Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Accuses Google of Violating Internet Explorer's Privacy Settings

Posted by Soulskill on from the capitalizing-on-bad-publicity dept.

New submitter Dupple writes with a followup to Friday's news that Google was bypassing Safari's privacy settings. Now, Microsoft's Internet Explorer blog has a post accusing Google of doing the same thing (in a different way) to Internet Explorer. Quoting: "By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent. P3P, an official recommendation of the W3C Web standards body, is a Web technology that all browsers and sites can support. Sites use P3P to describe how they intend to use cookies and user information. By supporting P3P, browsers can block or allow cookies to honor user privacy preferences with respect to the site’s stated intentions. ... Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy."

12 of 197 comments (clear)

  1. So... by The+MAZZTer · · Score: 5, Interesting

    In other words, if your server delivers a garbage or blank P3P header, the browser assumes there are no privacy implications? Sounds like a hole in the standard to me, such headers should be ignored IMO. Though Google really should have tested this properly with all browsers before deploying it in production it sounds to me like an oopsie, not at all like the Safari thing.

    1. Re:So... by samkass · · Score: 5, Insightful

      In other words, if your server delivers a garbage or blank P3P header, the browser assumes there are no privacy implications? Sounds like a hole in the standard to me, such headers should be ignored IMO. Though Google really should have tested this properly with all browsers before deploying it in production it sounds to me like an oopsie, not at all like the Safari thing.

      Google has been claiming "oopsies" almost weekly over the last couple months. In this case they put this in their policy: 'P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."' in what is meant to be a machine-readable field. Following the spec would have been easy-- omit the field altogether. Instead Google violates the spec in a way that benefits them. It's possible Google is just really incompetent over all these "oopsies", but they sure try to represent themselves as a company with above-average engineers. It has to be one or the other.

      --
      E pluribus unum
    2. Re:So... by TheGratefulNet · · Score: 5, Insightful

      funny: I'll have to remember this to rub their noses in it, next time I run into a googler.

      or, if they interview me, I'll ask THEM: "so, what is the proper response to a machine parsable field? TLV things or human-intended english? please support your answer."

      sigh. I cannot give google a pass. they act like god's gift to networking yet they make 'mistakes' like this? sorry, but I don't buy it.

      --

      --
      "It is now safe to switch off your computer."
    3. Re:So... by betterunixthanunix · · Score: 5, Insightful

      P3P sounds like a stupid idea anyway. How does it protect user privacy if something as trivial as the attack described above totally defeats it?

      If the IE or Safari teams really cared about user privacy, they would be more strict about allowing sites to set or read cookies. This is just an excuse for Microsoft and Apple to publicly bash one of their competitors while continuing to not give two hoots about their users.

      --
      Palm trees and 8
    4. Re:So... by ganjadude · · Score: 5, Funny

      P3P, Im still trying to master P2P!

      --
      have you seen my sig? there are many others like it but none that are the same
    5. Re:So... by irregular_hero · · Score: 5, Insightful

      Google has been claiming "oopsies" almost weekly over the last couple months. In this case they put this in their policy: 'P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."' in what is meant to be a machine-readable field. Following the spec would have been easy-- omit the field altogether. Instead Google violates the spec in a way that benefits them. It's possible Google is just really incompetent over all these "oopsies", but they sure try to represent themselves as a company with above-average engineers. It has to be one or the other.

      Can't say I really can fault Google for this. Explaining why would require an understanding of how P3P 1.0 objects are configured and how limited those types really are.

      P3P 1.1 work has stalled (albeit in provisionally final state) and is likely to not restart; in its absence is P3P 1.0 which exists firmly in the world-as-it-was of 2000/2001. It covers cookies and certain types of form transmission, but doesn't cover privacy aspects of other types of persistent data, new transmission protocols (like SPDY), advanced caching techniques, or HTML5 storage. Technology has advanced past the point that P3P 1.0 is useful -- and quite simply, it's doubtful it ever really was. If you visit the link Google supplies it explains some of their reasoning, and it's pretty dang valid for a post-2007 view of the Web.

