out in 2002 is still a perfectly good standard."

Cranor is also skeptical of the claim that Google can't provide this functionality while still complying with P3P, saying "It's not obvious to me there's any fundamental reason why a proper P3P compact policy wouldn't work in that scenario."

Google noted that Cranor's research called out Microsoft's own msn.com and live.com for providing invalid P3P policy statements, and that the same research (from 2010) showed that "Microsoft's support website recommends the use of invalid CPs as a work-around for a problem in IE."

The report, Cranor explains, discovered several methods for circumventing P3P policy. One method is submitting a CP statement "that is clearly not a P3P policy, and that's what Google and Facebook and at one point Amazon did," she said. Other offenders had "P3P policies that were almost right but not quite," and it was unclear whether the violations were purposeful or accidental. That's the category Microsoft fell into.

But the more puzzling accusation that a Microsoft support website provided advice recommending the use of invalid P3P statements is true, Cranor said.

Microsoft had received a question from a website developer about cookies breaking website content, and the answer Microsoft provided "was put the P3P compact policy on your website, and [Microsoft] gave an example of a P3P compact policy with no mention that you should write one that matches your website and not just blindly copy this one," Cranor said. The sample policy was invalid, yet "we found that thousands of websites just copied that string and it fixed the problem on their website."

Microsoft deleted that advice shortly after the report from Cranor and her Carnegie Mellon colleagues came out in 2010, although it apparently still existed on a Spanish language version of the site as of a few days ago, she said.
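The three kinds of compact policy described above (a string that is plainly not P3P, one that is "almost right but not quite," and one that is absent altogether) are easy to tell apart if the consumer of the header actually parses it. The following validator is an added example written for this article, not code from Cranor's study, Microsoft, or Google: it extracts the CP="..." value of a P3P response header and checks every token against the compact-policy vocabulary of the W3C P3P 1.0 Recommendation (the token lists are transcribed from that specification). The sample headers are constructed for the example, except for the "This is not a P3P policy" string quoted in the article; the completeness check (one access token plus purpose, recipient, retention and data-category tokens unless the policy is marked non-identifiable with NID) is a simplification of the full-policy rules.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# P3P 1.0 compact-policy token vocabulary, transcribed from the W3C P3P 1.0
# Recommendation for this example. Each group mirrors an element of the full
# XML policy that the compact policy summarises.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES_REMEDIES = {"DSP", "COR", "MON", "LAW"}
NON_IDENTIFIABLE = {"NID"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
           "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "GOV", "FIN", "UNI", "COM", "NAV", "INT",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "OTC"}
TEST = {"TST"}
KNOWN = (ACCESS | DISPUTES_REMEDIES | NON_IDENTIFIABLE | PURPOSE
         | RECIPIENT | RETENTION | CATEGORY | TEST)
# Purposes other than CUR and recipients other than OUR may carry a one-letter
# suffix: a = always, i = opt-in, o = opt-out (e.g. ADMa, DELo).
SUFFIXABLE = (PURPOSE - {"CUR"}) | (RECIPIENT - {"OUR"})
# Groups a policy about identifiable data must cover. This is a simplified
# reading of the full-policy rules; a policy carrying NID is exempt.
REQUIRED_GROUPS = {"ACCESS": ACCESS, "PURPOSE": PURPOSE,
                   "RECIPIENT": RECIPIENT, "RETENTION": RETENTION,
                   "CATEGORY": CATEGORY}

_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')


@dataclass
class CpReport:
    cp: Optional[str]                                   # raw CP value, None if absent
    tokens: List[str] = field(default_factory=list)
    unknown: List[str] = field(default_factory=list)    # tokens outside the vocabulary
    missing: List[str] = field(default_factory=list)    # required groups not covered

    @property
    def well_formed(self) -> bool:
        """A CP value is present and every token is P3P vocabulary."""
        return self.cp is not None and not self.unknown

    @property
    def complete(self) -> bool:
        """Well formed and covers every required group (or is NID)."""
        return self.well_formed and not self.missing


def _base(token: str) -> str:
    """Upper-case the token and strip an a/i/o suffix where one is allowed."""
    t = token.upper()
    if len(t) == 4 and t[3] in "AIO" and t[:3] in SUFFIXABLE:
        return t[:3]
    return t


def check_p3p_header(header: Optional[str]) -> CpReport:
    """Parse the CP="..." part of a P3P response header and validate it."""
    match = _CP_RE.search(header) if header else None
    if not match:
        return CpReport(cp=None)
    cp = match.group(1)
    report = CpReport(cp=cp, tokens=cp.split())
    bases = set()
    for token in report.tokens:
        base = _base(token)
        if base in KNOWN:
            bases.add(base)
        else:
            report.unknown.append(token)
    if "NID" not in bases:
        report.missing = [name for name, group in REQUIRED_GROUPS.items()
                          if not bases & group]
    return report


# Constructed sample headers, one per situation the article describes.
SAMPLE_HEADERS = {
    "valid":  'CP="NOI DSP COR CUR ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"',
    "fake":   'CP="This is not a P3P policy"',      # string quoted in the article
    "almost": 'policyref="/w3c/p3p.xml", CP="CAO PSA OUR"',
    "absent": 'policyref="/w3c/p3p.xml"',
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        r = check_p3p_header(header)
        print(f"{name:6} well_formed={r.well_formed} complete={r.complete} "
              f"unknown={r.unknown} missing={r.missing}")
```

Run against the samples, the "fake" header fails because none of its words are P3P tokens, the "almost" header parses but lacks retention and data-category tokens, and the "absent" header yields no policy at all; a consumer that applied even this much checking would have treated all three the same way it treats a missing policy, rather than unblocking the cookie.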

Privacy tools lack teeth

While the Google said/Microsoft said battles can be occasionally entertaining, the real problem is the lack of privacy standards that are both difficult to circumvent and enforceable through legal processes. Whether there would be a legal obligation to comply with P3P is a question that "came up a lot" during the standards process a decade ago, Cranor said.

"We asked regulators from the US, Europe, Canada, Australia, lots of places this question and their response was always the same: 'To the extent that I have the authority to enforce privacy policies written in human-readable languages, English, French, German, whatever, we can use that authority to enforce computer-readable policies like P3P.' So based on that statement, we concluded that the Federal Trade Commission [in the US] can go after companies who say deceptive things in their privacy policies and they had even more authority in some of the other countries."

Cranor has argued that Microsoft hasn't done a good job implementing P3P. But Google's use of the text "This is not a P3P policy," while understandable to a human, is clearly deceptive because it's "tricking the Internet Explorer Web browser that can't read those words and treats it as a P3P policy and unblocks the cookie," Cranor said.

Still, Google is not the only company doing this by a long shot, and in the ten years since P3P was implemented, Cranor said, "I don't know of any regulator that has gone after a company for P3P violations."

"It's both a technical problem and a legal problem," Cranor further said. "The technical ways these things are being enforced are rather brittle. If we had good legal enforcement that would make up for the fact that the technology is brittle, because then if somebody goes ahead and breaks the technology you would have the law come swooping in to go after them. But as it is they're both brittle."

Amazon actually faced a lawsuit over its use of invalid P3P policies to trick Internet Explorer into accepting cookies. Amazon now uses a valid policy, but the lawsuit was dismissed in December.

Google is facing complaints to the FTC and a class-action lawsuit over its cookie circumvention in Safari. An advocacy group that complained to the FTC said Google's bypassing of Safari's privacy protections—which Google has now stopped—violated a previous privacy agreement with the FTC.

The FTC is the more promising venue for privacy rights advocates, Cranor says. Lawsuits filed by individuals have to show some tangible monetary harm, but the FTC isn't held to that burden.

"In the US, the lawsuits are a much more difficult way to go than having the FTC or state attorneys general handle it," Cranor said. "We don't have much in the way of privacy laws in the US."

Can Do Not Track save the day?

The Electronic Frontier Foundation (EFF) argued that Google's Safari trick proves the need for so-called "Do Not Track" technology. The likes of Firefox and Internet Explorer have implemented such functionality, and Google Chrome has a similar option called "Keep My Opt-Outs."

The idea is fairly simple: give users a button to press, having the browser send a header to all websites informing them that the user who pressed the button is not to be tracked. Do Not Track could potentially replace P3P as a standard.

But Cranor, despite serving on the EFF board, is skeptical. There are problematic questions, including what it means to track and what it means to not track. Google could argue that setting advertising-related cookies is OK because the cookies don't collect any personal information, and Facebook could say technology used to customize content for signed-in users shouldn't be subject to new restrictions, either.

Today's implementations rely on websites essentially following the honor system, and making Do Not Track a standard wouldn't necessarily change that, Cranor said.

"Like P3P, this would just be a standard and it would be in the same boat P3P was in," she said. "If the industry agrees on a standard and we find out some companies are ignoring this and tracking you anyway, could the FTC do anything about it? I don't know. I think they'd be in an even worse position than they are with P3P, because the companies will claim 'we never even signed on to this. We didn't send any 'do not track' header, we just ignored the one you sent us.'"

Finding the right balance between privacy and functionality will be difficult, she said. Cranor noted that Microsoft's Tracking Protection Lists for IE9 are quite good at stopping websites from placing tracking cookies, preventing the kind of circumvention Google and Facebook practice. But the implementation can break functionality users want, she noted.

Chrome and Firefox also have options for blocking cookies. Third-party companies such as Abine and Evidon are building browser add-ons, whose usability Cranor and colleagues examined in a recent report. Generally the tools tend to just block everything, although some vendors are working toward a more nuanced solution, she said. Cranor and her colleagues found "serious usability flaws" in all nine tools they evaluated.

"Having been involved in privacy technology now for about 15 years, I'm not optimistic that technology alone here is going to solve the problem," she said.