Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google: IE Privacy Policy Is Impractical

Posted by timothy on from the like-a-landmine-with-redial dept.

itwbennett writes "In response to Microsoft's claim that Google circumvented Internet Explorer privacy protections (following the discovery that Google also worked around Safari's privacy settings), Google on Monday said that IE's privacy protection, called P3P, is impractical to comply with."

32 of 258 comments (clear)

  1. Impractical to who? by scruffy · · Score: 5, Insightful

    I suppose privacy is impractical to those who want to sell our personal information.

    1. Re:Impractical to who? by Anonymous Coward · · Score: 4, Informative

      actually, they would be quite stupid to sell ... because when I consider how much time I spend with google services compared to anything else, they must know about five times as much about me as the next best competitor ... so selling stuff that helps their competition would be really not a good idea ;)

    2. Re:Impractical to who? by alphatel · · Score: 5, Funny

      Why would the need to sell our demographic information to advertisers? They are a company that offers free profile pages to plus one enthusiasts.

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    3. Re:Impractical to who? by egamma · · Score: 5, Interesting

      "but the data they use to do so never leaves their own servers."

      I guess you believe everything you hear/read....

      Why would the data leave their servers? They don't need to sell the information to advertisers--they simply tell advertisers, "We know everything about everyone. We will put your ad in front of the 1 million people most likely to respond. You don't need us to sell their information to you--they will provide it when they buy your product."

      --
      Battlemaster--Game with friends in medival realms
    4. Re:Impractical to who? by Anonymous Coward · · Score: 4, Funny

      Dude - get your monopolies straight! It's Girl Scouts with the cookies, Boy Scouts with the popcorn, and Congress with the assholes!

      It's that last one which doesn't leave many unfilled niches for world dominating companies like Google.

    5. Re:Impractical to who? by gorzek · · Score: 4, Insightful

      Selling that demographic information is how they provide all the free services they do. Their ability to target ads effectively is what makes them attractive to advertisers.

      I get that Slashdotters are deeply paranoid about anyone knowing anything about them, but at the same time, you aren't entitled to free services like those that Google provides. If you really don't want anything to do with Google, modify your hosts file so all requests to *.google.com (and related domains) are sent nowhere. That's "voting with your wallet," so to speak.

      But I can't say I have much patience for people who want to use Google's services and then complain about Google using the information they gather about you as part of their advertising system. There's room to argue about what they should or shouldn't be allowed to do with it, but to presume they shouldn't have any information about you at all is a bit silly.

      --
      Check out my world simulator thingy.
    6. Re:Impractical to who? by honkycat · · Score: 4, Insightful

      Are we entitled to something for nothing? No, of course not.

      However, it doesn't follow that Google is therefore entitled to disregard an unambiguous request from a user not to collect personal data. If they feel that a user is granting them too little information in exchange for their service, they are free to deny that user access. Making an end run around security settings is sleazy, no matter how you dice it.

      I'd have a lot more sympathy for Google if the first story to break was this public complaint, together with a statement of how they were working around it and a warning to affected users that their privacy settings were being circumvented. To make a statement like this /after/ being caught with their corporate hand in the proverbial cookie jar doesn't make a very good defense.

    7. Re:Impractical to who? by madmark1 · · Score: 5, Informative

      No, they aren't. In the Safari case, the default setting in Safari is to block third party cookies. No one made that choice, unless it was to go in and unblock them. Seeing as how Safari is the only browser that blocks them by default, most people probably don't even realize they ARE blocked. And in this specific case, the 'work-around' was to provide tracking cookies to people logged in to G+ who specifically opted in to targeted ads. How this can possibly be spun into Google doing evil is really amazing to me. They did exactly what their customers asked for, and got thrashed for it. Lets not forget also that the cookies in question were non-specific, and had no personally identifiable information in them. Did anyone even read the article on that?

      In the IE case, Microsoft is relying on an optional, trust based system deprecated 5 years ago as a method of protecting your privacy. Once again, Google used a perfectly legitimate part of that standard to bypass it, for the express purpose of giving users who were logged in to G+ and opted in to targeted ads, those targeted ads. Explain the evil here, if you would?

    8. Re:Impractical to who? by Col.+Klink+(retired) · · Score: 4, Interesting
      Wait, you're cheering for the company that told google (and some 11,000 other websites) how to work around their broken P3P implementation?

      The 2010 research paper "discovered that Microsoft's support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE." This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft.

      --

      -- Don't Tase me, bro!

  2. Google by Dexter+Herbivore · · Score: 4, Funny

    Do No... errr, nevermind.

  3. Wer're safe! by accessbob · · Score: 5, Funny

    Thank goodness they're not an evil company. It could have been M$ breaking the Web standard...

