Consumers’ privacy preferences are being ignored by web sites such as Amazon.com, Shopzilla.com and BizRate.com, which are taking advantage of an Internet Explorer loophole to track consumers’ web browsing habits, according to a new report. The loophole is present in Internet Explorer versions 6.0, 7.0 and 8.0.
The report, “Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens,” found numerous sites whose stated privacy policies do not match how the sites interact with Internet Explorer, which allows or blocks cookies based on web users’ stated preferences.
To do so, the sites use invalid three- and four-character tokens—bits of code that summarize their privacy policies—to bypass Internet Explorer users’ privacy preferences.
However, the way Internet Explorer interprets the token codes enables web site operators to get around consumers’ preferences, the study says.
“The loophole is that Internet Explorer only looks for codes that are unsatisfactory,” says Lorrie Faith Cranor, a Carnegie Mellon University associate professor and co-author of the report. “If a code is meaningless, it’s fine.” This means that site administrators can use invalid codes, or fewer codes than are required, and that Internet Explorer will accept them. The study found, for example, multiple web sites using the same string of tokens and uncovered posts in web forums aimed at site administrators that offered generic tokens that Internet Explorer has accepted.
In practice this means that Amazon.com might recommend a product to a visitor based on a cookie placed by an ad network that noted the shopper looked at an ad for that product on another web site. Amazon could read the cookie and use the data it contains to suggest the product. Amazon.com did not respond to multiple requests for comment.
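A site owner or auditor can check for the two defects the report describes, invalid tokens and fewer tokens than required, by validating a P3P header strictly instead of only looking for unsatisfactory codes. The following is an added example, not code from the report or from Internet Explorer; the token table is transcribed from the P3P 1.0 compact-policy vocabulary and the list of required element groups is this example's assumption, so both should be checked against the W3C specification. The function names and sample headers are constructed.

```python
import re

# P3P 1.0 compact-policy vocabulary, grouped by element (transcribed for this
# example; check against the W3C specification before relying on it).
VOCAB = {
    "access": "NOI ALL CAO IDC OTI NON",
    "disputes": "DSP",
    "remedies": "COR MON LAW",
    "non-identifiable": "NID",
    "purpose": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "recipient": "OUR DEL SAM UNR PUB OTR",
    "retention": "NOR STP LEG BUS IND",
    "categories": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC",
    "test": "TST",
}
TOKEN_GROUP = {tok: grp for grp, toks in VOCAB.items() for tok in toks.split()}
SUFFIX_OK = {"purpose", "recipient"}  # may carry a/i/o: always, opt-in, opt-out
NO_SUFFIX = {"CUR", "OUR"}            # these two never take a suffix
# Assumption of this example: groups a complete policy must cover.
# Policies that declare NID are not special-cased here.
REQUIRED = ["access", "purpose", "recipient", "retention", "categories"]

def classify(token):
    """Return the element group of a token, or None if it is not in the vocabulary."""
    if token in TOKEN_GROUP:
        return TOKEN_GROUP[token]
    base, suffix = token[:-1], token[-1:]
    grp = TOKEN_GROUP.get(base)
    if grp in SUFFIX_OK and suffix in ("a", "i", "o") and base not in NO_SUFFIX:
        return grp
    return None

def audit_p3p_header(value):
    """Audit a P3P header value: list unknown tokens and uncovered groups."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', value, re.IGNORECASE)
    if not m:  # no compact policy at all
        return {"unknown": [], "missing": REQUIRED[:], "valid": False}
    unknown, seen = [], set()
    for tok in m.group(1).split():
        grp = classify(tok)
        if grp is None:
            unknown.append(tok)
        else:
            seen.add(grp)
    missing = [g for g in REQUIRED if g not in seen]
    return {"unknown": unknown, "missing": missing, "valid": not unknown and not missing}

# Constructed sample header values (not taken from any real site).
SAMPLES = ['CP="NOI ADMa OUR STP NAV"', 'CP="XXX YYYY"', 'CP="NOI ADM"']
if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", audit_p3p_header(s))
```

A header that passes this check is only well-formed; whether its tokens match the site's actual practices still has to be compared against the full privacy policy.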
Although the P3P protocol has not been broadly adopted by other web browsers and remains voluntary for web site operators, making mistakes in following the protocol or purposefully maneuvering around it sets a bad example for the web industry, Cranor says.
“Right now the industry is trying to bend over backwards to say that self-regulation is working,” she says. “If the industry wants to be credible about self-regulation, it needs to demonstrate that it is. This points to it not working.”