Google, Microsoft, or Facebook: Who Dropped The Ball With Your Online Privacy?

    February 21, 2012
    Drew Bowling

Google, Microsoft, and Facebook are locked in a precarious blame game about who failed with your online privacy. First, Google got caught bypassing a security feature in Safari, which allowed the company to track users despite Safari’s no-tracking settings. Then yesterday, Microsoft accused Google of doing a similar thing to Internet Explorer users. Lots of smoke so far, but is there a fire?

Google responded today to Microsoft’s accusation, saying that the search engine company was not acting unscrupulously by tracking IE users and that it is instead Microsoft’s fault for not addressing a known flaw in its browser. To strengthen its argument, Google cited Facebook’s ubiquitous “Like” button found on websites and said that the feature uses the same method to track user info so, therefore, this isn’t a Google problem but a Microsoft problem. Facebook basically shrugged at Google’s attempt to drag it into the mix: the social networking site insouciantly confirmed today that it is in fact using the same bypass as Google.

Consider this: Is it okay for companies like Google and Facebook to be aggressively looking for ways to exploit browsers in order to continue raking in browsing information from users as long as it falls into the fuzzy parameters of legality? Or does Microsoft have a responsibility to protect Internet Explorer users by updating their privacy protections to block aggressive info-vampires like Google and Facebook? Have your say below in the comments.

As mentioned above, Microsoft revealed that Google’s been sidestepping a privacy setting in Internet Explorer in order to continue tracking users’ browsing habits despite the users selecting a feature to block websites from collecting data on them. Basically, the exploit that Google found involved a P3P policy statement that checks the intent of websites like Google. While the P3P policy should reject cookies from sites that don’t clearly express their purpose, Google intentionally used a vaguely defined cookie in order to bypass the P3P policy and still track the browsing habits of Internet Explorer users. Microsoft vilified Google after the revelation and, as you can imagine, Google was quick to defend itself.
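As an added illustration (not code from Microsoft, Google, or the research cited in this article), the sketch below audits a `P3P` response header the way a site owner or researcher might: it checks each compact-policy token against the W3C P3P 1.0 vocabulary and separates a policy with a few bad tokens from one with no recognizable tokens at all, which a parser that skips unknown tokens would read as an empty policy. The token list is taken from the P3P 1.0 specification rather than this page, and the hostnames and header values are constructed samples.

```python
import re
from collections import Counter

# P3P 1.0 compact-policy tokens that never take a suffix (W3C P3P 1.0, section 4.2).
_PLAIN = set("""
    NOI ALL CAO IDC OTI NON
    DSP COR MON LAW NID
    CUR OUR
    NOR STP LEG BUS IND
    PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC
    TST
""".split())

# Purpose/recipient tokens that may carry a consent suffix:
# a = always, i = opt-in, o = opt-out.
_SUFFIXED = set("ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP "
                "DEL SAM UNR PUB OTR".split())

# Pulls the quoted token string out of: policyref="...", CP="TOK TOK ..."
_CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)


def is_valid_token(tok):
    """True if tok is a compact-policy token defined by P3P 1.0 (strict case)."""
    if tok in _PLAIN or tok in _SUFFIXED:
        return True
    return len(tok) == 4 and tok[:3] in _SUFFIXED and tok[3] in "aio"


def audit_p3p_header(value):
    """Classify one P3P header value.

    Returns (verdict, recognized_tokens, unknown_tokens) where verdict is:
      no-compact-policy  header has no CP="..." part
      not-a-policy       CP present but contains no recognized token
      invalid-tokens     some recognized tokens mixed with unknown ones
      valid              every token is in the vocabulary
    """
    match = _CP_RE.search(value or "")
    if match is None:
        return ("no-compact-policy", [], [])
    recognized, unknown = [], []
    for tok in match.group(1).split():
        (recognized if is_valid_token(tok) else unknown).append(tok)
    if not recognized:
        verdict = "not-a-policy"
    elif unknown:
        verdict = "invalid-tokens"
    else:
        verdict = "valid"
    return (verdict, recognized, unknown)


def summarize(headers_by_host):
    """Count verdicts across a {host: P3P header value} mapping."""
    return dict(Counter(audit_p3p_header(v)[0] for v in headers_by_host.values()))


# Constructed sample headers (hypothetical hosts, not captured traffic).
SAMPLES = {
    "shop.example": 'policyref="/w3c/p3p.xml", '
                    'CP="NOI DSP COR NID CUR ADMa DEVo PSAi OUR BUS COM NAV INT STA"',
    "widget.example": 'CP="This is not a machine-readable policy. '
                      'See https://widget.example/privacy"',
    "legacy.example": 'CP="NOI ADM DEV FOO COM"',
    "bare.example": 'policyref="/w3c/p3p.xml"',
}

if __name__ == "__main__":
    for host, header in SAMPLES.items():
        verdict, ok, bad = audit_p3p_header(header)
        print(f"{host:16} {verdict:18} unknown={bad}")
    print(summarize(SAMPLES))
```

The `not-a-policy` verdict is the one to alert on when auditing third-party embeds: the header exists, so naive "has a P3P header" checks pass, yet it declares nothing.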

But Google’s defense is basically to point the fault back at Microsoft for using outdated security settings. In a response provided to WebProNews, Google’s Senior Vice President of Communications and Policy, Rachel Whetstone, shared the following:

Microsoft omitted important information from its blog post today.

Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known – including by Microsoft – that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other websites.

Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.

Here is some more information.

Issue has been around since 2002

For many years, Microsoft’s browser has requested every website to “self-declare” its cookies and privacy policies in machine readable form, using particular “P3P” three-letter policies.

Essentially, Microsoft’s Internet Explorer browser requests of websites, “Tell us what sort of functionality your cookies provide, and we’ll decide whether to allow them.” This didn’t have a huge impact in 2002 when P3P was introduced (in fact the Wall Street Journal today states that our DoubleClick ad cookies comply with Microsoft’s request), but newer cookie-based features are broken by the Microsoft implementation in IE. These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services. It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality.

Today the Microsoft policy is widely non-operational.

In 2010 it was reported:

Browsers like Chrome, Firefox and Safari have simpler security settings. Instead of checking a site’s compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies…..

Thousands of sites don’t use valid P3P policies….

A firm that helps companies implement privacy standards, TRUSTe, confirmed in 2010 that most of the websites it certifies were not using valid P3P policies as requested by Microsoft:

Despite having been around for over a decade, P3P adoption has not taken off. It’s worth noting again that less than 12 percent of the more than 3,000 websites TRUSTe certifies have a P3P compact policy. The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure.

A 2010 research paper by Carnegie Mellon found that 11,176 of 33,139 websites were not issuing valid P3P policies as requested by Microsoft.

In the research paper, among the websites that were most frequently providing different code to that requested by Microsoft: Microsoft’s own live.com and msn.com websites.

Microsoft support website

The 2010 research paper “discovered that Microsoft’s support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE.” This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft.

Google’s provided a link that explained our practice.

Microsoft could change this today

As others are noting today, this has been well known for years.

Privacy researcher Lauren Weinstein states: “In any case, Microsoft’s posting today, given what was already long known about IE and P3P deficiencies in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues.”

Chris Soghoian, a privacy researcher, points out: “Instead of fixing P3P loophole in IE that FB & Amazon exploited ……MS did nothing. Now they complain after Google uses it.”

Even the Wall Street Journal says: “It involves a problem that has been known about for some time by Microsoft and privacy

So here’s one thing I’m still unclear on: that last bit from Chris Soghoian, which asserts that Facebook and Amazon have previously “exploited” the same P3P loophole and yet Microsoft did nothing to fix it. While I agree with the gist that Microsoft should have fixed the flaw in order to protect Internet Explorer users, that doesn’t make what Google and Facebook have done okay to do.

Incredibly, Facebook entered the fray today and sided with Google by confirming, yes, they bypass the same P3P policy to track Internet Explorer users. In a statement to ZDNet, Facebook claimed, “Our P3P policy is not intended to enable us to set additional cookies or to track users. While we would like to be able to express our cookie policy in a format that a browser could read, P3P was developed 5 years ago and is not effective in describing the practices of a modern social networking service and platform.” The statement goes on to explain how Facebook reached out to Microsoft to develop additional solutions but no resolution was given.

Facebook’s response is coy but make no mistake: these are companies led and maintained by highly intelligent people that didn’t get to where they are by happenstance. It wasn’t an accident that Facebook and Google just happened to be running loops around Microsoft’s privacy settings.

Consider this: Suppose two of my friends both get away with stealing cars from an auto dealer. My larcenous pals say they took the cars because the dealer left the keys in them. My friends don’t get in trouble, fine, but the auto dealer continues the practice of leaving the keys in the cars. So does that make it okay for me to come around and steal a car just because the dealer didn’t change their policies and then defend myself by saying, “Well, my friends did it and you didn’t do anything about it”? Who’s at fault in this scenario?

Honestly, it doesn’t matter because all companies are at fault for something in this hot potato-blame game. Google and Facebook definitely knew of the Internet Explorer exploit and, even though they shouldn’t have taken advantage of a possible flaw in IE, they did it anyways. Microsoft also knew of the possible exploit in Internet Explorer and, whether naively or stubbornly, did nothing about it to protect IE users from sites like Google and Facebook.

Regardless of who ends up wearing the blame, it’s the people who use these services that are going to lose. Google and Facebook don’t respect your privacy enough to politely acknowledge you probably don’t want them to become your online shadow; if there’s a way for them to stab their digital proboscis into the vein of your browsing info, they’ll do it. Alternately, Microsoft doesn’t prioritize the protection of Internet Explorer users high enough to update the browser in order to prevent the Facebooks and Googles of the world from stalking people across the Internet.

To paraphrase a quote from a movie I saw recently: It’s all there, black and white, clear as crystal. You lose, internet users.

So who should take the fall for this snafu? Microsoft for sitting on their hands about a problem with Internet Explorer security, or Google and Facebook for having no qualms about exploiting a known privacy problem in Internet Explorer in order to continue tracking users? What improvements to online privacy would you like to see come from this debacle? Take your comments to the discussion below.

  • Kris

    Google and Facebook have “intent” to go against the wishes of their users and exploit a vulnerability to gain information about individual users. They do this without user permission and directly against the user’s already declared rejection of their tracking. They rejected invasion of their privacy when they set the browser settings. To knowingly go about to circumvent the privacy decisions of users is wrong and I sincerely hope that both organisations have severe legal penalties. As for blaming Microsoft, well that’s what narcissistic personalities do. They put the focus on another and are incapable of seeing their own faults. Google, and Facebook, have become narcissistic corporations operating without concern for anything other than their own empires.

  • http://www.canadaseopro.ca Todd

    This is a no brainer!

    Microsoft needs the responsibility to protect Internet Explorer users by updating their privacy protections to block aggressive info-vampires like Google and Facebook. Period. Fire Fox should do the same too!

  • Ray

    Greed is not new. To such companies, the bottom line always matters much more than decency or any thought of the public.

  • http://www.epalmspringsrealestate.com Abraham Baghbodorian

    The pressing issue here is how to stop all of them from keeping on secretly violating our privacy and our lives. The blame game is not going to resolve anything. This should be STOPPED and be classified as illegal.

  • http://www.epalmspringsrealestate.com Abraham Baghbodorian

    Anyone know if Apple addressed the Safari problem?

  • Dick Smith

    Microsoft ABSOLUTELY HAS a responsibility to protect IE users by updating their privacy protections to block aggressive info-vampires like Google and Facebook. Otherwise they are just another rapist like their peers, harming us all. I also agree with Abraham above i.e. codified not classified with multimillion dollar penalties and jail time for the EXECUTIVES including all the wonderkids.

  • Patrick Delaplace

    I’ll put the burden equally on all three companies, but I would approve and applaud if Apple goes to trial and sees Google/Facebook fined some tens of millions of dollars for not respecting individual privacy data.

  • http://www.jamaicaoceanviewvilla.com cavel

    Google and Facebook should not use the flaws in the system to exploit its customers.

    If I left my car door open and someone went in and stole something, then who is responsible for the theft, the thieves or I?

  • Ste

    Funny, when the big players spy on us using criminal tools others like MS or Apple have to protect us!?

  • http://nucco.org afanen01

    The issue would be straightforward if Apple and Microsoft were neutral parties in the matter.

    The problem arises because they are both competitors to Google. They would very much like to keep Google out, and use all that data for themselves. Apple does own an advertising firm, not quite sure about Microsoft, but I know they are trying to build a similar ecosystem as Apple’s.

    It is quite coy of them to pretend to care about user privacy, when it is obvious they merely want to keep outsiders out.

    We do not live in a perfect world, and it is quite naive to think that if you tick one box in your browser, then your browsing habits are private. There are far too many parties involved in every action you perform on the internet. Your ISP, you may or may not be using your ISP’s DNS servers, so that is a potential other party.

    Your browser vendor, yes, even your web browser does things to the search queries so that they can get some referral revenues. Then the parties you interact with. Do you shop with a reasonably sophisticated store? They can and do track you.

    Do you use a free email service such as Hotmail, Gmail, Yahoo? How do you think they manage to provide the services to you free of charge?

    Even in paid for services, the providers have an incentive to track you, even if it is merely to provide you better service, some simply promise not to bombard you with ads.

    What I am getting at is the fact that you cannot expect to get privacy for cheap, just by ticking a box and going to sleep. You have to actively pursue it, if you think it is valuable. Spread your shopping around a number of stores. Get a paid-for email account with agreeable policies, empty your cookies often, use more than one browser (I never sign into facebook with my primary browser, because every other website on the net has a facebook button nowadays), and if you use a free email service, well, use more than one, and spread your information around.

  • http://howtobecomeanaffiliatemarketer.com Andre daniel rice

    I had enough of Facebook personally. I deleted my account a couple of days ago.

  • http://cass-hacks.com Craig

    People are missing what is important.

    The point is not that Google, Facebook or anyone else is collecting data they haven’t already been collecting for some time.

    The point is that Microsoft, in their infinite ability to not get anything right, decided to add some ineffectual code which ends up causing more problems than it solves.

    One has to use work-arounds just to do in IE what one can do in any other browser.

    It never ceases to amaze me how so many people think there is anything in their lives worth ‘spying on’.

    Better be careful the next time you buy something at Walmart, the cashier might make note of it and sell the information on the black market.

  • http://ephedrinewheretobuy.com Mike Budd

    Of course your personal data mean a lot to these companies, targeting is the essence of marketing and a big part of their revenue.

    By the way, who said “Don’t be evil”? 😉

  • http://www.studioartistx..nl Alexander

    I guess they all dropped it a little + ourself, we do it too of course.

  • http://www.puamanawebdesign.com Sharon Spilman

    Like many, I’m taking the steps to shore up my privacy. I’m looking for an alternative to gmail, I switched from Google to start page (serves google results without the cookies or tracking). I have not used IE in years except to test development on websites. I have switched to Opera and Firefox for browsing and installed security alert plugins. I have to maintain a facebook account to access my customer’s ‘fan pages’ but I no longer go there, or do anything meaningful there. I have switched to Diaspora*, an open source, alpha, non-commercial social network with organization based on ‘interests’ and curiosity, and therefore a much more stimulating activity. I’m considering making a move to ALL open source software (Ubuntu/Linux for OS) and perhaps even changing to Tor for browsing, which offers ‘anonymous’ surfing and privacy protection. Since a large portion of the databases being gathered by corporations like google and facebook are being opened for access not only to major marketing corporations but to the Homeland Security Department for purposes of surveillance of the population online, it only makes sense.

    A reasonable expectation of privacy is part of “life, liberty and the pursuit of happiness” …

  • http://wbpersonalsecurityproducts.com william

    Too much data tracking reduces available spectrum for paying subscribers….a lousy 1% error in tracking ruins all the data anyway….give privacy back to the people before they give up on web benefits and let internet and social sites die….

  • http://www.puamanawebdesign.com Sharon Spilman

    Note: try installing “Ghostery” plugin to Opera and Firefox to get an idea just how many folks are tracking you …

    • Andreas Krokene

      Sharon, Thanks for the Ghostery tip. I installed it.

    • Vio

      I am using Ghostery for a few weeks, very nice addon!
      About the privacy issue, I think Google and Facebook did it wrong.
      Anyway, I closed my accounts on Facebook and Plus…

  • Spamexterminator

    I’ve been aware of this security breach for a long time. To answer your question “Who should take the fall” Look at it this way; If a person forgets to lock their back door in their home and someone enters and robs them blind or vandalizes who is the guilty culprit in court? But here was a simple way I was getting around that issue I have 6 different internet browsers on my computer and I do certain things with each one (I also change the temporary internet folder location in each browser to keep them completely segregated). For instance I check my E-Mail and play games on FaceBook with FireFox where I’m logged into both FaceBook and Google. Then I use Opera Business and Dragon For Shopping so even if they are tracking what I’m looking at they don’t know who I am and that makes their tracking information pretty much useless.

    • greg

      the person who breaks the law (and who goes counter to social norms regarding privacy) is at fault…not the person who did not lock the door. not locking your door is not on par with an illegal act like trespassing. *rolls eyes* even a kid has learned this by the time they are 4 years old.

  • http://www.captaincyberzone.com Captain Cyberzone

    Start-ups become companies then become corporations and like Governments that get “too big” (the U.S. comes to mind) they get autocratic and bureaucratic and with that comes corruption.

  • Jesse

    Is it me or does this seem like the equivalent of the burglar that is caught breaking into a house saying “I’m not doing anything wrong cause this person over here is doing it too!” ???

    It seems to me that there was a clear & malicious intent on both Google & Facebook’s part to circumvent settings placed to protect people.

  • XtremeMaC

    I am sorry to inform all of you that anything you do these days can and is tracked. This is mostly done to give you a better service. someone said walmart in the comments. you get a walmart discover cc card and it gets swiped on your purchases to give you a bonus.. they know what you’re buying…Credit card companies. They know where you were and shopped at a store.. cell phone companies: they track you everywhere! navigation softwares track you everywhere. you share your location on foursquare, twitter, etc.. you pin point favorite locations on google maps, etc.. you share your facebook wall with the public and you announce that you are going to xxx abroad for vacation, anyone who puts a bit of interest in your wall knows that your house is now vacant. there are many other ways you’re tracked everyday but I am cutting it short…
    So to those of you who are *trying* in their own way to *protect* their privacy I am sorry but you are all failing miserably…

    • Spamexterminator

      Not everyone. I don’t use plastic, I don’t have a cell phone or GPS, I never post that I’m going on vacation online, where I have been, or I’m going in general, and I use methods that prevent the conglomerates from putting a face or name to the data collected from my online browsing rendering it useless. All of which minimize the possibility of tracking me. Unfortunately to have internet access you can still be tracked by your ISP and depending on how trustworthy your ISP is, solely determines your online privacy and you can never tell who is completely trustworthy. There are some very untrusted ISP’s for instance NetZero, AOL and Microsoft which uses their own software to keep tabs on everything you do. So with exception to my ISP I can control what information will be tracked by whom.

  • http://blog.jorodrigues.com/ Jo

    Ordinarily I would probably side with Google on these issues. This is an exception. Just because Microsoft has sloppy coding in its browser doesn’t make it ok to violate people’s determined cookie consumption for the day.

    Both Facebook and Google are beginning to treat their members as numbers and not people. This always marks the start of a downfall. Any person or company that believes it can/will do as it pleases will face the repercussions.

    I already wrote about the future of Facebook if they don’t catch a wake-up to these sorts of matters. I sincerely hope Google doesn’t go the same route.

    No one needs another Microsoft example of how to treat your customers

    • Spamexterminator

      So what you’re saying is if you left your back door unlocked and a burglar entered your home and stole everything of value that it’s your fault and the criminal shouldn’t be punished.

  • Beny

    Friend, is this a secret that the Internet giants are using our private data to make money ? I felt uncomfortable reading some articles from http://www.anti-socnet.com .

  • Jay

    Uh.. Yeah.. I am not in shock over the fact that facebook and google exploited your browsers. I am shocked that you people are finally realizing that they have been doing this for years. No matter what, Everyone will complain and point fingers all over the place. Oh, Microsoft sucks and shouldn’t have such a poor codebase. Whatever. How many times have you been to facebook? That place is a java-based nightmare! Its code is much less stable than Microsoft. Besides, don’t forget that Safari has a bug in their browser allowing this activity too. That means that Apple must have sloppy coding too right? Let’s look at this logically. The 2 big computer giants were found to be vulnerable once again. Yes, Apple has vulnerabilities too. 2 companies whose primary revenues come from marketing were caught taking advantage of these 2 software giants shortcomings in order to collect more data from users in order to provide advertising that fits their needs and wants in order to get more money from their advertisements. This only keeps those people in business longer and provides more revenues for further development and new products. Besides google and facebook, you have much bigger things out there with all your info too. To worry about this is just ridiculous. Anyway, bottom line is that if you do not want to be tracked, just throw your computer away because that is the only way you will stop it. This is not the fault of google and facebook either. In fact, if you don’t want tracked, close all your accounts, cancel your utilities, get rid of your car and whatever other belonging you have purchased and had to provide any tidbit of information. Then, sell off your firearms too and don’t forget to completely detach yourself from society altogether. Now, go in the mountains and live off the land, and you will have your privacy back as long as you don’t own the mountain…

  • http://www.theresammoore.com Theresa

    I was spammed once by a Chinese consortium which wanted to sell me my own site url. When I issued a very public press release about it they went away. I have known for years that what you put up on the internet is public no matter what you do. If you don’t want it stolen or exploited, JUST DON’T PUT IT UP THERE. For example, Google wants to track my personal life, my family, my friends, etc. across all media. I just leave those spaces blank. It wants to track my phone. I just put in zeroes. It’s none of Google’s or Facebook’s business what I do or say, so I’ll say or not say when I want to. When it comes to exercise of first amendment rights I know who is responsible. Me. Google and Facebook can’t do squat about it.

  • http://vapeiq.com VapeIQ

    Who Dropped The Ball With Our Online Privacy?

    All 3. And they continue to undisputed because our country is run by greedy corporations who own the politicians.

  • http://www.cmymails.com Steeven Paullas-Gutt

    The blame goes to all three Google, Microsoft and Facebook. We’re in 2012 and the Internet has never been so expanding. As companies grow and gain more power, most huge corporations won’t hesitate going over our human rights. The system has huge corporations fighting for world domination and not for the sake of humanity.

    It’s up to you and I, as humans, as citizens and as our God-given rights, to ask these major corporations and governments to respect our privacy and if needed to improve the laws already there to protect us enforce…