Microsoft Accuses Google of Violating Internet Explorer's Privacy Settings

← Back to Stories (view on slashdot.org)

Microsoft Accuses Google of Violating Internet Explorer's Privacy Settings

Posted by Soulskill on Monday February 20, 2012 @10:00AM from the capitalizing-on-bad-publicity dept.

New submitter Dupple writes with a followup to Friday's news that Google was bypassing Safari's privacy settings. Now, Microsoft's Internet Explorer blog has a post accusing Google of doing the same thing (in a different way) to Internet Explorer. Quoting: "By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent. P3P, an official recommendation of the W3C Web standards body, is a Web technology that all browsers and sites can support. Sites use P3P to describe how they intend to use cookies and user information. By supporting P3P, browsers can block or allow cookies to honor user privacy preferences with respect to the site’s stated intentions. ... Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy."

33 of 197 comments (clear)

Min score:

Reason:

Sort:

So... by The+MAZZTer · 2012-02-20 10:02 · Score: 5, Interesting

In other words, if your server delivers a garbage or blank P3P header, the browser assumes there are no privacy implications? Sounds like a hole in the standard to me, such headers should be ignored IMO. Though Google really should have tested this properly with all browsers before deploying it in production it sounds to me like an oopsie, not at all like the Safari thing.
1. Re:So... by samkass · 2012-02-20 10:07 · Score: 5, Insightful
  
  In other words, if your server delivers a garbage or blank P3P header, the browser assumes there are no privacy implications? Sounds like a hole in the standard to me, such headers should be ignored IMO. Though Google really should have tested this properly with all browsers before deploying it in production it sounds to me like an oopsie, not at all like the Safari thing.
  Google has been claiming "oopsies" almost weekly over the last couple months. In this case they put this in their policy: 'P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."' in what is meant to be a machine-readable field. Following the spec would have been easy-- omit the field altogether. Instead Google violates the spec in a way that benefits them. It's possible Google is just really incompetent over all these "oopsies", but they sure try to represent themselves as a company with above-average engineers. It has to be one or the other.
  
  --
  E pluribus unum
2. Re:So... by TheGratefulNet · 2012-02-20 10:12 · Score: 5, Insightful
  
  funny: I'll have to remember this to rub their noses in it, next time I run into a googler.
  or, if they interview me, I'll ask THEM: "so, what is the proper response to a machine parsable field? TLV things or human-intended english? please support your answer."
  sigh. I cannot give google a pass. they act like god's gift to networking yet they make 'mistakes' like this? sorry, but I don't buy it.
  
  --
  
  --
  "It is now safe to switch off your computer."
3. Re:So... by betterunixthanunix · 2012-02-20 10:18 · Score: 5, Insightful
  
  P3P sounds like a stupid idea anyway. How does it protect user privacy if something as trivial as the attack described above totally defeats it?
  
  If the IE or Safari teams really cared about user privacy, they would be more strict about allowing sites to set or read cookies. This is just an excuse for Microsoft and Apple to publicly bash one of their competitors while continuing to not give two hoots about their users.
  
  --
  Palm trees and 8
4. Re:So... by ganjadude · 2012-02-20 10:22 · Score: 5, Funny
  
  P3P, Im still trying to master P2P!
  
  --
  have you seen my sig? there are many others like it but none that are the same
5. Re:So... by ArsenneLupin · 2012-02-20 10:23 · Score: 3, Insightful
  
  P3P sounds like a stupid idea anyway. How does it protect user privacy if something as trivial as the attack described above totally defeats it?
  P3P is a honor system anyways. The same effect could be obtained by a syntactically well-formed promise not to abuse the 3rd party cookies, but which google would never intend to keep...
6. Re:So... by irregular_hero · 2012-02-20 10:25 · Score: 5, Insightful
  
