
From the IE Team: Google Bypassing User Privacy Settings - ecaron
http://blogs.msdn.com/b/ie/archive/2012/02/20/google-bypassing-user-privacy-settings.aspx
======
gyardley
Google really should have the cojones to stand up and state their actual
position plainly, which as far as I can tell is this:

"If you haven't taken an active, positive step to block our +1 buttons, we're
going to assume you don't _really_ care and we'll do whatever we can to show
them to you, no matter what your browser's default settings are. Why? Well,
because we think the default settings are bullshit, and 99 times out of 100
they're only that way because they're the default. They don't reflect actual
user preferences, they reflect other browsers messing with our business
plans."

Not only is that an intellectually honest position, it's a lot more accurate
than assuming all IE users who haven't changed their settings don't want +1
buttons.

~~~
Tyrannosaurs
And you know for a fact that it's set to that because it's the default and
that I haven't reviewed it and decided that I'm ok with how it's set out of
the box do you?

I review pretty much every browser setting but change only about 5%. You have
no way of telling how the setting ended up with its current value and without
that that position is bullshit.

~~~
gyardley
First, don't confuse me with Google. I'm talking about the argument Google's
implicitly making here through their actions, which I wish they'd just say out
loud so we could have a real and proper discussion about these issues.

Of course Google doesn't know your preferences for a fact. Of course Google
has no way of knowing. But based on their behavior, it seems they just don't
care.

An intellectually honest Google would argue 'Look, the default behavior of
your browser is badly broken, because they've made it impossible to
distinguish between the small number of people who care about this third-party
cookie stuff and the rest of the world, who doesn't care an iota. You care
about it? So sorry, take it up with your browser manufacturer and their goofy
choice of defaults.'

They don't have the guts to make this argument with words, of course, but this
is exactly the argument they're making with their actions.

~~~
Tyrannosaurs
To which I'd reply that my browser maker made at worst an honest mistake
implementing a bad standard.

Google on the other hand cynically exploited it knowing full well what the
intention was and not giving a shit.

I know which one I'm taking it up with and which one I'm not using any more.

But there is no honest debate to be had on this as if they openly stated their
model was "fuck your privacy" they'd have a far smaller business as that would
simply be unacceptable for most people. A position like that can only work if
it's not public (ironically).

------
nostromo
This seems to be a problem with the design of P3P more than anything.

Browsers: "3rd-party cookies are blocked unless you add a P3P header..."

Websites: "Ok. What should be in the header?"

Browsers: "Anything... it doesn't matter. Just add the header then 3rd-party
cookies are fine"

Websites: "Ok, we'll just add a P3P header saying 'Ceci n'est pas une P3P
header' then. Problem solved."

~~~
pak
This is not a reply to your comment! See
<http://pastebin.com/raw.php?i=qV5bkCjG> for more info.

~~~
nostromo
clever :)

Btw, I'm not defending Google, they're clearly not acting perfectly here. I'm
simply pointing out that this is a clear case of, "what did you expect to
happen?" Any spec that still sets a cookie that is declared as not being used
for any purpose seems deeply flawed.

I also found it interesting that Microsoft called out Google and not Facebook,
which gives the article a political overtone.

~~~
pak
Hindsight is always 20/20 and norms change quickly on the internet; we could
say equally critical things about Telnet and FTP.

I agree that P3P clearly needs some rethinking to stay relevant. Especially
now that the cat's out of the bag on how to bypass it. (Microsoft's immediate
response is to set up yet another blacklist system... some cultures just never
change.)

For everyone's entertainment, the OP's comments linked to an amusing satire of
P3P called P5P, or the "Pretty Please Platform for Participating Publishers."
This is possibly the best collection of protocol tokens I have seen since RFC
2324.

<http://pastebin.com/ijjRKvUB>

~~~
josephcooney
It is interesting that your response to google seemingly doing something that
is, at the least disingeneous, is to criticize microsoft. Also re: culture -
were to you think google got all those engineers from? A significant number
are ex-MSFT. There is a reason GOOG built a campus in bellevue.

