Feeds

ICO 'enquiring' about Google's serving of tracking cookies

Questions after Microsoft slams Chocolate Factory on privacy

High performance access to file storage

Microsoft has claimed that Google has been serving third-party cookies capable of tracking users' online behaviour even when those users have adjusted settings in the Internet Explorer browser to prevent it happening.

Dean Hachamovitch, corporate vice president of Internet Explorer (IE) at the software giant, said Google had "bypassed" the settings by using a quirk in privacy technology. He said the company had identified the problem with its system after a researcher had reported that Google had circumvented user settings on the Apple Safari browser in order to send third-party cookies to those users.

Google has argued that Microsoft's reliance on outdated technology had forced thousands of websites to circumvent the 'Platform for Privacy Preferences' (P3P) system it uses in IE in order to deliver "functionality" to web users. It has also claimed that it had unintentionally served advertising cookies to Safari users when trying to deliver a personalised service to them in other ways, according to media reports.

Google has said that it was removing those advertising cookies from Safari and that, in any case, the advertising cookies the company serves "do not collect personal information".

A spokesman for the Information Commissioner's Office (ICO) told Out-Law.com that the watchdog was "making enquiries with Google" to establish whether the way in which it serves cookies complies with UK law.

Websites and third parties, such as advertisers, often like to record users' online interaction in order to serve personalised content, such as adverts, based on that recorded information. Websites can use a number of methods to collect user-specific data, including through the use of cookies. Operators sometimes pass on information stored in cookies to advertisers in order that they can serve behavioural adverts based on users' activity and apparent interests.

EU law

However, EU privacy rules that came into force last May state that storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing". Consent must be unambiguous and be explicitly given.

Those laws have been implemented into UK law by the amendment of the Privacy and Electronic Communications Regulations (PECR). The ICO's spokesman said that the watchdog would begin enforcing the law from 26 May this year – a year on from the date the amended PECR was introduced. The ICO previously said it would give website operators a year to work towards complying with the new rules.

In a Microsoft blog, Hachamovitch said that Google had been able to send third-party cookies to Internet Explorer even if users had elected not to receive them.

"By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent," Hachamovitch said.

Web standards

According to web standards body the World Wide Web Consortium (W3C) P3P "allows websites to present their data-collection practices in a standardized, machine-readable, easy-to-locate manner [and] enables web users to understand what data will be collected by sites they visit, how that data will be used, and what data/uses they may 'opt out' of or 'opt in' to".

However, Hachamovitch said the technology allows unlabelled P3P 'policies' to circumvent blocking measures.

"Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies," he said.

Hachamovitch said that IE users can use other 'Tracking Protection' technology to prevent Google serving third-party cookies to them and that Microsoft would change the way its P3P system works.

"The P3P specification says that browsers should ignore unknown tokens. Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action," he said.

Google said that using Microsoft's P3P system is "impractical."

"Microsoft uses a 'self-declaration' protocol (known as 'P3P') dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form," a Google spokeswoman said.

"It is well known - including by Microsoft - that it is impractical to comply with Microsoft’s request while providing modern web functionality," she said.

"Today the Microsoft policy is widely non-operational," she said.

Internet companies have been urged to establish a final standardised system that will allow users to control their privacy settings across websites by the European Commission.

Neelie Kroes, EU Commissioner responsible for the Digital Agenda, last year warned internet companies that she would "not hesitate to employ all available means to ensure our citizens' right to privacy" if a standardised system for indicating user consent to their online activity being tracked was not agreed by June 2012. Last month Kroes reiterated her demand and reported that the technology was at that stage more of an "aspiration rather than a reality".

Copyright © 2012, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.