  Google has been claiming "oopsies" almost weekly over the last couple months. In this case they put this in their policy: 'P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."' in what is meant to be a machine-readable field. Following the spec would have been easy-- omit the field altogether. Instead Google violates the spec in a way that benefits them. It's possible Google is just really incompetent over all these "oopsies", but they sure try to represent themselves as a company with above-average engineers. It has to be one or the other.
  Can't say I really can fault Google for this. Explaining why would require an understanding of how P3P 1.0 objects are configured and how limited those types really are.
  P3P 1.1 work has stalled (albeit in provisionally final state) and is likely to not restart; in its absence is P3P 1.0 which exists firmly in the world-as-it-was of 2000/2001. It covers cookies and certain types of form transmission, but doesn't cover privacy aspects of other types of persistent data, new transmission protocols (like SPDY), advanced caching techniques, or HTML5 storage. Technology has advanced past the point that P3P 1.0 is useful -- and quite simply, it's doubtful it ever really was. If you visit the link Google supplies it explains some of their reasoning, and it's pretty dang valid for a post-2007 view of the Web.
  Those chucking bombs over this would be better served to focus their efforts on either modernizing or replacing P3P 1.0 -- or, better yet, trying something radically different like PRIME or Policy-Aware-Web tried to do.
7. Re:So... by recoiledsnake · 2012-02-20 10:42 · Score: 4, Interesting
  
  P3P sounds like a stupid idea anyway. How does it protect user privacy if something as trivial as the attack described above totally defeats it?
  If the IE or Safari teams really cared about user privacy, they would be more strict about allowing sites to set or read cookies. This is just an excuse for Microsoft and Apple to publicly bash one of their competitors while continuing to not give two hoots about their users.
  Reading your Gmail emails should very trivial for Google employees. That doesn't make it okay does it? One would expect Google to have higher standards.
  You'd expect shady sites to "attack" a gentleman's agreement, not Google. If you think they're the same, would you be okay with hosting your mail on warez-email.com ? After all, they're both on the big bad internet.
  
  --
  This space for rent.
8. Re:So... by recoiledsnake · 2012-02-20 10:45 · Score: 4, Insightful
  
  Google is using +1 buttons to track visitors browsing on 3rd party sites to enhance their ad profiles for users. This is explicitly why P3P was even made as a standard. Circumventing the standard by sending invalid data while saying nothing exactly fits the definition is a cop-out.
  
  --
  This space for rent.
9. Re:So... by hairyfeet · 2012-02-20 10:50 · Score: 3, Interesting
  
  Because then you have tens of millions of users screaming "My Gmail won't load!"? lets face it folks can "spin" all they want but Google ain't THAT dumb. they have some of the best engineers of the planet. So can we all just accept that "Do no evil" is nothing more than "Think different" aka marketing bullshit and realize that Google is only gonna do what is best for Google already?
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
10. Re:So... by noh8rz2 · 2012-02-20 10:53 · Score: 4, Insightful
  
  don't blame the abuser! it's the victim's fault. she should have known better than to try to talk to him when he was stinking drunk again. Look what she made him do!
11. Re:So... by recoiledsnake · 2012-02-20 10:54 · Score: 3, Informative
  
  Gmail doesn't need third party cookies. This is about sites with +1 buttons. They allow Google to track all users across all sites that have them.
  
  --
  This space for rent.
12. Re:So... by CowTipperGore · 2012-02-20 11:01 · Score: 4, Insightful
  
  From my reading of Microsoft's long blog post, Google didn't violate the spec. IE does not correctly implement the spec and Google is abusing that by using a legal but illogical header. If Google doesn't say what they are doing with the data, then IE shouldn't provide it. Instead, Google says "I'm not telling you anything about my intent" and IE says "Good enough. The key's under the mat. Lock up when you're done." The whole system is trust based. Google doesn't promise anything and IE doesn't care. Google is being shady and Microsoft is being incompetent.
  My biggest problem here is Microsoft releasing this now in a lengthy blog post and trying to tie it to the Safari dust up. They know that the blogs will not include their full release and will instead carry the headline like you see here. This is a PR move at least as dishonest as what Google appears to be doing with their P3P header.
13. Re:So... by cheater512 · 2012-02-20 11:07 · Score: 4, Informative
  