~~~
rbanffy
I think he is criticizing Microsoft for pointing their fingers to their arch-
enemy while failing to mention their partner.

------
jtchang
P3P is a load of garbage as it is implemented/written.

There is no real enforcement behind it and it just causes lots of confusion.
Seriously I have to go lookup what each of these acronyms are in order to
figure out how my privacy is being violated? What guarantees do I even have
that you are obeying P3P and not simply sending it to make me feel good.

Hell while we are at it we should implement P3P for phone apps. I'm sure Path
(and others) will stop uploading your address book if the P3P says
"ADDRBKNOUP"

~~~
powertower
> There is no real enforcement behind it

You could say the same thing about robots.txt.

~~~
sequoia
...and you would be correct.

------
capocani
[http://support.google.com/accounts/bin/answer.py?hl=en&a...](http://support.google.com/accounts/bin/answer.py?hl=en&answer=151657)

 _In some situations, the cookies we use to secure and authenticate your
Google Account and store your preferences may be served from a different
domain than the website you're visiting. This may happen, for example, if you
visit websites with Google +1 buttons, or if you sign into a Google gadget on
iGoogle.

Some browsers require third party cookies to use the P3P protocol to state
their privacy practices. However, the P3P protocol was not designed with
situations like these in mind. As a result, we've inserted a link into our
cookies that directs users to a page where they can learn more about the
privacy practices associated with these cookies.

Information that Google collects in association with these cookies is subject
to our Privacy Policy._

Doesn't seem nefarious.

~~~
mbetter
Someone instructs their browser to not accept third party cookies, full stop.
Google then does something, mumbles a bit, and then sets a third party cookie.

How isn't this nefarious?

~~~
mattmcknight
The nefarious bit is in IE- which, although it pretends to allow you to
"instruct the browser not to accept 3rd party cookies, full stop," actually
accepts third party cookies from any site with a P3P code it doesn't
understand.

~~~
recoiledsnake
>The nefarious bit is in IE- which, although it pretends to allow you to
"instruct the browser not to accept 3rd party cookies, full stop," actually
accepts third party cookies from any site with a P3P code it doesn't
understand.

No, if you select that option, it actually blocks all third party cookies.

~~~
mattmcknight
No, it actually doesn't (or this discussion wouldn't be happening).

------
emu
It's a little disingenuous for the IE team to "discover" this just now. I'm
pretty sure Google has been doing this for years, and it's well-known. (I
certainly talked about it as part of a wider discussion about P3P policies
with colleagues a year or so ago, and this isn't even my area of expertise.)

I also don't much mind what companies do with tracking cookies --- I recommend
using the Vanilla Cookie extension to Chrome to create a whitelist of
persistent cookies. It rather nicely avoids the problem.

------
kylemaxwell
I've been a Google fanboi for years and defended them in the public square
when they've been accused of nefariousness. But these revelations of
intentionally ignoring users' privacy settings have shaken me. Maybe it's time
to put them into the Facebook category, where I removed my account years ago.

~~~
tensor
It's not so much that they are intentionally ignoring users privacy as they
preferring the privacy settings their users have directly given them rather
than those set in the browser. I've long been opted out from all of Google's
ad tracking, on their site and elsewhere:

<http://www.google.com/privacy/ads/> <http://www.google.com/ads/preferences>

Privacy is something that few of these companies truly respects. Does Google
really respect it? Probably not as much as they'd like you to believe, but at
least they are willing to discuss it and provide opt out solutions.

