by robertc 5225 days ago
I think live.com does (or did) do it. See page 8, second column of the CMU paper in this reddit comment: http://www.reddit.com/r/technology/comments/py9h5/now_google...

It's really unbelievable how this paper keeps getting cited as proof Microsoft is doing this too. Page 7 was cited on the other thread; you can read my response here: http://news.ycombinator.com/item?id=3615267

Re: Live doing it too. No, that is not what the paper says. From page 8:

"Only one of these websites, microsoft.com, displayed a full P3P policy."

"Websites under the msn.com domain exhibited a CP that includes the invalid CUSo token. Two other Microsoft owned sites, microsoft.com and windows.com use the same CP. These websites display the TRUSTe EU Safe Harbor Privacy seal. We believe that these websites are likely attempting to comply with P3P; however, they are not using P3P properly."

"The live.com CP does not include any ACCESS tokens. This CP suggests collection of PII, but does not provide any information about whether users can access their personal information."

Microsoft does not always fully comply with the letter of the law, but based on everything that I have read in that paper, they sure seem to be trying to comply with the spirit. It's ridiculous to claim that sending a deliberately misleading P3P header is the same as sending a P3P header that suggests PII is used but does not provide the access policy. One is designed to exploit a weakness in P3P and avoid blatantly lying to browsers in order to track users. The other indicates that PII is used, but does not fully specify how this is used. It seems fairly clear that one company is at least trying to support P3P, even if they are unable to completely reflect their privacy policy with these tokens. To claim these situations are analogous is fairly dishonest IMO.

(NOTE: Page numbers are based on the PDF document for quick access. Subtract 1 for the number printed on the bottom of the page.)

It's really unbelievable...

It's not really that unbelievable: Microsoft is berating Google for sending invalid P3P headers and this paper describes that Microsoft is sending invalid P3P headers.

Microsoft does not always fully comply with the letter of the law...

In this case what constitutes the letter of the law isn't really clear. As far as I can tell this is the latest specification for the P3P header:

http://tools.ietf.org/html/draft-marchiori-w3c-p3p-header-01

I'm going to quote a small portion:

This Internet-Draft will expire on August 6, 2002.

So it's at least arguable that there isn't a standard for the P3P header, and whatever anyone wants to put in it is just whatever they put in it, nothing is invalid and everyone is fine.

Only IE supports it anyway, and it's not like it prevents websites from doing things they've said in their P3P headers that they're not going to do. And since the header is required to make IE accept 3rd party cookies (which are needed for lots of quite normal stuff on the web), you need to send it one of these headers.

RFC 6462 also has some interesting comments:

http://tools.ietf.org/html/rfc6462#section-4.3.2
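The thread above turns on three distinct situations: a CP containing a token the spec does not define (the "CUSo" case quoted from the paper), a CP made of valid tokens that simply omits any ACCESS token (the live.com case), and a CP that is not a policy at all. The checker below, an added example that is not code from the thread or from the CMU paper, makes those distinctions mechanically. The token table is the compact-policy vocabulary from the W3C P3P 1.0 Recommendation; the sample header values are constructed for illustration and are not the real headers of any site named in the thread.

```python
import re

# Compact-policy tokens from the W3C P3P 1.0 Recommendation, grouped by the
# policy element each token abbreviates.
P3P_TOKENS = {
    "ACCESS":     {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "DISPUTES":   {"DSP"},
    "REMEDIES":   {"COR", "MON", "LAW"},
    "NON-IDENT":  {"NID"},
    "PURPOSE":    {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                   "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "RECIPIENT":  {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "RETENTION":  {"NOR", "STP", "LEG", "BUS", "IND"},
    "CATEGORIES": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
                   "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "TEST":       {"TST"},
}

# A token is three capital letters, optionally followed by a one-letter suffix
# (a = always, i = opt-in, o = opt-out) that encodes the XML "required"
# attribute. That attribute exists only on PURPOSE and RECIPIENT elements.
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")

# Constructed sample header values (assumptions for this example, not the
# headers any real site sends).
SAMPLE_HEADERS = {
    "full":         'policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAa OUR IND UNI PUR COM NAV INT"',
    "bad_token":    'CP="CUSo CURa ADMa DEVa OUR IND PHY ONL"',   # shape of the CUSo case quoted above
    "no_access":    'CP="CURa ADMa IVAo OUR BUS PHY ONL UNI"',    # shape of the "no ACCESS tokens" case
    "not_a_policy": 'CP="This is not a compact policy see the privacy page instead"',
}


def extract_cp(header_value):
    """Return the CP attribute of a P3P header value, or None if absent."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value, re.IGNORECASE)
    return m.group(1) if m else None


def classify_token(tok):
    """Map one token to its P3P group, or None if it is not a valid token."""
    m = TOKEN_RE.match(tok)
    if not m:
        return None
    base, suffix = m.group(1), m.group(2)
    for group, members in P3P_TOKENS.items():
        if base in members:
            # A required-suffix on an ACCESS, RETENTION, ... token is itself invalid.
            if suffix and group not in ("PURPOSE", "RECIPIENT"):
                return None
            return group
    return None


def audit_cp(header_value):
    """Audit a P3P header: valid tokens by group, invalid tokens, and whether
    the policy answers the ACCESS question at all."""
    cp = extract_cp(header_value)
    if cp is None:
        return {"has_cp": False, "valid": {}, "invalid": [],
                "has_access": False, "findings": ["no CP attribute"]}
    valid, invalid = {}, []
    for tok in cp.split():
        group = classify_token(tok)
        if group is None:
            invalid.append(tok)
        else:
            valid.setdefault(group, []).append(tok)
    findings = []
    if not valid:
        findings.append("no valid P3P tokens at all")
    if invalid:
        findings.append("invalid tokens: " + " ".join(invalid))
    if valid and "ACCESS" not in valid:
        findings.append("no ACCESS token: data practices declared without an access policy")
    return {"has_cp": True, "valid": valid, "invalid": invalid,
            "has_access": "ACCESS" in valid, "findings": findings}


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:13s} {audit_cp(header)['findings']}")
```

The point of separating "invalid token present" from "no valid token at all" from "valid but missing ACCESS" is that a browser or an auditor can treat them differently: the first two are headers that cannot be matched to the spec's vocabulary, while the third is a well-formed policy with a gap, which is exactly the distinction the second commenter draws.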