Google: IE Privacy Policy Is Impractical
itwbennett writes "In response to Microsoft's claim that Google circumvented Internet Explorer privacy protections (following the discovery that Google also worked around Safari's privacy settings), Google on Monday said that IE's privacy protection, called P3P, is impractical to comply with."
I suppose privacy is impractical to those who want to sell our personal information.
We should get over the privacy aspect, if you truly want privacy there are ways to deal with it, and second I find it amusing that as often as IE gets raped on the Internet Microsoft chose this to get public about.
"If any question why we died, Tell them because our fathers lied."
Stop including P3P header data if all you're going to put is "this is not a P3P policy" in it. How impractical is that?
Do No... errr, nevermind.
Thank goodness they're not an evil company. It could have been M$ breaking the Web standard...
IE privacy protections were "circumvented" by Google sending a string stating, "This is not a P3P policy." Typical Microsoft quality product, that's like getting conned by a guy wearing a shirt that says "I don't guarantee I won't run off with your money" and then suing them.
Google on Monday said that IE's privacy protection, called P3P, is unprofitable to comply with."
SJW: Someone who has run out of real oppression, and has to fake it.
it's itworld!
So you're telling me it's impractical to send nothing or to NOT SEND BS in the field?
Congratulations for being as evil as MS
how long until
P3P has been Old and Busted since Slashdot first covered it in 2002.
Microsoft would never bring it up, if they weren't already in panic mode. This seems to indicate that MS is in far worse shape than we know.
Free unix account: freeshell.org
I think Google is being polite, as do people who quote a "lack of value"
From http://en.wikipedia.org/wiki/P3P
The main content of a privacy policy is the following:
which information the server stores:
which kind of information is collected (identifying or not);
which particular information is collected (IP address, email address, name, etc.);
Kind of information??? As if the AI problems were all solved. IP Address? Of course it is collected. Email address? Yes if there is an input box that says email address then the address is collected.
http://stephan.sugarmotor.org
The question that should be asked is: Why does IE have some part of their framework in place which can be simply ignored/violated?
If it was the other way around, there would be a pile of MS hating nitwits here already.
Indeed. I can't fap to itworld.
So tell me again why I would want to use Android? No way I want Google to have built my phone. They know enough about me, thank you.
Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
I find it interesting that Microsoft also sends an invalid privacy header, just as they are complaining about Google doing.
I also find it interesting that MS is blaming Google for IE's failed handling on invalid P3P headers rather than fixing their product.
I've just reported your post as "anti-censorship."
so long,
As I understand it, Microsoft is following the spec properly. Google is exploiting a loophole in the spec.
"I use a Mac because I'm just better than you are."
" Google is exploiting a loophole in the spec."
Which is another way of saying: Google is also following the spec. The problem is, the spec is faulty, and doesn't provide what it's intended to.
"National Security is the chief cause of national insecurity." - Celine's First Law
All these bugs bring back my favorite quote from that movie. " Elliot Carver: Mr. Jones, are we ready to release our new software? Jones: Yes, sir. As requested, it's full of bugs, which means people will be forced to upgrade for years. Elliot Carver: Outstanding. " If Microsoft and Apple knew about the bug, why left them open? Hoping that somebody would find the bug for them?
IP Address? Of course it is collected.
Why is this an "of course" item? There is no immediate reason to collect and store IP addresses for long term, past the end of the current TCP connection.
read this again, mate:
P3P is a machine-readable language that helps to express a website's data management practices
MACHINE READABLE.
is english machine readable? english sentences?
NO.
google fucked up. such a simple thing and they fucked it up.
ON PURPOSE.
this was not incompetence. what is difficult about making something either blank or token scannable via a simple grammar?
english grammar? sorry google, but you lose in the worst possible way if you think THIS is the correct answer.
--
"It is now safe to switch off your computer."
How does Facebook do it (the Like button)? Does Facebook also circumvent it this way? Either Facebook found a way to do it better, or they are both doing the same thing.
Can we stop the Google/Microsoft bashing and focus on the techniques please?
Wow! My respect for Microsoft just went up a notch. Release IE for Mac again and I'll use it as long as you have strict privacy standards like this. LOVE IT!!!
Thy name is Corporate.
Check your premises.
Microsoft's privacy protection feature in Internet Explorer, known as P3P
This is simply utterly preposterous. P3P is not an Internet Explorer thing. Even google search knows it's a w3c thing - but apparently those coming up with such excuses do not use Google search. Google can do with a dose of being at least a bit less evil.
User: "I don't wish to be tracked. I've opted out using this P3P setting."
Google: "Haha there's a loophole that we're gonna use to track you anyway. Blame Microsoft if you don't like it, sucker!"
Yep, Google has done nothing wrong here whatsoever. They're completely right to exploit a known loophole which allows them to disregard the wishes of the users accessing their services, if those wishes would make Google's services less profitable.
If this is "Do no evil," I shudder to think about the damage Google could do if they decided one day to deliberately engage in evil.
If it's something that can be exploited then it's a bug. Any security/privacy feature of the browser should be in the control of the user not at the mercy of the http server.
If it was something like a buffer overflow would microsoft still complain how that bad guys should stop sending invalid data packets to the browser?
I don't like googles extensive tracking either, but complaining that it's not using some unpopular protocol is just silly. If you are going to implement privacy control then make it work regardless of the information that the site may send or just don't bother.
what the text SHOULD look like (assume angle brackets here; sorry for having to reformat to get around slash filters)
[META xmlns="http://www.w3.org/2002/01/P3Pv1"]
[POLICY-REFERENCES]
[POLICY-REF about="/P3P/Policies.xml#first"]
[COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/]
[COOKIE-EXCLUDE name="obnoxious-cookie" value="*" domain=".example.com" path="/"/]
[/POLICY-REF]
[POLICY-REF about="/P3P/Policies.xml#second"]
[COOKIE-INCLUDE name="obnoxious-cookie" value="*" domain=".example.com" path="/"/]
[/POLICY-REF]
[/POLICY-REFERENCES]
[/META]
and what googles looks like:
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
now, without even having a compsci101 level course, anyone here see which is the more correct parseable string and which is weasel bullshit?
--
"It is now safe to switch off your computer."
I gather you've never ran any ecommerce sites have you? Or any other kind of site that needs to keep track of customers to prevent fraud. You are a clueless idiot.
Let's put it the other way around. If you were to tell your browser you only want to visit websites that do not store your IP address, how far would you get?
Or, how tired would you get of pop-ups saying "This site stores your IP address. Continue viewing?"
http://stephan.sugarmotor.org
cf. Hank Scorpio, Globex Corporation.
----
Not to be confused with Col.
The file may be machine readable, but someone has to configure the other side, the client's preferences.
Here you will run into an overwhelming list of options that an average user is simply not going to bother with ---> Ridiculous waste of time.
http://stephan.sugarmotor.org
They are also impractical. We should just get rid of them.
I am sorry, but Google has outlived its mantra. They should change it to:
Don't get caught.
Because honestly, they are now evil-er than almost any other company. At least with facebook, they admit they are stealing your personal data.
Obligatory!
Don't make Google angry. You wouldn't like it if it became angry.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Suggested update for Internet Explorer:
IE should try to parse the P3P according to the spec. If that fails, then display the contents to a user, with buttons: "Accept cookie", "Reject cookie", and "never allow visits to this site again".
Consider the following (from http://www.w3.org/TR/P3P11/#ua_compact):
6.4 Compact Policy Processing
P3P user agents MUST NOT rely on P3P compact policies that do not comply with the P3P 1.0 or P3P 1.1 specifications or are obviously erroneous. Such compact policies SHOULD be deemed invalid and the corresponding cookies should be treated as if they had no compact policies.
As I understand this, IE should actually search the Google P3P header for a valid statement of what Google intends to do with regard to tracking cookies. If it does not find those, it should apply the default behaviour for web sites without any P3P header. As described by Dean Hachamovitch (the author of the blog post):
By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site's use does not include tracking the user.
Fine. So your browser sees a Google P3P header without any valid policies. At this point, the clause "unless the site presents..." should kick in and cookies should be blocked. To me this looks like a bug in IE, as they failed to implement the default behavior in this case. It would be appropriate for Microsoft to fix this bug, send the fix as update on next patch day and otherwise be very humble about their error.
Instead, Dean Hachamovitch tries to paint this as conspiracy by Google to circumvent IE's security protection. FAIL.
C - the footgun of programming languages
So they merely rent our personal information instead of selling it. That's a pretty small distinction.
“Common sense is not so common.” — Voltaire
You got that wrong - it's 'Do know evil' not 'Do no evil'
If you don't want websites to store your IP address, I recommend browsing with TOR. ;-)
You better pray like hell nothing ever goes wrong, Mr Buttle http://en.wikipedia.org/wiki/Brazil_(film)
Yea, that End-User Allow/Deny thing did wonders for ActiveX security. How about if it's malformed, throw it out entirely and treat the request as if the P3P was not present?
I've gotten to the point in my Internet life where I rarely use Google anymore. There are better options out there. People will disagree with them and let them. Google has mind share and they are a verb. So what? I want to use services that respect my freedom and my dignity and don't try and monetize everything. I really miss some aspects of the early WWW. I miss the personal websites that seemed to have a greater number than corporate ones. I miss the search engine wars. I miss a lot of it.
Several months ago, I became very concerned with tracking online. I already used to block some stuff as a precaution, but the recent tomfoolery by online companies was the last straw. I now block Flash cookies while still using Flash, I block ALL advertising, I block all elements, beacons, trackers, web bugs, pixel bugs, and social media (I don't use any of it). I turn off geolocation, HTTP/S referrer, CSS visited links (avoid sites seeing your history), and I employ an aggressive hosts file with more entries than grains of sand. Ghostery is nice to use as it picks up some newer blocked sites I can add to my hosts file. As a result, I have a super clean, super fast Internet experience free of the evil tracking that occurs as a result of advertising. When advertising doesn't track me, I will allow it once again. Until then, no. I have a RIGHT to not be tracked, to not be monetized without my consent. Disagree all you want. I don't care. This tracking is becoming an issue. The bypassing of set privacy settings is abhorrent and borderline illegal. Can't bypass a hosts file. What is great about a hosts file is that you can add entries and it never slows anything down.
The rabid desire to monetize everything about the Internet is a shame. People are too greedy, too ready to make a buck at someone else's expense. Tracking should be made illegal as soon as possible. Advertising should be anonymous and never tied to anyone. Until a saner Internet is forced upon the corporate asshats, I will continue to block everything that is not pure content.
If the machine can't read it, it should default to the most security, not the least.
That's like a password field which isn't supposed to contain any " characters, and if a password with a " is typed, instead of rejecting the login attempt, it logs you in successfully.
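The fail-closed handling that the quoted section 6.4 and the comments above argue for, written out as an added example; it is not part of any comment in this thread and is not IE's code. Assumptions: the token vocabulary is the P3P 1.0 compact-policy set as recalled here, the strict rule (any unrecognized token invalidates the policy) is this example's reading of "do not comply", and the function names are hypothetical.

```javascript
// Compact-policy tokens as recalled from the P3P 1.0 vocabulary (assumption:
// verify against the spec before relying on this list). Case-sensitive.
const FIXED = new Set(('NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR OUR ' +
  'NOR STP LEG BUS IND TST PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL ' +
  'HEA PRE LOC GOV OTC').split(' '));
// These may carry a consent suffix: a (always), i (opt-in), o (opt-out).
const CONSENT = new Set(('ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP ' +
  'DEL SAM UNR PUB OTR').split(' '));

function isKnownToken(t) {
  if (FIXED.has(t) || CONSENT.has(t)) return true;
  return t.length === 4 && 'aio'.includes(t[3]) && CONSENT.has(t.slice(0, 3));
}

// Pull the CP="..." field out of a P3P header value (it may sit next to policyref=).
function extractCompactPolicy(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /(?:^|[\s,])CP\s*=\s*"([^"]*)"/i.exec(headerValue);
  return m ? m[1] : null;
}

// Decide what to do with a third-party cookie that arrives with this header.
// strict=true : an invalid policy is treated exactly like a missing one (block).
// strict=false: unrecognized tokens are skipped, so a string of plain English
//               leaves an empty policy with nothing for a preference check to
//               object to. That is the fail-open outcome the thread describes.
function evaluateP3PHeader(headerValue, { strict = true } = {}) {
  const cp = extractCompactPolicy(headerValue);
  if (cp === null) {
    return { action: 'block', reason: 'no compact policy', recognized: [], unknown: [] };
  }
  const tokens = cp.trim().split(/\s+/).filter(Boolean);
  const recognized = tokens.filter(isKnownToken);
  const unknown = tokens.filter((t) => !isKnownToken(t));
  if (strict && (unknown.length > 0 || recognized.length === 0)) {
    return { action: 'block', reason: 'invalid compact policy', recognized, unknown };
  }
  // Hand the recognized tokens to the user's preference rules (out of scope here).
  return { action: 'evaluate', reason: 'policy accepted for evaluation', recognized, unknown };
}

// Header values quoted in this thread, plus one constructed well-formed sample.
const GOOGLE_HEADER = 'CP="This is not a P3P policy! See ' +
  'http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."';
const MICROSOFT_HEADER = 'CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD ' +
  'TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"';
const CONSTRUCTED_HEADER = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADM OUR NOR"';

for (const [name, h] of [['google', GOOGLE_HEADER], ['microsoft', MICROSOFT_HEADER],
  ['constructed', CONSTRUCTED_HEADER]]) {
  const strict = evaluateP3PHeader(h);
  const lenient = evaluateP3PHeader(h, { strict: false });
  console.log(name, 'strict:', strict.action, 'lenient:', lenient.action,
    'unknown:', strict.unknown.length);
}
```

Under this vocabulary the strict path also rejects the microsoft.com header quoted in the thread, because `CUSo` is not in the token list.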
Yep, there's a bug in IE with regard to their fallback, but that doesn't excuse Google's actions. If Google didn't *want* to provide a P3P header, they shouldn't have provided one. Instead, they discovered the IE bug and intentionally took advantage of it. (Similarly to how they discovered a Webkit cookie-handling bug and took advantage of it to work around some cookie restriction settings in Safari.)
So are you telling me you actually opted out using P3P? If so, you must be one of the 10 people on earth who actually knew what this was before the story broke. P3P is a broken system, has been a broken system forever, and has been deprecated as a standard since 2007. This is the privacy protection you are relying on? A system that even Microsoft exploits in EXACTLY THE SAME WAY as Google did?
what the text SHOULD look like (assume angle brackets here; sorry for having to reformat to get around slash filters)
[META xmlns="http://www.w3.org/2002/01/P3Pv1"]
[POLICY-REFERENCES]
[POLICY-REF about="/P3P/Policies.xml#first"]
[COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/]
[COOKIE-EXCLUDE name="obnoxious-cookie" value="*" domain=".example.com" path="/"/]
[/POLICY-REF]
[POLICY-REF about="/P3P/Policies.xml#second"]
[COOKIE-INCLUDE name="obnoxious-cookie" value="*" domain=".example.com" path="/"/]
[/POLICY-REF]
[/POLICY-REFERENCES]
[/META]
And what the P3P header at www.microsoft.com looks like:
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
now, without even having a compsci101 level course, anyone here see which is the more correct parseable string and which is weasel bullshit?
I guess the first is correct, and the second is bullshit?
Some of the things in my toolset.
I use Linux, so for some of you, some of these tips will not work. I use aggressive settings. YMMV.
Firefox: Settings work in both Linux and Windows
Type about:config in address bar. Accept warning.
geo.enabled (set to false) # Prevents sites seeing your whereabouts, but if they have IP, they can guess.
layout.css.visited_links_enabled (set to false) # Prevents sites from seeing your history. I have history set to not remember anyway.
network.http.sendRefererHeader (set to 0) # Prevents sites from seeing where you came from.
network.http.sendSecureXSiteReferer (set to false) # Same as above for HTTPS.
network.prefetch-next (set to false) # Prevents prefetch of cookies for first page of search engine results for those engines that use prefetch.
Flash: Linux only
To get the "benefits" of Flash without the evil tracking aspects...
Open up a terminal window:
ls -la to ensure both .adobe and .macromedia are present.
rm -rf .adobe .macromedia
ln -s /dev/null .adobe
ln -s /dev/null .macromedia
Ta-da... Flash cookies are written to /dev/null but you can still use it without being tracked as the
I use Ghostery, Adblock Plus with Easylist, Easy Privacy, Fanboy's Adblock List, Fanboy's Tracking, and Fanboy's Annoyances List. I use FlagFox to see what country a given website is in. I use Ghostery to see the companies that are tracking me. I use this information to add those same trackers into a hosts file that is slowly but surely getting better and better.
I also have Firefox set to Private Browsing Mode with no cookies accepted. I allow on an as-needed basis, which so far is only my bank as my webmail doesn't require cookies.
The above gets me down to pretty much bare content. When sites stop the evil tracking, I may not block near as much.
As much as I hate the facebook +1 button, logging in with facebook, the google variants, and other such functionality that is appearing on pretty much every website, I just can't fault Google that hard for this. The P3P spec is old. Ancient. No one follows it. The standards body who created it doesn't even want anything to do with it. The only reason Microsoft is even bringing this up is to take a shot at Google while Apple is taking a shot at Google for their Safari stuff.
Angle brackets: for the "less than" bracket, &lt; will produce <
The greater than bracket just works as is, just hit the key.
Free Martian Whores!
More like this, I think:
User: "Why can't I log into GMail or use Facebook comments? Your sites suck!"
Google and Facebook: "Well, you see there's this thing called P3P that controls..."
User: "P3what now? This sounds too complicated and technical."
Google and Facebook: "Fine, we'll fix it (by sending something that resembles a P3P policy enough that IE won't break stuff)."
The first one is a P3P policy in XML format. The second resembles a P3P policy in compact format. As far as I can tell, IE only supports the compact format and not the XML format that you claim Google's policy should look like. If you don't have a P3P policy that's in the compact format it'll reject all third party cookies and even first party cookies under some circumstances.
Interestingly, any kind of complex privacy policy can only really be represented through adding non-standard extensions to the full XML format, and if you do that you're not supposed to use the compact format. This means that it's effectively useless to try and implement P3P properly; IE is the only browser that actually takes any notice of it at all and it's restricted to the non-descriptive compact version which is useless for most sites.
"Google's just doing the same thing everybody else does."
"The system's broken; Google can't be blamed for exploiting a known bug to make their lives easier while circumventing something users thought would protect their privacy."
"If it's not explicitly prevented by Microsoft's software, then there's no problem with Google doing it, even if it goes against the expressed of the users!"
Again: this is the road you want corporations to go down? Seriously? This is the standard you wish them to behave to?
"Circumvented Internet Explorer's privacy protections".
Um. If a third party can circumvent it, it's not actually a protection.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
No, this isn't the road I want them to go down, but since they aren't, and your claims have no bearing on what happened here, it really doesn't matter. Google used a broken implementation to provide targeted ads to users who had specifically opted in to the service. This does not make them evil. Had they been using this to track everyone, then yeah, that would be bad. That is what you don't seem to be understanding, despite the multiple times people have explained it. Using tracking cookies on users who specifically opted in to get them is not wrong or evil.
What is evil is Microsoft using a broken implementation of a non-used standard to try and score points over something that shouldn't even be an issue.
Keep spinning it, people might start to believe that Google did nothing wrong!
I like the way this poster from reddit put it:
Wow... Experienced web developer here... They tried so hard to make that article accessible for non web developers that it was almost harder for me to understand that way.
My "OMG nefarious" meter isn't even going off at all.
This is a misleading headline.
Google is circumventing
"is" implies "still is" - which they are not.
"circumventing" implies intentionally skirting around a bug - which NOTHING in this article says they are or were.
Cross domain security should be built in to all browsers, and all Google was doing was passing cookies when people hit a button in an iFrame, and google's normal tracking activities if you're logged in to google continued.
All that happened here was that a bug in Safari meant that google's stuff kept working even when it wasn't supposed to. There's no indication that this code was specially geared toward Safari. It sounds like their tracking was meant to automatically continue on as usual, and Safari failed to prevent 3rd party cookies from being sent.
This headline is sensationalist bullshit.
If you want to argue that google does too much tracking in general that's a different story. But there is not one tiny iota of information in this article that suggests google was "exploiting a bug in Safari" -- these iFrame based buttons and the cookies that follow them are standard operating procedure for ad networks.
EDIT: Also credit to /u/powerje, who points out that it was 2 google engineers who fixed the problem in webkit/Safari
http://www.reddit.com/r/apple/comments/ptoez/google_is_circumventing_safari_privacy_settings/
What a shocker. Google must be doing something right to have those enemies.
Great Intellect...
Google did not target Safari. Safari's security was just not working until Google fixed it.
All that happened here was that a bug in Safari meant that google's stuff kept working even when it wasn't supposed to
Other browsers just have broken security.
User: "I don't wish to be tracked. I've opted out using this P3P setting."
Microsoft: "Haha our browser is insecure, out of date, and broken. Be sure to blame Google for our crappy browser. Maybe Google will fix our browser too, just like Google had to do for Apple's insecure browser."
What is evil is Microsoft using a broken implementation of a non-used standard to try and score points over something that shouldn't even be an issue.
If anything it should be an issue against Microsoft, not Google.
Microsoft smear campaign seems to be working very well, thanks to ignorant people.
What's the big deal? P3P openly lets you decide to bypass it if you care to do so. So Google decided to do so.
I've gotten to the point in my Internet life where I rarely use Google anymore. There are better options out there
Like what? Please remember that MS, and Facebook, do the same things that they are so desperately trying to smear Google about.
Apple and MS are scared to death of Google. And neither company has ever liked fair competition.
Exactly my point. I wish I could mod and comment, I'd give you a +1. Just not a Google +1.
How far do you want to take this analogy?
“Common sense is not so common.” — Voltaire
Tyrants always find rights and freedom impractical and they assert pressing matters to relieve us of both; do not let them.
Exploiting browser bugs is what hackers have been doing for more than a decade to perform drive-by installations. The mere fact that they managed to exploit a *bug* doesn't justify their actions. Nor does it for Google.
Will it still complain if I navigate to 127.0.0.1 instead of localhost?
Heaven forbid I take DNS out of the equation and watch my perfectly valid certs throw warnings because the IP doesn't match the DNS name. You'd think the damn browser could reverse lookup before throwing up that alert.
Terribly annoying.
If I have a crowbar, do I have the right to just walk into your house and use the restroom and help myself to a snack from the fridge because your lock couldn't stop me? How about me presenting falsified credentials from the electric or cable company and lying my way inside, only to leave a floater and eat some of your tasty snacks?
*Respecting* users and their wishes would seem to be part of "doing no evil," and yet you're defending Google's deliberate circumvention of user preferences. It's certainly possible for Google to display a "Hey, we can't set this cookie that's required, unless you open up your browser settings for us. Here's how to do it, and why we think you should" type of page. Instead, they opted to say, "since you signed up to use my service, I'll assume for you that you want it everywhere you go, despite your default browser settings."
Respecting other people's stuff is kind of a big part of what's known as 'polite society.' I've asked this repeatedly of the Google defenders here: Do you really want the standard of behavior for corporations set so low that "whatever they can get away with" is the only limit on their behavior? So far, all I've seen is a willful refusal to accept the facts of the matter: that if any other corporation did this, you would be going apeshit and calling it "hacking" and demanding blood.
How is Google or others supposed to have their services accessed by legitimate customers if they block access to user cookies? We will be sending ourselves back to the old days of IE6 when we would need to manually mod all of the itty bitty settings just to make the internet work the way we wanted it to. If a user is signed into G+ then a cookie should be granted based on a modded version of the P3P standard. This way Google and others would have no need to use the standard's current failings to allow their products to work with a draconian improperly implemented web standard.
"How am I supposed to provide televisions to legitimate customers if tv shops lock up their inventory and don't allow me to take what I need?"
"How am I supposed to provide organs to legitimate organ recipients if people don't allow me to knock them out and steal their kidneys?"
Final time: Do you really want the standard of behavior for corporations set so low that "whatever they can get away with" is the only limit on their behavior?
Google could build a better browser that isn't limited like IE, and convince people to use it; they could educate their users and score points against MSFT for being backwards and out of date, and convince those users to change the settings willingly, but honor them if they haven't been changed; Instead, they opted to simply disregard users' preferences, and do whatever they damn well pleased. And that's a problem, no matter how blindly devoted you are to Google.