~~~
kylemaxwell
I'm not really happy with preferring their opt-out setting when I've already
made an opt-out setting in my browser. I don't believe for a moment that Apple
or Microsoft care about my privacy any more than Google does, but if I've made
a choice and communicated that via browser settings, I expect information
providers to respect that choice and not try to exploit the browser in an
attempt to bypass my choice.

~~~
tensor
If you truly care about your privacy rather than simply making a political
statement, use something like Ghostery (<http://www.ghostery.com/>). Even if
some of the big companies care enough to respect a request like this, I assure
you that the majority of tracking services will not.

If you are making a political statement, then that's fine, I agree that all
companies, Google included, should do far better on privacy grounds than they
already are.

------
luser001
I saw this header a few days ago in curl, and I wondered why Google would send
something like this. Now I know.

    
    
        P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

------
slig
It's been a while. And fb does it too.

[http://security.stackexchange.com/questions/8489/should-
anyo...](http://security.stackexchange.com/questions/8489/should-anyone-
support-implement-p3p-policies-do-they-matter-are-they-legally)

~~~
mjs
There's an "IT Security" stackexchange?! WTF?! How many almost identical
communities does stackexchange need?

~~~
tylerritchie
There aren't very many almost identical, but there are a lot of communities
that have significant overlap.

    
    
      - Superuser
      - Serverfault
      - Database Administrators - 8.9 questions/day
      - IT Security - 6.9 questions/day
      - Healthcare IT - 1.1 questions/day
    

The stackexchange community is all about forking. Clearly Healthcare IT, IT
Security, and Database Administrators _could_ all be tagged questions in
serverfault. But apparently serverfault.com/questions/tagged/heathcare didn't
sit well with the 298 people who committed to the beta. Separating power-users
from IT professionals (superuser vs serverfault)is certainly reasonable even
though there is a large overlap of knowledge there.

Of course, without the forks, as an IT person there might be a question if
your cryptography related question should go in cryptography.SE or
serverfault. With a dedicated site the "correct" location for those questions
is easier to determine.

But if we're going to talk about overlapping stackexchanges we have to look at
those populated predominantly by programmers, because... well, they are the
master forkers.

    
    
      - stackoverflow
      - Programmers
      - Code review
      - Theoretical Computer Science
      - Code Golf
      - Signal Processing 
      - Computational Science
    

I left out the language specific ones like Mathematica and TeX. I also omitted
Software QA and Cryptography.

Apparently theoretical physicists and applied? physicists are unable to co-
exist on one stackexchange.

Anyway, clearly the stackexchange community thinks that forking is the answer.
I think tagging is superior and I think fragmenting the community gets fewer
able eyes focused on questions. Forking doesn't really hurt google users
trying to find answers to questions that have already been answered.

Even while not being a professional developer I would stick Code golf, code
review, and Programmers into one stack exchange. I'd also put Signal
Processing, Mathematica, Tex, and Compuational Science back in Stack Overflow
and let the theoretical CS folks stay separate.

------
jackalope
This is like teams of foxes selling chicken coops and accusing the other teams
of the improper placement of "No Foxes Allowed" signs. If third party cookies
are bad, disallowing them should be the default, regardless of some policy
header no user ever heard of or can decipher.

If they really cared, they'd include a way to disallow _any_ third party
resource without having to install a plugin like RequestPolicy. That would go
a long way towards fighting tracking (and multiple exploits).

~~~
mike-cardwell
It is not in Googles or Microsofts interest to do that with their browsers.
They both have a very large commercial interest in people using browsers that
make it easy to track them.

This is the main reason I stick with Firefox. I don't want to use a browser
built by an advertising company.

~~~
ceejayoz
The vast majority of Mozilla's revenue comes from a search deal with Google.

~~~
mike-cardwell
Yes. And I have already heard the conspiracy theories.

------
jsz0
Spitting in the face of user intent like this is really crossing the line of
what is acceptable in my opinion. I'm not really concerned about my privacy
but I do need to have some faith that the settings I am choosing are being
respected. If I allow Google+ to use my webcam should I expect Google to turn
it on and watch me all the time? That's not too far removed from what they are
doing here.

------
lawnchair_larry
Privacy violations should be opt-in. That's what is wrong with privacy on the
web.

------
shtylman
Can someone explain to me why it isn't the browsers responsibility to enforce
this instead of relying on websites to "do the right thing"?

------
voidr
What about IE tracking what users are searching for?

