Another recent discussion was about Microsoft blaming Google and Facebook for circumventing IE privacy policies. There were many articles about that issue, two of them you’ll find here:
However blaming IE for not allowing the users to do the cool things users want to do is definitely the wrong approach. It is about allowing the user to choose what he wants to do. At least it is about accepting that users might opt for privacy. If P3P fails in this from the viewpoint of Google and Facebook, then we need another standard. But clearly, if the user expresses his will of keeping some privacy, actively bypassing this would be nothing else than an attack. I don’t really see a difference in acting that way to other types of attacks like phishing attacks and all the other types of malware we are confronted with on a daily basis.
The interesting question is now about what really is the case. Let’s look at some options. There are some cases around what Microsoft could do in IE:
1. Microsoft IE interprets P3P statements correctly
1a. Microsoft ignores incorrect P3P statements and allows access (to privacy-relevant information in the broadest sense)
1b. Microsoft interprets incorrect P3P statements and denies access (or asks the user)
2. Microsoft IE misinterprets P3P statements
On the other hand, there are some cases for companies like Facebook and Google providing P3P policies:
A. They don’t provide any P3P policy.
B. They provide something that has nothing to do with a P3P policy (like Facebook does).
C. They provide incorrect information about how they deal with privacy, but as a correct P3P policy.
D. They provide incorrect P3P policies.
D1. They do this accidentally.
D2. They do this to bypass the IE privacy settings.
It becomes obvious by just looking at the different cases that there are many situations. You can build a matrix and then decide on whom to blame. I want specifically to look at the situation of case 1b and case C. Having Microsoft IE ask the user for permission and thus inform him about a potential privacy violation would be the best approach from my perspective. In that case, IE would either ask the users in case A, B, and D or deny access to privacy-relevant information at all. So it is about case C – that would be the attack: Someone sending P3P policy information, but not acting according to that policy. Simply said: Case C from my perspective always is about attacking the user.
Honestly, I don’t have sufficient information to decide whom to really blame in the end. It looks as if IE could be more rigid regarding the way it deals with P3P policies. However, that might be inconvenient to some users (the privacy agnostic ones). But with a simple option to deactivate P3P “monitoring”, this could be circumvented. So some users might opt for giving away their privacy while others might opt for more control.
And that would again be about letting the user decide. And, like stated above: If the users opts for privacy, any active bypassing of this is illegitimate at best and potentially illegal.