
Microsoft Accuses Google of Violating Internet Explorer's Privacy Settings

Posted by Soulskill
from the capitalizing-on-bad-publicity dept.
New submitter Dupple writes with a followup to Friday's news that Google was bypassing Safari's privacy settings. Now, Microsoft's Internet Explorer blog has a post accusing Google of doing the same thing (in a different way) to Internet Explorer. Quoting: "By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent. P3P, an official recommendation of the W3C Web standards body, is a Web technology that all browsers and sites can support. Sites use P3P to describe how they intend to use cookies and user information. By supporting P3P, browsers can block or allow cookies to honor user privacy preferences with respect to the site’s stated intentions. ... Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy."
  • So... (Score:5, Interesting)

    by The MAZZTer (911996) <megazzt@NoSPAM.gmail.com> on Monday February 20, 2012 @06:02PM (#39104033) Homepage
    In other words, if your server delivers a garbage or blank P3P header, the browser assumes there are no privacy implications? Sounds like a hole in the standard to me; such headers should be ignored IMO. Though Google really should have tested this properly with all browsers before deploying it in production, it sounds to me like an oopsie, not at all like the Safari thing.
    • Re:So... (Score:5, Insightful)

      by samkass (174571) on Monday February 20, 2012 @06:07PM (#39104083) Homepage Journal

      In other words, if your server delivers a garbage or blank P3P header, the browser assumes there are no privacy implications? Sounds like a hole in the standard to me; such headers should be ignored IMO. Though Google really should have tested this properly with all browsers before deploying it in production, it sounds to me like an oopsie, not at all like the Safari thing.

      Google has been claiming "oopsies" almost weekly over the last couple months. In this case they put this in their policy: 'P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 [google.com] for more info."' in what is meant to be a machine-readable field. Following the spec would have been easy-- omit the field altogether. Instead Google violates the spec in a way that benefits them. It's possible Google is just really incompetent over all these "oopsies", but they sure try to represent themselves as a company with above-average engineers. It has to be one or the other.

      • Re:So... (Score:5, Insightful)

        by TheGratefulNet (143330) on Monday February 20, 2012 @06:12PM (#39104147)

        funny: I'll have to remember this to rub their noses in it, next time I run into a googler.

        or, if they interview me, I'll ask THEM: "so, what is the proper response to a machine parsable field? TLV things or human-intended English? please support your answer."

        sigh. I cannot give google a pass. they act like god's gift to networking yet they make 'mistakes' like this? sorry, but I don't buy it.

        • Re:So... (Score:5, Insightful)

          by betterunixthanunix (980855) on Monday February 20, 2012 @06:18PM (#39104205)
          P3P sounds like a stupid idea anyway. How does it protect user privacy if something as trivial as the attack described above totally defeats it?

          If the IE or Safari teams really cared about user privacy, they would be more strict about allowing sites to set or read cookies. This is just an excuse for Microsoft and Apple to publicly bash one of their competitors while continuing to not give two hoots about their users.
          • Re:So... (Score:5, Funny)

            by ganjadude (952775) on Monday February 20, 2012 @06:22PM (#39104243) Homepage
            P3P, I'm still trying to master P2P!
          • Re:So... (Score:4, Insightful)

            by ArsenneLupin (766289) on Monday February 20, 2012 @06:23PM (#39104261)

            P3P sounds like a stupid idea anyway. How does it protect user privacy if something as trivial as the attack described above totally defeats it?

            P3P is an honor system anyways. The same effect could be obtained by a syntactically well-formed promise not to abuse the 3rd party cookies, but which google would never intend to keep...

            • by thsths (31372)

              > P3P is an honor system anyways. The same effect could be obtained by a syntactically well-formed promise not to abuse the 3rd party cookies, but which google would never intend to keep...

              Yes, but that would not be legal. User tracking happens with the presumed consent of the user. Once a site knows that the user does not want to be tracked and continues, or even tricks the browser into tracking despite a setting that demands the opposite, the tracking becomes illegal activity.

              I am not sure most tracking sites bother with such fine distinctions, but they cannot hide from the law forever.

              • Re:So... (Score:4, Insightful)

                by ArsenneLupin (766289) on Tuesday February 21, 2012 @05:17AM (#39108005)

                Yes, but that would not be legal.

                Exactly.

                And what we're trying to argue here is that google's subterfuge should not be legal either. What they did was say something to the computer in such a weird way that it means exactly the contrary to a human. This can't be right.

                It's as if a party A drafted a contract with a party B, and deliberately inserted some spelling errors in his promises to B, and later reneged on these promises under pretense that the text is just gobbledygook and thus not a legal commitment (all the while insisting that B should uphold his part of the deal). Very shady.

                An honor system works because of the implicit threat of shaming (or suing) a would-be infringer. Google infringed. So we are trying to shame them by pointing out what they did. If you take this away by saying "but the scheme is broken, it can be subverted by just making false promises, so Google is ok in doing what they did and Microsoft is stupid by behaving according to standard (ha!)", then you are indeed breaking it by helping Google out of a well-deserved public shame.

                It's the same as with robots.txt or similar schemes really. Trivially easy to ignore, but reputable spiders won't ignore it because they know that people will notice, and call them to it.

                I am not sure most tracking sites bother with such fine distinctions, but they cannot hide from the law forever.

                Only small sites need to hide. Big sites (apparently) don't need to, they're "too big to be considered rude" / "too big to be sued".

              • Genuinely curious here. What law exactly makes that illegal? I've never heard of such a law.

          • Re:So... (Score:5, Interesting)

            by recoiledsnake (879048) on Monday February 20, 2012 @06:42PM (#39104499)

            P3P sounds like a stupid idea anyway. How does it protect user privacy if something as trivial as the attack described above totally defeats it?

            If the IE or Safari teams really cared about user privacy, they would be more strict about allowing sites to set or read cookies. This is just an excuse for Microsoft and Apple to publicly bash one of their competitors while continuing to not give two hoots about their users.

            Reading your Gmail emails should be very trivial for Google employees. That doesn't make it okay, does it? One would expect Google to have higher standards.

            You'd expect shady sites to "attack" a gentleman's agreement, not Google. If you think they're the same, would you be okay with hosting your mail on warez-email.com ? After all, they're both on the big bad internet.

          • Re:So... (Score:4, Interesting)

            by hairyfeet (841228) <bassbeast1968@ g m a i l.com> on Monday February 20, 2012 @06:50PM (#39104565) Journal
            Because then you have tens of millions of users screaming "My Gmail won't load!"? let's face it folks can "spin" all they want but Google ain't THAT dumb. they have some of the best engineers of the planet. So can we all just accept that "Do no evil" is nothing more than "Think different" aka marketing bullshit and realize that Google is only gonna do what is best for Google already?
            • Re:So... (Score:4, Informative)

              by recoiledsnake (879048) on Monday February 20, 2012 @06:54PM (#39104611)

              Gmail doesn't need third party cookies. This is about sites with +1 buttons. They allow Google to track all users across all sites that have them.

              • Re: (Score:2, Informative)

                by Anonymous Coward
                Exactly. And I don't want those buttons anyway. Most people don't want them. What this kerfuffle made me realize is that Chrome allows third-party cookies by default. It makes sense that an advertising company would do this I guess. But IE and Safari obviously don't allow them by default. Firefox I am not sure. I used to use FF a lot, but may have customized my settings. Right now it is set to allow the 3rd party cookies but treat them as session cookies and delete them when FF is closed. Chrome was just a
                • Re:So... (Score:5, Interesting)

                  by AngryDeuce (2205124) on Monday February 20, 2012 @09:21PM (#39105847)

                  If you're using Chrome, I highly recommend ScriptNo [google.com]. It took a while, but they've finally got a decent analogue of NoScript for Firefox. With its most restricted settings, it pretty much blocks everything you don't whitelist yourself, and has a special "antisocial" mode that automatically blocks all the social networking bullshit every fucking site in the world has now.

                  ScriptNo and Adblock Plus are pretty much a necessity for web browsing these days, in my opinion.

                  • by hairyfeet (841228)
                    Hey thanks for the heads up, the one thing I missed when I switched from Firefox (which has gotten too bloated and slow) is my NoScript. It works perfectly in Comodo dragon BTW, and combined with Comodo Dragon's security features really works great. if you haven't tried the Dragon give it a spin, it has some really nice security options like SecureDNS for the browser only and site inspector.
                • Anyone know how to turn off the ones that pop up on slashdot? I can't moderate from my iPad since they came along - as they pop up when finger touches screen and steal the focus from the moderation drop down box.

                  I can't find any option in slashdot options, and there's no noscript for safari for iOS...

            • by MidGe (69308)

              "...they have some of the best engineers of the planet."

              That may be so, but the best engineers are still immersed in a corporate culture. A corporate culture that seems to have changed a lot since the pre-float days! It is quite different from the founders' motto of those days!

              I used to evangelize for Google, well before the float, that is. I am currently moving as completely as I can from all their services. I don't like the new deal about combining their various services one bit.

              • by hairyfeet (841228)
                I think there is like a rule that once a company gets a certain size they just HAVE to turn evil, its like the greed of that many people combined just tips the scale. Hell look at MSFT, once upon a time they were just this small software and OS company that was undercutting the competition while Kildall was the more elitist of the two, but then one day they got to a certain size and it was like the little nerds grew Snidely Whiplash mustaches and doing Dr Evil laughs. Now Google has gone from a bunch of ner
          • Re:So... (Score:4, Insightful)

            by noh8rz2 (2538714) on Monday February 20, 2012 @06:53PM (#39104595)
            don't blame the abuser! it's the victim's fault. she should have known better than to try to talk to him when he was stinking drunk again. Look what she made him do!
          • Re:So... (Score:5, Insightful)

            by Richard_at_work (517087) <richardprice@noSPAM.gmail.com> on Monday February 20, 2012 @07:18PM (#39104899)

            Quite simply, it allows stories like this - which is a good thing.

            P3P allows a website to make a very obvious statement about their intentions, to a set specification - if the website specifically sets a P3P that they don't honour then it becomes a PR issue, as it has in this case.

            Google were breaking the spec here, in such a way that creates a valid P3P statement in the process which says "we won't be doing anything untoward with your cookies" - the field they use is not a text field and therefore the content they put into it is ignored, resulting in a zero length list of items they *will* do with the cookies...

            That definitely should get Google into the tech media at least.

            • by arose (644256)

              Google were breaking the spec here, in such a way that creates a valid P3P statement in the process which says "we won't be doing anything untoward with your cookies" - the field they use is not a text field and therefore the content they put into it is ignored, resulting in a zero length list of items they *will* do with the cookies...

              At which point any conforming client shouldn't let them set or read cookies...

              • This is exactly what the problem is with the "Allow All" thinking. If everyone went with the "Deny All" and whitelist what is actually needed, we wouldn't have most of the damn problems we do as this shit wouldn't be possible to begin with

            • by makomk (752139)

              Actually, from what I can tell it doesn't say that they won't be doing anything untoward with the cookies. In order for them to make that statement they'd have to include one of the P3P policy tokens declaring that they didn't. In actual fact it's not a valid P3P policy at all precisely because it doesn't say anything about their privacy policies that's machine readable.

              For some reason, Internet Explorer just assumes that any P3P policy not containing one of a specific set of forbidden policies is saying th

          • by Tepic++ (221291)

            I believe the idea is that it is legally binding promise from the website operator to the user. It's not trying to be a technical fix.

          • Re:So... (Score:5, Interesting)

            by davester666 (731373) on Tuesday February 21, 2012 @12:18AM (#39106819) Journal

            Actually, I would say it's worse in Microsoft's case because:

            1) msn.com and live.com BOTH use the described technique to 'work around' P3P in IE 9
            2) Microsoft's web site recommends doing this to work around an IE 9 'bug'.

        • Re:So... (Score:5, Informative)

          by cheater512 (783349) <nick@nickstallman.net> on Monday February 20, 2012 @07:07PM (#39104755) Homepage

          Course it is deliberate. Question: So what?

          It doesn't do anything to IE and is ignored by every other browser.
          P3P is deprecated and has been for years - no other browser pays any attention to it.
          All it does is make Google's products work properly with IE (not just ad tracking).

          If I needed to add gibberish to one of my sites like that P3P policy to make it work, I would.

        • Re: (Score:2, Informative)

          by wireloose (759042)
          from OP:

          The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter.

          Also can't give Microsoft a pass, especially if they're truly supposed to be ignoring undefined policies. It's not like Microsoft has ever been particularly supportive of standards they didn't develop, or like they've ever really developed a secure browser.

          • Re:So... (Score:4, Insightful)

            by amicusNYCL (1538833) on Monday February 20, 2012 @07:59PM (#39105233)

            In this case, "ignoring undefined policies" means that there are no stated privacy implications. If the P3P policy is blank then the site is saying there are no privacy implications for its cookies.

            • by cynyr (703126)

              no, "no stated privacy implications" != "No privacy implications"... You have not been definitively told there are none, so the "safe" thing to do is to assume the worst and nuke it from orbit. TBH I'm not sure who wrote the spec the other way.

              • It definitely sounds backwards, and may be only like that so that when it was implemented that everything would continue to work like it already did. But, I disagree that an empty P3P header is the same as a missing P3P header, or "no stated privacy implications" != "No privacy implications". An empty P3P header implies that the server is responding to a request for P3P information, and has no implications to disclose (which is the correct response if that is true). A missing P3P header would mean that t

      • Re:So... (Score:5, Insightful)

        by irregular_hero (444800) on Monday February 20, 2012 @06:25PM (#39104281)

        Google has been claiming "oopsies" almost weekly over the last couple months. In this case they put this in their policy: 'P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 [google.com] for more info."' in what is meant to be a machine-readable field. Following the spec would have been easy-- omit the field altogether. Instead Google violates the spec in a way that benefits them. It's possible Google is just really incompetent over all these "oopsies", but they sure try to represent themselves as a company with above-average engineers. It has to be one or the other.

        Can't say I really can fault Google for this. Explaining why would require an understanding of how P3P 1.0 objects are configured and how limited those types really are.

        P3P 1.1 work has stalled (albeit in provisionally final state) and is likely to not restart; in its absence is P3P 1.0 which exists firmly in the world-as-it-was of 2000/2001. It covers cookies and certain types of form transmission, but doesn't cover privacy aspects of other types of persistent data, new transmission protocols (like SPDY), advanced caching techniques, or HTML5 storage. Technology has advanced past the point that P3P 1.0 is useful -- and quite simply, it's doubtful it ever really was. If you visit the link Google supplies it explains some of their reasoning, and it's pretty dang valid for a post-2007 view of the Web.

        Those chucking bombs over this would be better served to focus their efforts on either modernizing or replacing P3P 1.0 -- or, better yet, trying something radically different like PRIME or Policy-Aware-Web tried to do.

        • Re:So... (Score:5, Insightful)

          by recoiledsnake (879048) on Monday February 20, 2012 @06:45PM (#39104521)

          Google is using +1 buttons to track visitors browsing on 3rd party sites to enhance their ad profiles for users. This is explicitly why P3P was even made as a standard. Circumventing the standard by sending invalid data while saying nothing exactly fits the definition is a cop-out.

          • Re:So... (Score:5, Informative)

            by irregular_hero (444800) on Monday February 20, 2012 @07:12PM (#39104817)

            You're splitting hairs here.

            P3P 1.0 doesn't allow for multi-site declarations, only "cross-site" declarations. There can be one -- and only one -- P3P policy; by the standard it doesn't allow but ONE policy and states that others, if present, should be ignored. This just isn't how the Web works these days. Cloud services have pretty much become a de facto standard, but P3P forces site administrators to take a P3P policy from the integrated service and mash it into their own policy (and hope the service policy never changes). This just isn't practical.

            A site admin CHOOSES to use +1 buttons and FB like buttons. Inclusion of these objects would optimally prompt an admin to adjust their _own_ P3P policy, but it's just a plain ol' administrative nightmare to manually take the respective organizations' policies and create a master policy out of all of them. It's fully manual; it has no concept of "merging" policies to present users with enough information to make informed choices on the multitude of SaaS services sites now use. That's the issue.

            The darn thing is broken. Period. Hard to claim "cop-out" when dealing with a protocol that's stuck in 2001.

          • So the offending party can all by itself circumvent the barriers the standard dictates against him. Isn't that alone enough reason to abandon the standard? Or do we expect the dishonest to act honestly on the web?

            I'm not defending Google, by the way. I just don't understand why Microsoft (or anybody else) is trusting the "evil bit" when it claims a package isn't evil.

      • You said,

        It's possible Google is just really incompetent over all these "oopsies", but they sure try to represent themselves as a company with above-average engineers. It has to be one or the other.

        I'll be an annoying Philosophy 101 kid and state right off the bat that's a false dichotomy.

        Anyway, anybody who's worked in the tech sector(or read enough Dilbert, or both) knows that even the "above-average" engineers are boneheads. I'll give you a few real-life examples I have encountered - an engineer who though it would be a good idea to couple zinc anodes to a titanium plate to be deployed under the sea, the engineer who didn't overdesign a power circuit which resulted in exploding power t

      • Re:So... (Score:5, Insightful)

        by CowTipperGore (1081903) on Monday February 20, 2012 @07:01PM (#39104699)

        From my reading of Microsoft's long blog post, Google didn't violate the spec. IE does not correctly implement the spec and Google is abusing that by using a legal but illogical header. If Google doesn't say what they are doing with the data, then IE shouldn't provide it. Instead, Google says "I'm not telling you anything about my intent" and IE says "Good enough. The key's under the mat. Lock up when you're done." The whole system is trust based. Google doesn't promise anything and IE doesn't care. Google is being shady and Microsoft is being incompetent.

        My biggest problem here is Microsoft releasing this now in a lengthy blog post and trying to tie it to the Safari dust-up. They know that the blogs will not include their full release and will instead carry the headline like you see here. This is a PR move at least as dishonest as what Google appears to be doing with their P3P header.

        • > Google didn't violate the spec

          The list is supposed to be populated with the code(s) of what they're doing with the info. They're lying by not stating they're tracking users browsing habits when they visit pages with +1 buttons. Leaving it blank is not in the spec.

          • Re:So... (Score:4, Informative)

            by CowTipperGore (1081903) on Monday February 20, 2012 @07:28PM (#39104975)

            Not even Microsoft supports your argument. From their blog post:

            Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter.

            Rather than ignoring it, IE is assuming that Google told them something positive.

        • Re:So... (Score:5, Insightful)

          by GIL_Dude (850471) on Monday February 20, 2012 @07:17PM (#39104891) Homepage
          Well, it is certainly trust based and open for abuse (people can certainly lie in the header). However, what Google should be doing is not providing a P3P header at all. It is only someone who is openly abusing the trust system who would create a P3P header that doesn't contain any P3P information. It is fairly clear that it was done on purpose - to abuse the trust system. Is that system a crap design? Yes. Yes, it is. Should major companies be out there abusing it if they want us to trust them? No. No, they should not. It is pretty clear from this that:

          1) We need to call out companies that do this type of thing. Not just with P3P but anytime they abuse the system or game it. They need to be made to understand that a very vocal set of folks will make it known what they are doing and that it is bad for their business to be found gaming trust systems.
          2) We need better systems that don't just trust whatever a company says about their intentions with our data.
          • What Google is doing certainly is outside the spirit of the P3P system. They clearly are doing it on purpose.

            That said, P3P was an incomplete idea that has sat around a decade or so waiting to be finished. This issue has been documented and pretty well known for at least two years. It wouldn't be an issue if Microsoft correctly parsed the P3P header. Microsoft bringing this up now and trying to lay all the blame on Google is a calculated PR pile on.

            • by Ash-Fox (726320)

              What Google is doing certainly is outside the spirit of the P3P system. They clearly are doing it on purpose.

              I remember having to break P3P the EXACT same way Google did to make embedded elements like iframes work properly from the same site, which should have worked properly to begin with according to the spec, but guess which browser failed at doing that...

              You'd think being the IE team, they'd know about some of the really bad workarounds created to deal with their browser.

      • To be fair, these are just technicalities. People with a grudge going over their practices with a fine-toothed comb. Remember the Wall Street Journal is owned Rupert Murdoch and that Microsoft is Microsoft. The people making the claims here have a bone to pick in both cases. Google is only doing with their +1 button what Facebook does with their like button--except that Facebook actually keeps tracking you when you log out.

        Yes, Google is violating the spec to make things work the way they want them to,

    • by billcopc (196330)

      Anything that relies on "voluntary" cooperation is flawed. Either you accept that 99% of the internet will ignore it and quityerbitchin', or... you create a privacy standard that is client-enforced and leaves no room for loose interpretation.

      Just because people think they can shame Google into playing nice, doesn't mean those Doubleclick rat bastards will, nor any 3rd world fraudster, which means this whole P3P thing is a joke.

      • Just because people think they can shame Google into playing nice, doesn't mean those Doubleclick rat bastards will

        I think Google owns Doubleclick. But you're right, privacy has to start with the client.

      • Anything that relies on "voluntary" cooperation is flawed. Either you accept that 99% of the internet will ignore it and quityerbitchin', or... you create a privacy standard that is client-enforced and leaves no room for loose interpretation.

        Just because people think they can shame Google into playing nice, doesn't mean those Doubleclick rat bastards will, nor any 3rd world fraudster, which means this whole P3P thing is a joke.

        I am sure you will say the same thing if Google employees start reading your email for fun and profit.

        "Oh it's okay, it's your fault for trusting a site on the internet, stop demanding them to stop it, would warezemail.com stop?".

        • by Obfuscant (592200)

          I am sure you will say the same thing if Google employees start reading your email for fun and profit.

          The ECPA doesn't call for voluntary compliance. Please stop using this silly analogy.

    • Re: (Score:3, Insightful)

      by sjames (1099)

      No. The browser is supposed to ignore the whole thing if it doesn't find anything it understands. Why MS doesn't make IE just go with the default of NO in those cases, I don't know.

      Of course, why Google sends such a non-statement is questionable as well.

    • In other words, if your server delivers a garbage or blank P3P header, the browser assumes there are no privacy implications? Sounds like a hole in the standard to me, such headers should be ignored IMO.

      And the standard agrees with you. Even Microsoft admits as much in their blog post:

      The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter.

    • by Rich0 (548339)

      Yup. This sounds like the whole "GPL\0 is not the license this module is offered under. This module is proprietary." thing that was going on with some proprietary kernel modules a few years ago. In that case it really didn't have any negative impact to the end-user - just to kernel developers.

      While this is a bit of an exploit in P3P, I despise loopholes, so I'm not going to give Google a free pass here...

    • by Whuffo (1043790)

      Microsoft is just using the same kind of "logic" that my ex-wife did during our divorce. Accuse, accuse, accuse with all the bad information they can manufacture.

      It doesn't matter if you're innocent or not; most folks will only remember the accusation.

      Get the facts and you'll see what this is really all about; Microsoft trying to beat down a competitor using any and all tactics they can

  • by Spy Handler (822350) on Monday February 20, 2012 @06:06PM (#39104067) Homepage Journal
    telling us that Charles Manson does bad things...
    • by cupantae (1304123)

      No it's not. It's one company making a complaint about another.
      If this is the beginning of the big companies goading one another into following standards, it's great news for the user.
      But it probably isn't.

  • Sounds like you are asking the bad guys to cooperate with you. If you want to protect user privacy, do not allow sites to set arbitrary cookies, do not allow iframes to set or read cookies, and so forth. Does anyone really think that Google is going to voluntarily respect privacy, when their entire business is based on tracking people?

    We have see proposal after proposal based on the idea that either users should be forced to opt-out of invasions of their privacy, or that the people who want to violate
  • IE's fault? (Score:5, Insightful)

    by Todd Knarr (15451) on Monday February 20, 2012 @06:16PM (#39104187) Homepage

    When I was configuring P3P for Mozilla/Firefox, it distinguished between what exactly the P3P policy was stating. If the site didn't say in the P3P policy what it was doing with cookies, Firefox assumed the worst. It seems to me that if the IE devs were dumb enough to stop after seeing a P3P policy presented and didn't bother checking what it said, or if they assumed a lack of a statement indicated respect for privacy, that's a failure in IE. The code needs to start out assuming personal information is collected and used without consent, and then upgrade only if the P3P header specifically says something better. It's not like that's hard to implement.

    Then again, we've seen similar problems in Microsoft software time and time again: they assume the best (input's valid, doesn't contain special characters, etc.) until they detect otherwise, even though best practices say to do the opposite (assume input's invalid until analyzed and proven correct, list the known non-special characters and filter out or escape everything not in that list).

    • by rusty0101 (565565)

      It looks to me that Google is doing exactly what their p3p policy says they will do. It also looks to me like IE is assuming that simply because there is a reference to a p3p that it says whatever the developer thinks a p3p should say, rather than whatever it actually says.

      I'm not saying that Google shouldn't be setting up a situation where 3rd party cookies may be accepted when they are not wanted. I don't know how the p3p in place was decided upon, but just because I have a valid drivers license, doesn't

      • Re:IE's fault? (Score:5, Informative)

        by OverlordQ (264228) on Monday February 20, 2012 @06:31PM (#39104351) Journal

        It looks to me that Google is doing exactly what their p3p policy says they will do.

        No, it's doing the exact opposite. P3P is a list of things you *WILL USE* the cookie data for, not what you *WILL NOT* do. Per the spec, if it's not a valid tag it gets ignored; remove all the invalid stuff and Google is effectively sending P3P="", or in other words, they won't use it for anything.

        • Re: (Score:2, Insightful)

          by Todd Knarr (15451)

          Wrong. "P3P=" isn't saying they won't use it for anything, it's not saying anything about what they'll use it for. You're supposed to be able to trust anything said in the P3P header, but nothing in the P3P spec says they have to say anything. And if they don't say anything about a specific subject, best practice is to assume the same as if they hadn't included the P3P header at all (at least regarding whatever item you're looking at at the moment).

          If you need someone to drive a vehicle for you and they won

        • It looks to me that Google is doing exactly what their p3p policy says they will do.

          No, it's doing the exact opposite. P3P is a list of things you *WILL USE* the cookie data for, not what you *WILL NOT* do. Per the spec, if it's not a valid tag it gets ignored; remove all the invalid stuff and Google is effectively sending P3P="", or in other words, they won't use it for anything.

          Then, since Google's p3p policy is sent as just a URL, shouldn't IE be ignoring it since it's not valid?

    • Google intentionally breaks a W3C standard for its profit and it's totally MS' fault and Google is the knight in shining armor that deserves no blame whatsoever. Wow, just wow.
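
The two positions argued in this subthread (parse the compact policy and default to "assume the worst" when it says nothing usable, versus "ignore unknown tokens and accept whatever is left") can be put side by side in code. The following is an added example written for this page, not code from Internet Explorer, Google, or any poster here. It extracts the CP="..." part of a P3P response header, drops unrecognised tokens as the spec requires, and then applies both decision rules. The token vocabulary is the W3C compact-policy list as I recall it, the "unsatisfactory" test is a deliberately simplified stand-in for a browser's real rule table, and the sample headers (including the not-a-policy one pointing at example.invalid) are constructed for illustration; treat all three as assumptions.

```javascript
// Added example: two evaluators for a P3P compact policy (the CP="..." part
// of a P3P response header), run over constructed sample headers.
//   evaluateLenient(): ignore unknown tokens, accept whatever is left
//                      (the behaviour the thread attributes to IE);
//   evaluateStrict():  "nothing recognisable" counts as "no policy" and is
//                      blocked (the default-deny rule argued for above).
// Assumptions: the token vocabulary below, the simplified "unsatisfactory"
// rule, and the sample headers are all illustrative, not any browser's table.

const KNOWN = new Set([
  "NOI", "ALL", "CAO", "IDC", "OTI", "NON",                 // access
  "DSP", "COR", "MON", "LAW", "NID",                        // disputes, remedies, non-identifiable
  "CUR", "ADM", "DEV", "TAI", "PSA", "PSD",                 // purposes (suffix a/i/o = always/opt-in/opt-out)
  "IVA", "IVD", "CON", "HIS", "TEL", "OTP",
  "OUR", "DEL", "SAM", "UNR", "PUB", "OTR",                 // recipients
  "NOR", "STP", "LEG", "BUS", "IND",                        // retention
  "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",   // data categories
  "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",
  "TST",
]);

// Assumption: categories that identify a person, and purposes a user would
// object to unless they opted in.
const IDENTIFIABLE = new Set(["PHY", "ONL", "FIN", "GOV"]);
const SENSITIVE_PURPOSES = new Set(["PSA", "PSD", "IVA", "IVD", "CON", "TEL", "OTP"]);

// Pull the compact policy out of a raw header value such as
//   policyref="/w3c/p3p.xml", CP="NOI DSP COR"
// Returns null when no CP="..." is present at all (no policy presented).
function extractCP(headerValue) {
  if (headerValue == null) return null;
  const m = /CP\s*=\s*"([^"]*)"/i.exec(headerValue);
  return m ? m[1] : null;
}

// Tokenise per the spec's rule: anything that is not a defined token is
// ignored. Recognised tokens come back as {base, suffix}.
function parseTokens(cp) {
  const recognised = [];
  const ignored = [];
  for (const tok of cp.trim().split(/\s+/).filter(Boolean)) {
    const m = /^([A-Z]{3})([aio])?$/.exec(tok);
    if (m && KNOWN.has(m[1])) recognised.push({ base: m[1], suffix: m[2] || "" });
    else ignored.push(tok);
  }
  return { recognised, ignored };
}

// Simplified "unsatisfactory" test: identifiable data declared together with
// a sensitive purpose that is not marked opt-in ("i").
function isUnsatisfactory(tokens) {
  const hasPII = tokens.some((t) => IDENTIFIABLE.has(t.base));
  const hasNonOptInSensitive = tokens.some(
    (t) => SENSITIVE_PURPOSES.has(t.base) && t.suffix !== "i");
  return hasPII && hasNonOptInSensitive;
}

// Lenient: no header -> block; otherwise block only on unsatisfactory tokens.
// A policy made entirely of unknown words filters down to zero tokens and
// is accepted, which is the hole discussed above.
function evaluateLenient(headerValue) {
  const cp = extractCP(headerValue);
  if (cp === null) return { decision: "block", reason: "no P3P compact policy" };
  const { recognised } = parseTokens(cp);
  if (isUnsatisfactory(recognised)) return { decision: "block", reason: "unsatisfactory policy" };
  return { decision: "accept", reason: `${recognised.length} recognised token(s), none unsatisfactory` };
}

// Strict: same rules, but a policy that says nothing recognisable is treated
// exactly like a missing one.
function evaluateStrict(headerValue) {
  const cp = extractCP(headerValue);
  if (cp === null) return { decision: "block", reason: "no P3P compact policy" };
  const { recognised, ignored } = parseTokens(cp);
  if (recognised.length === 0) {
    return { decision: "block", reason: `no recognised tokens (ignored: ${ignored.join(" ")})` };
  }
  if (isUnsatisfactory(recognised)) return { decision: "block", reason: "unsatisfactory policy" };
  return { decision: "accept", reason: `${recognised.length} recognised token(s), none unsatisfactory` };
}

// Constructed sample header values (not captured from any real site).
const SAMPLES = {
  missing: undefined,
  honestOk: 'CP="NOI DSP COR NID CURa ADMa DEVa OUR STP"',
  honestTracking: 'CP="NOI DSP COR PHY ONL PSAo IVAo OUR IND"',
  notAPolicy: 'CP="This is not a P3P policy! See http://example.invalid/p3p for more info."',
};

// Decision matrix for every sample under both rules.
function compareAll() {
  const out = {};
  for (const [name, hdr] of Object.entries(SAMPLES)) {
    out[name] = { lenient: evaluateLenient(hdr).decision, strict: evaluateStrict(hdr).decision };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareAll());
}
if (typeof module !== "undefined") {
  module.exports = { extractCP, parseTokens, evaluateLenient, evaluateStrict, compareAll, SAMPLES };
}
```

Run with node and the table shows the only row where the two rules disagree: the not-a-policy header is accepted by the lenient evaluator and blocked by the strict one, while a missing header, an honest satisfactory policy and an honest tracking policy get the same answer either way. That is the whole argument in one line of output: defaulting to "no usable statement means no statement" costs nothing for sites that publish a real policy.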

  • by Twillerror (536681) on Monday February 20, 2012 @06:26PM (#39104301) Homepage Journal

    In IE iframes will block cookies if you don't have the right P3P policy. There were other bugs that would prevent your site's cookies from being read.

    I've "faked" a P3P header just so users of certain IE browser versions could use my site.

    At the end of the day the standard is a proposal and only MS thinks it's worth a hill of beans.

  • Just asking... I do not think we are talking about a tracking/advertising cookie here. I'm very certain Google uses first-party cookies for tracking/advertising (meaning it's your site and not Google that sets/owns the cookie). And first-party cookies need no P3P. Or am I wrong?

    • As stated in the URL they send in the invalid P3P policy, they use third party cookies to make Google+ +1 buttons work and other unimportant things
  • Did we say evil? We mean Don't Get Caught.
  • by SSpade (549608) on Monday February 20, 2012 @06:40PM (#39104467) Homepage

    Remember DoubleClick? The sleazy advertising company that everyone loved to hate? Remember when they merged with Abacus Direct, creating a merged company that would mine and combine everything from web cookies to physical addresses, names and phone numbers? Remember when this privacy issue was such an obvious risk that the FTC launched investigations into it? Or when they were widely categorized as malware purveyors, or when they were caught serving drive-by malware infections?

    Remember when they merged with a search company, changed their name to Google and kept doing all the same things?

    No? Thought not.

  • So, does running a truck through loopholes, bad specs, known bugs, etc.---when the intent is clear---constitute being evil?

  • Evil bit? (Score:4, Insightful)

    by mwvdlee (775178) on Monday February 20, 2012 @06:54PM (#39104613) Homepage

    This whole P3P thing just sounds like the evil bit all over again.
    How exactly is P3P supposed to protect users' privacy?

  • >Google’s P3P policy is actually a statement that it is not a P3P policy.

    As Rene Magritte would say: "Ceci n'est pas une politique P3P."
  • by idontgno (624372) on Monday February 20, 2012 @07:42PM (#39105089) Journal

    That's very surreal, Google.

    René Magritte would approve [wikipedia.org].

  • Never mind the protocol failure. If I'm reading this right, and it is right, then it seems the real problem is the W3C is attempting to create a standard designed to make web browsers accept third party cookies even though the user sets the browser to not accept any third party cookies. Now we'll need a setting to not accept third party cookies and another setting to really not accept third party cookies.
  • This is yet another story that boils down to: trust doesn't work, sand-boxing does.

  • Once or twice is a mistake, but google have been doing "evil" things repeatedly for a while now. I'm moving my stuff to iCloud (don't laugh). As a paid service (with mac purchase, subscription for additional data, etc) the payment is not my privacy.

    Blaming it on the browser is a cop out. If you're NOT evil, you wouldn't exploit it. I'm sure if the shoe was on the other foot (and someone was exploiting, say, a hole in Google's network to steal trade secrets) Google would be mighty pissed.

  • by 0-9a-f (445046) <drhex0x06@poztiv.com> on Monday February 20, 2012 @11:58PM (#39106717) Homepage

    Everyone seems to be getting all het-up about Google abusing trust, being deceptive, yada yada... But it's a fact: Google get headlines worldwide.

    In a world of clouds, +1s, and Likes, people want to circumvent the 2001 P3P objectives because that's how they want the web to work in 2012. So if IE is quietly ignoring P3P for Google, what other unknown, untrusted, and non-headline-grabbing sites might have been doing the same thing for the last 10 years? It seems other browsers ignore P3P as pointless, but not IE.

    It may be that by Google risking a minor PR hit, they might encourage Microsoft to drop the charade of P3P protection, and just maybe get enough people interested in pursuing a real solution.

  • So can't Microsoft patch P3P in IE to identify these workarounds, or simply reject Google cookies?