  Course it is deliberate. Question: So what?
  It doesn't do anything to IE and is ignored by every other browser.
  P3P is deprecated and has been for years - no other browser pays any attention to it.
  All it does is make Google's products work properly with IE (not just ad tracking).
  If I needed to add gibberish to one of my sites like that P3P policy to make it work, I would.
14. Re:So... by irregular_hero · 2012-02-20 11:12 · Score: 5, Informative
  
  You're splitting hairs here.
  P3P 1.0 doesn't allow for multi-site delclarations, only "cross-site" declarations. There can be one -- and only one -- P3P policy; by the standard it doesn't allow but ONE policy and states that others, if present, should be ignored. This just isn't how the Web works these days. Cloud services have pretty much become a defacto standard, but P3P forces site administrators to take a P3P policy from the integrated service and mash it into their own policy (and hope the service policy never changes). This just isn't practical.
  A site admin CHOOSES to use +1 buttons and FB like buttons. Inclusion of these objects would optimally prompt an admin to adjust their _own_ P3P policy, but it's just a plain 'ol administrative nightmare to manually take the respective organizations' policies and create a master policy out of all of them. It's fully manual; it has no concept of "merging" policies to present users with enough information to make informed choices on the multitude of SaaS services sites now use. That's the issue.
  The darn thing is broken. Period. Hard to claim "cop-out" when dealing with a protocol that's stuck in 2001.
15. Re:So... by GIL_Dude · 2012-02-20 11:17 · Score: 4, Insightful
  
  Well, it is certainly trust based and open for abuse (people can certainly lie in the header). However, what Google should be doing is not providing a P3P header at all. It is only someone who is openly abusing the trust system who would create a P3P header that doesn't contain any P3P information. It is fairly clear that it was done on purpose - to abuse the trust system. Is that system a crap design? Yes. Yes, it is. Should major companies be out there abusing it if they want us to trust them? No. No, they should not. It is pretty clear from this that:
  
  1) We need to call out companies that do this type of thing. Not just with P3P but anytime they abuse the system or game it. They need to be made to understand that a very vocal set of folks will make it known what they are doing and that it is bad for their business to be found gaming trust systems.
  2) We need better systems that don't just trust whatever a company says about their intentions with our data.
16. Re:So... by Richard_at_work · 2012-02-20 11:18 · Score: 4, Insightful
  
  Quite simply, it allows stories like this - which is a good thing.
  P3P allows a website to make a very obvious statement about their intentions, to a set specification - if the website specifically sets a P3P that they don't honour then it becomes a PR issue, as it has in this case.
  Google were breaking the spec here, in such a way that creates a valid P3P statement in the process which says "we won't be doing anything untoward with your cookies" - the field they use is not a text field and therefor the content they put into it is ignored, resulting in a zero length list of items they *will* do with the cookies...
  That definitely should get Google into the tech media at least.
17. Re:So... by CowTipperGore · 2012-02-20 11:28 · Score: 3, Informative
  
  Not even Microsoft supports your argument. From their blog post:
  
  Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter.
  
  Rather than ignoring it, IE is assuming that Google told them something positive.
18. Re:So... by amicusNYCL · 2012-02-20 11:59 · Score: 3, Insightful
  
  In this case, "ignoring undefined policies" means that there are no stated privacy implications. If the P3P policy is blank then the site is saying there are no privacy implications for its cookies.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
19. Re:So... by AngryDeuce · 2012-02-20 13:21 · Score: 5, Interesting
  
  If you're using Chrome, I highly recommend ScriptNo. It took a while, but they've finally got a decent analogue of NoScript for Firefox. With it's most restricted settings, it pretty much blocks everything you don't whitelist yourself, and has a special "antisocial" mode that automatically blocks all the social networking bullshit every fucking site in the world has now.
  ScriptNo and Adblock Plus are pretty much a necessity for web browsing these days, in my opinion.
20. Re:So... by davester666 · 2012-02-20 16:18 · Score: 5, Interesting
  
  Actually, I would say it's worse in Microsoft's case because:
  1) msn.com and live.com BOTH use the described technique to 'work around' P3P in IE 9
  2) Microsoft's web site recommends doing this to work around an IE 9 'bug'.
  
