UPDATE: It turns out Facebook and many other sites are using an almost identical scheme to override Internet Explorer's privacy setting, according to privacy researcher Lorrie Faith Cranor at Carnegie Mellon University. "Companies have discovered that they can lie in their [P3P policies] and nobody bothers to do anything about it," Cranor wrote in a recent blog post.
UPDATE 2: Google has gotten back to us with a lengthy reply, arguing that Microsoft's reliance on P3P forces outdated practices onto modern websites, and pointing to a study conducted in 2010 (the Carnegie Mellon research from Cranor and her colleagues) that studied 33,000 sites and found about a third of them were circumventing P3P in Internet Explorer.
Facebook's "Like" button, the ability to sign into websites using your Google account "and hundreds more modern Web services" would be broken by Microsoft's P3P policy, Google says. "It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality," Whetstone said. "Today the Microsoft policy is widely non-operational."
That 2010 research even calls out Microsoft's own msn.com and live.com for providing invalid P3P policy statements. The research paper further states that "Microsoft's support website recommends the use of invalid CPs as a work-around for a problem in IE."