
ICO 'enquiring' about Google's serving of tracking cookies

Questions after Microsoft slams Chocolate Factory on privacy


Microsoft has claimed that Google has been serving third-party cookies capable of tracking users' online behaviour even when those users have adjusted settings in the Internet Explorer browser to prevent it happening.

Dean Hachamovitch, corporate vice president of Internet Explorer (IE) at the software giant, said Google had "bypassed" the settings by using a quirk in privacy technology. He said the company had identified the problem with its system after a researcher had reported that Google had circumvented user settings on the Apple Safari browser in order to send third-party cookies to those users.

Google has argued that Microsoft's reliance on outdated technology had forced thousands of websites to circumvent the 'Platform for Privacy Preferences' (P3P) system it uses in IE in order to deliver "functionality" to web users. It has also claimed that it had unintentionally served advertising cookies to Safari users when trying to deliver a personalised service to them in other ways, according to media reports.

Google has said that it was removing those advertising cookies from Safari and that, in any case, the advertising cookies the company serves "do not collect personal information".

A spokesman for the Information Commissioner's Office (ICO) told Out-Law.com that the watchdog was "making enquiries with Google" to establish whether the way in which it serves cookies complies with UK law.

Websites and third parties, such as advertisers, often like to record users' online interaction in order to serve personalised content, such as adverts, based on that recorded information. Websites can use a number of methods to collect user-specific data, including through the use of cookies. Operators sometimes pass on information stored in cookies to advertisers in order that they can serve behavioural adverts based on users' activity and apparent interests.

EU law

However, EU privacy rules that came into force last May state that storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing". Consent must be unambiguous and be explicitly given.

Those laws have been implemented into UK law by the amendment of the Privacy and Electronic Communications Regulations (PECR). The ICO's spokesman said that the watchdog would begin enforcing the law from 26 May this year – a year on from the date the amended PECR was introduced. The ICO previously said it would give website operators a year to work towards complying with the new rules.

In a Microsoft blog, Hachamovitch said that Google had been able to send third-party cookies to Internet Explorer even if users had elected not to receive them.

"By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent," Hachamovitch said.

Web standards

According to web standards body the World Wide Web Consortium (W3C), P3P "allows websites to present their data-collection practices in a standardized, machine-readable, easy-to-locate manner [and] enables web users to understand what data will be collected by sites they visit, how that data will be used, and what data/uses they may 'opt out' of or 'opt in' to".

However, Hachamovitch said the technology allows unlabelled P3P 'policies' to circumvent blocking measures.

"Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies," he said.

Hachamovitch said that IE users can use other 'Tracking Protection' technology to prevent Google serving third-party cookies to them and that Microsoft would change the way its P3P system works.

"The P3P specification says that browsers should ignore unknown tokens. Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action," he said.

Google said that using Microsoft's P3P system is "impractical."

"Microsoft uses a 'self-declaration' protocol (known as 'P3P') dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form," a Google spokeswoman said.

"It is well known - including by Microsoft - that it is impractical to comply with Microsoft’s request while providing modern web functionality," she said.

"Today the Microsoft policy is widely non-operational," she said.

The European Commission has urged internet companies to establish a final standardised system that will allow users to control their privacy settings across websites.

Neelie Kroes, EU Commissioner responsible for the Digital Agenda, last year warned internet companies that she would "not hesitate to employ all available means to ensure our citizens' right to privacy" if a standardised system for indicating user consent to their online activity being tracked was not agreed by June 2012. Last month Kroes reiterated her demand and reported that the technology was at that stage more of an "aspiration rather than a reality".

Copyright © 2012, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
