Feeds

ICO 'enquiring' about Google's serving of tracking cookies

Questions after Microsoft slams Chocolate Factory on privacy

New hybrid storage solutions

Microsoft has claimed that Google has been serving third-party cookies capable of tracking users' online behaviour even when those users have adjusted settings in the Internet Explorer browser to prevent it happening.

Dean Hachamovitch, corporate vice president of Internet Explorer (IE) at the software giant, said Google had "bypassed" the settings by using a quirk in privacy technology. He said the company had identified the problem with its system after a researcher had reported that Google had circumvented user settings on the Apple Safari browser in order to send third-party cookies to those users.

Google has argued that Microsoft's reliance on outdated technology had forced thousands of websites to circumvent the 'Platform for Privacy Preferences' (P3P) system it uses in IE in order to deliver "functionality" to web users. It has also claimed that it had unintentionally served advertising cookies to Safari users when trying to deliver a personalised service to them in other ways, according to media reports.

Google has said that it was removing those advertising cookies from Safari and that, in any case, the advertising cookies the company serves "do not collect personal information".

A spokesman for the Information Commissioner's Office (ICO) told Out-Law.com that the watchdog was "making enquiries with Google" to establish whether the way in which it serves cookies complies with UK law.

Websites and third parties, such as advertisers, often like to record users' online interaction in order to serve personalised content, such as adverts, based on that recorded information. Websites can use a number of methods to collect user-specific data, including through the use of cookies. Operators sometimes pass on information stored in cookies to advertisers in order that they can serve behavioural adverts based on users' activity and apparent interests.

EU law

However, EU privacy rules that came into force last May state that storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing". Consent must be unambiguous and be explicitly given.

Those laws have been implemented into UK law by the amendment of the Privacy and Electronic Communications Regulations (PECR). The ICO's spokesman said that the watchdog would begin enforcing the law from 26 May this year – a year on from the date the amended PECR was introduced. The ICO previously said it would give website operators a year to work towards complying with the new rules.

In a Microsoft blog, Hachamovitch said that Google had been able to send third-party cookies to Internet Explorer even if users had elected not to receive them.

"By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent," Hachamovitch said.

Web standards

According to web standards body the World Wide Web Consortium (W3C) P3P "allows websites to present their data-collection practices in a standardized, machine-readable, easy-to-locate manner [and] enables web users to understand what data will be collected by sites they visit, how that data will be used, and what data/uses they may 'opt out' of or 'opt in' to".

However, Hachamovitch said the technology allows unlabelled P3P 'policies' to circumvent blocking measures.

"Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies," he said.

Hachamovitch said that IE users can use other 'Tracking Protection' technology to prevent Google serving third-party cookies to them and that Microsoft would change the way its P3P system works.

"The P3P specification says that browsers should ignore unknown tokens. Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action," he said.

Google said that using Microsoft's P3P system is "impractical."

"Microsoft uses a 'self-declaration' protocol (known as 'P3P') dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form," a Google spokeswoman said.

"It is well known - including by Microsoft - that it is impractical to comply with Microsoft’s request while providing modern web functionality," she said.

"Today the Microsoft policy is widely non-operational," she said.

Internet companies have been urged to establish a final standardised system that will allow users to control their privacy settings across websites by the European Commission.

Neelie Kroes, EU Commissioner responsible for the Digital Agenda, last year warned internet companies that she would "not hesitate to employ all available means to ensure our citizens' right to privacy" if a standardised system for indicating user consent to their online activity being tracked was not agreed by June 2012. Last month Kroes reiterated her demand and reported that the technology was at that stage more of an "aspiration rather than a reality".

Copyright © 2012, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Security for virtualized datacentres

More from The Register

next story
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
Heavy VPN users are probably pirates, says BBC
And ISPs should nab 'em on our behalf
Former Bitcoin Foundation chair pleads guilty to money-laundering charge
Charlie Shrem plea deal could still get him five YEARS in chokey
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
'Serious flaws in the Vertigan report' says broadband boffin
Report 'fails reality test' , is 'simply wrong' and offers ''convenient' justification for FTTN says Rod Tucker
FAIL.GOV – Government asks Dropbox for accounts that don't exist
Storage locker's transparency report shows rise in government data gobble attempts
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.