Microsoft: Google Bypasses Privacy Settings On Internet ExplorerBy: Drew Bowling - February 20, 2012
Lately you have to imagine that Larry Page and the rest of the Google leadership wake up every morning and, before the grogginess of the morning has even flaked off, make a wish that there will be no more privacy controversies concerning the search engine company that day.
Well, hate to break it to you Google, but today will not be one of those days because the people at Microsoft have sniffed you out and now it’s starting to look like a Google pile-on.
Similar to how Google was found to be tracking Safari users’ browsing habits, Microsoft revealed today that Google has also been bypassing privacy settings for users of Internet Explorer. Earlier today Dean Hachamovitch, Corporate Vice President of Internet Explorer, posted the big find on the official Internet Explorer blog describing how exactly Google’s been sneaking it’s hand into the IE cookie jar. Essentially, Google’s been bypassing the P3P Privacy Protection in Internet Explorer that, while the result is similar to how Google was tracking Safari users, uses a different process to rake the info from users.
As Hachamovitch explains, IE rejects third-party cookies unless the site that produced those cookies presents a P3P Compact Policy Statement that explains how they plan to use the cookie and pledges not to track the user. Google’s P3P policy, however, doesn’t exactly state its intentions clearly yet manages to slip past that protection.
It’s worth noting here for less tech-invested internet users that all of this cookie dispute/privacy violation/information tracking-and-exchange is happening
almost exclusively without any of your knowledge or participation. It’s a cloak-and-dagger grab for user information that involves web sites, web browsers, and programmers that can use paladin-level tools like Fiddler. The average internet user participates in this affair about as actively as a pigeon dictates the flow of downtown car traffic. Decide for yourself if that makes the ordeal better or worse.
I’m also explaining it in lay terms because the following explanation might be the speed of escape velocity for some (I don’t entirely exclude myself from that lot, either).
Anyways. Hachamovitch details specifically how Google manages to track browsers despite the P3P protection:
P3P: CP=”This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info.”
P3P-compliant browsers interpret Google’s policy as indicating that the cookie will not be used for any tracking purpose or any purpose at all. By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked. The P3P specification (“4.2 Compact Policy Vocabulary”) calls for IE’s implemented behavior when handling unknown tokens: “If an unrecognized token appears in a compact policy, the compact policy has the same semantics as if that token was not present.”
The World Wide Web Construm (W3C), the international organization that defines the standards of practice by which companies will use the internet, maintains that P3P policies “MUST NOT make false or misleading statements” (emphasis theirs). If what Hachamovitch asserts is true and Google intentionally confounding their P3P policy, then that doesn’t sound like any kind of news Google should want to be a part of.
There’s a growing debate in the comments attached to Hachamovitch’s post about whether Google has actually done anything wrong. Of course, it’s altogether damning when you hear statements juggling the words “Google privacy tracking info bad no-no” but, objectively, did Google actually violate privacy settings for IE users?
As of writing this, the majority of the responses seem to believe that what Google has done is very shady. One commenter opined that Google didn’t do anything wrong since it followed the W3C standard. However, that opinion was firmly rebuked when another commenter replied, “Yes, because sending a deliberately incorrect string with the explicit intent of bypassing the privacy settings system is totally OK.” In that respect, Google was following the standards set by W3C insofar you permit Google to pave the road as it goes along and thus simply create its own unique way to follow the W3C guidelines. Such a practice belies the purpose of having a standard in the first place.
Whether the issue at hand is the Molotov–Ribbentrop Pact, former President Clinton’s infamous triangulation of truth during the Lewinksy trials, or something as simple (or not?) as the classic “It’s not you, it’s me” breakup line – people usually have a reason for speaking obtusely, even when those people are corporations. In that regard, Google probably is in the wrong if for no other reason than using obscure language in announcing their intent to track internet users. Unless they can be specific, it’s hard not to imagine that such a practice isn’t an unprovoked defensive behavior to hide a smoking barrel.
The thing is, though, Google’s boss hog of the search engine trough and so any bad piggy acts they do is going to be amplified. You don’t skate by unnoticed when you’ve successfully made yourself omnipresent in people’s lives. Also, it tends to look bad when the same scandalous claim keeps popping up from different sources.
Last week Safari users got to have their say about Google’s tracking habits, so this week the mic passes to you, users of Internet Explorer (and everybody else, really): Do you think Google’s really as insidious with their tracking practices as it sounds? Is what Google is doing even that bad (as opposed to what Facebook or Apple do)? How do you think Google should respond now that this is potentially the second time they’ve been found to be stalking information from users? And, most importantly, how is this even surprising anymore? Add your two cents below.
One last thing: For those IE users who wish to throw Google off their browsing scent, Microsoft recommends users apply the Tracking Protection privacy feature in order to ensure that Google won’t be able to track them by bypassing the P3P Privacy Protection security. See Hachamovitch’s post for more details.