  --
  Sleep your way to a whiter smile...date a dentist!
21. Re:So... by ArsenneLupin · 2012-02-20 21:17 · Score: 3, Insightful
  
  Yes, but that would not be legal.
  Exactly.
  And what we're trying to argue here is that google's subterfuge should not be legal either. What they did was say something to the computer in such a weird way that it means exactly the contrary to a human. This can't be right.
  It's as if a party A drafted a contract with a party B, and deliberately inserted some spelling errors in his promises to B, and later renegated on these promises under pretense that the text is just gobbledygook and thus not a legal commitment (all the while insisting that B should uphold his part of the deal). Very shady.
  A honor system works because of the implicit threat of shaming (or suing) a would-be infringer. Google infringed. So we are trying to shame them by pointing out what they did. If you take this away by saying "but the scheme is broken, it can be subverted by just making false promises, so Google is ok in doing what they did and Microsoft is stupid by behaving according to standard (ha!)", then you are indeed breaking it by helping Google out of a well-deserved public shame.
  It's the same as with robots.txt or similar schemes really. Trivially easy to ignore, but reputable spiders won't ignore it because they know that people will notice, and call them to it.
  
  I am not sure most tracking sites bother with such fine distinctions, but they cannot hide from the law forever.
  Only small sites need to hide. Big sites (apparently) don't need to, they're "too big to be considered rude" / "too big to be sued".
IE's fault? by Todd+Knarr · 2012-02-20 10:16 · Score: 5, Insightful

When I was configuring P3P for Mozilla/Firefox, it distinguished between what exactly the P3P policy was stating. If the site didn't say in the P3P policy what it was doing with cookies, Firefox assumed the worst. It seems to me that if the IE devs were dumb enough to stop after seeing a P3P policy presented and didn't bother checking what it said, or if they assumed a lack of a statement indicated respect for privacy, that's a failure in IE. The code needs to start out assuming personal information is collected and used without consent, and then upgrade only if the P3P header specifically says something better. It's not like that's hard to implement.
Then again, we've seen similar problems in Microsoft software time and time again: they assume the best (input's valid, doesn't contain special characters, etc.) until they detect otherwise, even though best practices say to do the opposite (assume input's invalid until analyzed and proven correct, list the known non-special characters and filter out or escape everything not in that list).
1. Re:IE's fault? by OverlordQ · 2012-02-20 10:31 · Score: 4, Informative
  
  It looks to me that Google is doing exactly what their p3p policy says they will do.
  No, it's doing the exact opposite. P3P is a list of things you *WILL USE* the cookie data for, not what you *WILL NOT* do. Per the spec, if it's not a valid tag it gets ignore, remove all the invalid stuff and google is effectively sending P3P="", or in other words, they wont use it for anything.
  
  --
  Your hair look like poop, Bob! - Wanker.
it's because IE implementation is buggy by Twillerror · 2012-02-20 10:26 · Score: 5, Insightful

In IE iframes will block cookies if you don't have the right P3P policy. There where other bugs that would prevent your site's cookies from being read.
I've "faked" a P3P header just so users of certain IE browser versions could use my site.
At the end of the day the standard is a proposal and only MS thinks it's worth a hill of beans.
In cases where P3P is not precise enough by tepples · 2012-02-20 10:29 · Score: 4, Informative

According to Google, there is no code in the P3P standard to accurately describe how Google uses cookies. [In such a case,] how should a website fill use the P3P header?
The article answers this question by quoting a section from the P3P spec:

