
Do no evil?
Anyone else see a pattern?
Slurping all that WiFi info during street view was just an accident M'Lud!
Microsoft has released data showing that Google has been bypassing the user-defined privacy settings in Internet Explorer by using incorrect P3P identification terms. “When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy …
Not to justify Google but Microsoft forces the sale of IE upon all of their customers illegally.
Yes, slow learners, it is illegal to commingle the code between the OS and IE yet Microsoft continues to do so in order to force the sale of IE upon you and prevent you from removing the application.
As long as you accept outright illegal practices from Microsoft you can hardly speak at all about what anyone else may do.
Wholly inexhaustive and spur-of-the-moment testing prompted by your query indicates that Bing does indeed honour P3P codes although I can't test live.com services without actually logging into them (and thus using Passport, which pretty much ruins any test).
So, MS apparently honour privacy, Google don't and MS are pathetic and desperate scumbags? What an odd world you live in.
Google use big loophole in our browsers wail Apple and Microsoft.
"We wanted to tell our users that their privacy was safe if they used our browsers and big bad Google has shown we've been making hollow promises. They must be hackers or something."
If it's something Google can do then it's something any mean and nasty problem site can do too.
So is this a bug or a feature, guys?
You are amusingly naive if you think that Google did this to show up flaws in Apple's & Microsoft's software. They did this because they wanted the data and because they could. And they did it *despite* it being against the wishes of the end-user.
The fact that Safari and IE allowed it to occur does not negate Google's responsibility for doing it. Saying everyone else could do it too is not the point. Google claim to be better than that.
I'm not being naive nor am I being an apologist for Google, I'm not trying to defend them in any way. I'm just pointing out that a privacy protection scheme that allows Google to act in any way they feel like is about as much use as a chocolate teapot.
Now if someone draws up a law that says websites must follow a set of rules then the chances are that Google after a lot of bitching would probably follow, but if you think many of the sites on the web would you are naive.
A privacy scheme that works by having websites decide whether they want to track you or not is not a privacy scheme at all. It's a pipe dream. And it's just as much a market scheme as Google's tracking you wherever you breathe on the net. Now you are probably well enough informed to understand that any claim made about these tools is just wishful thinking. But most users won't be, and will believe that when they click the box saying don't track me, they'll believe the marketing bs that they are now protected, when they're no more protected than wearing a white shirt will protect you from a rifle bullet.
Sending an "Ooh please don't rape me" code out was always going to be ignored anyway. Trusting marketing types to abide by an honour system is a fucking risible idea...always has been. The only way to be sure -apart from nuking them from orbit (and I wouldn't stand in anyone's way there)- is for the browser to not emit the information and to not store the cookies.
Too damned right. It's the same philosophy as that daft Do Not Track proposal. Anyone who really wants to track you will find a way to ignore it. Anyone who doesn't mind doing the odd bit of Evil will just ignore it, omitting the bit where they find a semi-legitimate reason to do so.
Advertisers are greedy, immoral bastards. Who knew?
They need to come up with clear rules and a clear way of disabling tracking. I do not wish to be tracked. I do not wish to see ads all over the sites. I pay for my broadband and I want to control what goes down the pipe to my browser. If they want to share with me their revenue from ads, fine, I can live with them, but they don't share it.
Well, anyway, I live w/o adverts, adBlock and DNP Plus do the job.
Never mind all that - you don't need a single cookie to track someone. You just use the unique code(s) their browser sends. Oh, sure, it doesn't send a UUID - but the average browser does allow javascript to detect what fonts a user has, and obviously sends a list of plugins, screen size, and so on. That's enough to uniquely identify almost anyone. And that's without using geolocation, zombie cookies, or any calculations like clock speeds, response time, etc.
Chances are, even in "private" mode, your browser still sends uniquely identifying information.
See http://panopticlick.eff.org/ for more info.
On Panopticlick... http://www.secretagent.co.uk may help.
On Geolocation... https://www.dephormation.org.uk?page=73 may help.
And on unwanted Google cookies? Wouldn't it be nice if someone wrote a browser add on that selectively purged Google/Google Syndication/Google Analytics cookies, or even wrote other more interesting values over them instead for Google to digest?
Perhaps I might review my (ever growing) 'todo' list.
I've always felt the answer here is to go on the war path. Deleting cookies doesn't discourage the bastards from doing it. What I've always wanted was a tool/option that just wrote random data into the unwanted cookies. If enough people did that then they'd stop doing it because the data would be useless to them, and certainly in the early days of the counter attack would probably cause all sorts of their crap SW to crash.
I'm just too much of an idle git to bother actually writing it.
Of course you'd have to track down all the other ways they follow you too.
Hi, if you read it again you can see that I'm not being tracked. What I said is that they need to come up with an easy-to-understand way to opt out of this BS, a nice clear form, well explained with examples so users can decide what they want to do. We know how to deal with this but average users don't.
"If they want to share with me their revenue from ads, fine, I can live with them, but they don't share it."
You say that, but they do. You are paid in content. Take the very fine The Register as an example. The adverts on this site pay for the operation of the site and (I hope) compensation for the authors of the articles. When you read the articles, you are receiving a share of that payment.
After you have made a mess of things so badly and for so long, it would be nice if you just sat down and shut up. IE has been a menace pretty much from its inception until maybe a year or two ago. It's too early to go pointing fingers.
"Yes, we remember. We remember the past and its lessons, the past and its misfortunes, the past and its glories". Oh, and scratch the last bit.
So several browsers completely ignore privacy protection when strange input is received.... and somehow Google is to blame? How many sites have been doing this maliciously already?
Come on, put the blame where it's deserved. Security is useless when the default behaviour is to bypass that security at the slightest sign of trouble.
Didn't Microsoft just say:
"Windows Internet Explorer is the browser that respects your privacy. Through unique built in features like Tracking Protection and other privacy features in IE9, you are in control of who is tracking your actions online. Not Google. Not advertisers. Just you."
And all the while they knew that their browser's default behavior was to pass undefined privacy codes as if they were valid?
And they want to blame Google for their two-faced BS!?
[No, I don't think Google is blameless. This reminds me a little too much of Google's use of BHOs to install stuff in violation of IE's administrative settings. My thoughts on that here: http://forums.theregister.co.uk/post/1098266 ]
Playing the script kiddies games. Got to love that. Well, I'll be waiting for the games to begin. We be needing a good boxing match between the Apple, Google goo and The MS. May the best liar win!
I will need tons of popcorn for this one! :- )
Oh dear, someone made a specification whereby websites are trusted to communicate their privacy policy correctly to the user agent? What sort of idiots would come up with such an idea, it's no wonder it never got any traction.
http://www.w3.org/2002/p3p-ws/registrants.html
Were I a shareholder in Google I would be calling them idiots for not making use of this to enable 3rd party cookies in IE and Safari with default settings (every other browser allows them).
Probably also worth a mention - how to disable third party cookies in most browsers:
http://www.bobulous.org.uk/misc/third-party-cookies.html
Personally I think Microsoft are the fools in this for including half baked browser privacy protections and then blaming other people for bypassing them.
Blaming Microsoft / Apple for this is a bit like blaming you for getting your house burgled (by Google) because you did not have bars on your windows and doors. Sure they could (and probably will) improve security of their browsers further but Google should not have been trying to intentionally circumvent their security for their own financial gain.
This is like having an electronic lock on the door to your house which, when you enter only letters, opens the door because it expects digits and letters.
So Google are evil, we knew that .... Apple and Microsoft are evil, too, though and for them to point at Google for being evil is ridiculous ... Let's not forget, repeat after me:
Google, Apple and Microsoft are evil
Google, Apple and Microsoft are evil
Google, Apple and Microsoft are evil
Google, Apple and Microsoft are evil
Apple and MS are in no way little angels, BUT people here really need to get a grip. Google have done wrong here!
Why are people trying to put a different slant on things by spreading blame to other parties? Why come up with these excuses and attempts to justify and lessen Google's culpability?
Only brainwashed fans react in this way. I get the Register doesn't like MS or Apple, but this article doesn't warrant any MS/Apple bashing. It's all about Google here...
I'm not saying Google aren't evil... I'm not saying they don't already know too much about what we do, where we go, who we talk to, what we like and what we don't but seriously... Seriously of all of the things... P3P?? Who gives a shit?!
It's not protecting your privacy it's just a way of providing information on how cookies will be used... Browsers are meant to be your first line of defence for protecting your privacy, websites should be treated as the enemy by any browser... Any website can send back any old garbage and do something completely different. If IE just drops its pants and gives access to the cookie jar at any old junk passed through as a P3P message... What's the point? It's not security, it's merely informative. Other browsers and websites thought this, hence why IE is the only one to implement this as a PR exercise and websites with vested interest in IE are the only ones to provide a P3P message. Google's fault was providing a P3P message at all.
There probably is a solution to cookie privacy, security, certification, recourse for abuse but P3P it ain't. Browsers should enable the user to nuke any storage mechanisms attached to the browser and err on the side of safety with privacy. Best solution for now is to disable cookies by default, add exceptions for sites you trust and monitor your cookie situation.
Perhaps it's because Google shouldn't have been able to bypass privacy settings if the browsers did what they claimed to do.
Let's put it simply: MS and Apple both told people their browser was secure. Now it turns out the browser isn't. That's their fault, not Google's. That does not excuse Google for what they've done. It does not lessen what they have done. Rather, it highlights that MS and Apple have holes in their browser security and in MS's case, the hole is trivial to exploit.
So it's not an excuse for what Google's done: It's that what Google did doesn't excuse the lax security in IE and Safari.
First Google is obviously at fault here for violating standards. As many others already said; the times of "do no evil" are long behind us; now all that's left is hollow marketing talk.
However; IMO one has to wonder as well why MS allowed this to happen in the first place? If you require a code and the code turns out to be invalid doesn't it sound a bit peculiar to accept it anyway? Worse; provide "admin like" access on top of that ?
Still; the main blame sits with Google here IMO. Think about it this way: Would you have believed Microsoft if they claimed that you could no longer access Google's website with MSIE due to a code violation at the hands of Google themselves?
More importantly: could that have triggered a move from MSIE to Chrome because "At least Chrome allows me to access Google's websites without hassle" ?
You really think the coders at the chocolate factory would stop 30% of internet users from using their service? I think they would have done so already, if they thought it would be good practice .... remember all the Microsoft -only shops out there, I know, their sys admins are idiots, but still, they would not even be allowed to install Chrome ...
A better way would be to pop up one of those cute little IE messages.
Something along the lines of:
This web site is ignoring your browser's current security settings and attempting to bypass them.
[Allow this] [Report this] [Cancel]
Might keep everyone a bit more honest.
"It is well known ... that it is impractical to [represent their privacy practices in machine-readable form] while providing modern web functionality."
That is a technical statement. What are they saying about modern web functionality?
(Please don't bother replying just to say they are lying. If there is no technical explanation you can save time by just not posting)
Microsoft is neatly ignoring the fact that its P3P implementation is flawed at best, and causes web developers issues between different IE browser versions (no surprises there).
Specifically, IE will refuse third party cookies within iframes, and will show a warning message regardless of your privacy settings.
This makes it a pain for social application or widget developers - the workaround being to invalidate the P3P string entirely forcing IE to accept all cookies from your domain.
Facebook do the same thing as Google, setting their P3P header to:
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
No doubt Google and Facebook are mainly concerned about protecting their metrics and ad tracking business.
You know what? The locks on the doors of my house may be trivially bypassed (a serious boot or drilling out the cylinder would probably do the trick) but if someone were to break in to my house it would most definitely be their problem, as they are the ones in the wrong.
Even for you with your track record of defending everything Google does or says, this should draw your criticism - Google have been caught out here, to say that the effective victims are to blame because they aren't secure enough doesn't change the fact that Google are breaking the rules (possibly even the law) in a premeditated manner.
"However, if the code is not recognized, Internet Explorer will accept it anyway and allow the requester full access to the user for third-party cookie purposes"
If Google knew this, so did every other marketing site - and I bet most if not all of them are still doing it.
MS need to fix their bug, not flap around blaming others.
Or despite their customers' privacy settings, Google finds a way to get the data they want anyway using questionable code targeted for each browser. Just because it can be done, it doesn't mean it should.
Ignore that, their customers are the advertising industry, the idiot behind the keyboard is the product being sold.
I always enjoy the cretins in their Google defence mode, it makes Appletards look positively enlightened.
I wonder if their equivalence argument applies elsewhere, like women inviting rape because of what they're wearing?
Some of us are a bit smarter than that sort of level, evidently a lot associated with IT are the awkward stereotype. Shame.
"like women inviting rape because of what they're wearing?"
..followed by..
"Some of us are a bit smarter than that sort of level, evidently a lot associated with IT are the awkward stereotype."
So, you are so smart that you think this is equivalent of raping a user.
Being able to spot and call out BS + hyperbole does not imply awkwardness.
But falling for it does imply a certain lack of critical facility.
"Being able to spot and call out BS + hyperbole does not imply awkwardness.
But falling for it does imply a certain lack of critical facility."
Sounds like you are wrapped up in your own hubris.
BS+hyperbole? That's your opinion. Implying that it's a fact and criticising someone who thinks otherwise is arrogant beyond belief.
By and large, these type of people have a constitution which is generally 'closed'. The problem with this character flaw is that they are generally unimaginative and resistant to change; They latch onto something and are unable to let go no matter what!
In this case:
- Google is now 'open source'
- 'shiny key word, that attracts certain types'
- Therefore take-up of Google ecosystem is justified
- Leading to Google can do no wrong no matter what.
Which is ironic, since the IT world is a rapidly moving entity and Google's accumulating track record of naughtiness should be an obvious warning for people to jump ship - or at least latch onto something else (temporarily!)...
:0
It's there in the P3P string; I'm surprised nobody here seems to have read it:
http://support.google.com/accounts/bin/answer.py?hl=en&answer=151657
This is terribly trivial, a non-malicious bypassing of a failed, obsolete, and rather silly proprietary privacy technology that was being pushed by MS and ignored by everybody else.
The only reason we are reading about it is that people who are losing to Google commercially are pushing it as hard as possible. Yet again it's MS at the root of it all.
And, as needs to be continually mentioned, the UK government is accelerating plans to centralise the database with a record of -every- web transaction you make. You can block Google (it's easy; google for 'block Google'), but you can't block HMG.
I really need to remember that MS likes to embrace some technologies: P3P is not proprietary, far from it, it's a W3C standard. And, having read about it the basic principles seem sound, it's a shame it was not developed to keep it relevant as web technologies overtook its capabilities.
Still, some Cludos to MS for being the only major Browser to widely implement this..
..followed by a big whack with a cluestick for disabling it when a site returned an invalid response.
All sheople: please keep using Google. In fact use it a lot more. The more time and resources Google spends on those in line for a shearing, the less time they may have to look at me. Of course it helps to shitcan all things Google to get that lesser level of spying.
Yeah right ... do no evil.
Google, M$ and Apple are just all behaving like school children in this instance! Playing dirty tricks on each other as if the rules don't matter. They all should just:
a) Keep prodding each other's privacy settings, report them into the public domain and work to fix up the holes which is better for everyone.
b) Actually behave and stick to the standards.
Big corps as we know don't like to stick to the rules to get one over each other (or the innocent general public). Bets on for Apple/MS to be found out exploiting other privacy settings next week? Buy me some beer if that's the case.
P3P assumes that every website in the world will be 100% honest about how it uses cookies and tracking, and will also be 100% accurate in describing this using P3P codes. How is that going to work?
But the biggest WTF is to assume that a P3P policy that's invalid means that the website doesn't do any tracking: a massive hole for those websites that aren't 100% honest about tracking.
Are Google and Facebook maliciously sending invalid P3P codes, so their systems work in IE like other browsers, or are they merely working around a broken concept?
It doesn't say anywhere in the P3P spec that the compact privacy header should contain an error message which the client puts on the screen or a link to click on... it does however say that if the client can't parse a compact policy no attempt should be made by the client to fix it up and it should get the full policy instead. If there is no full policy then the default is not to break operation (i.e. not use P3P). Draw your own conclusions.
"“When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too?” Dean Hachamovitch, VP of Internet Explorer wrote in a blog post...
Redmond had been rather pleased about the fact that it hadn’t suffered the same kind of problems as Apple against Google’s quest for information on users."
Translation: We decided that competing by the technical merits of our product is far less important than getting a dig in at a competitor. So when we heard Apple got away with blaming Google for their crap browser, we decided to take advantage of the opportunity to blame Google for our crap browser too.
"However, if the code is not recognized, Internet Explorer will accept it anyway..."
Umm...
"Google didn’t do this “in a manner consistent with the technology,” Microsoft suggests..."
Actually, sounds like they did.
For those fond of the burglar analogy:- The burglar rocked up to your house, finds a combination lock on your door. He enters any old code and because the code he enters doesn't match the correct code in the combination, the lock opens and lets him in!
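
The behaviour quoted in the thread ("if the code is not recognized, Internet Explorer will accept it anyway") can be contrasted with a fail-closed check in a few lines. This is an added example, not part of any comment and not Internet Explorer's code: the function names and the `REFUSED` set standing in for a user's privacy setting are assumptions, the lenient model follows only the quoted sentence, and the token table is the P3P 1.0 compact-policy vocabulary.

```python
import re

# P3P 1.0 compact-policy tokens that take no suffix.
PLAIN = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",            # access
    "DSP", "COR", "MON", "LAW", "NID", "TST",            # disputes, remedies, misc
    "CUR", "OUR",                                        # purpose / recipient
    "NOR", "STP", "LEG", "BUS", "IND",                   # retention
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
    "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",  # categories
}
# Purpose and recipient tokens that may carry a consent suffix: a, i or o.
SUFFIXED = {
    "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL",
    "OTP", "DEL", "SAM", "UNR", "PUB", "OTR",
}
# Assumption: recipients this hypothetical user refuses for third-party cookies.
REFUSED = {"UNR", "PUB", "OTR"}


def parse_cp(header):
    """Return the CP token list, or None when the header has no CP attribute."""
    m = re.search(r'\bCP\s*=\s*"([^"]*)"', header)
    return m.group(1).split() if m else None


def classify(tokens):
    """Split tokens into recognised base tokens and unrecognised strings."""
    known, unknown = [], []
    for tok in tokens:
        if tok in PLAIN or tok in SUFFIXED:
            known.append(tok)
        elif len(tok) == 4 and tok[:3] in SUFFIXED and tok[3] in "aio":
            known.append(tok[:3])
        else:
            unknown.append(tok)
    return known, unknown


def lenient_allows(header):
    """Model of the quoted behaviour: unrecognised tokens are skipped."""
    tokens = parse_cp(header)
    if tokens is None:
        return False                      # no compact policy at all
    known, _ = classify(tokens)
    return not set(known) & REFUSED       # garbage leaves nothing to object to


def strict_allows(header):
    """Fail closed: an empty or partly unrecognised policy is no policy."""
    tokens = parse_cp(header)
    if not tokens:
        return False
    known, unknown = classify(tokens)
    return not unknown and not set(known) & REFUSED


# The Facebook header is quoted in the thread; the others are constructed.
FACEBOOK = ('P3P: CP="Facebook does not have a P3P policy. '
            'Learn why here: http://fb.me/p3p"')
VALID = 'P3P: CP="NOI DSP COR NID CUR ADM DEV OUR BUS"'
SHARES = 'P3P: CP="CUR PSAo UNR"'
NO_CP = 'P3P: policyref="/w3c/p3p.xml"'

if __name__ == "__main__":
    for h in (FACEBOOK, VALID, SHARES, NO_CP):
        print(lenient_allows(h), strict_allows(h), h)
```

Running `classify` over response headers collected from a proxy log is a quick way to list sites whose compact policy contains no recognised tokens.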