Google Internet Explorer Microsoft Privacy

Microsoft Accuses Google of Violating Internet Explorer's Privacy Settings

New submitter Dupple writes with a followup to Friday's news that Google was bypassing Safari's privacy settings. Now, Microsoft's Internet Explorer blog has a post accusing Google of doing the same thing (in a different way) to Internet Explorer. Quoting: "By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent. P3P, an official recommendation of the W3C Web standards body, is a Web technology that all browsers and sites can support. Sites use P3P to describe how they intend to use cookies and user information. By supporting P3P, browsers can block or allow cookies to honor user privacy preferences with respect to the site’s stated intentions. ... Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy."
  • So... (Score:5, Interesting)

    by The MAZZTer ( 911996 ) <.moc.liamg. .ta. .tzzagem.> on Monday February 20, 2012 @06:02PM (#39104033) Homepage
    In other words, if your server delivers a garbage or blank P3P header, the browser assumes there are no privacy implications? Sounds like a hole in the standard to me, such headers should be ignored IMO. Though Google really should have tested this properly with all browsers before deploying it in production, it sounds to me like an oopsie, not at all like the Safari thing.
  • by SSpade ( 549608 ) on Monday February 20, 2012 @06:40PM (#39104467) Homepage

    Remember DoubleClick? The sleazy advertising company that everyone loved to hate? Remember when they merged with Abacus Direct, creating a merged company that would mine and combine everything from web cookies to physical addresses, names and phone numbers? Remember when this privacy issue was such an obvious risk that the FTC launched investigations into it? Or when they were widely categorized as malware purveyors, or when they were caught serving drive-by malware infections?

    Remember when they merged with a search company, changed their name to Google and kept doing all the same things?

    No? Thought not.

  • Re:So... (Score:5, Interesting)

    by recoiledsnake ( 879048 ) on Monday February 20, 2012 @06:42PM (#39104499)

    P3P sounds like a stupid idea anyway. How does it protect user privacy if something as trivial as the attack described above totally defeats it?

    If the IE or Safari teams really cared about user privacy, they would be more strict about allowing sites to set or read cookies. This is just an excuse for Microsoft and Apple to publicly bash one of their competitors while continuing to not give two hoots about their users.

    Reading your Gmail emails should be very trivial for Google employees. That doesn't make it okay, does it? One would expect Google to have higher standards.

    You'd expect shady sites to "attack" a gentleman's agreement, not Google. If you think they're the same, would you be okay with hosting your mail on warez-email.com ? After all, they're both on the big bad internet.

  • by maxwell demon ( 590494 ) on Monday February 20, 2012 @06:45PM (#39104525) Journal

    The problem is that, according to the standard, the browser should ignore any policy it cannot understand. Ignoring a policy means acting as if it wouldn't exist. If no policy exists, IE's behaviour with default settings is to not allow the cookie. Therefore by the standard, it shouldn't accept cookies when it doesn't understand the policy. If IE doesn't do that, it's the browser's fault.
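
Added example, not part of the comment above and not Internet Explorer's code: a small model of the two readings argued in this thread. "lenient" drops unknown tokens and accepts whatever is left, "strict" treats a compact policy with no recognised token as no policy at all. The token list is the P3P 1.0 compact vocabulary; the `OBJECTIONABLE` set, the function names and the sample headers are assumptions constructed for illustration.

```javascript
// P3P 1.0 compact-policy tokens (access, disputes, remedies, purpose,
// recipient, retention, categories, test).
const KNOWN = new Set((
  "NOI ALL CAO IDC OTI NON DSP COR MON LAW NID " +
  "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP " +
  "OUR DEL SAM UNR PUB OTR NOR STP LEG BUS IND " +
  "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC TST"
).split(" "));

// Hypothetical user preference: tokens that make a cookie unacceptable.
// This is an illustrative assumption, not IE's real rule set.
const OBJECTIONABLE = new Set(["UNR", "PUB", "TEL"]);

// Split the CP="..." value of a P3P header into recognised and unknown tokens.
// Returns null when the header carries no compact policy at all.
function parseCompactPolicy(headerValue) {
  const m = /CP\s*=\s*"([^"]*)"/i.exec(headerValue || "");
  if (!m) return null;
  const known = [], unknown = [];
  for (const raw of m[1].split(/\s+/).filter(Boolean)) {
    // Purpose/recipient tokens may carry an a/i/o consent suffix (e.g. TAIa).
    const t = /^([A-Z]{3})[aio]?$/.exec(raw);
    if (t && KNOWN.has(t[1])) known.push(t[1]); else unknown.push(raw);
  }
  return { known, unknown };
}

// mode "lenient": ignore unknown tokens, judge only what remains.
// mode "strict": a policy with zero recognised tokens counts as missing.
function decideThirdPartyCookie(headerValue, mode) {
  const cp = parseCompactPolicy(headerValue);
  if (cp === null) return "block";            // no policy: default is to block
  if (mode === "strict" && cp.known.length === 0) return "block";
  return cp.known.some((t) => OBJECTIONABLE.has(t)) ? "block" : "accept";
}

// Constructed sample headers (not captured traffic).
const SAMPLES = {
  notAPolicy: 'CP="This is not a P3P policy"',
  benign: 'CP="NOI DSP COR NID CUR ADM OUR NOR"',
  sharing: 'CP="CAO PSA TAIa UNR"',
  missing: "",
};

for (const [name, header] of Object.entries(SAMPLES)) {
  console.log(name, decideThirdPartyCookie(header, "lenient"),
              decideThirdPartyCookie(header, "strict"));
}
```

Only the `notAPolicy` header gets a different verdict between the two modes, which is the gap the thread is arguing about.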

  • Re:So... (Score:2, Interesting)

    by Anonymous Coward on Monday February 20, 2012 @06:57PM (#39104659)

    It does matter Microsoft is lying about this being a new revelation. Microsoft knew Facebook and Amazon do the same thing back in 2010 - so they obviously knew Google is doing this too. The timing of this is just cheap PR which is typical for Microsoft. Why don't they spend this time and effort in building a better standard and a better product?

  • Re:So... (Score:5, Interesting)

    by AngryDeuce ( 2205124 ) on Monday February 20, 2012 @09:21PM (#39105847)

    If you're using Chrome, I highly recommend ScriptNo [google.com]. It took a while, but they've finally got a decent analogue of NoScript for Firefox. With its most restricted settings, it pretty much blocks everything you don't whitelist yourself, and has a special "antisocial" mode that automatically blocks all the social networking bullshit every fucking site in the world has now.

    ScriptNo and Adblock Plus are pretty much a necessity for web browsing these days, in my opinion.

  • Re:So... (Score:5, Interesting)

    by davester666 ( 731373 ) on Tuesday February 21, 2012 @12:18AM (#39106819) Journal

    Actually, I would say it's worse in Microsoft's case because:

    1) msn.com and live.com BOTH use the described technique to 'work around' P3P in IE 9
    2) Microsoft's web site recommends doing this to work around an IE 9 'bug'.
