Microsoft: Google Bypasses Privacy Settings On Internet Explorer

    February 20, 2012
    Drew Bowling

Lately you have to imagine that Larry Page and the rest of the Google leadership wake up every morning and, before the grogginess of the morning has even flaked off, make a wish that there will be no more privacy controversies concerning the search engine company that day.

Well, hate to break it to you Google, but today will not be one of those days because the people at Microsoft have sniffed you out and now it’s starting to look like a Google pile-on.

Similar to how Google was found to be tracking Safari users’ browsing habits, Microsoft revealed today that Google has also been bypassing privacy settings for users of Internet Explorer. Earlier today Dean Hachamovitch, Corporate Vice President of Internet Explorer, posted the big find on the official Internet Explorer blog, describing exactly how Google’s been sneaking its hand into the IE cookie jar. Essentially, Google’s been bypassing the P3P Privacy Protection in Internet Explorer; the result is similar to how Google was tracking Safari users, but the process used to rake the info from users is different.

As Hachamovitch explains, IE rejects third-party cookies unless the site that produced those cookies presents a P3P Compact Policy Statement that explains how they plan to use the cookie and pledges not to track the user. Google’s P3P policy, however, doesn’t exactly state its intentions clearly yet manages to slip past that protection.

It’s worth noting here for less tech-invested internet users that all of this cookie dispute/privacy violation/information tracking-and-exchange is happening almost exclusively without any of your knowledge or participation. It’s a cloak-and-dagger grab for user information that involves web sites, web browsers, and programmers that can use paladin-level tools like Fiddler. The average internet user participates in this affair about as actively as a pigeon dictates the flow of downtown car traffic. Decide for yourself if that makes the ordeal better or worse.

I’m also explaining it in lay terms because the following explanation might be the speed of escape velocity for some (I don’t entirely exclude myself from that lot, either).

Anyways. Hachamovitch details specifically how Google manages to track browsers despite the P3P protection:

Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy. It’s intended for humans to read even though P3P policies are designed for browsers to “read”:

P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

P3P-compliant browsers interpret Google’s policy as indicating that the cookie will not be used for any tracking purpose or any purpose at all. By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked. The P3P specification (“4.2 Compact Policy Vocabulary”) calls for IE’s implemented behavior when handling unknown tokens: “If an unrecognized token appears in a compact policy, the compact policy has the same semantics as if that token was not present.”

The World Wide Web Consortium (W3C), the international organization that defines the standards of practice by which companies will use the internet, maintains that P3P policies “MUST NOT make false or misleading statements” (emphasis theirs). If what Hachamovitch asserts is true and Google is intentionally confounding their P3P policy, then that doesn’t sound like any kind of news Google should want to be a part of.

There’s a growing debate in the comments attached to Hachamovitch’s post about whether Google has actually done anything wrong. Of course, it’s altogether damning when you hear statements juggling the words “Google privacy tracking info bad no-no” but, objectively, did Google actually violate privacy settings for IE users?

As of writing this, the majority of the responses seem to believe that what Google has done is very shady. One commenter opined that Google didn’t do anything wrong since it followed the W3C standard. However, that opinion was firmly rebuked when another commenter replied, “Yes, because sending a deliberately incorrect string with the explicit intent of bypassing the privacy settings system is totally OK.” In that respect, Google was following the standards set by W3C only insofar as you permit Google to pave the road as it goes along and thus simply create its own unique way to follow the W3C guidelines. Such a practice belies the purpose of having a standard in the first place.

Whether the issue at hand is the Molotov–Ribbentrop Pact, former President Clinton’s infamous triangulation of truth during the Lewinsky trials, or something as simple (or not?) as the classic “It’s not you, it’s me” breakup line – people usually have a reason for speaking obtusely, even when those people are corporations. In that regard, Google probably is in the wrong if for no other reason than using obscure language in announcing their intent to track internet users. Unless they can be specific, it’s hard not to imagine that such a practice is an unprovoked defensive behavior to hide a smoking barrel.

The thing is, though, Google’s boss hog of the search engine trough and so any bad piggy acts they do are going to be amplified. You don’t skate by unnoticed when you’ve successfully made yourself omnipresent in people’s lives. Also, it tends to look bad when the same scandalous claim keeps popping up from different sources.

Last week Safari users got to have their say about Google’s tracking habits, so this week the mic passes to you, users of Internet Explorer (and everybody else, really): Do you think Google’s really as insidious with their tracking practices as it sounds? Is what Google is doing even that bad (as opposed to what Facebook or Apple do)? How do you think Google should respond now that this is potentially the second time they’ve been found to be stalking information from users? And, most importantly, how is this even surprising anymore? Add your two cents below.

One last thing: For those IE users who wish to throw Google off their browsing scent, Microsoft recommends users apply the Tracking Protection privacy feature in order to ensure that Google won’t be able to track them by bypassing the P3P Privacy Protection security. See Hachamovitch’s post for more details.

  • Mike

    Google’s privacy policy is totally reprehensible.

  • Ilya Geller

    Microsoft, Google and 100% of IT industry use SQL Industrial standard.

    SQL, Structured Query Language – SQL obtains patterns from queries and statistics on how often they are used; neither the queries, nor patterns, nor statistics have anything in common with data itself, they are EXTERNAL.

    I, however, discovered and patented how to structure any data without SQL, the queries – my INTERNAL Industrial standard: Language has its own INTERNAL parsing, indexing and statistics and can be structured INTERNALLY. (For more details please browse on my name ‘Ilya Geller’.)

    For instance, there are two sentences:
    a) ‘Sam!’
    b) ‘A loud ringing of one of the bells was followed by the appearance of a smart chambermaid in the upper sleeping gallery, who, after tapping at one of the doors, and receiving a request from within, called over the balustrades -‘Sam!’.’
    Evidently, ‘Sam’ has different importance in the two sentences, in regard to the extra information in both. This distinction is reflected in the weights of the phrases which contain ‘Sam’: the first has 1, the second – 0.08; the greater weight signifies stronger emotional ‘acuteness’; where the weight refers to the frequency that a phrase occurs in relation to other phrases.

    SQL cannot produce statistics such as the above – SQL is obsolete and out of business. Google, Oracle, IBM, Amazon – cannot.

    I – can.

    Being structured information searches for passive, invisible on Internet people itself, which guarantees the people 105% privacy. The people get the specifically tailored for them information, no spam!

    The New Era is coming! All IT Industry is obsolete and out of business.
    Microsoft and Google fight for nothing: nobody needs their EXTERNAL information.