Microsoft should admit that they only care about privacy when it's convenient
for them.

~~~
CurtHagenlocher
Microsoft, Google and Apple all agree that your privacy should not be
sacrificed for the sake of their competitors making a buck.

------
nitrogen
I can't say I would side with either party in this case. P3P sounds about as
robust a protocol as RFC 3514 (the evil bit), and Google could just as easily
display a warning to any user whose browser rejects third-party cookies.

<https://www.ietf.org/rfc/rfc3514.txt>

------
scotty79
How can you bypass something that is not a barrier? P3P is useless.

P3P means "we would never..." in computer speech which is unenforceable
therefore useless.

Google just make no promises via P3P and places link there explaining that it
doesn't and why it doesn't.

Fortunately implementations of the P3P do the right thing and fold.

~~~
recoiledsnake
>How can you bypass something that is not a barrier?

So if tomorrow Chrome uploads all your keystrokes to Google, will that be a
valid defense?

>P3P means "we would never..." in computer speech which is unenforceable
therefore useless.

Stopping Chrome from uploading your bank passwords with today's update is
unenforceable as well and hence thereby useless.

~~~
scotty79
Right. So if you are afraid of that then don't use Chrome.

And if you are afraid that cookies can be used for tracking then disable them
in your browser.

P3P imho is useless because people whom I don't want to be tracked by will
serve all the reassuring tokens in P3P and do whatever they want anyway.

I want my +1 buttons to work and if that means pulling curtain on some
security theater then so be it.

~~~
ugh
I see this as a predominantly moral issue. Google seems to expose itself as
the people whom I don’t want to be tracked by by engaging in shady behavior.
That is exactly the problem.

Yes, anyone who wants to can circumvent it anyway, but that doesn’t stop us
from judging those who do so negatively†. Google can be held accountable in
this case (by, for example, complaining loudly about what they do) and there
is nothing wrong with doing so. Just because it’s possible doesn’t mean it’s
right.

That the protocol sucks is in that context a separate and unrelated issue. It
may be security theater, but that doesn’t make Google’s behavior any more
moral†.

—

† Insert clever analogy here. I’m too lazy to think about one, though.

------
dudus
I was going to post a comment with details of what the microsoft's P3P CP
policy means. But it got so damn long that I had to write a blog post.
<http://news.ycombinator.com/item?id=3615381>

------
Volpe
Googles explanation (set inside the P3P cookie):

[http://support.google.com/accounts/bin/answer.py?hl=en&a...](http://support.google.com/accounts/bin/answer.py?hl=en&answer=151657)

------
joshfraser
Having battled with P3P in the past, I sympathize with Google. I don't have a
problem breaking dumb rules. And P3P is dumb on multiple levels.

------
arebop
Oh look, Google fails to fully support features only MSIE has
[<http://en.wikipedia.org/wiki/P3P#Criticisms>]! Shame on them.

P3P was standardized but it never got traction due to various practical
problems. For example, privacy policies vary in many, sometimes-subtle, ways
and nobody could figure out how to build simple software to decide
automatically how to respond to these policies on behalf of users. Don't take
Google's word for it, see what facebook says:
<http://www.facebook.com/help/?page=219494461411349>. epic.org doesn't use it
either.

There are some appealing ideas in P3P but in real life it doesn't actually
help users protect their privacy, even on sites that actually implement it
(such as Bing). The P3P working group shut down long go
(<http://www.w3.org/P3P/>).

This is article is just cheap shot at a competitor.

~~~
untog
_Oh look, Google fails to fully support features only MSIE has_

 _P3P was standardized_

Then it's a little unfair to describe P3P as some IE-only standard then, no?
You make it sound like proprietary extension.

~~~
eli
Lets not get lost in semantics. True it's a documented standard, but only
Microsoft supports it and given its many drawbacks no one else is likely to
add support any time soon. It might as well be proprietary.

~~~
untog
_It might as well be proprietary._

Not even slightly. That does a huge disservice to any standardisation process.
In fact, how "only Microsoft supports it" ends up being _Microsoft's problem_
baffles me.

It was created by a standards body. The other browser manufacturers did not
implement it. Therefore, it's all Microsoft's fault?

~~~
eli
It is Microsoft's problem that they have IE default to rely on what nearly
everyone agrees is a crap solution to protecting privacy on the Internet.

