Slashdot Mirror


Microsoft Accuses Google of Violating Internet Explorer's Privacy Settings

New submitter Dupple writes with a followup to Friday's news that Google was bypassing Safari's privacy settings. Now, Microsoft's Internet Explorer blog has a post accusing Google of doing the same thing (in a different way) to Internet Explorer. Quoting: "By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent. P3P, an official recommendation of the W3C Web standards body, is a Web technology that all browsers and sites can support. Sites use P3P to describe how they intend to use cookies and user information. By supporting P3P, browsers can block or allow cookies to honor user privacy preferences with respect to the site’s stated intentions. ... Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy."
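
The mechanism the summary describes, as an added example (this is not code from the Slashdot story, from Microsoft's blog post or from Google): a small Python evaluator for the P3P `CP` (compact policy) response header. It parses the header the way the spec prescribes, ignoring every undefined token, and then shows the one decision that matters here: whether a header left with zero recognised tokens is treated as an empty, benign policy (the behaviour the post attributes to IE, which lets the cookie through) or as no policy at all (fail closed, which blocks it). The token vocabulary is a labelled subset of P3P 1.0, the "unsatisfactory policy" rule is a deliberately simplified stand-in for a browser's real rule set (an assumption, not IE's logic), and every sample header other than the Google one quoted in the thread is constructed. The same code also answers the later exchange in the comments about whether a blank header and a missing header should mean the same thing.

```python
"""Added example, not code from the Slashdot post or from Microsoft/Google:
a toy evaluator for the P3P 'CP' (compact policy) response header showing why
a header made only of undefined tokens must not be read as a benign policy."""
import re
from typing import Dict, List, Optional, Tuple

# Subset of the P3P 1.0 compact-policy vocabulary (assumption: this subset is
# enough for the demonstration; the full list lives in the W3C specification).
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP", "COR", "MON", "LAW"}
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
            "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
              "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
KNOWN_TOKENS = (ACCESS | DISPUTES | PURPOSES | RECIPIENTS | RETENTION
                | CATEGORIES | {"NID", "TST"})

# Simplified rule (assumption, not IE's real rule set): a policy is
# "unsatisfactory" when it declares an identifying data category and uses it
# for a non-routine purpose without an opt-in ('i') or opt-out ('o') qualifier.
IDENTIFYING = {"PHY", "ONL", "UNI", "GOV", "FIN"}
ROUTINE_PURPOSES = {"CUR", "ADM", "DEV"}

CP_FIELD = re.compile(r'CP\s*=\s*"([^"]*)"')
# A compact token is three letters plus an optional a/i/o qualifier
# (always / opt-in / opt-out). The spec's ABNF is case-insensitive, so we fold case.
TOKEN = re.compile(r"([A-Za-z]{3})([AaIiOo])?")


def parse_compact_policy(p3p_header: str) -> Optional[Tuple[Dict[str, str], List[str]]]:
    """Split the CP="..." field into recognised tokens and ignored words.

    Returns None when the header carries no CP field at all. Recognised tokens
    map base token -> qualifier ('' when absent). Undefined tokens go to the
    ignored list, which is what the spec tells browsers to do with them."""
    field = CP_FIELD.search(p3p_header)
    if field is None:
        return None
    recognised: Dict[str, str] = {}
    ignored: List[str] = []
    for word in field.group(1).split():
        match = TOKEN.fullmatch(word)
        if match and match.group(1).upper() in KNOWN_TOKENS:
            recognised[match.group(1).upper()] = (match.group(2) or "").lower()
        else:
            ignored.append(word)
    return recognised, ignored


def is_unsatisfactory(recognised: Dict[str, str]) -> bool:
    """Apply the simplified tracking rule described above."""
    uses_identifying = bool(set(recognised) & IDENTIFYING)
    for token, qualifier in recognised.items():
        if (token in PURPOSES and token not in ROUTINE_PURPOSES
                and qualifier in ("", "a") and uses_identifying):
            return True
    return False


def third_party_cookie_decision(p3p_header: Optional[str], fail_closed: bool) -> str:
    """Return 'allow' or 'block' for a third-party cookie.

    p3p_header is the raw P3P response header value, or None when the response
    had no P3P header. fail_closed=False reproduces the behaviour the blog post
    describes (an all-undefined policy reads as 'nothing to declare');
    fail_closed=True treats it like a missing policy instead."""
    if p3p_header is None:
        return "block"                        # no policy at all: default deny
    parsed = parse_compact_policy(p3p_header)
    if parsed is None:
        return "block"                        # P3P header without a CP field
    recognised, _ignored = parsed
    if not recognised:
        return "block" if fail_closed else "allow"
    return "block" if is_unsatisfactory(recognised) else "allow"


# The header quoted in the thread (Google's), plus two constructed policies.
GOOGLE_CP = ('CP="This is not a P3P policy! See '
             'http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 '
             'for more info."')
BENIGN_CP = 'CP="NOI DSP COR CURa ADMa DEVa OUR IND"'              # constructed
TRACKING_CP = 'CP="NOI DSP COR CURa ADMa TAIa PSAa OUR UNI NAV"'   # constructed

if __name__ == "__main__":
    for label, header in [("none", None), ("google", GOOGLE_CP),
                          ("benign", BENIGN_CP), ("tracking", TRACKING_CP)]:
        print(f"{label:9} fail-open={third_party_cookie_decision(header, False):5} "
              f"fail-closed={third_party_cookie_decision(header, True)}")
```

Running it shows that the Google header yields no recognised tokens at all, so the only thing deciding the cookie's fate is the browser's choice between fail-open and fail-closed; the constructed benign and tracking policies get the same verdict in both modes because they actually declare something the rule can evaluate.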

197 comments

  1. So... by The MAZZTer · · Score: 5, Interesting

    In other words, if your server delivers a garbage or blank P3P header, the browser assumes there are no privacy implications? Sounds like a hole in the standard to me, such headers should be ignored IMO. Though Google really should have tested this properly with all browsers before deploying it in production it sounds to me like an oopsie, not at all like the Safari thing.

    1. Re:So... by samkass · · Score: 5, Insightful

      In other words, if your server delivers a garbage or blank P3P header, the browser assumes there are no privacy implications? Sounds like a hole in the standard to me, such headers should be ignored IMO. Though Google really should have tested this properly with all browsers before deploying it in production it sounds to me like an oopsie, not at all like the Safari thing.

      Google has been claiming "oopsies" almost weekly over the last couple months. In this case they put this in their policy: 'P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."' in what is meant to be a machine-readable field. Following the spec would have been easy-- omit the field altogether. Instead Google violates the spec in a way that benefits them. It's possible Google is just really incompetent over all these "oopsies", but they sure try to represent themselves as a company with above-average engineers. It has to be one or the other.

      --
      E pluribus unum
    2. Re:So... by Anonymous Coward · · Score: 1

      In other words, if your server delivers a garbage or blank P3P header, the browser assumes there are no privacy implications? Sounds like a hole in the standard to me, such headers should be ignored IMO. Though Google really should have tested this properly with all browsers before deploying it in production it sounds to me like an oopsie, not at all like the Safari thing.

      "sounds to me like an oopsie"

      odds are if this was the other way around and microsoft had "forgotten" to do something and had thus compromised a standard designed to help protect privacy there would be an uproar on our hands.

      too many people take it for granted that google aren't "evil" and when they do things that are "evil" give google benefit of the doubt that other companies wouldn't (and shouldn't) be afforded.

      even if this is an "oopsie" corporate mistakes like this should be punished.

      captcha : disgust

    3. Re:So... by TheGratefulNet · · Score: 5, Insightful

      funny: I'll have to remember this to rub their noses in it, next time I run into a googler.

      or, if they interview me, I'll ask THEM: "so, what is the proper response to a machine parsable field? TLV things or human-intended English? please support your answer."

      sigh. I cannot give google a pass. they act like god's gift to networking yet they make 'mistakes' like this? sorry, but I don't buy it.

      --
      "It is now safe to switch off your computer."
    4. Re:So... by betterunixthanunix · · Score: 5, Insightful

      P3P sounds like a stupid idea anyway. How does it protect user privacy if something as trivial as the attack described above totally defeats it?

      If the IE or Safari teams really cared about user privacy, they would be more strict about allowing sites to set or read cookies. This is just an excuse for Microsoft and Apple to publicly bash one of their competitors while continuing to not give two hoots about their users.

      --
      Palm trees and 8
    5. Re:So... by ganjadude · · Score: 5, Funny

      P3P, Im still trying to master P2P!

      --
      have you seen my sig? there are many others like it but none that are the same
    6. Re:So... by ArsenneLupin · · Score: 3, Insightful

      P3P sounds like a stupid idea anyway. How does it protect user privacy if something as trivial as the attack described above totally defeats it?

      P3P is an honor system anyway. The same effect could be obtained by a syntactically well-formed promise not to abuse the 3rd party cookies, but which google would never intend to keep...

    7. Re:So... by Anonymous Coward · · Score: 0

      What does Google do to protect user privacy?
      Oh, right... Google tries to steal user data.

    8. Re:So... by billcopc · · Score: 1

      Anything that relies on "voluntary" cooperation is flawed. Either you accept that 99% of the internet will ignore it and quityerbitchin', or... you create a privacy standard that is client-enforced and leaves no room for loose interpretation.

      Just because people think they can shame Google into playing nice, doesn't mean those Doubleclick rat bastards will, nor any 3rd world fraudster, which means this whole P3P thing is a joke.

      --
      -Billco, Fnarg.com
    9. Re:So... by irregular_hero · · Score: 5, Insightful

      Google has been claiming "oopsies" almost weekly over the last couple months. In this case they put this in their policy: 'P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."' in what is meant to be a machine-readable field. Following the spec would have been easy-- omit the field altogether. Instead Google violates the spec in a way that benefits them. It's possible Google is just really incompetent over all these "oopsies", but they sure try to represent themselves as a company with above-average engineers. It has to be one or the other.

      Can't say I really can fault Google for this. Explaining why would require an understanding of how P3P 1.0 objects are configured and how limited those types really are.

      P3P 1.1 work has stalled (albeit in provisionally final state) and is likely to not restart; in its absence is P3P 1.0 which exists firmly in the world-as-it-was of 2000/2001. It covers cookies and certain types of form transmission, but doesn't cover privacy aspects of other types of persistent data, new transmission protocols (like SPDY), advanced caching techniques, or HTML5 storage. Technology has advanced past the point that P3P 1.0 is useful -- and quite simply, it's doubtful it ever really was. If you visit the link Google supplies it explains some of their reasoning, and it's pretty dang valid for a post-2007 view of the Web.

      Those chucking bombs over this would be better served to focus their efforts on either modernizing or replacing P3P 1.0 -- or, better yet, trying something radically different like PRIME or Policy-Aware-Web tried to do.

    10. Re:So... by similar_name · · Score: 1

      Just because people think they can shame Google into playing nice, doesn't mean those Doubleclick rat bastards will

      I think Google owns Doubleclick. But you're right, privacy has to start with the client.

    11. Re:So... by sjames · · Score: 2, Insightful

      No. The browser is supposed to ignore the whole thing if it doesn't find anything it understands. Why MS doesn't make IE just go with the default of NO in those cases, I don't know.

      Of course, why Google sends such a non-statement is questionable as well.

    12. Re:So... by Anonymous Coward · · Score: 0

      If what you say is right, why would Google release a do not track extension for Chrome?

      What's happening here is quite simple. Microsoft and Apple are trying to score cheap PR points while at the same time trying to dent Google's business model because Microsoft specifically just cannot find a way to get that business model to work. MS and Apple don't care a bit about their users as they showed time and again.

    13. Re:So... by recoiledsnake · · Score: 4, Interesting

      P3P sounds like a stupid idea anyway. How does it protect user privacy if something as trivial as the attack described above totally defeats it?

      If the IE or Safari teams really cared about user privacy, they would be more strict about allowing sites to set or read cookies. This is just an excuse for Microsoft and Apple to publicly bash one of their competitors while continuing to not give two hoots about their users.

      Reading your Gmail emails should be very trivial for Google employees. That doesn't make it okay, does it? One would expect Google to have higher standards.

      You'd expect shady sites to "attack" a gentleman's agreement, not Google. If you think they're the same, would you be okay with hosting your mail on warez-email.com? After all, they're both on the big bad internet.

      --
      This space for rent.
    14. Re:So... by recoiledsnake · · Score: 4, Insightful

      Google is using +1 buttons to track visitors browsing on 3rd party sites to enhance their ad profiles for users. This is explicitly why P3P was even made as a standard. Circumventing the standard by sending invalid data while saying nothing exactly fits the definition is a cop-out.

      --
      This space for rent.
    15. Re:So... by stanlyb · · Score: 1

      Nope, they are simply saying that Google does not support P3P policy, hence, what? What is the punishment for a site that does not support it? Marking it as Evil?

    16. Re:So... by Ethanol-fueled · · Score: 2

      You said,

      It's possible Google is just really incompetent over all these "oopsies", but they sure try to represent themselves as a company with above-average engineers. It has to be one or the other.

      I'll be an annoying Philosophy 101 kid and state right off the bat that's a false dichotomy.

      Anyway, anybody who's worked in the tech sector (or read enough Dilbert, or both) knows that even the "above-average" engineers are boneheads. I'll give you a few real-life examples I have encountered - an engineer who thought it would be a good idea to couple zinc anodes to a titanium plate to be deployed under the sea, the engineer who didn't overdesign a power circuit which resulted in exploding power transistors, the engineer whose published programs are riddled with misspellings, the engineer who didn't design for standard industry sizes resulting in having to stretch gaskets to get them to fit, the multitude of engineers who don't comment their code except for their initials at the tops of the source files, and the list goes on and on.

    17. Re:So... by stanlyb · · Score: 2

      Does it matter that they are actually right about their accusations? Oh, wait, they are evil, guilty until....forever.

    18. Re:So... by hairyfeet · · Score: 3, Interesting

      Because then you have tens of millions of users screaming "My Gmail won't load!"? let's face it, folks can "spin" all they want but Google ain't THAT dumb. they have some of the best engineers of the planet. So can we all just accept that "Do no evil" is nothing more than "Think different" aka marketing bullshit and realize that Google is only gonna do what is best for Google already?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    19. Re:So... by noh8rz2 · · Score: 4, Insightful

      don't blame the abuser! it's the victim's fault. she should have known better than to try to talk to him when he was stinking drunk again. Look what she made him do!

    20. Re:So... by recoiledsnake · · Score: 3, Informative

      Gmail doesn't need third party cookies. This is about sites with +1 buttons. They allow Google to track all users across all sites that have them.

      --
      This space for rent.
    21. Re:So... by mycroft16 · · Score: 1

      I have to agree. With the quality of engineers that Google claims to have, this is a no-brainer. Especially in light of all the "oopsies" Google has had in the last year. This on top of the Safari incident after everything else adds up to bad news for Google.

    22. Re:So... by Anonymous Coward · · Score: 2, Interesting

      It does matter Microsoft is lying about this being a new revelation. Microsoft knew Facebook and Amazon do the same thing back in 2010 - so they obviously knew Google is doing this too. The timing of this is just cheap PR which is typical for Microsoft. Why don't they spend this time and effort in building a better standard and a better product?

    23. Re:So... by CowTipperGore · · Score: 4, Insightful

      From my reading of Microsoft's long blog post, Google didn't violate the spec. IE does not correctly implement the spec and Google is abusing that by using a legal but illogical header. If Google doesn't say what they are doing with the data, then IE shouldn't provide it. Instead, Google says "I'm not telling you anything about my intent" and IE says "Good enough. The key's under the mat. Lock up when you're done." The whole system is trust based. Google doesn't promise anything and IE doesn't care. Google is being shady and Microsoft is being incompetent.

      My biggest problem here is Microsoft releasing this now in a lengthy blog post and trying to tie it to the Safari dust up. They know that the blogs will not include their full release and will instead carry the headline like you see here. This is a PR move at least as dishonest as what Google appears to be doing with their P3P header.

    24. Re:So... by cheater512 · · Score: 4, Informative

      Course it is deliberate. Question: So what?

      It doesn't do anything to IE and is ignored by every other browser.
      P3P is deprecated and has been for years - no other browser pays any attention to it.
      All it does is make Google's products work properly with IE (not just ad tracking).

      If I needed to add gibberish to one of my sites like that P3P policy to make it work, I would.

    25. Re:So... by mystikkman · · Score: 2

      > Google didn't violate the spec

      The list is supposed to be populated with the code(s) of what they're doing with the info. They're lying by not stating they're tracking users browsing habits when they visit pages with +1 buttons. Leaving it blank is not in the spec.

    26. Re:So... by mystikkman · · Score: 1

      Anything that relies on "voluntary" cooperation is flawed. Either you accept that 99% of the internet will ignore it and quityerbitchin', or... you create a privacy standard that is client-enforced and leaves no room for loose interpretation.

      Just because people think they can shame Google into playing nice, doesn't mean those Doubleclick rat bastards will, nor any 3rd world fraudster, which means this whole P3P thing is a joke.

      I am sure you will say the same thing if Google employees starts reading your email for fun and profit.

      "Oh it's okay, it's your fault for trusting a site on the internet, stop demanding them to stop it, would warezemail.com stop?".

    27. Re:So... by Anonymous Coward · · Score: 2, Informative

      Exactly. And I don't want those buttons anyway. Most people don't want them. What this kerfuffle made me realize is that Chrome allows third-party cookies by default. It makes sense that an advertising company would do this I guess. But IE and Safari obviously don't allow them by default. Firefox I am not sure. I used to use FF a lot, but may have customized my settings. Right now it is set to allow the 3rd party cookies but treat them as session cookies and delete them when FF is closed. Chrome was just allowing them all. I went in and cleaned out a lot of cookies from sites I never had visited (advertising cookies) and told Chrome to quit accepting 3rd party cookies. So it at least shed light on which browser vendors are at least attempting to help users not be tracked.

    28. Re:So... by Anonymous Coward · · Score: 1

      So how do you propose companies like Apple and Microsoft distinguish between cases where they should follow established industry standards and specs or deviate from them? When either decides it's better for their users to do so? And they should just go ahead and not implement the standard properly instead of following up with the appropriate standards bodies? I'm confused about how Slashdot can be so pro-standard and then advocate ignoring them when it suits...

    29. Re:So... by irregular_hero · · Score: 5, Informative

      You're splitting hairs here.

      P3P 1.0 doesn't allow for multi-site declarations, only "cross-site" declarations. There can be one -- and only one -- P3P policy; by the standard it doesn't allow but ONE policy and states that others, if present, should be ignored. This just isn't how the Web works these days. Cloud services have pretty much become a de facto standard, but P3P forces site administrators to take a P3P policy from the integrated service and mash it into their own policy (and hope the service policy never changes). This just isn't practical.

      A site admin CHOOSES to use +1 buttons and FB like buttons. Inclusion of these objects would optimally prompt an admin to adjust their _own_ P3P policy, but it's just a plain ol' administrative nightmare to manually take the respective organizations' policies and create a master policy out of all of them. It's fully manual; it has no concept of "merging" policies to present users with enough information to make informed choices on the multitude of SaaS services sites now use. That's the issue.

      The darn thing is broken. Period. Hard to claim "cop-out" when dealing with a protocol that's stuck in 2001.

    30. Re:So... by wireloose · · Score: 1, Informative

      from OP:

      The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter.

      Also can't give Microsoft a pass, especially if they're truly supposed to be ignoring undefined policies. It's not like Microsoft has ever been particularly supportive of standards they didn't develop, or like they've ever really developed a secure browser.

    31. Re:So... by GIL_Dude · · Score: 4, Insightful

      Well, it is certainly trust based and open for abuse (people can certainly lie in the header). However, what Google should be doing is not providing a P3P header at all. It is only someone who is openly abusing the trust system who would create a P3P header that doesn't contain any P3P information. It is fairly clear that it was done on purpose - to abuse the trust system. Is that system a crap design? Yes. Yes, it is. Should major companies be out there abusing it if they want us to trust them? No. No, they should not. It is pretty clear from this that:

      1) We need to call out companies that do this type of thing. Not just with P3P but anytime they abuse the system or game it. They need to be made to understand that a very vocal set of folks will make it known what they are doing and that it is bad for their business to be found gaming trust systems.
      2) We need better systems that don't just trust whatever a company says about their intentions with our data.

    32. Re:So... by Richard_at_work · · Score: 4, Insightful

      Quite simply, it allows stories like this - which is a good thing.

      P3P allows a website to make a very obvious statement about their intentions, to a set specification - if the website specifically sets a P3P that they don't honour then it becomes a PR issue, as it has in this case.

      Google were breaking the spec here, in such a way that creates a valid P3P statement in the process which says "we won't be doing anything untoward with your cookies" - the field they use is not a text field and therefore the content they put into it is ignored, resulting in a zero length list of items they *will* do with the cookies...

      That definitely should get Google into the tech media at least.

    33. Re:So... by Anonymous Coward · · Score: 0

      I didn't even know Sony was still making portable gaming equipment.

    34. Re:So... by Anonymous Coward · · Score: 1

      You are trying to solve a social problem with technology ("client enforced" privacy standard with "no room for loose interpretation"). It doesn't work like that.

      P3P may well be useless but saying that the assumption of cooperation automatically leads to failure is just plain wrong. Think about payment systems; I'm sure there are theoretically secure technologies for money transfer... but what is still one of the most common methods in the real world? handing over a piece of magnetic plastic and writing your name on a paper. A system fully based on trusting complete strangers has been the basis of our economy for a long time and it's worked wonderfully (to me the amount of fraud is surprisingly low).

    35. Re:So... by CowTipperGore · · Score: 3, Informative

      Not even Microsoft supports your argument. From their blog post:

      Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter.

      Rather than ignoring it, IE is assuming that Google told them something positive.

    36. Re:So... by Anonymous Coward · · Score: 0

      That's why I wouldn't use warezmail.com, yes. I trust Google to not read my email, yet I still expect them to try to harvest information for targeting ads from it. Similarly I expect them to try to harvest this information from +1 buttons idiots sprinkle on their site, so I pro-actively stop that kind of shit client-side because I don't benefit from it (as opposed to them taking care of spam filtering and storage for email). In short, I accept that Google will do data mining but not reading by a human and as a consequence will only give data to Google if it benefits me. Fuck warezmail.com, I don't trust them with anything.

    37. Re:So... by ozmanjusri · · Score: 1

      FTFY

      odds are this was the other way around and microsoft had "forgotten" to do something

      Bingo.

      Microsoft is just being opportunistic with some Google-bashing. In practice, Google is not complying with a vendor (Microsoft)-specific standard which many other sites also don't comply with.

      When good browsers do apply that standard, the Google server response is human-readable text, including a hyperlink, explaining why Google doesn't support the standard.

      --
      "I've got more toys than Teruhisa Kitahara."
    38. Re:So... by marcosdumay · · Score: 1

      So the offending party can all by itself circumvent the barriers the standard dictates against him. Isn't that alone enough reason to abandon the standard? Or do we expect the dishonest to act honestly on the web?

      I'm not defending Google, by the way. I just don't understand why Microsoft (or anybody else) is trusting the "evil bit" when it claims a package isn't evil.

    39. Re:So... by CowTipperGore · · Score: 1

      What Google is doing certainly is outside the spirit of the P3P system. They clearly are doing it on purpose.

      That said, P3P was an incomplete idea that has sat around a decade or so waiting to be finished. This issue has been documented and pretty well known for at least two years. It wouldn't be an issue if Microsoft correctly parsed the P3P header. Microsoft bringing this up now and trying to lay all the blame on Google is a calculated PR pile on.

    40. Re:So... by amicusNYCL · · Score: 3, Insightful

      In this case, "ignoring undefined policies" means that there are no stated privacy implications. If the P3P policy is blank then the site is saying there are no privacy implications for its cookies.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    41. Re:So... by CowTipperGore · · Score: 1

      In other words, if your server delivers a garbage or blank P3P header, the browser assumes there are no privacy implications? Sounds like a hole in the standard to me, such headers should be ignored IMO.

      And the standard agrees with you. Even Microsoft admits as much in their blog post:

      The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter.

    42. Re:So... by CowTipperGore · · Score: 0

      No. The browser is supposed to ignore the whole thing if it doesn't find anything it understands. Why MS doesn't make IE just go with the default of NO in those cases, I don't know.

      Because their implementation of P3P is broken. Of course, P3P itself is a broken standard that was never finished and is horribly out of date.

      Of course, why Google sends such a non-statement is questionable as well.

      Because Google does not support the crap standard but some browsers still want it. They pass a P3P header to the browser. They don't provide any P3P-compliant statements, instead providing a link to why they don't support P3P.

    43. Re:So... by Anonymous Coward · · Score: 1

      "Breaking and ignoring standards only matters when Microsoft does it. If Google does it then it's fine."

      This is why I absolutely do not treat Slashdot as a real news source or as a place of intelligent discussion. This place is basically a fanboy-fest.

    44. Re:So... by Anonymous Coward · · Score: 0

      Oh yeah? What about Facebook like button?

      I don't see any mention of that in Microsoft's complaints. This is nothing but a cheap PR stunt by Microsoft. They should try to compete by building a better product and not resort to cheap tricks like this.

    45. Re:So... by arose · · Score: 0

      We were so wrong to blame MS for istaowned windows and drive by trojans! Well, that or we can blame them for this as well. Take your pick.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    46. Re:So... by AngryDeuce · · Score: 1

      They are...

      Oh, you said better...never mind.

    47. Re:So... by cynyr · · Score: 1

      no, "no stated privacy implications" != "No privacy implications"... You have not been definitively told there are none, so the "safe" thing to do is to assume the worst and nuke it from orbit. TBH I'm not sure who wrote the spec the other way.

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
    48. Re:So... by arose · · Score: 2

      Google were breaking the spec here, in such a way that creates a valid P3P statement in the process which says "we won't be doing anything untoward with your cookies" - the field they use is not a text field and therefore the content they put into it is ignored, resulting in a zero length list of items they *will* do with the cookies...

      At which point any conforming client shouldn't let them do set or read cookies...

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    49. Re:So... by Anonymous Coward · · Score: 0

      funny: I'll have to remember this to rub their noses in it, next time I run into a googler.

      or, if they interview me, I'll ask THEM: "so, what is the proper response to a machine parsable field? TLV things or human-intended english? please support your answer."

      sigh. I cannot give google a pass. they act like god's gift to networking yet they make 'mistakes' like this? sorry, but I don't buy it.

      They did it properly, using a machine parsable field with no policy. The English part is just so confused users like you can go read their web page that explains why they need to do that. How would you suggest that they implement the "+1" feature on other web sites without doing this?

    50. Re:So... by AngryDeuce · · Score: 5, Interesting

      If you're using Chrome, I highly recommend ScriptNo. It took a while, but they've finally got a decent analogue of NoScript for Firefox. With its most restricted settings, it pretty much blocks everything you don't whitelist yourself, and has a special "antisocial" mode that automatically blocks all the social networking bullshit every fucking site in the world has now.

      ScriptNo and Adblock Plus are pretty much a necessity for web browsing these days, in my opinion.

    51. Re:So... by Obfuscant · · Score: 1

      I am sure you will say the same thing if Google employees starts reading your email for fun and profit.

      The ECPA doesn't call for voluntary compliance. Please stop using this silly analogy.

    52. Re:So... by Anonymous Coward · · Score: 0

      ...One would expect Google to have higher standards...

      No, none of us were born yesterday. We expect that Google is just like any other multinational corporation. They would turn you over and rape you for a penny of profit if they thought they could get away with it.

    53. Re:So... by Anonymous Coward · · Score: 0

      Seriously? This stupid bullshit was modded up? This asshole didn't even say anything factual.

    54. Re:So... by Anonymous Coward · · Score: 0

      You misspelled "standards compliant implementation".

    55. Re:So... by Anonymous Coward · · Score: 0

      agreed, been using adblock, saves my life not having to see as many ads. just installed ScriptNo.

    56. Re:So... by Rich0 · · Score: 1

      Yup. This sounds like the whole "GPL\0 is not the license this module is offered under. This module is proprietary." thing that was going on with some proprietary kernel modules a few years ago. In that case it really didn't have any negative impact to the end-user - just to kernel developers.

      While this is a bit of an exploit in P3P, I despise loopholes, so I'm not going to give Google a free pass here...

    57. Re:So... by amicusNYCL · · Score: 1

      It definitely sounds backwards, and may be only like that so that when it was implemented that everything would continue to work like it already did. But, I disagree that an empty P3P header is the same as a missing P3P header, or "no stated privacy implications" != "No privacy implications". An empty P3P header implies that the server is responding to a request for P3P information, and has no implications to disclose (which is the correct response if that is true). A missing P3P header would mean that the server is not even responding to P3P requests. Google should have left out the header, not supplied a header that had human-readable text which told browsers that there are no privacy implications. The cookies would have been blocked if there was no header, so this is Google's way of not restricting any cookies based on the user's IE settings. I was faced with the same problem, but unlike Google I actually took the time to research what the P3P keywords meant and put together a policy that reasonably described our cookie usage.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    58. Re:So... by Barbara,+not+Barbie · · Score: 2

      How would you suggest that they implement the "+1" feature on other web sites without doing this?

      Short answer - don't! I'm sick and tired of all this bogus tracking crap. If you absolutely insist on having a +1, then also have a -1, so we can tell you how we really feel! Same as if you're going to have a Like button, also have a Hate button.

      --
      Let's call it what it is, Anti-Social Media.
    59. Re:So... by Whuffo · · Score: 1

      Microsoft is just using the same kind of "logic" that my ex-wife did during our divorce. Accuse, accuse, accuse with all the bad information they can manufacture.

      It doesn't matter if you're innocent or not; most folks will only remember the accusation.

      Get the facts and you'll see what this is really all about; Microsoft trying to beat down a competitor using any and all tactics they can.

    60. Re:So... by Tepic++ · · Score: 2

      I believe the idea is that it is a legally binding promise from the website operator to the user. It's not trying to be a technical fix.

    61. Re:So... by davester666 · · Score: 5, Interesting

      Actually, I would say it's worse in Microsoft's case because:

      1) msn.com and live.com BOTH use the described technique to 'work around' P3P in IE 9
      2) Microsoft's web site recommends doing this to work around an IE 9 'bug'.

      --
      Sleep your way to a whiter smile...date a dentist!
    62. Re:So... by fast+turtle · · Score: 1

      This is exactly what the problem is with the "Allow All" thinking. If everyone went with the "Deny All" and whitelist what is actually needed, we wouldn't have most of the damn problems we do as this shit wouldn't be possible to begin with.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    63. Re:So... by MidGe · · Score: 2

      "...they have some of the best engineers of the planet."

      That may be so, but the best engineers are still immersed in a corporate culture. A corporate culture that seems to have changed a lot since the pre-float days! It is quite different from the founders' motto of those days!

      I used to evangelize for Google, well before the float, that is. I am currently moving as completely as I can from all their services. I don't like the new deal about combining their various services one bit.

    64. Re:So... by Ash-Fox · · Score: 2

      What Google is doing certainly is outside the spirit of the P3P system. They clearly are doing it on purpose.

      I remember having to break P3P the EXACT same way Google did to make embedded elements like iframes work properly from the same site, which should have worked properly to begin with according to the spec, but guess which browser failed at doing that...

      You'd think being the IE team, they'd know about some of the really bad workarounds created to deal with their browser.

      --
      Change is certain; progress is not obligatory.
    65. Re:So... by Ash-Fox · · Score: 2

      This is why I absolutely do not treat Slashdot as a real news source or as a place of intelligent discussion. This place is basically a fanboy-fest.

      Did you know that msn.com and live.com use the same technique Google uses?

      Also, I have used the exact same technique to work around issues with a certain browser (name begins with an 'i') where it was the only way to get embedded elements to work properly (such as iframes) from the same website, which the spec doesn't prevent, but that specific browser does!

      --
      Change is certain; progress is not obligatory.
    66. Re:So... by Anonymous Coward · · Score: 0

      Just because people think they can shame Google into playing nice, doesn't mean those Doubleclick rat bastards will.

      That's those rat bastards at Doubleclick by Google?

      Uh-oh, someone needs to adjust their World view...

    67. Re:So... by Anonymous Coward · · Score: 0

      Source for 2?

    68. Re:So... by ozmanjusri · · Score: 2

      So how do you propose companies like Apple and Microsoft distinguish between cases where they should follow established industry standards and specs or deviate from them?

      They pay attention when the organisations proposing the standards suspend work on them? Note that this happened with P3P in 2007.

      "After a successful Last Call, the P3P Working Group decided to publish the P3P 1.1 Specification as a Working Group Note to give P3P 1.1 a provisionally final state.
      The P3P Specification Working Group took this step as there was insufficient support from current Browser implementers for the implementation of P3P 1.1. The P3P 1.1 Working Group Note contains all changes from the P3P 1.1 Last Call. The Group thinks that P3P 1.1 is now ready for implementation. It is not excluded that W3C will push P3P 1.1 until Recommendation if there is sufficient support for implementation. "

      http://www.w3.org/P3P/

      --
      "I've got more toys than Teruhisa Kitahara."
    69. Re:So... by Anonymous Coward · · Score: 0

      No, P3P is trying to fit a social solution to a technical problem.

      Cookies. A Netscape invention like BLINK and frames, to make it easy to track people across visits. It then became used to track people within the same visit, because it looks nicer than using a querystring, and because of that we can't get rid of the stupid thing. And now that AJAX gives us a new way of keeping track of people within the same visit, people still use cookies instead, and we still can't get rid of the stupid thing.

      Cookies were a stupid idea from the beginning. It could have been done much better by letting the browser control it, rather than the server. Have the browser generate an ID per session, per site, and let the server match IDs to users. Problem solved. If people want to "remember me", that would be a setting in the browser, making a fixed ID for that one site. No storing things on the client, no tracking unless the user specifically asks for it.

      Heck, it would even have stopped those stupid webshop developers who decided to store prices in a cookie, and got surprised when people bought a TV for $1.

    70. Re:So... by Adrian+Harvey · · Score: 1

      Anyone know how to turn off the ones that pop up on slashdot? I can't moderate from my iPad since they came along - as they pop up when a finger touches the screen and steal the focus from the moderation drop down box.

      I can't find any option in slashdot options, and there's no noscript for safari for iOS...

    71. Re:So... by thsths · · Score: 2

      > P3P is a honor system anyways. The same effect could be obtained by a syntactically well-formed promise not to abuse the 3rd party cookies, but which google would never intend to keep...

      Yes, but that would not be legal. User tracking happens with the presumed consent of the user. Once a site knows that the user does not want to be tracked and continues, or even tricks the browser into tracking despite a setting that demands the opposite, the tracking becomes illegal activity.

      I am not sure most tracking sites bother with such fine distinctions, but they cannot hide from the law forever. The wild west days of the Internet are over.

    72. Re:So... by ArsenneLupin · · Score: 3, Insightful

      Yes, but that would not be legal.

      Exactly.

      And what we're trying to argue here is that google's subterfuge should not be legal either. What they did was say something to the computer in such a weird way that it means exactly the contrary to a human. This can't be right.

      It's as if a party A drafted a contract with a party B, and deliberately inserted some spelling errors in his promises to B, and later reneged on these promises under pretense that the text is just gobbledygook and thus not a legal commitment (all the while insisting that B should uphold his part of the deal). Very shady.

      An honor system works because of the implicit threat of shaming (or suing) a would-be infringer. Google infringed. So we are trying to shame them by pointing out what they did. If you take this away by saying "but the scheme is broken, it can be subverted by just making false promises, so Google is ok in doing what they did and Microsoft is stupid by behaving according to standard (ha!)", then you are indeed breaking it by helping Google out of a well-deserved public shame.

      It's the same as with robots.txt or similar schemes really. Trivially easy to ignore, but reputable spiders won't ignore it because they know that people will notice, and call them to it.

      I am not sure most tracking sites bother with such fine distinctions, but they cannot hide from the law forever.

      Only small sites need to hide. Big sites (apparently) don't need to, they're "too big to be considered rude" / "too big to be sued".

    73. Re:So... by Anonymous Coward · · Score: 0

      The standard mandates to ignore unknown policies, not to ignore the policy field, i.e. the complete string "This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info." must be ignored by conforming implementations because it contains no defined policy (like "ALL", "IND", "DSP", etc.). Microsoft does just that; that leaves an empty policy field, which according to P3P means that there are no privacy implications.

    74. Re:So... by Anonymous Coward · · Score: 1

      Actually, I would say it's worse in Microsoft's case because:

      1) msn.com and live.com BOTH use the described technique to 'work around' P3P in IE 9
      2) Microsoft's web site recommends doing this to work around an IE 9 'bug'.

      Could you provide some specifics (links/source code) on this claim? I took a quick look and could not find this, but I'd be happy to be proved wrong.

    75. Re:So... by Anonymous Coward · · Score: 0

      FWIW, Facebook does the same thing:

      P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"

    76. Re:So... by Cyberllama · · Score: 1

      To be fair, these are just technicalities. People with a grudge going over their practices with a fine-toothed comb. Remember the Wall Street Journal is owned by Rupert Murdoch and that Microsoft is Microsoft. The people making the claims here have a bone to pick in both cases. Google is only doing with their +1 button what Facebook does with their like button--except that Facebook actually keeps tracking you when you log out.

      Yes, Google is violating the spec to make things work the way they want them to, but they're only doing it to track logged-in users--something which logged-in users already opted in to. So at the end of the day, you can't say anybody's privacy was violated. Google is doing exactly what they told users they'd be doing, and just side-stepping some roadblocks thrown up by popular browsers in order to do it. They are violating a privacy-protection feature in order to do something which is not privacy-violating. They're cheating, and if they wanted to be evil, they could use those "cheats" to track people. I don't know about you, but I really can't be bothered to go get my pitchfork out of the barn for a hypothetical problem.

    77. Re:So... by Cyberllama · · Score: 1

      Genuinely curious here. What law exactly makes that illegal? I've never heard of such a law.

    78. Re:So... by makomk · · Score: 1

      Actually, from what I can tell it doesn't say that they won't be doing anything untoward with the cookies. In order for them to make that statement they'd have to include one of the P3P policy tokens declaring that they didn't. In actual fact it's not a valid P3P policy at all precisely because it doesn't say anything about their privacy policies that's machine readable.

      For some reason, Internet Explorer just assumes that any P3P policy not containing one of a specific set of forbidden policies is saying that the site meets the privacy requirements to set third-party cookies even when it's not a P3P policy at all.

    79. Re:So... by hairyfeet · · Score: 2

      Hey thanks for the heads up, the one thing I missed when I switched from Firefox (which has gotten too bloated and slow) is my NoScript. It works perfectly in Comodo Dragon BTW, and combined with Comodo Dragon's security features really works great. If you haven't tried the Dragon give it a spin, it has some really nice security options like SecureDNS for the browser only and site inspector.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    80. Re:So... by hairyfeet · · Score: 1

      I think there is like a rule that once a company gets a certain size they just HAVE to turn evil, it's like the greed of that many people combined just tips the scale. Hell look at MSFT, once upon a time they were just this small software and OS company that was undercutting the competition while Kildall was the more elitist of the two, but then one day they got to a certain size and it was like the little nerds grew Snidely Whiplash mustaches and started doing Dr Evil laughs. Now Google has gone from a bunch of nerds going "hey wouldn't this be cool?" to "How can we monetize this for maximum shareholder value?" and is just another nasty company. Damned shame but it seems to happen to all of them eventually.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    81. Re:So... by Anonymous Coward · · Score: 0

      Computer Fraud and Abuse Act. Anti wire-tapping statutes. About 50 state laws.

    82. Re:So... by Anonymous Coward · · Score: 0

      I use gmail, and I'm fully prepared for the possibility of someone on their end reading my email :) If I wanted to talk about things I'd be scared to have someone at Google (or the government, or whatever) read, I'd try harder: set up my own sendmail, use gpg, or something.

    83. Re:So... by ceoyoyo · · Score: 1

      The standard says such headers should be ignored. It's a hole in IE, exploited by Google, of course, but still a bug in the browser.

    84. Re:So... by Sloppy · · Score: 1

      How does it protect user privacy if something as trivial as the attack described above totally defeats it?

      It expresses desire/intent to good-faith actors, just like do-not-track. It's useless for "protecting" things, but otherwise a pretty decent idea in optimistic settings, and vastly better-than-nothing when interacting with good-faith actors. It's not stupid, just not a good general-purpose approach for the Internet.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    85. Re:So... by davester666 · · Score: 1
      --
      Sleep your way to a whiter smile...date a dentist!
    86. Re:So... by ArtDent · · Score: 1

      Wait, are you concerned with the privacy implications of +1 or are you bothered by the lack of -1? Pick one.

      In any case, Google users get to choose whether they want to opt in or out of the service:

      https://profiles.google.com/+1/personalization/

    87. Re:So... by Barbara,+not+Barbie · · Score: 1

      Both. It's not an either-or thing. False dichotomy and all that ...

      --
      Let's call it what it is, Anti-Social Media.
    88. Re:So... by billcopc · · Score: 1

      I see no reason to protect the stupid from themselves. If someone wants to write sloppy software that opens them up to abuse, that's their right. We already have too many bad programmers in this industry. Let them make embarrassing mistakes so those of us who are actually competent can point, laugh, and negotiate raises.

      --
      -Billco, Fnarg.com
    89. Re:So... by Anonymous Coward · · Score: 0

      I've interviewed there twice. They may have some of the most aspy engineers on the planet, and those engineers may be very good at working with machines, but they'll never be best where it counts: working with human beings.

    90. Re:So... by Cyberllama · · Score: 1

      That doesn't appear to be correct information. Nothing in the Computer Fraud and Abuse Act really covers it, and I can't imagine how you could possibly construe a cookie as "wiretapping". There's a difference between tracking someone's computer with a cookie (or some other method) and illegally accessing it. We're talking about a law that obliges advertisers to "play fair" and respect the wishes of people on the internet, but I doubt such a law exists. I've heard of "Do Not Track" list laws being proposed, but I don't think any of them have been passed. As far as I know, at least in the United States, you opt out of tracking by taking software measures against it (disabling cookies, blacklisting domains in your hosts file, etc)--not by saying "pretty please stop" and then magically expecting that request to have the force of law behind it.

      Of course, standard IANAL disclaimer applies here and I'd love to be proven wrong--I just don't think such a law exists.

    91. Re:So... by Cyberllama · · Score: 1

      I should add that the closest thing I could think of is COPA, but even then, the law doesn't give users a *legal right* to opt out of tracking, it just specifically exempts children (regardless of consent).

    92. Re:So... by Anonymous Coward · · Score: 0

      Yes, Google are breaking the spec. Did they do it deliberately? Probably yes, in order to get certain features to work, which was necessary because P3P is badly designed and doesn't handle the case of a single company using multiple domains to provide integrated services very well.* Did Google present a valid P3P token? No. So should it have been accepted by IE and Safari? No, but it was anyway. Quite frankly I think any privacy spec which relies on websites to be honest (like P3P and DNT), is fatally flawed, but the problem is most users don't care to learn enough to use an explicit whitelisting approach to privacy.

      In this situation neither Google nor MS come out looking squeaky clean IMO.

      *I do wonder about the anti-trust implications of Google breaking their services in IE and Safari, leaving their browser (Chrome) and the other one they provide most of the funding for (Firefox) working.

  2. Film at 11 by Anonymous Coward · · Score: 1

    Browser requires link to allow cookies, website provides link, browser allows cookies. Film at 11.

  3. This is like Jack the Ripper by Spy+Handler · · Score: 2

    telling us that Charles Manson does bad things...

    1. Re:This is like Jack the Ripper by Anonymous Coward · · Score: 0

      Yes and it also warns users that Google is not following the rules.

    2. Re:This is like Jack the Ripper by Anonymous Coward · · Score: 0

      telling us that Charles Manson does bad things...

      ... and has no impact on the validity of what they're saying. Who gives a fuck if you don't like the messenger. Doesn't make the message any less true.

    3. Re:This is like Jack the Ripper by cupantae · · Score: 1

      No it's not. It's one company making a complaint about another.
      If this is the beginning of the big companies goading one another into following standards, it's great news for the user.
      But it probably isn't.

      --
      --
    4. Re:This is like Jack the Ripper by AK+Marc · · Score: 1

      Wait, so Rush Limbaugh talking about Nancy Pelosi was unbiased and just as true as anything the NYT says about Nancy?

    5. Re:This is like Jack the Ripper by SydShamino · · Score: 3, Insightful

      The problem with that line of thought is that it allows one person to dominate the discussion by shouting nonsense. If someone keeps saying un- and half-truths repeatedly, and you take the time to independently analyze the validity of what they say, you never have any time to consider the viewpoints of others or to form your own opinions.

      It's much easier, and indeed human nature, to eventually decide that source doesn't contribute anything meaningful to the discussion, and ignore it entirely.

      Examples:
      a) Microsoft and anything about unfair trade practices (to some people)
      b) 126.67.234.x and spam (to many spam filters, and I just made up that IP address range)
      c) Political talking heads who fill various cable news channels 24/7
      d) Boys who previously cried wolf

      --
      It doesn't hurt to be nice.
  4. "Do no evil"......or..... by __aasehi2499 · · Score: 1

    NOT!!!

    1. Re:"Do no evil"......or..... by Anonymous Coward · · Score: 0

      Do mo' evil

  5. A broken standard was shipped by Anonymous Coward · · Score: 1

    And it's Google's fault, of course.

  6. Dear Microsoft Iexplore team by FudRucker · · Score: 0, Offtopic

    If a website (including google) can bend your browser over and sodomize it then they will, so instead of crying about a website violating some rule of conduct just build a secure operating system & browser that cannot be taken advantage of (since they are supposed to be integrated and inseparable)

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:Dear Microsoft Iexplore team by smelch · · Score: 4, Insightful

      Yeah, just build a secure OS and browser that doesn't allow people to use cookies as tracking cookies. Oh shit, the only way to do that would be to not support cookies at all. And holy crap, IE allows you to turn cookie support off.

      You don't really understand the problem here, do you? It's a potential ethics violation by Google, not a technical violation. It's like if a company published inaccurate ingredients on a can of nuts, and you're bitching about shoddy can manufacturing.

      --
      If I can just reach out with my words and touch a butthole, just one, it will all be worth it.
    2. Re:Dear Microsoft Iexplore team by maxwell+demon · · Score: 4, Interesting

      The problem is that, according to the standard, the browser should ignore any policy it cannot understand. Ignoring a policy means acting as if it didn't exist. If no policy exists, IE's behaviour with default settings is to not allow the cookie. Therefore by the standard, it shouldn't accept cookies when it doesn't understand the policy. If IE doesn't do that, it's the browser's fault.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:Dear Microsoft Iexplore team by DavidRawling · · Score: 2

      I'm with you on this one - well, partially at least. The problem is that the spec doesn't really plan for a site saying "We don't want to tell you that we do lots of stuff that may or may not be parseable in this header, so here's some text plus a URL for the browser to not show". Microsoft should definitely have assumed the worst case scenario for PII use, not the best case.

      Now I'll agree that the URL is valid - but it's completely useless because no browser on earth actually shows that info. The engineer who decided the compact policy reference should be JUST the URL because the other parts of the spec aren't perfect deliberately chose to obfuscate Google's information use, just as much as Microsoft chose not to show the P3P URL to users (except when it's buried in the UI - I haven't seen it ever work).

      Let's also not forget that Google chose not to make the XML version available to the browser for evaluation - so there's a second deliberate avoidance of any machine-readable information. And the fact that it's twice avoided is the red flag to me.

    4. Re:Dear Microsoft Iexplore team by BZ · · Score: 2

      No. According to the standard, the browser should ignore any policy _statement_ it doesn't understand. That's very different from what you said, because a _policy_ is a list of statements indicating what the cookies are used for. A policy containing no statements is the way for a site to use P3P to say "we don't use the cookies for anything".

      So the standard requires that a policy with only invalid statements be treated like a policy with no statements at all, which is the "these cookies are not used for anything" policy.

      You can argue that that's a dumb standard (and I would agree), but IE is in fact implementing it correctly as far as I can tell. And Google is purposefully abusing the standard, again as far as I can tell.
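      To make the two readings argued over in comment 73 and in this reply concrete, here is a small compact-policy evaluator. It is an added example, not code from any poster, Microsoft or Google; the base token table is the P3P 1.0 compact vocabulary, the suffix handling is simplified, and the "unsatisfactory" rule is constructed for the example and does not reproduce IE's real evaluation table.

```python
import re
from typing import List, Optional, Tuple

# Added example; not code from any poster, Microsoft or Google. It models the
# two readings of a P3P compact policy (CP) argued over in this thread.

# Base tokens of the P3P 1.0 compact-policy vocabulary.
KNOWN_TOKENS = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",             # access
    "DSP", "COR", "MON", "LAW", "NID",                    # disputes, remedies, non-identifiable
    "CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
    "CON", "HIS", "TEL", "OTP",                           # purposes
    "OUR", "DEL", "SAM", "UNR", "PUB", "OTR",             # recipients
    "NOR", "STP", "LEG", "BUS", "IND",                    # retention
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
    "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",  # categories
    "TST",                                                # test policy
}
# Purpose and recipient tokens may carry an a/i/o suffix (always, opt-in,
# opt-out). The suffix rule is simplified in this example.
SUFFIXED = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON",
            "HIS", "TEL", "OTP", "DEL", "SAM", "UNR", "PUB", "OTR"}

# Constructed "unsatisfactory" rule standing in for a browser's real table
# (which this example does not reproduce): sensitive data categories combined
# with recipients outside the site's own control.
SENSITIVE = {"PHY", "ONL", "FIN", "HEA", "GOV"}
OUTSIDE = {"UNR", "PUB", "OTR"}


def classify_token(raw: str) -> Optional[str]:
    """Return the base token if raw is a well-formed CP token, else None."""
    base, suffix = raw[:3], raw[3:]
    if base not in KNOWN_TOKENS:
        return None
    if suffix == "" or (base in SUFFIXED and suffix in ("a", "i", "o")):
        return base
    return None


def parse_cp(header: str) -> Tuple[List[str], List[str]]:
    """Split a P3P header value into (recognised base tokens, unknown tokens).

    Accepts 'CP="..."' (with or without a leading 'P3P:') or a bare token string.
    """
    match = re.search(r'CP\s*=\s*"([^"]*)"', header)
    body = match.group(1) if match else header.strip().strip('"')
    recognised, unknown = [], []
    for raw in body.split():
        base = classify_token(raw)
        if base is None:
            unknown.append(raw)
        else:
            recognised.append(base)
    return recognised, unknown


def unsatisfactory(tokens: List[str]) -> bool:
    """Constructed rule: declared sensitive categories shared outside the site."""
    declared = set(tokens)
    return bool(declared & SENSITIVE) and bool(declared & OUTSIDE)


def lenient_decision(header: Optional[str]) -> str:
    """Reading described in comment 73 and the reply above: unknown tokens are
    dropped, the remainder is the policy, and an empty remainder declares no
    use, so the third-party cookie is allowed."""
    if header is None:
        return "block"                      # no header at all: default block
    recognised, _ = parse_cp(header)
    return "block" if unsatisfactory(recognised) else "allow"


def strict_decision(header: Optional[str]) -> str:
    """Hardened reading: a header with no recognised token is treated exactly
    like a missing header, so the cookie is blocked; only a policy that makes
    a recognised, satisfactory statement is trusted."""
    if header is None:
        return "block"
    recognised, _ = parse_cp(header)
    if not recognised or unsatisfactory(recognised):
        return "block"
    return "allow"


# Sample headers: the first two are quoted in this thread, the rest are constructed.
GOOGLE_CP = ('CP="This is not a P3P policy! See '
             'http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 '
             'for more info"')
FACEBOOK_CP = 'CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"'
DECLARED_CP = 'CP="NOI DSP COR NID CURa ADMa DEVa OUR IND"'
SHARING_CP = 'CP="ALL DSP COR FIN CURa ADMa PUB UNR"'

if __name__ == "__main__":
    for name, hdr in [("none", None), ("google", GOOGLE_CP), ("facebook", FACEBOOK_CP),
                      ("declared", DECLARED_CP), ("sharing", SHARING_CP)]:
        print(f"{name:9} lenient={lenient_decision(hdr):5} strict={strict_decision(hdr)}")
```

      Running it shows the thread's disagreement in one table: the "this is not a P3P policy" headers are allowed under the lenient reading and blocked under the strict one, while a missing header and a well-formed policy are decided the same way by both.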

  7. Hm...interesting approach... by betterunixthanunix · · Score: 1

    Sounds like you are asking the bad guys to cooperate with you. If you want to protect user privacy, do not allow sites to set arbitrary cookies, do not allow iframes to set or read cookies, and so forth. Does anyone really think that Google is going to voluntarily respect privacy, when their entire business is based on tracking people?

    We have seen proposal after proposal based on the idea that either users should be forced to opt-out of invasions of their privacy, or that the people who want to violate users' privacy will cooperate and not commit such violations. How about giving browsers some teeth, and creating browsers that actually protect user privacy without regard to advertiser profits?

    --
    Palm trees and 8
    1. Re:Hm...interesting approach... by Anonymous Coward · · Score: 0

      Sounds great, but all of the browser vendors (save Opera) are in bed with advertisers.

      Internet Explorer: Microsoft: Bing
      Chrome: Google (ads and analytics)
      Firefox: Google (ads and analytics)
      Opera: ????

    2. Re:Hm...interesting approach... by recoiledsnake · · Score: 1

      Opera too gets a lot of money from Google.

      --
      This space for rent.
    3. Re:Hm...interesting approach... by Anonymous Coward · · Score: 0

      Opera just recently announced they're buying two ad-serving networks.

  8. What does Bing do? by ardeez · · Score: 1

    What does Bing do?

    --
    don't be a spelling loser
    1. Re:What does Bing do? by phonewebcam · · Score: 0

      It serves results from Google. And that site's been up an awful long time for any errors, misconceptions and ... FUD to have been discovered and corrected by now, so we'll just leave it to the astroturfers to mod down the truth whilst enjoying their hugely entertaining comedy squirming around having been caught red handed. This happens every time that link is mentioned on Slashdot. Why, it's almost like the $5 per handset Android extortion - there's clearly no way to deal with such disgusting behaviour other than paying shills to bury it.

    2. Re:What does Bing do? by recoiledsnake · · Score: 1

      That link is much ado about nothing. If the user has agreed to the conditions of the Bing bar, it uploads the keyword and the link that was clicked on. No other information like the results returned or the ranking of the results is sent to MS. This is used as one of the many signals by Bing. I fail to see how this is the same as "serving results from Google".

      --
      This space for rent.
    3. Re:What does Bing do? by mystikkman · · Score: 1

      >It serves results from Google [blogspot.com]. And that site's been up an awful long time for any errors, misconceptions and ... FUD to have been discovered and corrected by now,

      OMG, I've just found conclusive proof that the earth is flat!!!

      The below site hasn't been updated in ages and is still up, it means whatever it says is true!!!

      http://www.alaska.net/~clund/e_djublonskopf/Flatearthsociety.htm

      Off for a drive to the edge of the earth. Hope they have erected a barrier so people won't fall off.

    4. Re:What does Bing do? by Anonymous Coward · · Score: 0

      The results came from Google. How they were pilfered doesn't matter. The user of the Bing bar cannot give Microsoft permission to pilfer those results on behalf of Google.

      It's no different than if The Pirate Bay put up an EULA where the user has to accept giving TPB permission to share the music he uploads. The user doesn't own the music in the first place. (Ok, TPB is a bad example, because while Bing hosts those pilfered results themselves, TPB only provides pointers to the source. Sorry for that, but I don't remember which sites work in what way - I still prefer music on CDs).

  9. IE's fault? by Todd+Knarr · · Score: 5, Insightful

    When I was configuring P3P for Mozilla/Firefox, it distinguished between what exactly the P3P policy was stating. If the site didn't say in the P3P policy what it was doing with cookies, Firefox assumed the worst. It seems to me that if the IE devs were dumb enough to stop after seeing a P3P policy presented and didn't bother checking what it said, or if they assumed a lack of a statement indicated respect for privacy, that's a failure in IE. The code needs to start out assuming personal information is collected and used without consent, and then upgrade only if the P3P header specifically says something better. It's not like that's hard to implement.

    Then again, we've seen similar problems in Microsoft software time and time again: they assume the best (input's valid, doesn't contain special characters, etc.) until they detect otherwise, even though best practices say to do the opposite (assume input's invalid until analyzed and proven correct, list the known non-special characters and filter out or escape everything not in that list).

    1. Re:IE's fault? by rusty0101 · · Score: 1

      It looks to me that Google is doing exactly what their p3p policy says they will do. It also looks to me like IE is assuming that simply because there is a reference to a p3p that it says whatever the developer thinks a p3p should say, rather than whatever it actually says.

      I'm not saying that Google shouldn't be setting up a situation where 3rd party cookies may be accepted when they are not wanted. I don't know how the p3p in place was decided upon, but just because I have a valid driver's license, doesn't give me authority to drive any vehicle known to exist. My curiosity may be such that if someone offers to let me try my hand at operating a Peterbilt tractor, I might give it a go, but that's not part of the class of license that I carry and can present.

      --
      You never know...
    2. Re:IE's fault? by Anonymous Coward · · Score: 0

      Why on earth would Google return a P3P policy that only contains P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info" instead of just, oh I don't know, not sending anything at all in the absence of a policy?

    3. Re:IE's fault? by OverlordQ · · Score: 4, Informative

      It looks to me that Google is doing exactly what their p3p policy says they will do.

      No, it's doing the exact opposite. P3P is a list of things you *WILL USE* the cookie data for, not what you *WILL NOT* do. Per the spec, if it's not a valid tag it gets ignored; remove all the invalid stuff and google is effectively sending P3P="", or in other words, they won't use it for anything.

      --
      Your hair look like poop, Bob! - Wanker.
    4. Re:IE's fault? by Todd+Knarr · · Score: 1, Insightful

      Wrong. "P3P=" isn't saying they won't use it for anything, it's not saying anything about what they'll use it for. You're supposed to be able to trust anything said in the P3P header, but nothing in the P3P spec says they have to say anything. And if they don't say anything about a specific subject, best practice is to assume the same as if they hadn't included the P3P header at all (at least regarding whatever item you're looking at at the moment).

      If you need someone to drive a vehicle for you and they won't say whether they have a driver's license or not, do you assume they've got one and it's valid for the vehicle you need them to drive? No, you assume they don't.

    5. Re:IE's fault? by thatbloke83 · · Score: 1

      But I thought that we were supposed to assume that everyone is innocent until proven guilty? :)

    6. Re:IE's fault? by recoiledsnake · · Score: 2

      Google intentionally breaks a W3C standard for its profit and it's totally MS' fault and Google is the knight in shining armor that deserves no blame whatsoever. Wow, just wow.

      --
      This space for rent.
    7. Re:IE's fault? by Anonymous Coward · · Score: 0

      I just wasted a bunch of time searching the spec and I can't find anything to confirm what you or the handful of others defending IE6's behavior are saying. There's no default in the spec of promising anything. I looked, because I couldn't believe the spec could be that stupid. It's not. If I'm wrong, show the part of the spec that agrees with you.

    8. Re:IE's fault? by arose · · Score: 1

      If it's not a policy IE shouldn't accept it as one.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    9. Re:IE's fault? by Anonymous Coward · · Score: 0

      You completely missed the point. Please research how P3P actually works before posting again. Absence of a policy means nothing should be sent, not a "policy" that says "this is not a policy." It's absurd, and so was your reply.

    10. Re:IE's fault? by Anonymous Coward · · Score: 1

      Actually, IE does assume something bad is going to happen with your data by default, and only assumes something good is going to happen if you futz around with the P3P header.

      Firefox assumes something good is going to happen by default. You don't even have to set a P3P header to get it to think that.

      Compare reading and writing of cookies from sites displayed in an iframe between the two browsers. FF will allow it no matter what, IE will only allow it with a P3P header (set in the headers of the site being displayed in the iframe) set correctly (or incorrectly, whatever).

    11. Re:IE's fault? by Anonymous Coward · · Score: 0

      Agree. I can't believe the acrobatics that the Google apologists are going through to defend this. I would expect this from some home brew or shady site, but not Google. Let's call foul when we see it rather than trying to put lipstick on a pig shall we?

    12. Re:IE's fault? by Anonymous Coward · · Score: 0, Troll

      Internet Explorer is the only thing breaking a W3C standard here.

      P3P has been flagged as deprecated since 2007, and not to be used.

      ALL the other browsers out there can follow the standards just fine, yet IE breaks it by honoring tags that are specifically documented as not to be used.

      This is no different than all the websites that work perfectly in standards compliant browsers but break in IE, so they use javascript or server side detection to send totally different HTML just to get IE to display it in the first place.

      Are you trying to claim it is the website's fault for having to do that just to support IE, and NOT the fault of IE for not working correctly?

    13. Re:IE's fault? by arose · · Score: 1

      You deliberately ignored the point. If Google is sending a malformed policy (which I'm not disputing), IE shouldn't accept it, or at least not accept it in the most liberal way possible. Malformed data is a fact of life on the web and if they can't deal with undefined behavior they need to close shop and direct people to Firefox instead, because this is the lesser of the problems you get from that mindset. If MS wants to point out that Google are sending malformed headers that's what they should do (though they might need to clean up first); what they are doing however is blaming Google for IE being a piece of shit that can't be trusted on the web. I mean really, just about no website out there is completely to spec; if my browser sent my login password every time it encountered a non closed tag I'd blame the browser first and whoever compromised my system as a result second.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    14. Re:IE's fault? by mariasama16 · · Score: 1

      It looks to me that Google is doing exactly what their p3p policy says they will do.

      No, it's doing the exact opposite. P3P is a list of things you *WILL USE* the cookie data for, not what you *WILL NOT* do. Per the spec, if it's not a valid tag it gets ignored; remove all the invalid stuff and Google is effectively sending P3P="", or in other words, they won't use it for anything.

      Then, since Google's p3p policy is sent as just a URL, shouldn't IE be ignoring it since it's not valid?

    15. Re:IE's fault? by arose · · Score: 1

      A policy, whether malformed or not, is intended to convey what an organization will do with things like cookie data, not what they won't do.

      Right, so why the fuck does IE send data if the policy didn't give a reason? Because it's broken, that's why. Everything else is secondary; fix your browser first because that's what is leaking the damn information, then, AND ONLY THEN, we can worry about what servers should and shouldn't do.

      Did you even bother to do as you were advised earlier and read about how P3P works?

      That's easy, it doesn't. The server promises you to do X with the info, but there is nothing that will prevent it from doing whatever it wants. That makes all of this charade even more stupid.

      Of course you didn't, you'd rather continue to post replies about something you have zero information on. Good job, fuckwad.

      Insults don't change the fact that your rants ignore the point that IE is leaking data.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    16. Re:IE's fault? by Anonymous Coward · · Score: 0

      The entire point of P3P is that it's an honor system, and when companies abuse the system, bad (not security holes, mind you, but use of cookie data outside of user-specified preferences) things can happen depending on circumstances. In this case, it's Google blatantly abusing the system for commercial gain. You'd know that if you spent 60 seconds learning about what P3P is and what it is intended to provide. Jesus, you're truly a fucking idiot, but at least you've openly admitted you don't know a fucking thing about what you're talking about.

    17. Re:IE's fault? by arose · · Score: 1

      You are clearly reading something entirely different, then responding here. Whatever. Enjoy IE if a badly implemented security theater makes you feel better.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    18. Re:IE's fault? by Anonymous Coward · · Score: 0

      You've got it all wrong (again). I'm reading the actual specs on what P3P is and what it is intended to do, and then using this thing called reason to apply that knowledge to the situation being discussed. Of course, I'm also making it obvious that you're a pompous idiot, but that's your fault, not mine. Keep clinging to your completely errant notions about things, though; I bet the sand you've got your head stuck in tastes great.

    19. Re:IE's fault? by Ash-Fox · · Score: 1

      The entire point of P3P is that it's an honor system, and when companies abuse the system, bad (not security holes, mind you, but use of cookie data outside of user-specified preferences) things can happen depending on circumstances.

      What's the point of following P3P to the letter if browsers like IE are going to break things like iframes from the same website and the only way you can get them to work is to break the spec in order to get something to work that should be working to begin with?

      I say this from previous experience.

      In this case, it's Google blatantly abusing the system for commercial gain.

      Guess you never ran into my problem with iframes on the same site.

      --
      Change is certain; progress is not obligatory.
    20. Re:IE's fault? by BradleyUffner · · Score: 1

      It looks to me that Google is doing exactly what their p3p policy says they will do.

      No, it's doing the exact opposite. P3P is a list of things you *WILL USE* the cookie data for, not what you *WILL NOT* do. Per the spec, if it's not a valid tag it gets ignored; remove all the invalid stuff and Google is effectively sending P3P="", or in other words, they won't use it for anything.

      Then, since Google's p3p policy is sent as just a URL, shouldn't IE be ignoring it since it's not valid?

      That's exactly what they are doing. Think of the P3P tag as a list of "bad" things the site says it will do. An empty tag says that the site won't do anything bad. Google is abusing the spec by sending an invalid P3P entry that makes it /look/ like they are reporting their cookie use, but the malformed tag gets ignored and looks to the browser like a tag that says "I won't do anything bad". The tag actually says "Here is a URL with a list of all the stuff I will use this cookie for", but the spec doesn't define how to parse this so it gets ignored.

      At least that's my understanding.

    21. Re:IE's fault? by Todd Knarr · · Score: 1

      Then your understanding would be incorrect. The P3P compact policy isn't a list of the "bad" things the site says it will do. It's a list of the things, both good and bad, that the site promises to abide by. An empty tag isn't a promise not to do anything bad, it's a lack of a promise either way. Think of it as deciding whether to loan money to someone or not and asking them to say whether they intend to pay the money back or take it and disappear. If they refuse to say either way, you're not going to take that as a promise to pay it back, are you?

      As for a URL in the compact policy, the spec does in fact define how to parse it: you tokenize it, ignore those tokens that don't match those defined by the P3P spec and interpret what's left. If there aren't any recognizable tokens, you interpret it as if the CP had been empty. Sensible code interprets that as a lack of any firm promise about anything.

    22. Re:IE's fault? by Anonymous Coward · · Score: 0

      Ok, they could not do this, with the result being their services don't work as well in IE, then get accused of anti-competitive action by favouring Chrome and Firefox.

  10. Question by miltonw · · Score: 1

    According to Google, there is no code in the P3P standard to accurately describe how Google uses cookies. In other words, they can't accurately describe it in standard P3P code.

    I'm not trolling, I'm actually curious. If we assume that statement is accurate, how should a website use the P3P header?

  11. it's because IE implementation is buggy by Twillerror · · Score: 5, Insightful

    In IE iframes will block cookies if you don't have the right P3P policy. There were other bugs that would prevent your site's cookies from being read.

    I've "faked" a P3P header just so users of certain IE browser versions could use my site.

    At the end of the day the standard is a proposal and only MS thinks it's worth a hill of beans.

    1. Re:it's because IE implementation is buggy by Anonymous Coward · · Score: 1

      They certainly didn't code to the "standard." You can clearly read it on the P3P page:

            P3P user agents MUST NOT rely on P3P compact policies that do not comply with the P3P 1.0 or P3P 1.1 specifications or are obviously erroneous.
            Such compact policies SHOULD be deemed invalid and the corresponding cookies should be treated as if they had no compact policies. The following
            guidelines are designed to reduce the chance that a P3P user agent will accept an invalid compact policy.

      So if IE were conforming to, well any standard at all, let alone the P3P one, it would do what the standard says with Google's malformed P3P - ignore it as if it didn't exist and act accordingly. This is not a 'nuance' as the author suggests but rather one company blatantly violating the proposed standard (Google) and another failing to code to the condition correctly (Microsoft). Yet another case of two jerks wanting a public battle in which both sides are in the wrong.

      Pissing matches make for poor reading material, IMO.
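The tokenize-and-ignore parsing Todd Knarr describes above and the spec clause quoted in this comment, worked through as an added Python example (not code from Microsoft, Google or anyone in the thread). It assumes a simplified acceptance model for third-party cookies: the token vocabulary is P3P 1.0/1.1's, but the "declares tracking" rule and the strict/lenient modes are assumptions made for illustration; the Google and Facebook header values are the ones quoted in this thread, and the other three policies are constructed.

```python
import re
from typing import NamedTuple, Optional

# Compact-policy vocabulary as defined by P3P 1.0 (NID was added in 1.1).
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP"}
REMEDIES = {"COR", "MON", "LAW"}
NON_IDENTIFIABLE = {"NID"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
           "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
TEST = {"TST"}
PLAIN_TOKENS = (ACCESS | DISPUTES | REMEDIES | NON_IDENTIFIABLE | PURPOSE
                | RECIPIENT | RETENTION | CATEGORY | TEST)
# Purposes other than CUR and recipients other than OUR may carry a
# one-letter consent suffix: a (always), i (opt-in) or o (opt-out).
SUFFIXABLE = (PURPOSE - {"CUR"}) | (RECIPIENT - {"OUR"})

# Assumed, simplified definition of "declares tracking" used below:
# identifying data categories combined with a purpose beyond running the
# site, or a recipient other than the site itself, without opt-in consent.
IDENTIFYING = {"PHY", "ONL", "GOV", "FIN", "UNI"}
SITE_OPERATION = {"CUR", "ADM", "DEV"}

# Header values quoted in this thread (Google's and Facebook's) plus three
# constructed policies that exercise the decision logic.
GOOGLE_P3P = ('CP="This is not a P3P policy! See http://www.google.com/'
              'support/accounts/bin/answer.py?hl=en&answer=151657 for more info"')
FACEBOOK_P3P = 'CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"'
BENIGN_P3P = 'CP="NOI DSP COR CUR ADMa DEVa OUR NOR NAV STA"'  # constructed
TRACKING_P3P = ('CP="CAO DSP COR CUR ADMa DEVa TAIa OUR BUS IND '
                'PHY ONL UNI NAV INT DEM STA"')                # constructed
MIXED_P3P = 'CP="NOI DSP COR NID CUR OUR NOR STA BOGUS"'       # constructed, one undefined token


class Token(NamedTuple):
    base: str
    suffix: str  # "", "a", "i" or "o"


class CompactPolicy(NamedTuple):
    recognized: list
    unknown: list


def parse_compact_policy(header: Optional[str]) -> Optional[CompactPolicy]:
    """Tokenize the CP="..." part of a P3P header.

    Returns None when the header is missing or has no CP attribute. Tokens
    the spec defines go to `recognized`; everything else goes to `unknown`
    (the spec tells user agents to ignore undefined tokens).
    """
    if header is None:
        return None
    m = re.search(r'CP\s*=\s*"([^"]*)"', header)
    if m is None:
        return None
    recognized, unknown = [], []
    for raw in m.group(1).split():
        if raw in PLAIN_TOKENS:
            recognized.append(Token(raw, ""))
        elif len(raw) == 4 and raw[:3] in SUFFIXABLE and raw[3] in "aio":
            recognized.append(Token(raw[:3], raw[3]))
        else:
            unknown.append(raw)
    return CompactPolicy(recognized, unknown)


def declares_tracking(tokens) -> bool:
    """Assumed rule: identifying data plus a non-operational purpose or an
    outside recipient, unless that purpose/recipient is opt-in ("i")."""
    if not {t.base for t in tokens} & IDENTIFYING:
        return False
    for t in tokens:
        if t.suffix == "i":
            continue
        if t.base in PURPOSE and t.base not in SITE_OPERATION:
            return True
        if t.base in RECIPIENT and t.base != "OUR":
            return True
    return False


def accepts_third_party_cookie(header: Optional[str], strict: bool = True):
    """Decide whether a third-party cookie carrying `header` is accepted.

    strict=True follows the quoted spec text: a CP that is not well formed
    is treated as if absent, and an empty CP promises nothing. strict=False
    models the lenient reading argued over in the thread: undefined tokens
    are dropped and whatever remains, even nothing, is evaluated on its own.
    Returns (accepted, reason).
    """
    cp = parse_compact_policy(header)
    if cp is None:
        return False, "no compact policy: third-party cookie blocked"
    if cp.unknown and strict:
        return False, "invalid compact policy treated as absent"
    if not cp.recognized:
        if strict:
            return False, "empty compact policy promises nothing"
        return True, "empty compact policy read as 'no tracking declared'"
    if declares_tracking(cp.recognized):
        return False, "policy declares tracking use"
    return True, "policy declares only non-tracking use"


def compare(header: Optional[str]) -> dict:
    """Strict vs lenient outcome for one header, for side-by-side review."""
    return {"strict": accepts_third_party_cookie(header, strict=True),
            "lenient": accepts_third_party_cookie(header, strict=False)}


if __name__ == "__main__":
    for name, hdr in [("google", GOOGLE_P3P), ("facebook", FACEBOOK_P3P),
                      ("benign", BENIGN_P3P), ("tracking", TRACKING_P3P),
                      ("mixed", MIXED_P3P), ("none", None)]:
        print(name, compare(hdr))
```

Running it shows the disputed gap directly: the Google and Facebook values contain no defined token at all, so a strict user agent blocks the cookie while a lenient one accepts it, whereas the constructed tracking policy is refused either way.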

    2. Re:it's because IE implementation is buggy by Mouldy · · Score: 1

      Parent has hit the nail right on the head. I used to work on Facebook games for an indie games company and now I'm in charge of 'doing Facebook' for another company and so cross domain Iframe cookie problems are something I come across a lot. Maintaining user sessions inside iframes isn't straightforward.

      Relatively recently, Facebook updated their apps platform so that app iframes to 3rd party sites are POSTed to via JavaScript to avoid Safari's limitation on accepting 3rd party cookies. Previously the workaround was to have some js in your page that would post to itself - both methods trick Safari into thinking the user actively navigated to the iframe and so should accept cookies.

      Facebook have yet to implement a trick to make IE accept 3rd party cookies and so the widely used workaround is to use either a genuine or dud p3p header.

      Yes, these hacks and workarounds are nasty and yes they're bad for standards - but if browser vendors insist on such privacy controls they need to make it much more user friendly for users to whitelist sites. Most of the users we get through Facebook don't know what cookies are - they just want our apps to work. Blocking cookies without even prompting the user is not the way forward.

  12. In cases where P3P is not precise enough by tepples · · Score: 4, Informative

    According to Google, there is no code in the P3P standard to accurately describe how Google uses cookies. [In such a case,] how should a website use the P3P header?

    The article answers this question by quoting a section from the P3P spec:

    In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements.

    1. Re:In cases where P3P is not precise enough by irregular_hero · · Score: 4, Informative

      The article answers this question by quoting a section from the P3P spec:

      In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements.

      This is correct. However, as stated further down in the same section, the effect of such policies is to be positive and declarative (meaning the policy should state what the site DOES do, not what it DOES NOT do), and be informative to the user. The standard allows for user agents to then use the P3P policy to make it the basis for "authorization" but then goes on to state that implementers of user-agents can make their own decisions as to what the declarations mean in the context of the connection.

      This has led to situations where browsers that implement P3P and tie it to certain "security features" end up with a browser implementation that works dramatically differently than other browsers for the very same privacy declaration. In most cases, browsers do not even IMPLEMENT a user-readable informational dialog for P3P -- it is by standard the browser implementers' decision.

      If you're keeping score at home, that's bad.

  13. Which cookie are we talking about here? by Lussarn · · Score: 1

    Just asking... I do not think we are talking about a tracking/advertising cookie here. I'm very certain Google uses first-party cookies for tracking/advertising (meaning it's your site and not Google that sets/owns the cookie). And first-party cookies need no P3P. Or am I wrong?

    1. Re:Which cookie are we talking about here? by viperidaenz · · Score: 1

      As stated in the URL they send in the invalid P3P policy, they use third party cookies to make Google+ +1 buttons work and other unimportant things

  14. Wait, how is this not an IE issue? by Anonymous Coward · · Score: 0

    How is this a Google issue and not an IE issue?

    If a site offers a tainted cookie, isn't it the responsibility of the browser to reject it? How exactly is a browser "tricked" into accepting it?

    1. Re:Wait, how is this not an IE issue? by AK Marc · · Score: 3, Insightful

      Google is offering up the tainted cookies, so it's a Google issue. IE is mishandling the cookies, so it's a Google issue, or so says MS. If either of them handled the standard correctly, there would be no issue. Neither follows it, so both have issues.

  15. Don't Be Evil by EverlastingPhelps · · Score: 1

    Did we say evil? We mean Don't Get Caught.

    1. Re:Don't Be Evil by Anonymous Coward · · Score: 0

      You've got that wrong - it was:

      Don't! Be Evil!

  16. Remember DoubleClick? by SSpade · · Score: 5, Interesting

    Remember DoubleClick? The sleazy advertising company that everyone loved to hate? Remember when they merged with Abacus Direct, creating a merged company that would mine and combine everything from web cookies to physical addresses, names and phone numbers? Remember when this privacy issue was such an obvious risk that the FTC launched investigations into it? Or when they were widely categorized as malware purveyors, or when they were caught serving drive-by malware infections?

    Remember when they merged with a search company, changed their name to Google and kept doing all the same things?

    No? Thought not.

    1. Re:Remember DoubleClick? by Anonymous Coward · · Score: 1

      > ...the FTC launched investigations...

      Ever wonder what became of those "investigations"?

      No? Thought not. ;-)

    2. Re:Remember DoubleClick? by tapspace · · Score: 1

      *swish*

    3. Re:Remember DoubleClick? by Anonymous Coward · · Score: 0

      Remember DoubleClick? The sleazy advertising company that everyone loved to hate? Remember when they merged with Abacus Direct, creating a merged company that would mine and combine everything from web cookies to physical addresses, names and phone numbers? Remember when this privacy issue was such an obvious risk that the FTC launched investigations into it? Or when they were widely categorized as malware purveyors, or when they were caught serving drive-by malware infections?

      Remember when they merged with a search company, changed their name to Google and kept doing all the same things?

      No? Thought not.

      You need to get with the Slashdot program. DoubleClick is now Google, so not doing anything evil. And if they are, someone else is probably worse, so it is ok.

  17. Don't be Evil by mschaffer · · Score: 1

    So, does running a truck through loopholes, bad specs, known bugs, etc.---when the intent is clear---constitute being evil?

  18. The Good the Bad and the Bull by Anonymous Coward · · Score: 0

    Google bad....Bing good. And so goes the bullshit from Redmond, read this bullshit however you wish it is just continuation of the already advanced "screw Google" campaign... http://www.dailyfinance.com/2009/08/28/microsofts-secret-screw-google-meetings-in-d-c/ which unfortunately has now become a daily post item essential on Slashdot. Until the Microsoft shills are stopped from posting shit like this on Slashdot the only reason I come here is to see how much damage they have done to a once very relevant tech forum.

  19. Evil bit? by mwvdlee · · Score: 3, Insightful

    This whole P3P thing just sounds like the evil bit all over again.
    How exactly is P3P supposed to protect users' privacy?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:Evil bit? by Anonymous Coward · · Score: 0

      It protects users from future violations by making violators undeniably accountable for their past violations. If Google sets the evil bit to false and then goes on to do evil in spite of that then they're not living up to their promises and the evidence is out in the open.

    2. Re:Evil bit? by Anonymous Coward · · Score: 0

      Haha, new article title: "Google server refuses to follow standards, will not set the evil bit when required."

      Yes, the point is that P3P doesn't really work, but it is nice to have something that always lets you get at the privacy, EULA, IP, etc. agreements associated with the service currently being displayed in the browser. Maybe it's arguable that these are enforceable, but it's just good business to know what you are being demanded to agree to.

  20. Hows about... by Anonymous Coward · · Score: 0

    Google honor the DNT header? I've got javascript and meta redirects disabled and it's really irritating when Google starts redirecting their search results to track clicks.

  21. Time to have opt-in as a default by Anonymous Coward · · Score: 0

    It's really time that tracking, cookies, online advertising became opt-in instead of opt-out. I block EVERYTHING by default now and have for some months. I started off with just Adblock Plus, but that wasn't good enough. Then I added a very aggressive hosts file with over 300k entries. Still not good enough. It seems there are new tracking mechanisms being put in place almost daily. Basically I have to whitelist content and sites I want to see because of the absolute cesspool of Internet monetization out there. Ghostery doesn't cover nearly enough bad stuff. Basically I want websites down to the bare metal and I've pretty much got it down to a science now, but it took a while and the right combination of tools and command line tricks to get this far.

    I refuse to see any online ads, get tracked, and allow websites to use me for profit when I am not allowed to realize any of that profit myself. No thanks. I block all social media "like" buttons and scripts because they track you even when you do not have a profile with the respective service. It's getting ridiculous and I know I'm not the only one angry over this stuff. I already pay to use the Internet so my bandwidth and eyeballs are mine. It's surprising just how quick sites load without all the useless, evil dreck.

    1. Re:Time to have opt-in as a default by Anonymous Coward · · Score: 0

      I refuse to see any online ads, get tracked, and allow websites to use me for profit when I am not allowed to realize any of that profit myself.

      Do you know how you profit yourself? By looking at the content created by those who host those pages you block the ads on.

      I guess they should just be providing that content to you gratis.

    2. Re:Time to have opt-in as a default by Barbara, not Barbie · · Score: 1

      People don't mind the advertising so much - it's the tracking that bugs us the most. The all-pervasive, obsessive-compulsive, privacy-invading stalking behavioural tracking ...

      Just like we don't mind ads on TV - we either watch them, channel surf, or go do a couple minutes worth of housework, but if TV ads watched us back, we'd find that unacceptable as well.

      Cookies to preserve state in client-server web apps == good. Cookies to track peoples behaviour == bad. Cross-site cookies == bad by definition.

      --
      Let's call it what it is, Anti-Social Media.
    3. Re:Time to have opt-in as a default by Anonymous Coward · · Score: 0

      People don't mind the advertising so much

      Yes, we do. We mind it sufficiently to block it where possible.

    4. Re:Time to have opt-in as a default by Anonymous Coward · · Score: 0

      What in the phuck u talkin bout? "We" (an over-abused group-think word) hate ads.

      On TV - post DTS, "We" (there's group-think word again) had to get laws passed to normalize the fuckin sound as teh commercials were so fuckin loud it blasted some globalist puppet psychopath senator out of his/her bed. Even the mainstream fascist propaganda single story news stations advertise how their news is so phucking good, how they have so much integrity, or "where the news comes first" horseshit since their news is anywhere from two days to two months fucking old, all neatly re-edited with the establishment spin on the shit. War War War motherfucker.

      On Radio - ads suck, they can go for HOURS, get tje prostate, the super c, the hylaronic acid, the purity products, the

      On Streaming video - With all the fuckin annotations and pop-ups and ads, some videos are literally getting to be impossible to watch.

      On Websites - Nothing but trojans, worms, and ads come in on iframes. Look at ebay a site which is nothing but an ad in theory, needs to dirty itself up with even more ads in their phucking headers. No wonder people wish eBay Desktop (AIR) would get an update! Where's those adobe air programmers?

      On Electronic Billboards - Snooping on your radio's IF to find which ch you listened to and displaying in real time some shit fine tuned to you as you drive your vehicle off the road rubber necking.

      In Email - I think one of the worst--since I don use duh webmail or pop3 html mail, plain text only bitchez--ashampoo, next time use a throw away account.

      Pre-Patriot Act -- Search engines are here to make a profit. Using +Fravia (RIP) methods to fight back, that was about it.
      Post-Patriot Act -- Clearly Search engines along with social media (another sick globalist psychopath terminology-used to be called a fuckin bbs, a forum, a messageboard) now have allowed DHS/NSA claws into their shit, since the only terrorists now are the ones the FBI create false flags, combined with fascist media, in true 1984 fashion / the Hegelian dialectic problem reaction solution results in tracking to target Americans with the unconstitutional psychopathic bullshit instead of terrorists, like the globalist puppets breaking the Logan Act, gutting the constitution, and allowing the banksters to fuck everyone in the ass.

      But you know what I won't call you stupid. Just wake the fuck up now that you know.
      Don't drink fluoride, just say no to flu vaccines, put Monsanto out, stop voting for globalist puppets. I don't give a shit if they are democrat or republican; if they have ties to CFR, AIPAC, PNAC, UN, NATO, IPCC, what the fuck do you think they will do locally?? --This is why they are slowly shoving Agenda 21 down our throats--and take note-- even your local city council is globalist psychopaths with their sustainable bullshit.

      However your punishment is now...
      1. Get your ass over to landdestroyer.blogspot.com and connect the dots.
      2. Get your ass over to http://mapper.nndb.com/start/?map=16545

    5. Re:Time to have opt-in as a default by Barbara, not Barbie · · Score: 1

      Freetards - alive and well, and now with twice the stupidity.

      Re: TV - over-modulated ads haven't been much of a problem since BEFORE the regulations requiring normalization of sound - unless you bought a cheap set that didn't have auto volume control. As for the length of time of TV ads, I prefer a 3-minute block of ads - it lets me put away the dishes or fold some laundry or make the bed or any one of a number of things that need to be done.

      Re: Radio - if you don't like the ads on it, again, the technical solution is to carry your own music, audiobooks, etc.

      Re: Streaming video: so pay to stream stuff ad-free (oh wait, you want it for nothing)

      Re: Websites: So go elsewhere. Start your own. Go into the big blue room and take a break. Relax.

      Re: Electronic billboards: Get a better-shielded radio, duh! Or some duct tape and tin foil ...

      Re: Email: so what's the problem again, since you don't use webmail or html mail? Oh right, there isn't one, you just want to complain.

      Re: Search engines: So instead of using them, just bookmark the damn site once and be done with it. Is it *that* hard? Or create your own. It's not that hard to write a crawler. It's even easier to pay someone else to, if you can't. Just put your money where your mouth is.

      --
      Let's call it what it is, Anti-Social Media.
  22. Eh? by Anonymous Coward · · Score: 0

    What muppets still use IE anyway? :s

  23. Pot, kettle... by sxyzzx · · Score: 1

    For some reason, they neglected to mention that Microsoft's own sites have also been found doing EXACTLY THE SAME THING. Weird.

  24. Mozilla and Opera? by Anonymous Coward · · Score: 0

    Any word from, or about, Mozilla and Opera yet?

  25. Life Imitates Art by divide overflow · · Score: 1

    >Google’s P3P policy is actually a statement that it is not a P3P policy.

    As Rene Magritte would say: "Ceci n'est pas une politique P3P."

  26. Do not track... others by SuperKendall · · Score: 1

    If what you say is right, why would Google release a do not track extension for Chrome?

    Two possible answers:

    1) Google knows only a handful of people will download and install such things anyway, leaving the general population easily tracked.

    2) You know that Google does not track you even with the extension installed how again? Preventing anyone BUT Google from tracking you is quite the competitive advantage.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  27. A P3P Policy which isn't a P3P Policy? by idontgno · · Score: 2

    That's very surreal, Google.

    René Magritte would approve.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  28. What? by AmberBlackCat · · Score: 1

    Never mind the protocol failure. If I'm reading this right, and it is right, then it seems the real problem is the W3C is attempting to create a standard designed to make web browsers accept third party cookies even though the user sets the browser to not accept any third party cookies. Now we'll need a setting to not accept third party cookies and another setting to really not accept third party cookies.

  29. Cookie Privacy by Anonymous Coward · · Score: 0

    Flash Player plugins fail in privacy, also. They do NOT retain my user settings (either in IE or Firefox) -- no storage of anything on my PC! So every Flash video page thinks it can set a flash cookie. Adobe's Fault?

  30. Bad Indeed by Nicknamename · · Score: 0

    You know things have gotten bad when Microsoft are the good guys.

    --
    Hitler hates pedophiles.
  31. Facebook too by Anonymous Coward · · Score: 0

    Facebook does exactly the same thing:

    P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"

    If IE is doing anything based on these bogus headers, that's Microsoft's own fault.

  32. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  33. enough is enough, google confirmed evil. by smash · · Score: 1

    Once or twice is a mistake, but Google have been doing "evil" things repeatedly for a while now. I'm moving my stuff to iCloud (don't laugh). As a paid service (with mac purchase, subscription for additional data, etc) the payment is not my privacy.

    Blaming it on the browser is a cop out. If you're NOT evil, you wouldn't exploit it. I'm sure if the shoe was on the other foot (and someone was exploiting, say, a hole in Google's network to steal trade secrets) Google would be mighty pissed.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  34. g))GLE by Anonymous Coward · · Score: 0

    oo is a spying man in the middle attacking deception of a front corporation sucking all the big toes yumm yumm why is anyone surprised over this seemingly docile misuse of American citizens' basic right to the pursuit of happiness and this fucknut spy bunch is shredding it right before the world's eyes

  35. BLOCK P3P by Anonymous Coward · · Score: 0

    what rules do we put into squid to block p3p policies everywhere?
    can the files be named anything and in any directory?
    or do p3p come in iframes?

    toss a brutha a bone here.

  36. Who else has been doing this? by 0-9a-f · · Score: 2

    Everyone seems to be getting all het-up about Google abusing trust, being deceptive, yada yada... But it's a fact: Google get headlines worldwide.

    In a world of clouds, +1s, and Likes, people want to circumvent the 2001 P3P objectives because that's how they want the web to work in 2012. So if IE is quietly ignoring P3P for Google, what other unknown, untrusted, and non-headline-grabbing sites might have been doing the same thing for the last 10 years? It seems other browsers ignore P3P as pointless, but not IE.

    It may be that by Google risking a minor PR hit, they might encourage Microsoft to drop the charade of P3P protection, and just maybe get enough people interested in pursuing a real solution.

    --
    With each breath in, a flower somewhere opens; with each breath out, a flower withers away. In between lies beauty.
    1. Re:Who else has been doing this? by FloydTheDroid · · Score: 1

      People are probably so up in arms about it because Google was taken to court over privacy issues in Buzz and the outcome of that was that Google agreed that they wouldn't make any future privacy misrepresentations.

      I personally have my browsers set to block 3rd party and advertiser cookies so if some company were to put a cookie on my machine when I was trying my damnedest to not allow them to, well, that would make me a little miffed. The thing that gets me is all the companies doing this make me agree to a eula to use their site but when I ask them to obey the settings I've made on my machine they conveniently ignore them.

  37. Patch Tuesday? by GoochOwnsYou · · Score: 1

    So can Microsoft not patch P3P in IE to identify these workarounds, or simply reject Google cookies?

    --
    This sig has been distributed under the Creative Commons license.
    1. Re:Patch Tuesday? by Duncan+Booth · · Score: 1

      They could, but then they'd have to reject Facebook's similar abuse of P3P and they don't want to do that.

  38. IE Code by Wattos · · Score: 1

    Let me guess. This is what IE code looks like

    [...]
    SecuritySettings s= new SecuritySettings();
    try {
            s.allowCookied= true;
            parseP3P(header, s);
    } catch (Exception e) { /* NEVER GOING TO HAPPEN!!111one */ }
    [...]

    1. Re:IE Code by BradleyUffner · · Score: 1

      Let me guess. This is what IE code looks like

      [...]
      SecuritySettings s= new SecuritySettings();
      try {
              s.allowCookied= true;
              parseP3P(header, s);
      } catch (Exception e) { /* NEVER GOING TO HAPPEN!!111one */ }
      [...]

      IE is correctly parsing the P3P data according to the spec. The problem is that the spec has a giant hole in it that Google is abusing.

  39. It's Compliant by Anonymous Coward · · Score: 0

    As I just posted on their blog

    This is just a case of Microsoft being incompetent and blaming the competition for their mistakes. I find this post to be nothing but a defamatory post in shameless self-promotion of Microsoft's anti-tracking cookie technology - put in place to address the security shortcomings of their own browser product.

    Did any of the IE team actually read the P3P specifications? Google's Compact Policy, while it does not adhere to the required machine-readable vocabulary, does not make any false or misleading statements whatsoever. There is no valid CP vocabulary in this string at all and therefore it should be treated as such, invalid or non-existent.

    I would like to also quote from the document under the same section:

    "3.2.2 The POLICY element

    The POLICY element contains a complete P3P policy. Each P3P policy MUST contain exactly one POLICY element. The policy element MUST contain an ENTITY element that identifies the legal entity making the representation of the privacy practices contained in the policy. In addition, the policy element MUST contain an ACCESS element and one or more STATEMENT elements. It SHOULD contain a DISPUTES-GROUP element. It may contain a P3P data schema and one or more extensions."

    As there are no valid ACCESS or STATEMENT (That would be COMPACT-ACCESS, and COMPACT STATEMENT) elements in valid Compact Policy vocabulary as required above, I back up my argument that it is Internet Explorer itself that does not correctly conform to the aforementioned standards.

    It seems that w3's own validator tool would also agree with me:
    http://validator.w3.org/p3p/20020128/p3p.pl?uri=http%3A%2F%2Fwww.google.com

  40. bad programming? by ticktickboom · · Score: 0

    my question, how does a webpage override a program that's actually on your computer? it doesn't seem like rocket science to me. i only know a tad about mirc scripting, and an if-else pops into my head. the way it sounds, safari and internet exploder want to make the internet comply to them. whereas they should actually do what they advertise. the world's worst browser doesn't have much of a leg to stand on, i'm not sure where safari falls into this. but if the browsers were truly secure, there shouldn't be a prob. i am not a fan of google. i do not agree with that blasted google anylitics (sp) everywhere. if you click secure, it should be somewhat secure, not spark a lawsuit because they don't want to do actual programming. it really seems like they want the image of being secure, but do not actually want it to be. like most things. laptop encryption is in court atm, what about smart phone encryption? also, wanting to be secure is on the list of the fbi's 'you could be a terrorist if...' statement. they only want it to look like it's secure, not actually be secure.

  41. Accept all is bad by mysidia · · Score: 1

    The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter.

    Just as you shouldn't configure a firewall to allow incoming traffic to private computers on unknown (unassigned) port numbers by default ("default accept"), the P3P specification's choice of "default accept" for unknown policy tokens is a very poor one.

    It's not Google's fault that the spec is defunct and permissive.
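To make the disagreement in comments 31, 39 and 41 concrete, here is an added Python example (not code from the thread, Microsoft or the W3C) that tokenizes a `P3P: CP="..."` header and evaluates it two ways: a permissive mode that follows the spec's "ignore undefined tokens" rule and judges whatever is left, and a strict mode that treats a compact policy with no defined tokens as no policy at all. The "identifying categories" test is a simplified, assumed stand-in for a browser's real unsatisfactory-policy rule, and the sample headers are the Facebook one quoted above plus two constructed ones.

```python
import re

# Compact-policy vocabulary from P3P 1.0. Purpose and recipient tokens may carry
# an a/i/o suffix (always / opt-in / opt-out); the rest appear bare.
PLAIN = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON", "DSP", "COR", "MON", "LAW",
         "NID", "NOR", "STP", "LEG", "BUS", "IND", "PHY", "ONL", "UNI", "PUR",
         "FIN", "COM", "NAV", "INT", "DEM", "CNT", "STA", "POL", "HEA", "PRE",
         "LOC", "GOV", "OTC", "TST"}
SUFFIXED = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS",
            "TEL", "OTP", "OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
# Assumed, simplified "unsatisfactory" test: the policy admits to collecting
# identified-user data. This is NOT the exact rule any browser implements.
IDENTIFYING = {"PHY", "ONL", "GOV", "FIN"}

# Header quoted in the thread, plus two constructed sample policies.
FACEBOOK_HEADER = 'CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"'
BENIGN_HEADER = 'CP="NOI DSP COR NID CURa ADMa DEVa TAIa OUR NOR"'
TRACKING_HEADER = 'CP="NOI DSP COR PHY ONL CURa OUR"'


def cp_tokens(header_value):
    """Return the whitespace-separated tokens inside CP="...", or [] if absent."""
    m = re.search(r'CP="([^"]*)"', header_value)
    return m.group(1).split() if m else []


def known(tok):
    """True if tok is a defined compact-policy token (case-insensitive)."""
    base, suffix = tok[:3].upper(), tok[3:].lower()
    if suffix == "":
        return len(tok) == 3 and base in PLAIN
    return base in SUFFIXED and suffix in ("a", "i", "o")


def third_party_cookie_allowed(header_value, strict):
    """Decide whether a third-party cookie is accepted; returns (allowed, reason).

    Permissive mode mirrors the spec rule the thread argues about: undefined
    tokens are dropped and only the defined remainder is judged, so a policy made
    entirely of prose evaluates as 'nothing objectionable declared'. Strict mode
    requires at least one defined token before the policy counts as present."""
    tokens = cp_tokens(header_value)
    valid = {t.upper() for t in tokens if known(t)}
    if not tokens:
        return False, "no compact policy"
    if strict and not valid:
        return False, "compact policy contains no defined tokens"
    if IDENTIFYING & valid:
        return False, "policy declares identified-user data"
    return True, "policy satisfactory"
```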