In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements.
1. Re:In cases where P3P is not precise enough by irregular_hero · 2012-02-20 11:04 · Score: 4, Informative
  
  The article answers this question by quoting a section from the P3P spec:
  
  In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements.
  This is correct. However, as stated further down in the same section, the effect of such policies is to be positive and declarative (meaning the policy should state what the site DOES do, not what it DOES NOT do), and be informative to the user. The standard allows for user agents to then use the P3P policy to make it the basis for "authorization" but then goes on to state that implementers of user-agents can make their own decisions as to what the declarations mean in the context of the connection.
  This has led to situations where browsers that implement P3P and tie it to certain "security features" end up with a browser implementation that works dramatically different than other browsers for the very same privacy declaraion. In most cases, browsers do not even IMPLEMENT a user-readable informational dialog for P3P -- it is by standard the browser implementers' decision.
  If you're keeping score at home, that's bad.
Re:Dear Microsoft Iexplore team by smelch · 2012-02-20 10:31 · Score: 4, Insightful

Yeah, just build a secure OS and browser that doesn't allow people to use cookies as tracking cookies. Oh shit, the only way to do that would be to not support cookies at all. And holy crap, IE allows you to turn cookie support off.

You don't really understand the problem here, do you? It's a potential ethics violation by Google, not a technical violation. It's like if a company published inaccurate ingredients on a can of nuts, and you're bitching about shoddy can manufacturing.

--
If I can just reach out with my words and touch a butthole, just one, it will all be worth it.
Remember DoubleClick? by SSpade · 2012-02-20 10:40 · Score: 5, Interesting

Remember DoubleClick? The sleazy advertising company that everyone loved to hate? Remember when they merged with Abacus Direct, creating a merged company that would mine and combine everything from web cookies to physical addresses, names and phone numbers? Remember when this privacy issue was such an obvious risk that the FTC launched investigations into it? Or when they were widely categorized as malware purveyors, or when they were caught serving drive-by malware infections?
Remember when they merged with a search company, changed their name to Google and kept doing all the same things?
No? Thought not.
Re:Dear Microsoft Iexplore team by maxwell+demon · 2012-02-20 10:45 · Score: 4, Interesting

The problem is that, according to the standard, the browser should ignore any policy it cannot understand. Ignoring a policy means acting as if it wouldn't exist. If no policy exists, IE's behaviour with default settings is to not allow the cookie. Therefore by the standard, it shouldn't accept cookies when it doesn't understand the policy. If IE doesn't do that, it's the browser's fault.

--
The Tao of math: The numbers you can count are not the real numbers.
Evil bit? by mwvdlee · 2012-02-20 10:54 · Score: 3, Insightful

This whole P3P thing just sounds like the evil bit all over again.
How exactly is P3P supposed to protect users' privacy?

--
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Re:Wait, how is this not an IE issue? by AK+Marc · 2012-02-20 11:25 · Score: 3, Insightful

Google is offering up the tainted cookies, so it's a Google issue. IE is mishandling the cookies, so it's a Google issue, or so says MS. If either of them handled the standard correctly, there would be no issue. Neither follow it, so both have issues.

--
Learn to love Alaska
Re:This is like Jack the Ripper by SydShamino · 2012-02-20 11:35 · Score: 3, Insightful

The problem with that line of thought is that it allows one person to dominate the discussion by shouting nonsense. If someone keeps saying un- and half-truths repeatedly, and you take the time to independently analyze the validity of what they say, you never have any time to consider the viewpoints of others or to form your own opinions.
It's much easier, and indeed human nature, to eventually decide that source doesn't contribute anything meaningful to the discussion, and ignore it entirely.
Examples:
a) Microsoft and anything about unfair trade practices (to some people)
b) 126.67.234.x and spam (to many spam filters, and I just made up that IP address range)
c) Political talking heads who fill various cable news channels 24/7
d) Boys who previously cried wolf

--
It doesn't hurt to be nice.