Google: IE Privacy Policy Is Impractical 258
itwbennett writes "In response to Microsoft's claim that Google circumvented Internet Explorer privacy protections (following the discovery that Google also worked around Safari's privacy settings), Google on Monday said that IE's privacy protection, called P3P, is impractical to comply with."
Re:Impractical to who? (Score:4, Informative)
actually, they would be quite stupid to sell ... because when I consider how much time I spend with google services compared to anything else, they must know about five times as much about me as the next best competitor ... so selling stuff that helps their competition would be really not a good idea ;)
Why is there a lack of outrage? (Score:0, Informative)
If it was the other way around, there would be a pile of MS hating nitwits here already.
Re:FTFY (Score:4, Informative)
MS is a private company, not a legislative body.
As the situation is presented, Google is under no legal requirement to comply with any 3rd party browser "privacy requirements" outside of any existing legal agreements with manufacturers of said browsers. Was any such agreement in place?
tl;dr - MS can go get stuffed.
Re:Impractical to Microsoft, MS also send invalid (Score:5, Informative)
As I understand it, Microsoft is following the spec properly. Google is exploiting a loophole in the spec. [slashdot.org]
Re:Impractical to Microsoft, MS also send invalid (Score:4, Informative)
what the text SHOULD look like (assme angle brackets here; sorry for having to reformat to get around slash filters)
[META xmlns="http://www.w3.org/2002/01/P3Pv1"]
[POLICY-REFERENCES]
[POLICY-REF about="/P3P/Policies.xml#first"]
[COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/]
[COOKIE-EXCLUDE name="obnoxious-cookie" value="*" domain=".example.com" path="/"/]
[/POLICY-REF]
[POLICY-REF about="/P3P/Policies.xml#second"]
[COOKIE-INCLUDE name="obnoxious-cookie" value="*" domain=".example.com" path="/"/]
[/POLICY-REF]
[/POLICY-REFERENCES]
[/META]
and what googles looks like:
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 [google.com] [google.com] for more info.
now, without even having a compsci101 level course, anyone here see which is the more correct parseable string and which is weasel bullshit?
Re:One question never answered (Score:5, Informative)
Not only does Facebook do it but Microsoft also does it. The standard they are accusing Google of violating is so out of date that W3 doesn't even try to update it anymore, because no one follows it and most browsers don't even implement it fully. This is a non-story in every direction.
Re:Impractical to Microsoft, MS also send invalid (Score:5, Informative)
Consider the following (from http://www.w3.org/TR/P3P11/#ua_compact [w3.org];
6.4 Compact Policy Processing
P3P user agents MUST NOT rely on P3P compact policies that do not comply with the P3P 1.0 or P3P 1.1 specifications or are obviously erroneous. Such compact policies SHOULD be deemed invalid and the corresponding cookies should be treated as if they had no compact policies.
As I understand this, IE should actually search the Google P3P header for a valid statement of what Google intends to do with regard to tracking cookies. If it does not find those, it should apply the default behaviour for web sites without any P3P header. As described by Dean Hachamovitch (the author of the blog post):
By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the sites use does not include tracking the user.
Fine. So your browser sees a Google P3P header without any valid policies. At this point, the clause "unless the site presents..." should kick in and cookies should be blocked. To me this looks like a bug in IE, as they failed to implement the default behavior in this case. It would be appropriate for Microsoft to fix this bug, send the fix as update on next patch day and otherwise be very humble about their error.
Instead, Dean Hachamovitch tries to paint this as conspiracy by Google to circumvent IE's security protection. FAIL.
Re:One question never answered (Score:4, Informative)
Check the ARS story with 2 updates:
http://arstechnica.com/tech-policy/news/2012/02/google-tricks-internet-explorer-into-accepting-tracking-cookies-microsoft-claims.ars
Yes Facebook is doing it as well as msn.com and live.com
Re:misleading/wrong question (Score:3, Informative)
Please.
Microsoft created the standard *AND* implemented it. It's their own fault if they allow loopholes.
see: https://plus.google.com/u/0/114753028665775786510/posts/fuLZoEkJZNs [google.com]
and NYT criticism of basically creating security loopholes: http://bits.blogs.nytimes.com/2010/09/17/a-loophole-big-enough-for-a-cookie-to-fit-through/ [nytimes.com]
google's fault? none, really.
title: "If you rely on Microsoft’s Internet Explorer’s privacy settings to control cookies on your computer, you may want to rethink that strategy."
Re:Impractical to who? (Score:5, Informative)
No, they aren't. In the Safari case, the default setting in Safari is to block third party cookies. No one made that choice, unless it was to go in and unblock them. Seeing as how Safari is the only browser that blocks them by default, most people probably don't even realize they ARE blocked. And in this specific case, the 'work-around' was to provide tracking cookies to people logged in to G+ who specifically opted in to targeted ads. How this can possibly be spun into Google doing evil is really amazing to me. They did exactly what their customers asked for, and got thrashed for it. Lets not forget also that the cookies in question were non-specific, and had no personally identifiable information in them. Did anyone even read the article on that?
In the IE case, Microsoft is relying on an optional, trust based system deprecated 5 years ago as a method of protecting your privacy. Once again, Google used a perfectly legitimate part of that standard to bypass it, for the express purpose of giving users who were logged in to G+ and opted in to targeted ads, those targeted ads. Explain the evil here, if you would?
Re:Impractical to who? (Score:4, Informative)
I like it, anyone who has a valid argument must be a 'fanboi' because you can't figure out the logic.
If you were not signed in to G+, and hadn't opted in to targeted ads, then no, Google did not go around your express privacy choices. See how it works, genius? If you weren't opted in, then you got no cookie, put there against your wishes or not. Why is that so hard to figure out?
Second, the IE thing, it is a trust based system that was deprecated 5 years ago, and only implemented by IE anyway. Why is Google wrong for not paying attention to a lapsed system? And again, it was done to allow people who had opted in to get exactly what they asked for, so where is the privacy problem? If you weren't a G+ member, and didn't opt in to ads, then you didn't get a damn cookie, they didn't 'exploit' anything, and you have no horse in this race at all.
I'm still waiting for someone to explain to me how bypassing ANYTHING to allow users what they opted in to once already, but were blocked by specific browser implementations from getting, is wrong or evil?
Regardless of whether the users were savvy enough to know they opted in to ads or not is a separate question, and really has no bearing whatsoever on whether they opted in or not. If they left it at the default,but signed in to G+, they are getting targeted ads. If they didn't read the agreement, that is hardly Google's fault, no? Nor is it their fault if they provide those ads. They can opt out at any time, and the 'privacy violations' stop. It really is that simple.
No, I don't own Google stock, nor Apple, nor Microsoft. I believe ALL corporations are amoral and not to be trusted. I just believe we should be mad at them for the things they actually do, rather than manufacturing bullshit anger over something that doesn't even exist. They do enough bad on their own, we don't have to go looking for BS reasons to be pissed. I also happen to dislike misinformation, no matter who it's directed toward. If you couldn't bother to read about the issue, why are you even commenting? To show how little you know?