PogoWasRight.org


Microsoft responds to CMU findings, revises its P3P guidance

Posted on September 17, 2010 by pogowasright.org

I’ve blogged a few times this past week about a new study out of CMU CyLab about how many sites are using Compact Policies that are inaccurate and that might subvert an IE user’s cookie settings. TRUSTe responded to the study and questions I raised earlier this week. Today I received a response from Microsoft. The CMU researchers had indicated that Microsoft had used an invalid CP in their KB article that might weaken an IE user’s privacy protection with respect to cookies. According to the researchers, thousands of web sites seemingly copied and deployed the sample Compact Policy Microsoft had used in its article.

I asked Microsoft to respond to statements made by the researchers, and they have. Here is a statement I received from a Microsoft spokesperson:

The Microsoft KB article in question has been marked as “retired” (and we’re actually in the process of removing it) and has been superseded by additional, newer MSDN guidance: http://msdn.microsoft.com/en-us/library/ms537341(VS.85).aspx.

The updated guidance highlights three things web developers should be doing:

a. Name the policy-reference file p3p.xml and deploy it at /w3c/p3p.xml.
b. Deploy full P3P policy files within the same directory, for example, /w3c/full_p3p_policy.xml.
c. Set compact policies for all cookies in the HTTP header.

In addition, the workaround cited in CMU’s research is not a workaround but is by design: Internet Explorer behavior was changed to incorporate P3P settings. The CP provided in the initial KB article was used as an example and was not intended as official Microsoft guidance.
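To make the three steps in the MSDN guidance concrete, here is a small checker I have added (it is not Microsoft’s or CMU’s code). It validates every token of a compact policy against the P3P 1.0 token vocabulary as I read the Recommendation, flagging the unrecognized tokens that the study describes as “inaccurate” CPs; it then emits the `P3P` header (with the `policyref` pointing at `/w3c/p3p.xml`) beside `Set-Cookie`, and shows a minimal policy-reference file that points every URI at the full policy deployed in the same directory. The three sample CPs, the cookie value and the `#policy` fragment name are constructed for this example and are not taken from the KB article or the study.

```python
"""P3P compact-policy (CP) checker plus the header/file layout from the MSDN
guidance quoted above.  Added example; not Microsoft's or CMU's code."""
import re

# Compact-policy token vocabulary from the P3P 1.0 Recommendation (W3C, 2002).
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP"}
REMEDIES = {"COR", "MON", "LAW"}
NON_IDENT = {"NID"}
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT", "STA",
              "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
TEST = {"TST"}
BARE = ACCESS | DISPUTES | REMEDIES | NON_IDENT | RETENTION | CATEGORIES | TEST
# Purposes other than CUR and recipients other than OUR may carry a
# one-letter qualifier: a = always, i = opt-in, o = opt-out (e.g. ADMa, DELo).
QUALIFIABLE = (PURPOSES - {"CUR"}) | (RECIPIENTS - {"OUR"})

_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')
POLICYREF_PATH = "/w3c/p3p.xml"  # well-known location from the guidance


def check_compact_policy(header_value):
    """Classify every token in a P3P header value such as 'CP="CAO PSA OUR"'.

    Returns {'known': [...], 'unknown': [...], 'valid': bool}; 'valid' is True
    only when there is at least one token and every token is in the vocabulary.
    """
    m = _CP_RE.search(header_value)
    tokens = m.group(1).split() if m else []
    known, unknown = [], []
    for tok in tokens:
        # Split off a trailing a/i/o qualifier from a four-character token.
        base, qual = (tok[:-1], tok[-1]) if len(tok) == 4 and tok[-1] in "aio" else (tok, "")
        if tok in BARE or tok in PURPOSES or tok in RECIPIENTS:
            known.append(tok)
        elif qual and base in QUALIFIABLE:
            known.append(tok)
        else:
            unknown.append(tok)
    return {"known": known, "unknown": unknown, "valid": bool(tokens) and not unknown}


def cookie_response_headers(cookie, cp):
    """Headers for a response that sets a cookie.  The P3P header (policyref
    plus compact policy) must accompany Set-Cookie on every such response."""
    result = check_compact_policy(cp)
    if not result["valid"]:
        raise ValueError(f"refusing to send an invalid compact policy, unknown tokens: {result['unknown']}")
    tokens = _CP_RE.search(cp).group(1)
    return [
        ("P3P", f'policyref="{POLICYREF_PATH}", CP="{tokens}"'),
        ("Set-Cookie", cookie),
    ]


# Minimal policy-reference file to serve at /w3c/p3p.xml.  It points every URI
# on the site at the full policy deployed beside it (file name from the MSDN
# guidance; the "#policy" fragment id is an assumption).
POLICY_REFERENCE_XML = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/full_p3p_policy.xml#policy">
      <INCLUDE>/*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>
"""

# Constructed samples; none of these is the CP from the KB article or the study.
GOOD_CP = 'CP="CAO DSP COR CUR ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM STA"'
BAD_CP = 'CP="This is not a P3P policy"'   # only unrecognized tokens
MIXED_CP = 'CP="NOI DSP CURa COR"'          # CUR may not take a qualifier

if __name__ == "__main__":
    for cp in (GOOD_CP, BAD_CP, MIXED_CP):
        r = check_compact_policy(cp)
        print(cp, "->", "valid" if r["valid"] else f"INVALID, unknown tokens: {r['unknown']}")
    for name, value in cookie_response_headers("session=abc123; Path=/; HttpOnly", GOOD_CP):
        print(f"{name}: {value}")
```

The checker is deliberately strict: a token the vocabulary does not contain is reported rather than silently dropped, because a CP assembled from unrecognized tokens says nothing true about the site’s practices regardless of how any particular browser evaluates it. Bear in mind that Internet Explorer was the only browser that ever acted on compact policies, and no current browser honours the `P3P` header, so the value of getting this right today is in not publishing a false statement about your data practices rather than in cookie behaviour.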

Great thanks to Microsoft for responding and for revising its guidance to help web site operators comply with P3P.

I still hope to hear from the FTC on its role in this type of situation with respect to their authority to enforce or investigate companies that use erroneous CPs: are they engaging in “deceptive business practices” or “unjust enrichment” if they bypass a user’s settings? I would think that they are, but I am not a lawyer or a regulator. And if any litigators want to chime in as to whether they think consumers have a cause of action, I’d love to hear from you.

Categories: Featured News, Online

©2025 PogoWasRight.org. All rights reserved.