Consumers’ privacy preferences are being ignored by web sites such as Amazon.com, Shopzilla.com and BizRate.com, which are taking advantage of an Internet Explorer loophole to track consumers’ web browsing habits, according to a new report. The loophole is present in Internet Explorer versions 6.0, 7.0 and 8.0.
The report, “Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens,” found numerous sites where stated privacy policies do not match the how the sites interact with Internet Explorer, which allows or disallows cookies from being placed based on the web users’ stated preferences.
To do so the sites use invalid three- and four-character tokens—bits of code that summarize their privacy policies—to bypass Internet Explorer users’ privacy preferences.
Internet Explorer is the only popular web browser that reads privacy policies that conform to the Platform for Privacy Preferences (P3P) protocol. P3P is designed to help standardize how privacy preferences are communicated between web sites and browsers so that a web browser like Internet Explorer immediately understands a site’s privacy policy for cookies. If a privacy policy, summarized and communicated through a series of token codes, matches a web user’s privacy settings, then cookies are allowed. If the privacy policy communicates the site’s use of cookies beyond what a web user allows in his privacy settings, the cookies are rejected. Except for U.S. government-operated web sites, the use of P3P protocol is voluntary on the part of the web site operator. P3P was launched as a self-regulation effort by the World Wide Web Consortium, in 2002.
However, the way Internet Explorer interprets the token codes enables web site operators to get around consumers’ preferences, the study says.
“The loophole is that Internet Explorer only looks for codes that are unsatisfactory,” says Lorrie Faith Cranor, a Carnegie Mellon University associate professor and co-author of the report. “If a code is meaningless, it’s fine.” This means that site administrators can use invalid codes, or fewer codes than are required, and that Internet Explorer will accept them. The study found, for example, multiple web sites using the same string of tokens and uncovered posts in web forums aimed at site administrators that offered generic tokens that Internet Explorer has accepted.
The loophole means codes that don’t communicate a site’s privacy policy properly get past Internet Explorer’s default privacy preference, which says to only block cookies when a third-party site’s privacy code is unsatisfactory based on the web user’s preferences. Cranor says this third-party code applies mostly to advertising embedded in web sites. A web user who manually changes his privacy setting to block all cookies is not affected.
The report claims that Amazon.com, No. 1 in the Internet Retailer Top 500 Guide, and IMDB.com, an Amazon-owned site, use meaningless tokens expressly to get past privacy settings. “It appears that these two web sites use [an invalid privacy policy token] only for the purpose of avoiding IE cookie filtering,” the report states.
In practice this means that Amazon.com might recommend a product to a visitor based on a cookie placed by an ad network that noted the shopper looked at an ad for that product on another web site. Amazon could read the cookie and use the data it contains to suggest the product. Amazon.com did not respond to multiple requests for comment.
The report also says privacy policies communicated through these tokens often don’t keep pace as web sites revise their privacy policies, which means Internet Explorer is reading a different privacy policy than the one the company actually uses. Cranor says this is more a matter of miscommunication than purposeful deception. A company’s attorneys may alter or rewrite a privacy policy and not tell the system administrator to modify the tokens in line with the new policy.
Although the P3P protocol has not been broadly adopted by other web browsers and remains voluntary for web site operators, making mistakes in following the protocol or purposefully maneuvering around it sets a bad example for the web industry, Cranor says.
“Right now the industry is trying to bend over backwards to say that self-regulation is working,” she says. “If the industry wants to be credible about self-regulation, it needs to demonstrate that it is. This points to it not working.”