Microsoft Accuses Google of Violating Internet Explorer's Privacy Settings 197
New submitter Dupple writes with a followup to Friday's news that Google was bypassing Safari's privacy settings. Now, Microsoft's Internet Explorer blog has a post accusing Google of doing the same thing (in a different way) to Internet Explorer. Quoting:
"By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent. P3P, an official recommendation of the W3C Web standards body, is a Web technology that all browsers and sites can support. Sites use P3P to describe how they intend to use cookies and user information. By supporting P3P, browsers can block or allow cookies to honor user privacy preferences with respect to the site’s stated intentions. ... Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy."
In cases where P3P is not precise enough (Score:5, Informative)
According to Google, there is no code in the P3P standard to accurately describe how Google uses cookies. [In such a case,] how should a website fill use the P3P header?
The article answers this question by quoting a section from the P3P spec [w3.org]:
Re:IE's fault? (Score:5, Informative)
It looks to me that Google is doing exactly what their p3p policy says they will do.
No, it's doing the exact opposite. P3P is a list of things you *WILL USE* the cookie data for, not what you *WILL NOT* do. Per the spec, if it's not a valid tag it gets ignore, remove all the invalid stuff and google is effectively sending P3P="", or in other words, they wont use it for anything.
Re:So... (Score:4, Informative)
Gmail doesn't need third party cookies. This is about sites with +1 buttons. They allow Google to track all users across all sites that have them.
Re:In cases where P3P is not precise enough (Score:5, Informative)
The article answers this question by quoting a section from the P3P spec [w3.org]:
This is correct. However, as stated further down in the same section, the effect of such policies is to be positive and declarative (meaning the policy should state what the site DOES do, not what it DOES NOT do), and be informative to the user. The standard allows for user agents to then use the P3P policy to make it the basis for "authorization" but then goes on to state that implementers of user-agents can make their own decisions as to what the declarations mean in the context of the connection.
This has led to situations where browsers that implement P3P and tie it to certain "security features" end up with a browser implementation that works dramatically different than other browsers for the very same privacy declaraion. In most cases, browsers do not even IMPLEMENT a user-readable informational dialog for P3P -- it is by standard the browser implementers' decision.
If you're keeping score at home, that's bad.
Re:So... (Score:5, Informative)
Course it is deliberate. Question: So what?
It doesn't do anything to IE and is ignored by every other browser.
P3P is deprecated and has been for years - no other browser pays any attention to it.
All it does is make Google's products work properly with IE (not just ad tracking).
If I needed to add gibberish to one of my sites like that P3P policy to make it work, I would.
Re:So... (Score:2, Informative)
Re:So... (Score:5, Informative)
You're splitting hairs here.
P3P 1.0 doesn't allow for multi-site delclarations, only "cross-site" declarations. There can be one -- and only one -- P3P policy; by the standard it doesn't allow but ONE policy and states that others, if present, should be ignored. This just isn't how the Web works these days. Cloud services have pretty much become a defacto standard, but P3P forces site administrators to take a P3P policy from the integrated service and mash it into their own policy (and hope the service policy never changes). This just isn't practical.
A site admin CHOOSES to use +1 buttons and FB like buttons. Inclusion of these objects would optimally prompt an admin to adjust their _own_ P3P policy, but it's just a plain 'ol administrative nightmare to manually take the respective organizations' policies and create a master policy out of all of them. It's fully manual; it has no concept of "merging" policies to present users with enough information to make informed choices on the multitude of SaaS services sites now use. That's the issue.
The darn thing is broken. Period. Hard to claim "cop-out" when dealing with a protocol that's stuck in 2001.
Re:So... (Score:2, Informative)
The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter.
Also can't give Microsoft a pass, especially if they're truly supposed to be ignoring undefined policies. It's not like Microsoft has ever been particularly supportive of standards they didn't develop, or like they've ever really developed a secure browser.
Re:So... (Score:4, Informative)
Not even Microsoft supports your argument. From their blog post:
Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter.
Rather than ignoring it, IE is assuming that Google told them something positive.