      Those chucking bombs over this would be better served to focus their efforts on either modernizing or replacing P3P 1.0 -- or, better yet, trying something radically different like PRIME or Policy-Aware-Web tried to do.

    6. Re:So... by irregular_hero · · Score: 5, Informative

      You're splitting hairs here.

      P3P 1.0 doesn't allow for multi-site delclarations, only "cross-site" declarations. There can be one -- and only one -- P3P policy; by the standard it doesn't allow but ONE policy and states that others, if present, should be ignored. This just isn't how the Web works these days. Cloud services have pretty much become a defacto standard, but P3P forces site administrators to take a P3P policy from the integrated service and mash it into their own policy (and hope the service policy never changes). This just isn't practical.

      A site admin CHOOSES to use +1 buttons and FB like buttons. Inclusion of these objects would optimally prompt an admin to adjust their _own_ P3P policy, but it's just a plain 'ol administrative nightmare to manually take the respective organizations' policies and create a master policy out of all of them. It's fully manual; it has no concept of "merging" policies to present users with enough information to make informed choices on the multitude of SaaS services sites now use. That's the issue.

      The darn thing is broken. Period. Hard to claim "cop-out" when dealing with a protocol that's stuck in 2001.

    7. Re:So... by AngryDeuce · · Score: 5, Interesting

      If you're using Chrome, I highly recommend ScriptNo. It took a while, but they've finally got a decent analogue of NoScript for Firefox. With it's most restricted settings, it pretty much blocks everything you don't whitelist yourself, and has a special "antisocial" mode that automatically blocks all the social networking bullshit every fucking site in the world has now.

      ScriptNo and Adblock Plus are pretty much a necessity for web browsing these days, in my opinion.

    8. Re:So... by davester666 · · Score: 5, Interesting

      Actually, I would say it's worse in Microsoft's case because:

      1) msn.com and live.com BOTH use the described technique to 'work around' P3P in IE 9
      2) Microsoft's web site recommends doing this to work around an IE 9 'bug'.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. IE's fault? by Todd+Knarr · · Score: 5, Insightful

    When I was configuring P3P for Mozilla/Firefox, it distinguished between what exactly the P3P policy was stating. If the site didn't say in the P3P policy what it was doing with cookies, Firefox assumed the worst. It seems to me that if the IE devs were dumb enough to stop after seeing a P3P policy presented and didn't bother checking what it said, or if they assumed a lack of a statement indicated respect for privacy, that's a failure in IE. The code needs to start out assuming personal information is collected and used without consent, and then upgrade only if the P3P header specifically says something better. It's not like that's hard to implement.

    Then again, we've seen similar problems in Microsoft software time and time again: they assume the best (input's valid, doesn't contain special characters, etc.) until they detect otherwise, even though best practices say to do the opposite (assume input's invalid until analyzed and proven correct, list the known non-special characters and filter out or escape everything not in that list).

  3. it's because IE implementation is buggy by Twillerror · · Score: 5, Insightful

    In IE iframes will block cookies if you don't have the right P3P policy. There where other bugs that would prevent your site's cookies from being read.

    I've "faked" a P3P header just so users of certain IE browser versions could use my site.

    At the end of the day the standard is a proposal and only MS thinks it's worth a hill of beans.

  4. Remember DoubleClick? by SSpade · · Score: 5, Interesting

    Remember DoubleClick? The sleazy advertising company that everyone loved to hate? Remember when they merged with Abacus Direct, creating a merged company that would mine and combine everything from web cookies to physical addresses, names and phone numbers? Remember when this privacy issue was such an obvious risk that the FTC launched investigations into it? Or when they were widely categorized as malware purveyors, or when they were caught serving drive-by malware infections?

    Remember when they merged with a search company, changed their name to Google and kept doing all the same things?

    No? Thought not.