Microsoft tries too hard, flubs privacy-related attack on Google

Ah, competitive marketing: the game in which if you don’t have anything bad to say, you wing it anyway. In its haste to pile onto Google’s(s goog) shaky start to the year, Microsoft tried a little too hard over the holiday weekend to slam Google for privacy violations involving a browser standard that is gathering dust.

In case you missed it, Microsoft’s(s msft) Dean Hachamovitch, corporate vice president for Internet Explorer, posted at what first glance Monday appeared to be another alarming expose of Google’s disregard for user privacy: “Google Bypassing User Privacy Settings.” Hachamovitch charged that Google was trying to pull the same trick on IE users that it shamefully employed to install third-party cookies on the computers of Safari(s aapl) users, but the reality wasn’t quite as damning as the headline.

IE uses a privacy protocol called P3P, a well-meaning but ill-fated attempt by the World Wide Web Consortium to introduce common privacy standards into Web browsers. The idea was to give users more control over how they were tracked by Web sites by asking those sites to declare their data-collection intentions in machine language (known as CPs) that could be understood by the browInternet Explorer 9ser and dealt with according to the user’s preferences.

But IE is the only browser that has implemented P3P, and the Web page for the standard itself hasn’t been updated since 2007. Also, P3P was designed before the time of the “Like” or “+1” buttons, meaning it doesn’t know how to deal with the concept of one Web page needing to understand that you’re logged into another Web site in order to provide you with the ability to share content through Facebook and Google, among others.

As a result, Google and Facebook simply don’t participate, substituting the code strings outlined in the P3P specifications for real text and a link to their P3P policies. As noted in Microsoft’s blog post, Google sends this message:

P3P: CP=”This is not a P3P policy! See for more info.”

This confuses IE, since it is looking for a set of three and four-letter code strings in order to enforce the P3P privacy policy, not actual words and links. That means Google’s third-party cookies will be installed on the machines of IE users.

But Microsoft protests way too much in flagging Google for this behavior.

For one thing, Google had already disclosed that it didn’t honor the aging standard. Facebook, a close partner of Microsoft’s and the recipient of $240 million in investment from Microsoft, has also confirmed to ZDNet (and previously disclosed) that it doesn’t follow the P3P guidelines for many of the same reasons as Google. Microsoft refused to comment to ZDNet regarding Facebook’s similar treatment of the P3P standard.

And even Microsoft once recommended that Web sites feed invalid P3P code to browsers, as shown in a 2010 study on P3P by Carnegie Mellon that was distributed by Google after Microsoft published its “findings.”

“Even if the CPs were valid, Microsoft’s recommendation undermines the purpose of P3P since it encourages web administrators to use CPs that do not represent their actual data practices,” the authors wrote in Section 5 of their long report.

In a statement distributed Monday, Google said “Today the Microsoft policy is widely non-operational. … The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure.” Instead, they use clearer options in browsers like Firefox, Chrome, and Safari regarding how Web sites set cookies on their machine.

This situation is far different from Google’s approach to Safari privacy standards, in which it bypassed cookie restrictions without disclosure by tricking the browser into thinking an ad was a form submission and was deservedly chastised. We can all agree that a common privacy standard for Web browsers is a nice idea, but modern Web services operating in 2012 can’t be expected to adhere to privacy policies abandoned by their creators in 2007.

You have to wonder what Microsoft was thinking: it’s quite similar to the 2011 blog post in which Google whined about Microsoft’s patent-licensing policies, which are completely legal even if some of the patents themselves might be questionable.

Microsoft would probably be better served by just sitting back and letting Google continue to make mistakes rather than lobbing a petty attack while giving another company following the exact same policy (a company that stands to return a nice chunk of change to Microsoft’s coffers in a few months) a free pass.