  4. Microsoft Quality by darkfeline · · Score: 4, Funny

    IE privacy protections were "circumvented" by Google sending a string stating, "This is not a P3P policy." Typical Microsoft quality product, that's like getting conned by a guy wearing a shirt that says "I don't guarantee I won't run off with your money" and then sueing them.

    1. Re:Microsoft Quality by betterunixthanunix · · Score: 5, Insightful

      Frankly, as an approach to a security engineering problem, P3P is pretty bad. You are basically allowing your adversary to declare what the security policy will be, then leaving it up to your adversary to follow that policy.

      If browser makers were serious about protecting their users' privacy, they would make adblocking the default, they would have stricter cookies policies, and they would not let a company like Google decide what sort of privacy people will have.

      --
      Palm trees and 8
    2. Re:Microsoft Quality by SaroDarksbane · · Score: 5, Funny

      Future News: For Windows 8, Microsoft has replaced the traditional log on screen with a text field. Users will now have to simply enter a reason why they should be allowed to log onto the system. The system will accept all answers.

    3. Re:Microsoft Quality by SJHillman · · Score: 4, Funny

      Or if you have a webcam, it will accept sincere looking smiles.

    4. Re:Microsoft Quality by msauve · · Score: 5, Funny

      Plus, P3P is faulty, it has a loophole which one can take advantage of. Much better to simply follow a properly designed spec for this sort of thing, like RFC 3514.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    5. Re:Microsoft Quality by Xest · · Score: 4, Insightful

      I remember thinking the same when I was forced to study it academically some time ago, and thought at the time what the fuck is the point in it exactly?

      Well at least now I have my answer, it makes for good headlines when you want to troll your competitors with it if nothing else.

  5. FTFY by elrous0 · · Score: 5, Funny

    Google on Monday said that IE's privacy protection, called P3P, is unprofitable to comply with."

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  6. Old and Busted by uigrad_2000 · · Score: 5, Interesting

    P3P has been Old and Busted since Slashdot first covered it in 2002.

    Microsoft would never bring it up, if they weren't already in panic mode. This seems to indicate that MS is in far worse shape than we know.

    --
    Free unix account: freeshell.org
  7. Not impractical, ridiculous! by sugarmotor · · Score: 5, Interesting

    I think Google is being polite, as do people who quote a "lack of value"

    From http://en.wikipedia.org/wiki/P3P

    The main content of a privacy policy is the following:

            which information the server stores:
                    which kind of information is collected (identifying or not);
                    which particular information is collected (IP address, email address, name, etc.);

    Kind of information??? As if the AI problems were all solved. IP Address? Of course it is collected. Email address? Yes if there is an input box that says email address then the address is collected.

    --
    http://stephan.sugarmotor.org
  8. misleading/wrong question by poetmatt · · Score: 5, Insightful

    The question that should be asked is: Why does IE have some part of their framework in place which can be simply ignored/violated?

    1. Re:misleading/wrong question by Desler · · Score: 5, Insightful

      Yeah how dare they implement the P3P standard as it tells them to! Google is using a loophole in the standard to bypass the privacy protection.

    2. Re:misleading/wrong question by timeOday · · Score: 4, Insightful

      I disagree. A culture of, "if you are able to do it, it must be fine" is flawed at a very basic level. It's a failure to recognize anything above the law of the jungle. Property law gives us the freedom to have windows in our homes, even though, technically, they're easy to smash. Envelopes are easy to open an copper pairs are easy to tap, yet the laws that preclude this have been very effective - not totally, but far better than nothing. With the level of automated tracking of all kinds available these days, there simply cannot be any privacy unless there is a collective commitment to creating preserving such rights.

    3. Re:misleading/wrong question by arkhan_jg · · Score: 4, Insightful

      Because P3P was a pile of crap to begin with, is drastically out of date and long since abandoned by everyone except microsoft?

      From wikipedia:

      "The Platform for Privacy Preferences Project (P3P) is a protocol allowing websites to declare their intended use of information they collect about web browser users. Designed to give users more control of their personal information when browsing, P3P was developed by the World Wide Web Consortium (W3C) and officially recommended on April 16, 2002. Development ceased shortly thereafter and there have been very few implementations of P3P. Microsoft Internet Explorer is the only major browser to support P3P. The president of TRUSTe has stated that P3P has not been implemented widely due to the difficulty and lack of value."

      "P3P manages information through privacy policies. When a website uses P3P, they set up a set of policies that allows them to state their intended uses of personal information that may be gathered from their site visitors. When a user decides to use P3P, they set their own set of policies and state what personal information they will allow to be seen by the sites that they visit. Then when a user visits a site, P3P will compare what personal information the user is willing to release, and what information the server wants to get – if the two do not match, P3P will inform the user and ask if he/she is willing to proceed to the site, and risk giving up more personal information."

