Our regular readers know by now that we put a lot of stock in consumer privacy and can be very critical of anyone who takes that privacy for granted. Well, rest assured: if the report that we’re covering in today’s post turns out to be valid, there could be serious fallout for some very big and well-known e-commerce names. (Bear with us though, because there’s more tech jargon to this story than what we usually do.)
The report in question is called “Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens,” and from what we can tell, it was co-authored by an associate professor at Carnegie Mellon University.
The gist: customer privacy preferences are routinely being ignored by such e-commerce outlets as Amazon, Shopzilla and Bizrate, who are exploiting a loophole in Internet Explorer versions 6.0, 7.0 and 8.0 to track users’ browsing habits.
The report goes on to say that numerous sites were found where the published privacy policies do not correspond to how those sites actually interact with Internet Explorer, particularly with regard to the placement of cookies based on users’ privacy preferences.
The sites in question are apparently using invalid three- and four-character tokens, which are code sequences that summarize privacy policies, to circumvent an Internet Explorer user’s privacy preferences.
Here’s where it gets a little complicated.
IE is the lone major web browser that reads privacy policies that conform to the Platform for Privacy Preferences (P3P) protocol, which is designed to standardize how preferences are communicated between browsers and web sites. Under the protocol, a web browser should immediately be able to detect and understand a site’s privacy policy for cookies. If a site’s privacy policy, which is communicated through a series of token codes, matches a web user’s own privacy setting, then cookies are permitted. Cookies are rejected when a site’s cookie usage exceeds what the user’s privacy settings allow.
Use of the P3P protocol, which was developed in 2002 by the World Wide Web Consortium as an effort at self-regulation, is voluntary except for websites owned and operated by the U.S. government.
The study asserts that the manner in which IE interprets the token codes is what enables sites to bypass privacy preferences. Administrators can use invalid codes, or fewer codes than normally required, and IE will accept them. The result is a set of codes that doesn’t correctly communicate a site’s privacy policy, yet still gets through IE’s default privacy preferences.
“The loophole is that Internet Explorer only looks for codes that are unsatisfactory,” says Lorrie Faith Cranor, the co-author of the report.
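For readers who want to see what "invalid codes, or fewer codes than normally required" looks like, here is an added example (not code from the report or from any browser) that audits a `P3P: CP="..."` response header against the P3P 1.0 compact-policy token vocabulary. The function name, the sample headers and the rule that a complete policy needs one token from each of five groups are assumptions made for this illustration; policies that rely on the `NID` token are not special-cased.

```python
import re

# P3P 1.0 compact-policy tokens, grouped by the policy element they encode.
GROUPS = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "categories": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                   "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "other": {"DSP", "COR", "MON", "LAW", "NID", "TST"},
}
# Four-character tokens are a purpose/recipient token plus a consent suffix
# (a = always, i = opt-in, o = opt-out); CUR and OUR take no suffix.
SUFFIXABLE = (GROUPS["purpose"] - {"CUR"}) | (GROUPS["recipient"] - {"OUR"})
# Assumption for this example: a complete policy names each of these groups.
REQUIRED = ("access", "purpose", "recipient", "retention", "categories")

def classify(token):
    """Return the group a token belongs to, or None if it is not a P3P token."""
    base = token
    if len(token) == 4 and token[3] in "aio" and token[:3] in SUFFIXABLE:
        base = token[:3]
    for group, names in GROUPS.items():
        if base in names:
            return group
    return None

def audit_cp(header):
    """Report invalid tokens and missing groups in one P3P header line."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', header)
    tokens = match.group(1).split() if match else []
    groups = {t: classify(t) for t in tokens}
    present = set(groups.values())
    return {
        "invalid": [t for t in tokens if groups[t] is None],
        "missing": [g for g in REQUIRED if g not in present],
    }

if __name__ == "__main__":
    # Constructed sample headers, not taken from any real site.
    for sample in ('P3P: CP="NOI DSP COR ADMa OUR NOR NAV"',
                   'P3P: CP="FOO BAR"',
                   'P3P: CP="NOI ADM OUR OURa"'):
        print(sample, "->", audit_cp(sample))
```

A header that comes back with invalid tokens or missing groups does not describe a real policy, which is the condition the study says IE lets through.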
So what does this mean in practice? One of the sites in question could, for example, recommend an item to a shopper based on a cookie placed by an ad network that recognized the shopper once looked at an advertisement for that product on another website. The site could read the cookie and make an unwanted outreach or product recommendation as a result.
Cranor says that while the P3P protocol may be voluntary and hasn’t been adopted broadly by other browsers, failing to adhere to its rules, or maliciously circumventing them, sets a bad example for the entire industry.
Complicated, right? Leave us your thoughts and comments!



