Microsoft Accuses Google of Bypassing IE Privacy Settings
Microsoft has accused Google of bypassing IE privacy settings but Google has defended its actions, calling IE's cookie technology "widely non-operational."
Late last week the Wall Street Journal made quite a splash when it accused Google of tracking Safari users' activities without their knowledge. This past weekend Dean Hachamovitch, corporate vice president for Internet Explorer at Microsoft, penned a blog post that claims Google also circumvented the privacy settings of IE users.
Hachamovitch says that, by default, Internet Explorer blocks third-party cookies unless the site presents a P3P Compact Policy Statement that describes how the site will use the cookie and states that it will not use it to track a user. P3P, an official recommendation of the World Wide Web Consortium, is a technology that all browsers and websites can support; sites use it to indicate how they intend to use cookies and user information. Hachamovitch says that by supporting P3P, browsers can block or allow cookies to honor user privacy preferences with respect to the site’s stated intentions. However, according to Microsoft, Google approaches things a bit differently.
"Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy. It’s intended for humans to read even though P3P policies are designed for browsers to "read":
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
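An added example, not from the article or from Microsoft or Google: a small Python audit that checks a P3P header's compact policy against the token vocabulary of the W3C P3P 1.0 Recommendation, showing why the header above contains nothing a browser can interpret as a policy. It checks vocabulary only and does not model Internet Explorer's cookie decision; the two sample headers other than Google's are constructed.

```python
import re

# P3P 1.0 compact-policy vocabulary, grouped as in the W3C Recommendation.
ACCESS = "NOI ALL CAO IDC OTI NON"
DISPUTES_REMEDIES = "DSP COR MON LAW NID TST"
PURPOSE = "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP"
RECIPIENT = "OUR DEL SAM UNR PUB OTR"
RETENTION = "NOR STP LEG BUS IND"
CATEGORIES = "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC"

VALID = set(" ".join([ACCESS, DISPUTES_REMEDIES, PURPOSE, RECIPIENT,
                      RETENTION, CATEGORIES]).split())
# Purpose and recipient tokens (except CUR and OUR) may carry a consent
# suffix: a = always, i = opt-in, o = opt-out.
SUFFIXED = set((PURPOSE + " " + RECIPIENT).split()) - {"CUR", "OUR"}
CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)

# Header value quoted in the article.
GOOGLE_HEADER = ('CP="This is not a P3P policy! See http://www.google.com/support/'
                 'accounts/bin/answer.py?hl=en&answer=151657 for more info."')
# Constructed samples, not taken from any real site.
WELL_FORMED = 'CP="NOI DSP COR NID ADMa OUR NOR STA"'
MIXED = 'policyref="/w3c/p3p.xml", CP="NOI DSP HONK"'


def audit_p3p(header_value):
    """Split a P3P header's compact policy into known and unknown tokens."""
    match = CP_RE.search(header_value)
    if match is None:
        return {"verdict": "no-compact-policy", "known": [], "unknown": []}
    known, unknown = [], []
    for tok in match.group(1).split():
        suffix_ok = len(tok) == 4 and tok[:3] in SUFFIXED and tok[3] in "aio"
        (known if tok in VALID or suffix_ok else unknown).append(tok)
    if not known:
        verdict = "not-a-policy"      # nothing a P3P parser can interpret
    elif unknown:
        verdict = "mixed"             # unknown tokens would be ignored
    else:
        verdict = "well-formed"
    return {"verdict": verdict, "known": known, "unknown": unknown}


if __name__ == "__main__":
    for sample in (GOOGLE_HEADER, WELL_FORMED, MIXED):
        print(audit_p3p(sample))
```

Run against response headers collected from your own sites, a "not-a-policy" or "mixed" verdict marks a compact policy that does not describe cookie use in terms a P3P-aware browser can evaluate.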
Google has responded to Hachamovitch's lengthy post with its own statement that dubs Microsoft's P3P cookie technology "widely non-operational" and highlights the fact that it is not alone in attempting to get around this technology. Google says that P3P didn’t have a huge impact when it was introduced in 2002, but these days it actually breaks cookie-based features, such as Facebook's 'Like' feature (incidentally, Facebook is another company that doesn't comply with P3P).
"Despite having been around for over a decade, P3P adoption has not taken off. It’s worth noting again that less than 12 percent of the more than 3,000 websites TRUSTe certifies have a P3P compact policy. The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure," said Rachel Whetstone, Senior Vice President of Communications and Policy at Google. "A 2010 research paper by Carnegie Mellon found that 11,176 of 33,139 websites were not issuing valid P3P policies as requested by Microsoft. In the research paper, among the websites that were most frequently providing different code to that requested by Microsoft: Microsoft’s own live.com and msn.com websites."
What's more, Whetstone goes on to say that the reason all of these websites have decided against issuing valid P3P policies is because Microsoft said it was okay not to. Apparently that same Carnegie Mellon research paper from two years ago found that "Microsoft's support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE."
Microsoft has yet to respond to Google's lengthy statement but Google seems pretty adamant that it's not doing anything wrong. Or at least, if it is, it's not alone. This is the second time in the space of a few weeks that Microsoft has targeted Google publicly over privacy issues. Earlier this month, the company highlighted Google's controversial changes to its privacy policy with an ad campaign in several of the country's biggest newspapers. Redmond encouraged users unhappy with Google's actions to jump ship and try competing Microsoft products such as IE and Hotmail.
Further Reading
- Tom's Guide: WSJ: Safari Loophole Allowed Google to Track Users via Ads
- Microsoft: Google Bypassing User Privacy Settings
- Parislemon: Google's complete statement on the issue.

Another view from the Atlantic Wire: It's Not Just Google: Everyone Tracks Everyone on the Internet
2 problems here. Microsoft says it's OK to bypass this stupid feature then goes out to attack Google for doing just that. More of a marketing pitch in my opinion. Next, Google defends itself when they are in the right as Microsoft said it's OK. If they want to defend themselves, there are proper avenues to do this. They got lawyers for this exact reason. Makes for much more interesting news on Tom's.
Buaa Buaaa concentrate on other things Microsoft.
2 problems here. Microsoft says it's OK to bypass this stupid feature then goes out to attack Google for doing just that. More of a marketing pitch in my opinion. Next, Google defends itself when they are in the right as Microsoft said it's OK. If they want to defend themselves, there are proper avenues to do this. They got lawyers for this exact reason. Makes for much more interesting news on Tom's.
So because Microsoft breaks privacy that makes it Ok for Google to do it as well?
...
There's an old saying - two wrongs don't make a right - no-one should be tracking you without permission
We know neither play fair. How about the other 99% of the people who browse the internet daily?
"People seem to forget that Google isn't a search company that happens to sell advertising; it is an advertising company that happens to have a pretty good search engine.
It doesn't matter if it's Google, Twitter, Yahoo, or The Atlantic. If you're using a service and you aren't paying for it, you're not the customer: you are the product. "
As said by TheAnonymouse in the comments on the page linked by jhansonxi a few posts above me.
Online privacy is a myth. Not that that's a good thing, it's really horrible, but we would be hard-pressed to change this. The hoops you need to jump through to be more or less truly private are ridiculous. Just as a start, get Firefox with No-Script and Add-Block, TOR and/or Advanced Onion Router, good firewall, and don't forget to set each thing up to be the most secure.
Then you need to deal with performance degradation just to get that semblance of privacy. What we've come to in the online world is disgusting.
There's also more that you can do, but you're faced with ever-increasing performance overhead. Of course, you could stick with basics like Firefox + No-Script+Add-Block and enjoy increased performance, but everything else is probably going to decrease performance.
Any other ideas?
Another view from the Atlantic Wire: It's Not Just Google: Everyone Tracks Everyone on the Internet
Wait... people didn't know this? I figured out years ago that everyone will track everyone, it's human nature to want to know what others are doing and when you put that instinct combined with corporation sized power you get all this tracking and spying. I wonder how some people can stay so blind and think it doesn't happen at all.
So because Microsoft breaks privacy that makes it Ok for Google to do it as well?...There's an old saying - two wrongs don't make a right - no-one should be tracking you without permission
You live on the wrong world if you want no tracking without permission
I can imagine the internal conversations
High up Microsoft dude (HUMD) to his minions "Hey Minions!!! got anything we can slam google on?"
Microsoft Minion "Hmmm, well, they got a bunk P3P cookie"
HUMD "Alright sweet!!!" /blog
High up Google Dude to his minions (HUGD) "Hey Minions!! MS is slamming our P3P cookie. WTF! are they right?"
Google Minions "Well sure, they told us we could! Plus, they're doin it too"
HUGD "Sweet!!!" /blog
HUMD to his Minions "Gdamnit Minions!!! why didn't you tell me this shit?!?"
Microsoft Minions "You didn't ask!! Stop acting like a teenager and let us do some useful work!!!"
Microsoft says that we should use IE9 to have privacy protection. Bunch of Hypocrites.
They should release a patch for all IE browsers, not advertise ie9 features and bashing other products for their own benefit.
lol. Was wondering when this was going to show up on Toms hardware. Saw this one right after the Safari incident.
No one should be surprised that Google is tracking people on the internet. Where do you think they get all those Petabytes of user data from.
No one should be surprised that Microsoft is tracking people on the internet. Where do you think they get all those Petabytes of user data from.
The only difference is that we know that Google is using it to sell advertising, build better products, and other nefarious evil things. We have no idea what Microsoft uses it for because, while they are evil, it certainly isn't for building a better product.
"yo dawg i hurd yu leik circumventing privacy, so i put an NSA/CIA collaborative device in yo
ride so you can steal passwords while you google streetcar"
we love the internet.
we want it to be free.
if you don't want ads, and think google is going to anally probe you... start a pay for the internet foundation. make it so you have to pay money to every webpage you go to, and pay them for the bandwidth you use. go and do that... then let's also impose old email 10mb per account restrictions.
google funds websites by allowing ads, i dont care how they get the money.
we love the internet. we want it to be free. if you don't want ads, and think google is going to anally probe you... start a pay for the internet foundation. make it so you have to pay money to every webpage you go to, and pay them for the bandwidth you use. go and do that... then let's also impose old email 10mb per account restrictions. google funds websites by allowing ads, i dont care how they get the money.
Advertisements are okay when we aren't being watched constantly to supply us with more specialized advertisements. I have no problem with advertisements. The problem is that Google, Microsoft, Apple, the ISPs, etc. all steal private data (some of which can be used to identify you, most of it probably can't but still). The funny thing is that although some still deny it even though it's been proven time and time again that they do it by us geeks, we see more and more companies admitting that they have been stealing data from us for years.
I don't know for sure about you, but this worries me. Especially in light of the many hackers going into some of these companies and taking MBs and GBs of data, often posting it. How many times do we see thousands of people screwed over in some way because of credit card numbers and the like being leaked? Well, some of the data gathered may be able to be used to obtain such data, if it isn't already within the gathered data. I don't mind the ads too much, but I most certainly do mind the manner in which they are served. Especially since ads began using deplorable tricks to get you to click them, but that crap isn't new anymore and has been going on for years.
Because they can.
You live on the wrong world if you want no tracking without permission
Most of the time I am lucky, if I am browsing at work behind our beefy corporate firewall
As a web designer, I'm inclined to believe this has more to do with IE's notoriously crappy interpretation of code than anything else.
I mean, make no mistake about it, Google has gotten to the point where it would anally probe its own mother if it could make a buck from it, but it's been doing the exact same kind of stuff as this for years. Do nothing evil, right.
Part of me wants to congratulate Google for finally joining the ranks of people who are sick of IE's buggy crap, and part of me wants to throw up on Google for being that way.
Oh well, I guess it's just Google being Google.
Microsoft is just qq'ing because their product sucks. People with a bit more knowledge about computerz and webz are more likely to install firefox/chrome on their pc's. It is just a few websites that don't allow you to do stuff if ur not using IE for that (e.g.: internet banking).
But these big corps are most likely to qq on the others if their product isn't the best or isn't selling as good as ... Microsoft won't starve if all people on earth don't use their web browser.
Most of the time I am lucky, if I am browsing at work behind our beefy corporate firewall
...where your workplace tracks EVERY page you visit.
Most of the time I am lucky, if I am browsing at work behind our beefy corporate firewall
What do you think those corporates are doing to you with that beefy corporate firewall? Besides, how many times have we been shown just how impaired the security of most companies and such really is? Furthermore, a firewall doesn't need to stop all of this anyway, so you're probably just as vulnerable as the rest of us with or without that firewall.
Keep in mind, P3P is just a recommended standard, it is not a law. No company is required to practice it. So if google, facebook, or even microsoft don't use it, it does not mean that they are not following the required legal guidelines for protecting our privacy.
Microsoft is just using this, and the lack of public understanding of the topic in the good old FUD tactics they are so well known for. The public will see this message and assume that Google (and others) are not protecting their data, and that by not using P3P correctly they are not following legal guidelines, where the truth is legal protection and P3P are not connected in any way.
the act of the owner of the site posting the 3rd-party code on their page (html, javascript, whatever), they have taken responsibility for SHARING THE SITE'S TRAFFIC INFORMATION with the 3rd-party... so... this actually has NOTHING to do with microsoft OR google. this is between the user and the accessed site's privacy policy that *should* be presented to the user prior to site usage to state that they share traffic information with entity x so the user is given the choice to share their surfing habits. unfortunately there is no law out there that i know of that requires a site to present the privacy policy to the user prior to accessing the site where potential 3rd-party code resides.
i've always thought about using this cheap method in a site's terms of service and privacy policy... "by accessing this site, you agree to pay the site owner no less than 1,000,000 of american dollars for every second the site is used." ... take a few selected users to court and see if tos and privacy policies actually hold up in a court of law as being 'legal' documents.