Microsoft Accuses Google of Violating Internet Explorer's Privacy Settings 197

Posted by Soulskill
from the capitalizing-on-bad-publicity dept.
New submitter Dupple writes with a followup to Friday's news that Google was bypassing Safari's privacy settings. Now, Microsoft's Internet Explorer blog has a post accusing Google of doing the same thing (in a different way) to Internet Explorer. Quoting: "By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent. P3P, an official recommendation of the W3C Web standards body, is a Web technology that all browsers and sites can support. Sites use P3P to describe how they intend to use cookies and user information. By supporting P3P, browsers can block or allow cookies to honor user privacy preferences with respect to the site’s stated intentions. ... Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy."

  • by tepples (727027) <tepples@nOSpAM.gmail.com> on Monday February 20, 2012 @06:29PM (#39104337) Homepage Journal

    According to Google, there is no code in the P3P standard to accurately describe how Google uses cookies. [In such a case,] how should a website use the P3P header?

    The article answers this question by quoting a section from the P3P spec [w3.org]:

    In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements.

  • Re:IE's fault? (Score:5, Informative)

    by OverlordQ (264228) on Monday February 20, 2012 @06:31PM (#39104351) Journal

    It looks to me that Google is doing exactly what their p3p policy says they will do.

    No, it's doing the exact opposite. P3P is a list of things you *WILL USE* the cookie data for, not what you *WILL NOT* do. Per the spec, if it's not a valid tag it gets ignored; remove all the invalid stuff and Google is effectively sending P3P="", or in other words, they won't use it for anything.

  • Re:So... (Score:4, Informative)

    by recoiledsnake (879048) on Monday February 20, 2012 @06:54PM (#39104611)

    Gmail doesn't need third party cookies. This is about sites with +1 buttons. They allow Google to track all users across all sites that have them.

  • by irregular_hero (444800) on Monday February 20, 2012 @07:04PM (#39104715)

    The article answers this question by quoting a section from the P3P spec [w3.org]:

    In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements.

    This is correct. However, as stated further down in the same section, the effect of such policies is to be positive and declarative (meaning the policy should state what the site DOES do, not what it DOES NOT do), and be informative to the user. The standard allows for user agents to then use the P3P policy to make it the basis for "authorization" but then goes on to state that implementers of user-agents can make their own decisions as to what the declarations mean in the context of the connection.

    This has led to situations where browsers that implement P3P and tie it to certain "security features" end up with a browser implementation that works dramatically differently than other browsers for the very same privacy declaration. In most cases, browsers do not even IMPLEMENT a user-readable informational dialog for P3P -- it is by standard the browser implementers' decision.

    If you're keeping score at home, that's bad.

  • Re:So... (Score:5, Informative)

    by cheater512 (783349) <nick@nickstallman.net> on Monday February 20, 2012 @07:07PM (#39104755) Homepage

    Course it is deliberate. Question: So what?

    It doesn't do anything to IE and is ignored by every other browser.
    P3P is deprecated and has been for years - no other browser pays any attention to it.
    All it does is make Google's products work properly with IE (not just ad tracking).

    If I needed to add gibberish to one of my sites like that P3P policy to make it work, I would.

  • Re:So... (Score:2, Informative)

    by Anonymous Coward on Monday February 20, 2012 @07:10PM (#39104801)
    Exactly. And I don't want those buttons anyway. Most people don't want them. What this kerfuffle made me realize is that Chrome allows third-party cookies by default. It makes sense that an advertising company would do this I guess. But IE and Safari obviously don't allow them by default. Firefox I am not sure. I used to use FF a lot, but may have customized my settings. Right now it is set to allow the 3rd party cookies but treat them as session cookies and delete them when FF is closed. Chrome was just allowing them all. I went in and cleaned out a lot of cookies from sites I never had visited (advertising cookies) and told Chrome to quit accepting 3rd party cookies. So it at least shed light on which browser vendors are at least attempting to help users not be tracked.

  • Re:So... (Score:5, Informative)

    by irregular_hero (444800) on Monday February 20, 2012 @07:12PM (#39104817)

    You're splitting hairs here.

    P3P 1.0 doesn't allow for multi-site declarations, only "cross-site" declarations. There can be one -- and only one -- P3P policy; by the standard it doesn't allow but ONE policy and states that others, if present, should be ignored. This just isn't how the Web works these days. Cloud services have pretty much become a de facto standard, but P3P forces site administrators to take a P3P policy from the integrated service and mash it into their own policy (and hope the service policy never changes). This just isn't practical.

    A site admin CHOOSES to use +1 buttons and FB like buttons. Inclusion of these objects would optimally prompt an admin to adjust their _own_ P3P policy, but it's just a plain ol' administrative nightmare to manually take the respective organizations' policies and create a master policy out of all of them. It's fully manual; it has no concept of "merging" policies to present users with enough information to make informed choices on the multitude of SaaS services sites now use. That's the issue.

    The darn thing is broken. Period. Hard to claim "cop-out" when dealing with a protocol that's stuck in 2001.

  • Re:So... (Score:2, Informative)

    by wireloose (759042) on Monday February 20, 2012 @07:17PM (#39104885)
    from OP:

    The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter.

    Also can't give Microsoft a pass, especially if they're truly supposed to be ignoring undefined policies. It's not like Microsoft has ever been particularly supportive of standards they didn't develop, or like they've ever really developed a secure browser.

  • Re:So... (Score:4, Informative)

    by CowTipperGore (1081903) on Monday February 20, 2012 @07:28PM (#39104975)

    Not even Microsoft supports your argument. From their blog post:

    Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter.

    Rather than ignoring it, IE is assuming that Google told them something positive.
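
The disagreement in the comments above (undefined tokens are dropped, and what is left is an empty policy) can be checked mechanically. The following is an added example, not code from the post or from any browser: the token list follows the P3P 1.0 compact-policy vocabulary, while the `DENY` set, the two evaluator functions and the sample headers are constructed for illustration and model only the behaviour described in the quoted blog post.

```javascript
// Added example: classify the tokens of a P3P compact policy (the CP="..." value).
// Vocabulary per the W3C P3P 1.0 compact-policy syntax.
const PLAIN = new Set(("NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR OUR " +
  "NOR STP LEG BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA " +
  "PRE LOC GOV OTC TST").split(" "));
// These purpose/recipient tokens may carry a consent suffix: a, i or o.
const SUFFIXABLE = new Set(
  "ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP DEL SAM UNR PUB OTR".split(" "));
// Assumption: a hypothetical user preference that rejects these purposes.
const DENY = new Set(["PSA", "PSD", "IVA", "IVD", "TEL"]);

function parseCompactPolicy(headerValue) {
  const m = /CP\s*=\s*"([^"]*)"/i.exec(headerValue || "");
  if (!m) return { present: false, known: [], unknown: [] };
  const known = [], unknown = [];
  for (const tok of m[1].split(/\s+/).filter(Boolean)) {
    const base = tok.slice(0, 3);
    const valid = PLAIN.has(tok) ||
      (SUFFIXABLE.has(base) && /^[A-Z]{3}[aio]?$/.test(tok));
    (valid ? known : unknown).push(tok);
  }
  return { present: true, known, unknown };
}

// Model of the behaviour described in the post: undefined tokens are dropped,
// and the cookie is accepted unless a remaining token is on the deny list.
function lenientAccepts(headerValue) {
  const p = parseCompactPolicy(headerValue);
  return p.present && !p.known.some((t) => DENY.has(t.slice(0, 3)));
}

// Stricter reading: a policy with no recognized token declares nothing,
// so it is treated the same as a missing policy.
function strictAccepts(headerValue) {
  const p = parseCompactPolicy(headerValue);
  return lenientAccepts(headerValue) && p.known.length > 0;
}

// Constructed sample headers (not captured traffic).
const SAMPLES = {
  notAPolicy: 'CP="This is not a P3P policy"',
  declared: 'CP="NOI DSP COR ADMa DEVa OUR NOR NAV"',
  denied: 'CP="NOI TELo OUR"',
  missing: "",
};

for (const [name, h] of Object.entries(SAMPLES)) {
  console.log(name, parseCompactPolicy(h).unknown, lenientAccepts(h), strictAccepts(h));
}
```

The first sample is the case the thread is about: every token is undefined, so the lenient model accepts an effectively empty policy while the strict one treats it as absent.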