To web developers and certainly to web users there is zero difference between
a standard that only Microsoft supports and a documented, but non-standard
extension that only Microsoft supports.

~~~
untog
_It is Microsoft's problem that they have IE default to rely on what nearly
everyone agrees is a crap solution_

Do they? Then what's the point in the standardisation process? The whole point
is that everyone agreed on a solution in P3P. Maybe it wasn't ideal, but it
was the standard. So, faithfully, MS implemented it.

So, MS is to blame when they go alone and make their own standards, but they
are now _also_ to blame when they follow the standardisation process to the
letter and other people don't?

~~~
eli
You don't get a free pass because you're following a W3C standard. The way P3P
is implemented in IE made web developers lives harder in exchange for
virtually no additional privacy protections to users.

The point of the standards process is so that we don't have multiple
competing/incompatible/ambiguous header-based privacy policies. But that's not
the problem here. There aren't any notable competing privacy headers because
the whole approach is flawed.

~~~
ootachi
Are you going to say the same thing about the FileSystem API, Dart, and NaCl?
Google is probably the worst browser vendor when it comes to having competing
implementations of their proprietary features.

~~~
marshray
Doesn't Dart compile to portable JavaScript?

------
meow
Keeping Google's blunders aside, the P3P policy as described seem to be a
joke. Do they really expect third party sites to be honest with a browser ? At
least they had to do some magic on Safari.. this seems too straight forward
and begging to be abused...

------
tete
Easy fix: use DuckDuckGo

<https://duckduckgo.com/>

Don't let them track and bubble you:

<http://donttrack.us/>

<http://dontbubble.us/>

------
prtamil
It reminds me of a quote from Dark Knight "You either die a hero or you live
long enough to see yourself become the villain" .

------
tlogan
There are some comments here that say: P3P is garbage as implemented, so it is
ok for Google to invest some time and engineering effort to trick P3P and
track users via cookies.

Not sure if that the valid answer but it has some merits if everybody is doing
that (like downloading adress book from iPhone).

Now, I have the following question: if a random website is catch doing this,
is it going to marked as un-safe by security scanners?

------
jdavid
I flagged this because it's just Microsoft trying to flame war with Google.
These headers have been an annoyance every time I have had to consider them.

This is a clear example of Microsoft's 'extend' and 'embrace' strategy that
destroyed so many platforms. The MS series of browsers were the only ones to
adopt this before being recommended as a spec. The spec was never adopted.

------
Stormbringer
Is "Google does evil shit and violates users privacy" even news-worthy
anymore? Isn't that the default?

Yeah you heard me Google-tards. Down-vote me like you always do, I got karma
to _burn baby burn_.

~~~
andersh
From your user page, I see that your IT company likes/dislikes conform to one
of the approved off-the-shelf opinionsets. [ticks box] Carry on.

------
Tichy
So I take it the MS ad network doesn't track users?

~~~
cooldeal
Of course it does. The question is, does it still do that even if the browser
explicitly told it not to.

If you have some evidence that it does, I am looking forward to seeing it. But
more likely, I think you just read the headline and jumped in to comment.

~~~
Tichy
There are countless tracking mechanisms besides cookies, for example flash
cookies and so on. They have been used for years. I would be surprised if any
ad network would opt to not use them (I don't like it, but still).

------
mrinterweb
For some reason, it feels too soon for the IE team to be calling foul on web
standards implementation.

------
justinlau
It's a new low for Microsoft to use MSDN as a corporate mudslinging soapbox.

------
yanw
So the WSJ publishes another one of it’s alarmist articles about Google and
Safari during the weekend and Microsoft wants to capitalize by pretending it
just _now_ discovered that P3P (a defunct and shitty protocol) is useless and
no one uses it.

NYT September 17, 2010:

[http://bits.blogs.nytimes.com/2010/09/17/a-loophole-big-
enou...](http://bits.blogs.nytimes.com/2010/09/17/a-loophole-big-enough-for-a-
cookie-to-fit-through/) _If you rely on Microsoft’s Internet Explorer’s
privacy settings to control cookies on your computer, you may want to rethink
that strategy. Large numbers of Web sites, including giants like Facebook,
appear to be using a loophole that circumvents I.E.’s ability to block
cookies, according to researchers at CyLab at the Carnegie Mellon University
School of Engineering. A technical paper published by the researchers says
that a third of the more than 33,000 sites they studied have technical errors
that cause I.E. to allow cookies to install, even if the browser has been set
to reject them. Of the 100 most visited destinations on the Internet, 21 sites
had the errors, including Facebook, several of Microsoft’s own sites, Amazon,
IMDB, AOL, Mapquest, GoDaddy and Hulu._

Google doesn’t support a broken feature that is exclusive to IE somehow it’s
their fault. If anyone ever doubted Microsoft's PR sleaziness and propaganda
tactics that blog post is proof.