      P3P can't handle 'legit' cookies not being associated with the domain you're actually viewing. IE requires a P3P policy to exist for 3rd party cookies to be saved when that setting is turned on; google's exists, but just says "this is not a p3p policy", and points you to their privacy policy. IE then goes 'alrighty then, you've got a P3P policy that's utter garbage even though I'm the one that asked for it, but here, go ahead and set that cookie anyway'.

      Frankly, Google not respecting Mozilla's DoNotTrack header is a much worse case of ignoring expressed user privacy than this crappy old IE only 'standard' having a loophole you could ride an elephant through.

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
  9. Impractical to Microsoft, MS also send invalid P3P by Anonymous Coward · · Score: 4, Interesting

    I find it interesting that Microsoft also sends an invalid privacy header, just as they are complaining about Google doing.
    I also find it interesting that MS is blaming Google for IE's failed handling on invalid P3P headers rather than fixing their product.

  10. Re:Impractical to Microsoft, MS also send invalid by 0racle · · Score: 4, Informative

    I also find it interesting that MS is blaming Google for IE's failed handling on invalid P3P headers rather than fixing their product.

    As I understand it, Microsoft is following the spec properly. Google is exploiting a loophole in the spec.

    --
    "I use a Mac because I'm just better than you are."
  11. Re:Impractical to Microsoft, MS also send invalid by msauve · · Score: 4, Insightful

    " Google is exploiting a loophole in the spec."

    Which is another way of saying: Google is also following the spec. The problem is, the spec is faulty, and doesn't provide what it's intended to.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  12. Re:Dear Google by Americano · · Score: 4, Insightful

    I find it amusing that you are twisting and squirming to rationalize how Google explicitly disregarding the wishes of the user and exploiting a well-known loophole in the P3P spec in order to do something against that user's wishes is "not evil."

    Even in the best "Microsoft should have prevented this" light, it makes them no better than the used car dealer who tries to convince you that the rust on that El Camino is a special limited-edition two-tone finish that the manufacturer tested out, and the noise from that busted exhaust system is just evidence that the car has a special glasspack muffler. It's bottom-feeding behavior of the worst sort, and blatant hypocrisy from a company that carries on about its "do no evil" policy.

  13. Re:Impractical to Microsoft, MS also send invalid by Americano · · Score: 5, Insightful

    User: "I don't wish to be tracked. I've opted out using this P3P setting."
    Google: "Haha there's a loophole that we're gonna use to track you anyway. Blame Microsoft if you don't like it, sucker!"

    Yep, Google has done nothing wrong here whatsoever. They're completely right to exploit a known loophole which allows them to disregard the wishes of the users accessing their services, if those wishes would make Google's services less profitable.

    If this is "Do no evil," I shudder to think about the damage Google could do if they decided one day to deliberately engage in evil.

  14. Re:One question never answered by MozeeToby · · Score: 5, Informative

    Not only does Facebook do it but Microsoft also does it. The standard they are accusing Google of violating is so out of date that W3 doesn't even try to update it anymore, because no one follows it and most browsers don't even implement it fully. This is a non-story in every direction.

  15. Re:Impractical to Microsoft, MS also send invalid by Lonewolf666 · · Score: 5, Informative

    Consider the following (from http://www.w3.org/TR/P3P11/#ua_compact;

    6.4 Compact Policy Processing

    P3P user agents MUST NOT rely on P3P compact policies that do not comply with the P3P 1.0 or P3P 1.1 specifications or are obviously erroneous. Such compact policies SHOULD be deemed invalid and the corresponding cookies should be treated as if they had no compact policies.

    As I understand this, IE should actually search the Google P3P header for a valid statement of what Google intends to do with regard to tracking cookies. If it does not find those, it should apply the default behaviour for web sites without any P3P header. As described by Dean Hachamovitch (the author of the blog post):

    By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the sites use does not include tracking the user.

    Fine. So your browser sees a Google P3P header without any valid policies. At this point, the clause "unless the site presents..." should kick in and cookies should be blocked. To me this looks like a bug in IE, as they failed to implement the default behavior in this case. It would be appropriate for Microsoft to fix this bug, send the fix as update on next patch day and otherwise be very humble about their error.

      Instead, Dean Hachamovitch tries to paint this as conspiracy by Google to circumvent IE's security protection. FAIL.

    --
    C - the footgun of programming languages
  16. Re:One question never answered by Anonymous Coward · · Score: 4, Informative

    Check the ARS story with 2 updates:

    http://arstechnica.com/tech-policy/news/2012/02/google-tricks-internet-explorer-into-accepting-tracking-cookies-microsoft-claims.ars

    Yes Facebook is doing it as well as msn.com and live.com