Google: IE Privacy Policy Is Impractical
itwbennett writes "In response to Microsoft's claim that Google circumvented Internet Explorer privacy protections (following the discovery that Google also worked around Safari's privacy settings), Google on Monday said that IE's privacy protection, called P3P, is impractical to comply with."
Impractical to who? (Score:5, Insightful)
Re: (Score:2, Insightful)
When has Google ever stated, or even indicated, that as a goal? They serve personalized ads, but the data they use to do so never leaves their own servers.
Re: (Score:3, Insightful)
Re:Impractical to who? (Score:5, Funny)
Re:Impractical to who? (Score:5, Insightful)
Selling that demographic information is how they provide all the free services they do. Their ability to target ads effectively is what makes them attractive to advertisers.
I get that Slashdotters are deeply paranoid about anyone knowing anything about them, but at the same time, you aren't entitled to free services like those that Google provides. If you really don't want anything to do with Google, modify your hosts file so all requests to *.google.com (and related domains) are sent nowhere. That's "voting with your wallet," so to speak.
But I can't say I have much patience for people who want to use Google's services and then complain about Google using the information they gather about you as part of their advertising system. There's room to argue about what they should or shouldn't be allowed to do with it, but to presume they shouldn't have any information about you at all is a bit silly.
Re:Impractical to who? (Score:5, Insightful)
Are we entitled to something for nothing? No, of course not.
However, it doesn't follow that Google is therefore entitled to disregard an unambiguous request from a user not to collect personal data. If they feel that a user is granting them too little information in exchange for their service, they are free to deny that user access. Making an end run around security settings is sleazy, no matter how you dice it.
I'd have a lot more sympathy for Google if the first story to break was this public complaint, together with a statement of how they were working around it and a warning to affected users that their privacy settings were being circumvented. To make a statement like this /after/ being caught with their corporate hand in the proverbial cookie jar doesn't make a very good defense.
Re:Impractical to who? (Score:4, Insightful)
If you don't like what Google does with your information, do not use their services and therefore avoid providing any information at all.
I agree that Google has every right to block access to people who don't allow Google to collect the information they want. That's the price you pay for their services, after all.
I think that's entirely separate from Google working around IE's security settings, which I agree is pretty fucking shady and not something they have any right to do.
Re:Impractical to who? (Score:5, Informative)
No, they aren't. In the Safari case, the default setting in Safari is to block third party cookies. No one made that choice, unless it was to go in and unblock them. Seeing as how Safari is the only browser that blocks them by default, most people probably don't even realize they ARE blocked. And in this specific case, the 'work-around' was to provide tracking cookies to people logged in to G+ who specifically opted in to targeted ads. How this can possibly be spun into Google doing evil is really amazing to me. They did exactly what their customers asked for, and got thrashed for it. Let's not forget also that the cookies in question were non-specific, and had no personally identifiable information in them. Did anyone even read the article on that?
In the IE case, Microsoft is relying on an optional, trust based system deprecated 5 years ago as a method of protecting your privacy. Once again, Google used a perfectly legitimate part of that standard to bypass it, for the express purpose of giving users who were logged in to G+ and opted in to targeted ads, those targeted ads. Explain the evil here, if you would?
Re:Impractical to who? (Score:4, Informative)
I like it, anyone who has a valid argument must be a 'fanboi' because you can't figure out the logic.
If you were not signed in to G+, and hadn't opted in to targeted ads, then no, Google did not go around your express privacy choices. See how it works, genius? If you weren't opted in, then you got no cookie, put there against your wishes or not. Why is that so hard to figure out?
Second, the IE thing, it is a trust based system that was deprecated 5 years ago, and only implemented by IE anyway. Why is Google wrong for not paying attention to a lapsed system? And again, it was done to allow people who had opted in to get exactly what they asked for, so where is the privacy problem? If you weren't a G+ member, and didn't opt in to ads, then you didn't get a damn cookie, they didn't 'exploit' anything, and you have no horse in this race at all.
I'm still waiting for someone to explain to me how bypassing ANYTHING to allow users what they opted in to once already, but were blocked by specific browser implementations from getting, is wrong or evil?
Regardless of whether the users were savvy enough to know they opted in to ads or not is a separate question, and really has no bearing whatsoever on whether they opted in or not. If they left it at the default, but signed in to G+, they are getting targeted ads. If they didn't read the agreement, that is hardly Google's fault, no? Nor is it their fault if they provide those ads. They can opt out at any time, and the 'privacy violations' stop. It really is that simple.
No, I don't own Google stock, nor Apple, nor Microsoft. I believe ALL corporations are amoral and not to be trusted. I just believe we should be mad at them for the things they actually do, rather than manufacturing bullshit anger over something that doesn't even exist. They do enough bad on their own, we don't have to go looking for BS reasons to be pissed. I also happen to dislike misinformation, no matter who it's directed toward. If you couldn't bother to read about the issue, why are you even commenting? To show how little you know?
Maybe Google did not circumvent Safari privacy (Score:3)
I like the way this poster from reddit put it:
Wow... Experienced web developer here... They tried so hard to make that article accessible for non web developers that it was almost harder for me to understand that way.
My "OMG nefarious" meter isn't even going off at all.
This is a misleading headline.
Google is circumventing
"is" implies "still is" - which they are not.
"circumventing" implies intentionally skirting around a bug - which NOTHING in this article says they are or were.
Cross domain security should be built in to all browsers, and all Google was doing was passing cookies when people hit a button in an iFrame, and google's normal tracking activities if you're logged in to google continued.
All that happened here was that a bug in Safari meant that google's stuff kept working even when it wasn't supposed to. There's no indication that this code was specially geared toward Safari. It sounds like their tracking was meant to automatically continue on as usual, and Safari failed to prevent 3rd party cookies from being sent.
This headline is sensationalist bullshit.
If you want to argue that google does too much tracking in general that's a different story. But there is not one tiny iota of information in this article that suggests google was "exploiting a bug in Safari" -- these iFrame based buttons and the cookies that follow them are standard operating procedure for ad networks.
EDIT: Also credit to /u/powerje, who points out that it was 2 google engineers who fixed the problem in webkit/Safari
http://www.reddit.com/r/apple/comments/ptoez/google_is_circumventing_safari_privacy_settings/
Re: (Score:3)
modify your hosts file
Oh no!!! You have summoned APK!!!
Re: (Score:2)
But the person I responded to wasn't even expressing a specific concern about privacy. They were concerned about "selling our demographic information to advertisers." Whether Google sells the information directly or merely sells tools that rely upon it, this is how Google makes their money. Since when did the definition of "privacy" extend to "aggregate data that may or may not represent characteristics of myself within the statistics"?
Re: (Score:3)
When the starting value is $0, Google doesn't really care if you'd prefer things differently.
Now if you paid $1 per search they most certainly would listen to your feedback and try and 'increase the value to you'.
Re:Impractical to who? (Score:4, Informative)
actually, they would be quite stupid to sell ... because when I consider how much time I spend with google services compared to anything else, they must know about five times as much about me as the next best competitor ... so selling stuff that helps their competition would be really not a good idea ;)
Re: (Score:2)
The data never needs to leave their servers. They sell access to their servers so companies can run queries against the data. The 'Results of the query' go with the company. Never the data.
Re: (Score:2, Funny)
...never leaves their own servers.
I have great assurances that Google cannot be hacked, and that their contractors and affiliates use the excellent resources and high standards of Fleishman Hillard to protect data integrity from all possible hacking and cracking attempts.
not sold, but perhaps rented (Score:2)
So they merely rent our personal information instead of selling it. That's a pretty small distinction.
Re:Impractical to who? (Score:5, Interesting)
"but the data they use to do so never leaves their own servers."
I guess you believe everything you hear/read....
Why would the data leave their servers? They don't need to sell the information to advertisers--they simply tell advertisers, "We know everything about everyone. We will put your ad in front of the 1 million people most likely to respond. You don't need us to sell their information to you--they will provide it when they buy your product."
Re: (Score:2)
Re:Impractical to who? (Score:4, Interesting)
That's for internet advertising. Google does no print advertising, which loads every mailbox in the nation with tons of shit. Considering the amount of people that use their real names, you don't think they'll sell all that data they collect on you to print advertisers for targeted mailing?
What's a mailbox? I don't have a single bill that shows up in my mailbox. It's all paid online. Anything that shows up in the USPS box just gets chucked into the burn barrel. (Unless it's a package shipped by one of the few companies that charges $1 to ship via USPS from clear across the US--but that's rare.)
To save myself time, I've been thinking about replacing my mailbox with an always-on burn barrel--maybe using a propane barbecue bottle to supply it. Maybe the USPS would finally get the hint. Anything 'important' needs a signature and the mail carrier knocks on the door.
Re: (Score:2)
Re: (Score:2)
And how is that any different from a spam folder on Gmail, Yahoo, Hotmail, etc? Or using Adblock? Or any other measure that accomplishes the same thing?
I didn't imply it was different. I ignore both equally. You seemed to be implying that loading every mailbox in the nation with 'tons of shit' was a bad thing. Not if you ignore it.
Re: (Score:2)
Re: (Score:2)
You seem to be implying that ignoring it means that my original statement doesn't/can't/won't happen. I never said it was bad, just substituted spam with shit. See no evil, eh?
I prefer 'hear no evil', that's why I read Slashdot. ;)
Single point of failure (Score:2)
You better pray like hell nothing ever goes wrong, Mr Buttle http://en.wikipedia.org/wiki/Brazil_(film) [wikipedia.org]
Re: (Score:2)
Your grandma never sends you a birthday card with a check in it? Personally I'd rather pay for the fifty cent stamp than the buck fifty fee to pay my gas bill online.
But I agree, snail junk mail is worthless. But you (and I, even if I do still use the USPO) aren't normal people. We're nerds. Most people actually do still use the mail, or the Springfield Advertiser would have gone out of business long ago.
Re:Impractical to who? (Score:4, Funny)
Dude - get your monopolies straight! It's Girl Scouts with the cookies, Boy Scouts with the popcorn, and Congress with the assholes!
It's that last one which doesn't leave many unfilled niches for world dominating companies like Google.
Re: (Score:2, Redundant)
Impractical to those who want to spy on everything users do, anyway.
misleading/wrong question (Score:5, Insightful)
The question that should be asked is: Why does IE have some part of their framework in place which can be simply ignored/violated?
Re: (Score:2)
Where are my mod points, damnit!?
This is the FIRST thing I thought of.
Re:misleading/wrong question (Score:5, Insightful)
Re: (Score:2)
I disagree. A culture of "sloppy and permissive software" is flawed at a very basic level. It's a failure to recognize the fact that the virtual window of your analogy will be smashed EVERY time. Eventually, actual bars are put over actual windows, to prevent break-ins if they are persistent.
With the level of automated tracking of all kinds available these days, there simply cannot be any forgiveness for a vendor who feels that the best response to a broken window is to, simply, leave it open.
Re: (Score:2)
I'm not excusing exploits that can be fixed; they should be. But I don't think individual exploits are the main issue. There will always be some available.
The kind of mass profiling now possible to the police, and google, and facebook, is not open to just anybody. That's why google and facebook are valued at billions of dollars - because they're so pervasive they can create the Total Profile. And
Re: (Score:2)
Really?
Why don't you take a look at where this P3P comes from.
https://plus.google.com/u/0/114753028665775786510/posts/fuLZoEkJZNs [google.com]
Hint: Microsoft. So they created the issue and raised the flag about it.
So your focus on "ohhhh, the privacy!" is a false focus in comparison.
Re: (Score:3)
Re: (Score:2, Insightful)
Yeah! Why are they bothering to follow the P3P standard that they didn't invent?
(rolling eyes)
Re: (Score:3)
If P3P is being violated, then they should be making sure P3P is enforced, not calling into question google
Isn't that what they're doing? Google is essentially violating the standard by claiming their cookies have no privacy implications, and Microsoft is trying to call them out on it.
Re: (Score:3, Informative)
Please.
Microsoft created the standard *AND* implemented it. It's their own fault if they allow loopholes.
see: https://plus.google.com/u/0/114753028665775786510/posts/fuLZoEkJZNs [google.com]
and NYT criticism of basically creating security loopholes: http://bits.blogs.nytimes.com/2010/09/17/a-loophole-big-enough-for-a-cookie-to-fit-through/ [nytimes.com]
google's fault? none, really.
title: "If you rely on Microsoft’s Internet Explorer’s privacy settings to control cookies on your computer, you may want to rethink that stra
Re: (Score:3)
Bullshit. You know where P3P actually comes from? The World Wide Web Consortium [w3.org] (W3C). The people who brought us HTML, and CSS. Where does it not come from? Microsoft. In fact, Microsoft isn't even one of the contributors (AT&T, IBM, ETH, MIT and the University of Venice are though). Funnily enough, the author didn't even imply in that G+ post you link to that Microsoft invented P3P.
Re:misleading/wrong question (Score:5, Insightful)
Yeah how dare they implement the P3P standard as it tells them to! Google is using a loophole in the standard to bypass the privacy protection.
Re: (Score:3)
They aren't implementing the P3P standard as it tells them to, because the standard says if the P3P statement can't be parsed, it should assume the worst, not allow it through. Did you even read the standard?
Re:misleading/wrong question (Score:5, Insightful)
Because P3P was a pile of crap to begin with, is drastically out of date and long since abandoned by everyone except microsoft?
From wikipedia:
"The Platform for Privacy Preferences Project (P3P) is a protocol allowing websites to declare their intended use of information they collect about web browser users. Designed to give users more control of their personal information when browsing, P3P was developed by the World Wide Web Consortium (W3C) and officially recommended on April 16, 2002. Development ceased shortly thereafter and there have been very few implementations of P3P. Microsoft Internet Explorer is the only major browser to support P3P. The president of TRUSTe has stated that P3P has not been implemented widely due to the difficulty and lack of value."
"P3P manages information through privacy policies. When a website uses P3P, they set up a set of policies that allows them to state their intended uses of personal information that may be gathered from their site visitors. When a user decides to use P3P, they set their own set of policies and state what personal information they will allow to be seen by the sites that they visit. Then when a user visits a site, P3P will compare what personal information the user is willing to release, and what information the server wants to get – if the two do not match, P3P will inform the user and ask if he/she is willing to proceed to the site, and risk giving up more personal information."
P3P can't handle 'legit' cookies not being associated with the domain you're actually viewing. IE requires a P3P policy to exist for 3rd party cookies to be saved when that setting is turned on; google's exists, but just says "this is not a p3p policy", and points you to their privacy policy. IE then goes 'alrighty then, you've got a P3P policy that's utter garbage even though I'm the one that asked for it, but here, go ahead and set that cookie anyway'.
Frankly, Google not respecting Mozilla's DoNotTrack header is a much worse case of ignoring expressed user privacy than this crappy old IE only 'standard' having a loophole you could ride an elephant through.
Impractical to Microsoft, MS also send invalid P3P (Score:4, Interesting)
I find it interesting that Microsoft also sends an invalid privacy header, just as they are complaining about Google doing.
I also find it interesting that MS is blaming Google for IE's failed handling on invalid P3P headers rather than fixing their product.
Re:Impractical to Microsoft, MS also send invalid (Score:5, Informative)
As I understand it, Microsoft is following the spec properly. Google is exploiting a loophole in the spec. [slashdot.org]
Re:Impractical to Microsoft, MS also send invalid (Score:4, Insightful)
Which is another way of saying: Google is also following the spec. The problem is, the spec is faulty, and doesn't provide what it's intended to.
Re:Impractical to Microsoft, MS also send invalid (Score:5, Insightful)
User: "I don't wish to be tracked. I've opted out using this P3P setting."
Google: "Haha there's a loophole that we're gonna use to track you anyway. Blame Microsoft if you don't like it, sucker!"
Yep, Google has done nothing wrong here whatsoever. They're completely right to exploit a known loophole which allows them to disregard the wishes of the users accessing their services, if those wishes would make Google's services less profitable.
If this is "Do no evil," I shudder to think about the damage Google could do if they decided one day to deliberately engage in evil.
Re: (Score:2)
cf. Hank Scorpio, Globex Corporation.
Re: I shudder to think about the damage (Score:3)
Obligatory!
Don't make Google angry. You wouldn't like it if it became angry.
Re: (Score:3)
So are you telling me you actually opted out using P3P? If so, you must be one of the 10 people on earth who actually knew what this was before the story broke. P3P is a broken system, has been a broken system forever, and has been deprecated as a standard since 2007. This is the privacy protection you are relying on? A system that even Microsoft exploits in EXACTLY THE SAME WAY as Google did?
Re: (Score:2, Interesting)
If it's something that can be exploited then it's a bug. Any security/privacy feature of the browser should be in the control of the user not at the mercy of the http server.
If it was something like a buffer overflow would microsoft still complain how that bad guys should stop sending invalid data packets to the browser?
I don't like google's extensive tracking either, but complaining that it's not using some unpopular protocol is just silly. If you are going to implement privacy control then make it work reg
Re:Impractical to Microsoft, MS also send invalid (Score:4, Informative)
what the text SHOULD look like (assume angle brackets here; sorry for having to reformat to get around slash filters)
[META xmlns="http://www.w3.org/2002/01/P3Pv1"]
[POLICY-REFERENCES]
[POLICY-REF about="/P3P/Policies.xml#first"]
[COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/]
[COOKIE-EXCLUDE name="obnoxious-cookie" value="*" domain=".example.com" path="/"/]
[/POLICY-REF]
[POLICY-REF about="/P3P/Policies.xml#second"]
[COOKIE-INCLUDE name="obnoxious-cookie" value="*" domain=".example.com" path="/"/]
[/POLICY-REF]
[/POLICY-REFERENCES]
[/META]
and what google's looks like:
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 [google.com] for more info."
now, without even having a compsci101 level course, anyone here see which is the more correct parseable string and which is weasel bullshit?
Re: (Score:3)
IE should try to parse the P3P according to the spec. If that fails, then display the contents to a user, with buttons: "Accept cookie", "Reject cookie", and "never allow visits to this site again".
Re: (Score:3)
Re: (Score:3)
what the text SHOULD look like (assume angle brackets here; sorry for having to reformat to get around slash filters)
[META xmlns="http://www.w3.org/2002/01/P3Pv1"]
[POLICY-REFERENCES]
[POLICY-REF about="/P3P/Policies.xml#first"]
[COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/]
[COOKIE-EXCLUDE name="obnoxious-cookie" value="*" domain=".example.com" path="/"/]
[/POLICY-REF]
[POLICY-REF about="/P3P/Policies.xml#second"]
[COOKIE-INCLUDE name="obnoxious-cookie" value="*" domain=".example.com" path="/"/]
[/POLICY-REF]
[/POLICY-REFERENCES]
[/META]
And what the P3P header at www.microsoft.com looks like:
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
now, without even having a compsci101 level course, anyone here see which is the more correct parseable string and which is weasel bullshit?
I guess the first is correct, and the second is bullshit?
Re: (Score:3)
Angle brackets: for the "less than" bracket, &lt; will produce <
The greater than bracket just works as is, just hit the key.
Re:Impractical to Microsoft, MS also send invalid (Score:5, Informative)
Consider the following (from http://www.w3.org/TR/P3P11/#ua_compact [w3.org]):
6.4 Compact Policy Processing
P3P user agents MUST NOT rely on P3P compact policies that do not comply with the P3P 1.0 or P3P 1.1 specifications or are obviously erroneous. Such compact policies SHOULD be deemed invalid and the corresponding cookies should be treated as if they had no compact policies.
As I understand this, IE should actually search the Google P3P header for a valid statement of what Google intends to do with regard to tracking cookies. If it does not find those, it should apply the default behaviour for web sites without any P3P header. As described by Dean Hachamovitch (the author of the blog post):
By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site's use does not include tracking the user.
Fine. So your browser sees a Google P3P header without any valid policies. At this point, the clause "unless the site presents..." should kick in and cookies should be blocked. To me this looks like a bug in IE, as they failed to implement the default behavior in this case. It would be appropriate for Microsoft to fix this bug, send the fix as update on next patch day and otherwise be very humble about their error.
Instead, Dean Hachamovitch tries to paint this as conspiracy by Google to circumvent IE's security protection. FAIL.
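The fail-open versus fail-closed handling argued over in the comment above, as an added example that is not part of the thread and is not IE's or anyone's actual code. It evaluates the two P3P headers quoted on this page plus two constructed ones; the token vocabulary is transcribed from the P3P 1.0 compact-policy grammar and should be checked against the specification, the "lenient" mode only models the behaviour the thread describes (unrecognised tokens skipped), and the `OBJECTIONABLE` preference set is hypothetical.

```javascript
// Added illustration: lenient (fail-open) vs strict (fail-closed) handling of a
// P3P compact policy (CP) when deciding whether to keep a third-party cookie.

// Tokens that stand alone (assumed vocabulary, transcribed from P3P 1.0).
const PLAIN = new Set([
  "NOI", "ALL", "CAO", "IDC", "OTI", "NON",   // access
  "DSP", "COR", "MON", "LAW", "NID", "TST",   // disputes, remedies, non-identifiable, test
  "CUR", "OUR",                               // purpose/recipient with no consent suffix
  "NOR", "STP", "LEG", "BUS", "IND",          // retention
  "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
  "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC", // data categories
]);
// Tokens that may carry a consent suffix: a (always), i (opt-in), o (opt-out).
const WITH_CONSENT = new Set([
  "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP",
  "DEL", "SAM", "UNR", "PUB", "OTR",
]);
// Hypothetical user preference: refuse these purposes unless the user has a choice.
const OBJECTIONABLE = new Set(["IVA", "IVD", "CON", "TEL"]);

// Headers quoted in the thread, and two constructed for this example.
const GOOGLE_HEADER = 'P3P: CP="This is not a P3P policy! See ' +
  'http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."';
const MICROSOFT_HEADER = 'P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD ' +
  'TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"';
const CONSTRUCTED_CLEAN = 'P3P: CP="NOI DSP COR NID CUR OUR NOR"';
const CONSTRUCTED_TRACKING = 'P3P: policyref="/w3c/p3p.xml", CP="NON DSP COR IVD TEL OUR IND ONL"';

// Pull the CP="..." value out of a P3P response header line; null if absent.
function extractCompactPolicy(headerLine) {
  const m = /^P3P:.*?\bCP\s*=\s*"([^"]*)"/i.exec(headerLine.trim());
  return m ? m[1] : null;
}

// Map one token to { base, consent }, or null when it is not in the vocabulary.
function classify(token) {
  if (PLAIN.has(token)) return { base: token, consent: null };
  const m = /^([A-Z]{3})([aio])?$/.exec(token);
  // A missing suffix means "always", i.e. the user gets no choice.
  if (m && WITH_CONSENT.has(m[1])) return { base: m[1], consent: m[2] || "a" };
  return null;
}

// mode "lenient": unknown tokens are ignored, so garbage reads as "nothing to object to".
// mode "strict":  any unknown token voids the whole policy, which is then treated as
//                 absent, and an absent policy means the third-party cookie is blocked.
function evaluateThirdPartyCookie(headerLine, mode) {
  const cp = extractCompactPolicy(headerLine);
  if (cp === null) {
    return { accept: false, reason: "no compact policy", unknown: [] };
  }
  const tokens = cp.split(/\s+/).filter(Boolean);
  const unknown = tokens.filter((t) => classify(t) === null);
  if (mode === "strict" && (tokens.length === 0 || unknown.length > 0)) {
    return { accept: false, reason: "invalid compact policy, treated as absent", unknown };
  }
  const hit = tokens
    .map(classify)
    .find((c) => c !== null && OBJECTIONABLE.has(c.base) && c.consent === "a");
  if (hit) {
    return { accept: false, reason: `declares ${hit.base} with no user choice`, unknown };
  }
  return { accept: true, reason: "no objectionable token recognised", unknown };
}

// Print the decision for each sample header under both modes.
function report() {
  const samples = {
    google: GOOGLE_HEADER,
    microsoft: MICROSOFT_HEADER,
    "constructed clean": CONSTRUCTED_CLEAN,
    "constructed tracking": CONSTRUCTED_TRACKING,
  };
  for (const [name, header] of Object.entries(samples)) {
    for (const mode of ["lenient", "strict"]) {
      const r = evaluateThirdPartyCookie(header, mode);
      const verdict = r.accept ? "ACCEPT" : "BLOCK";
      console.log(`${name.padEnd(21)} ${mode.padEnd(8)} ${verdict.padEnd(7)} ` +
        `${r.reason}; unknown tokens: ${r.unknown.length}`);
    }
  }
}

report();
```

The same header flips from accepted to blocked purely on how unrecognised tokens are handled, which is the fail-closed default the quoted section 6.4 asks user agents to apply.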
Re: (Score:2)
Yes, it probably is. Except Google doesn't sell personal information at all. They sell aggregated information, and more specifically, targeted ads based on aggregate information, and targeted ads based on personal information they hold. At no point is that data sold to others.
I'm still trying to figure out how a broken implementation of P3P in IE is Google's fault. Of course, I'm also still trying to figure out why basing your 'privacy protection' on a system that was deprecated almost 5 years ago is co
Re:Impractical to who? (Score:5, Interesting)
No it isn't. (Score:2, Insightful)
Stop including P3P header data if all you're going to put is "this is not a P3P policy" in it. How impractical is that?
Google (Score:5, Funny)
We're safe! (Score:5, Funny)
Re: (Score:3)
Well it's not like they have a contract with facebook as Microsoft does, to do what google does to IE anyway, right? Right?
Too soon?
Re: (Score:3)
The flaw has been known since at least 2010 and in fact when it was pointed out that even Microsoft was passing invalid codes on their own support site. Some people get such a hard-on for ripping on Google that they're willing to defend MS as the good guy despite implementing something that was completely broken and never offered any protection.
http://bits.blogs.nytimes. [nytimes.com]
Microsoft Quality (Score:4, Funny)
Re:Microsoft Quality (Score:5, Insightful)
If browser makers were serious about protecting their users' privacy, they would make adblocking the default, they would have stricter cookies policies, and they would not let a company like Google decide what sort of privacy people will have.
Re:Microsoft Quality (Score:5, Funny)
Re: (Score:2)
Re:Microsoft Quality (Score:5, Insightful)
I remember thinking the same when I was forced to study it academically some time ago, and thought at the time what the fuck is the point in it exactly?
Well at least now I have my answer, it makes for good headlines when you want to troll your competitors with it if nothing else.
Re: (Score:2)
A good second-order use is when someone wants to stoke the flames of anti-Google hysteria, as seen with this article and many of the posters.
Re: (Score:2)
Thing is, P3P isn't a security solution. It's a legal/social solution: make the site declare what it promises to do, and then the user has a solid basis for complaints through the usual channels for breach of that promise. The courts may not understand the technicalities of P3P and the Internet and such, but "He made a written promise to not do X (which promise I have a copy of), I relied on that promise, he went ahead and did X anyway and I've suffered these damages because of it." is something the courts
Re: (Score:2)
Re: (Score:2)
The ironic thing is that you are calling people "moron" while pushing the claim that protecting privacy has nothing to do with security.
Re:Microsoft Quality (Score:5, Funny)
Re:Microsoft Quality (Score:5, Funny)
Or if you have a webcam, it will accept sincere looking smiles.
FTFY (Score:5, Funny)
Google on Monday said that IE's privacy protection, called P3P, is unprofitable to comply with."
Re:FTFY (Score:4, Informative)
MS is a private company, not a legislative body.
As the situation is presented, Google is under no legal requirement to comply with any 3rd party browser "privacy requirements" outside of any existing legal agreements with manufacturers of said browsers. Was any such agreement in place?
tl;dr - MS can go get stuffed.
Re: (Score:2)
Re: (Score:3, Interesting)
Google is under no legal requirement, but remember, they're the "Do No Evil!" crowd. Deliberately circumventing a system which allows browser USERS to say "I don't want to allow cookies from sites which will do X, Y, or Z with my data," would seem to fly in the face of that policy, wouldn't it?
What you're saying is, "Since Microsoft didn't create a hermetically sealed box that's unable to be bypassed, it's okay for Google to simply disrespect the wishes of the user - as expressed by the web browser setting
Re: (Score:3, Interesting)
If Google sent nothing, and simply said "We refuse to support P3P," then the P3P system would have stopped them setting the tracking cookie. So Google had to expend the effort to:
1) Find a loophole that would allow them to track users even if this P3P system was in place;
2) Implement & test their workaround;
So yes, they had to deliberately develop and implement a workaround to allow them to plant the tracking cookie on IE users. Because not planting that cookie would be ever-so-inconvenient and unpr
Re:FTFY (Score:4, Insightful)
No, everyone is framing it correctly as a Google vs. Microsoft issue, since Microsoft intended it that way, using the 'user' as a convenient damsel in distress. The fact is, Google is following the standard as written. IE is not handling the invalid P3P statement as it should, as laid out in their own specification. Any malformed statement should be treated as having no statement, and the cookies blocked. Instead, IE happily accepts the malformed response and allows the cookies anyway. They brought this up now because of the Safari thing, they are playing piggyback-the-bad-press here.
You know who else 'circumvents' P3P policies? Microsoft. Oh, and some outfit they have a contract with, called uhm... Facebook, or something.
Re: (Score:2)
> Google is under no legal requirement to comply with any 3rd party browser "privacy requirements"
Maybe in the US, but not in the rest of the world, where privacy laws exist. Time and time again Google has argued that the consent of the user can be presumed, because cookies are enabled. Only with this presumed consent are they allowed to track users.
However, cookies are enabled by default, so this argument is pretty weak. And it collapses as soon as the user takes any action to discourage tracking, wheth
Dear Google (Score:4, Interesting)
So you're telling me it's impractical to send nothing or to NOT SEND BS in the field?
Congratulations for being as evil as MS
Re: (Score:2)
Re: (Score:2)
They send a valid P3P header that says 'we're not complying with your privacy request'
IE says 'Thanks for complying! with our policy!'
How exactly is that google's fault?
Re: (Score:2)
No, it is an invalid content for a machine readable field
Legalese is not a valid P3P header content
Re:Dear Google (Score:5, Insightful)
I find it amusing that you are twisting and squirming to rationalize how Google explicitly disregarding the wishes of the user and exploiting a well-known loophole in the P3P spec in order to do something against that user's wishes is "not evil."
Even in the best "Microsoft should have prevented this" light, it makes them no better than the used car dealer who tries to convince you that the rust on that El Camino is a special limited-edition two-tone finish that the manufacturer tested out, and the noise from that busted exhaust system is just evidence that the car has a special glasspack muffler. It's bottom-feeding behavior of the worst sort, and blatant hypocrisy from a company that carries on about its "do no evil" policy.
Re:Dear Google (Score:4, Interesting)
Right. They exploited a bug in Internet Explorer so they could track users against their wishes. On its own maybe more naughty than evil, but following on their very purposeful and sneaky bypassing of anti-tracking measures in Safari, it's just a continuation of a pattern of sneaky disregard for users' wishes.
Don't be evil had to go out the window the second Google became an advertising company. If you didn't realize before, it should have become obvious when they bought doubleclick, the evilest company on the web.
Re: (Score:3)
You are wrong on both counts. In both cases, the tracking cookies were placed for users logged in to G+, who had opted in to targeted ads. How again is that exploiting a bug so they could track users against their wishes? How is it again that having something on by default represents a user's wishes anyway?
Old and Busted (Score:5, Interesting)
P3P has been Old and Busted [epic.org] since Slashdot first covered it [slashdot.org] in 2002.
Microsoft would never bring it up, if they weren't already in panic mode. This seems to indicate that MS is in far worse shape than we know.
Not impractical, ridiculous! (Score:5, Interesting)
I think Google is being polite, as do people who quote a "lack of value"
From http://en.wikipedia.org/wiki/P3P [wikipedia.org]
The main content of a privacy policy is the following:
which information the server stores:
which kind of information is collected (identifying or not);
which particular information is collected (IP address, email address, name, etc.);
Kind of information??? As if the AI problems were all solved. IP Address? Of course it is collected. Email address? Yes if there is an input box that says email address then the address is collected.
Re: (Score:2)
Let's put it the other way around. If you were to tell your browser you only want to visit websites that do not store your IP address, how far would you get?
Or, how tired would you get of pop-ups saying "This site stores your IP address. Continue viewing?"
Re: (Score:2)
The file may be machine readable, but someone has to configure the other side, the client's preferences.
Here you will run into an overwhelming list of options that an average user is simply not going to bother with ---> Ridiculous waste of time.
One question never answered (Score:4, Interesting)
How does Facebook do it (the Like button)? Does Facebook also circumvent it this way? Either Facebook found a way to do it better, or they are both doing the same thing.
Can we stop the Google/Microsoft bashing and focus on the techniques please?
Re:One question never answered (Score:5, Informative)
Not only does Facebook do it but Microsoft also does it. The standard they are accusing Google of violating is so out of date that W3 doesn't even try to update it anymore, because no one follows it and most browsers don't even implement it fully. This is a non-story in every direction.
Re:One question never answered (Score:4, Informative)
Check the ARS story with 2 updates:
http://arstechnica.com/tech-policy/news/2012/02/google-tricks-internet-explorer-into-accepting-tracking-cookies-microsoft-claims.ars
Yes Facebook is doing it as well as msn.com and live.com
Re: (Score:2)
How does Facebook do it (the Like button)? Does Facebook also circumvent it this way? Either Facebook found a way to do it better, or they are both doing the same thing.
Can we stop the Google/Microsoft bashing and focus on the techniques please?
Firefox with Ghostery is your friend. Forget "do not track" and P3P. They rely on fair play of web sites - which is unreasonable to expect.
Irony. (Score:2)
Thy name is Corporate.
I don't get the outrage. (Score:3)
As much as I hate the facebook +1 button, logging in with facebook, the google variants, and other such functionality that is appearing on pretty much every website, I just can't fault Google that hard for this. The P3P spec is old. Ancient. No one follows it. The standards body who created it doesn't even want anything to do with it. The only reason Microsoft is even bringing this up is to take a shot at Google while Apple is taking a shot at Google for their Safari stuff.
Re: (Score:3)
Re: (Score:2)
[Citation Needed]