~~~
ABS
I don't side with Google on this one but here is an interesting tidbit:
Microsoft support site advocated the same trick... a reference to this can be
found on page 6 of this PDF

[http://www.ftc.gov/os/comments/privacyreportframework/00453-...](http://www.ftc.gov/os/comments/privacyreportframework/00453-58004.pdf)

~~~
DaveMebs
This is a totally disingenuous comment. From the linked PDF (note: this also
occurs on page 7, not page 6, for those who wish to verify):

"We discovered that Microsoft’s support website recommends the use of invalid
CPs as a work-around for a problem in IE. Specifically, a FRAMESET or parent
window that references another site inside a FRAME considers the referenced
site as a third-party, even if it is first-party content located on the same
server [10]. Microsoft suggests the following invalid CP: CAO PSA OUR. This CP
is clearly invalid since it does not contain any RETENTION or CATEGORIES
tokens. Even if the CP were valid, Microsoft’s recommendation undermines the
purpose of P3P since it encourages web administrators to use CPs that do not
represent their actual data practices. We found several technical blogs
recommending similar solutions [11], [19]."

So yes, a Microsoft support site did recommend a set of invalid CPs, but this
is clearly not the same trick. This is a legitimate set of CP tokens that is
used to workaround an issue where 1st party content appears to IE as 3rd party
content. This token set is invalid because RETENTION/CATEGORIES tokens are
missing, but the web author's intent here is (theoretically) honest.

Google, on the other hand, is providing no tokens whatsoever. Instead, in
their P3P header they provide a human-readable string and a link to their
privacy policy. This is not an invalid but intellectually honest set of tokens
that is designed to comply with the spirit of the standard, if not the letter.
This is an attempt to bypass the standard in order to allow 3rd party cookies,
regardless of user settings.

The fact that you are equating these two practices is completely dishonest.
Even a cursory glance through this document makes it clear that the Microsoft
support site is advocating something completely different and is doing so in
order to enable a fairly legitimate scenario.

------
oakgrove
Episode 32432432 in the pissing match between MS and anybody who dares make a
dollar in the computing industry. _Yawn_

------
devindotcom
Yeah, this isn't quite the same level as the Safari one, which was a bit of a
tempest in a teacup to begin with. In both cases you can partially blame the
browser, though more so in this case.

------
evmar
After Microsoft introduced cookie-blocking features in IE they've been dancing
around how to get users to block ads without telling users to install the
blockers directly.

Here's the blacklist they suggest in their post, which they recommend "as a
protection": <http://ie.microsoft.com/testdrive/browser/p3p/google.txt>

The "-d" lines block domains entirely, which I believe means this has the
consequence of blocking Google ads entirely.

~~~
recoiledsnake
>The "-d" lines block domains entirely, which I believe means this has the
accidental consequence of blocking Google ads entirely.

Err what? Why would disabling cookies disable displaying ads?

You seem to be overly concerned about Google being unable to track the
browsing habits of some people.

~~~
evmar
At least as best as I can gather from the TPL docs, they block "all third
party content", which includes iframes (the mechanism used for ads).

[http://ie.microsoft.com/testdrive/Browser/TrackingProtection...](http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/faq.html)

