Google responds to Microsoft's IE9 privacy claims

On Monday, Microsoft accused Google of bypassing Internet Explorer 9's privacy protections. Microsoft says that Google is exploiting "a nuance in the P3P specification that has the effect of bypassing user preferences about cookies." The company added, "Google sends a P3P policy that fails to inform the browser about Google's use of cookies and user information. Google's P3P policy is actually a statement that it is not a P3P policy." The mechanism at issue is IE's third-party cookie blocking, which is driven by the P3P compact policy (the CP="..." tokens) a site sends in its P3P response header: Google's header carries a sentence of English where the tokens should be, and IE accepts the cookie anyway.

Today, Google sent Neowin an email response to Microsoft's claims, written by Rachel Whetstone, Google's Senior Vice President of Communications and Policy. In the company's response, Whetstone said:

Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known - including by Microsoft - that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other websites. Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.

Google also gave examples of web functionality that it says cannot work with the P3P approach. Whetstone states:

These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services.  It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality.

Google also claims that Microsoft has known about this issue for some time and that other outside researchers have pointed it out.  Whetstone's statement quotes one of them, Lauren Weinstein, as saying, "In any case, Microsoft's posting today, given what was already long known about IE and P3P deficiencies in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues.”


US citizens have rights! They must be observed!! Archive or library, researcher or collector, distributor and broadcasters! Remember, my friend, human rights above all! Freedom for all!!
http://www.google.com/url?sa=t...6bFvRK_O8iwt-LpwcCyzWYY8doQ

http://www.google.com/url?sa=t...xe3b-Gka9CQhXTjPWR6N7XWlsAw

http://www.google.com/url?sa=t...6fv8HxtjXk9oV31vCYO3tatg3_A


Remember your freedoms. My people were slaves; I know right from wrong, and most of these greedy bastards are wrong. LOL, seven-dollar-an-hour mall workers, wake up!

Hell-In-A-Handbasket said,
So, the short reason is "we're doing it because others are doing it"?

Well no, it's more "nobody is doing it, not even Microsoft itself, so we won't either"

"That 2010 research even calls out Microsoft's own msn.com and live.com for providing invalid P3P policy statements"

"Microsoft's support website recommends the use of invalid CPs as a work-around for a problem in IE"

http://arstechnica.com/tech-po...ookies-microsoft-claims.ars

that it is impractical to comply with Microsoft's request while providing modern web functionality

Having implemented P3P myself, I know for sure that Google's response is bull crap.
There is no relation between specifying a proper policy and 'implementing modern web functionality'.

Gist of it is that Google wants to continue bypassing the third party cookie blocking functionality in IE and not accept the blame like they did with the similar issue in Safari.

figgy said,

Having implemented P3P myself, I know for sure that Google's response is bull crap.

Ah and of course we should just believe you (without any proof whatsoever) over Google! .... rrrright

quintesse said,

Ah and of course we should just believe you (without any proof whatsoever) over Google! .... rrrright

I would even believe the proverbial guy who shouted wolf over Google in a minute, considering their history of lies and arrogance when it comes to privacy concerns

Morden said,

I would even believe the proverbial guy who shouted wolf over Google in a minute, considering their history of lies and arrogance when it comes to privacy concerns

And what history is that, exactly?

ichi said,

And what history is that, exactly?

Chrome's EULA, Buzz privacy setting, Streetview hooplas in EU and USA, patent infringements across the Android ecosystem and so on

Morden said,

Chrome's EULA, Buzz privacy setting, Streetview hooplas in EU and USA, patent infringements across the Android ecosystem and so on

So where are the lies and arrogance you talk about, exactly?

ichi said,

So where are the lies and arrogance you talk about, exactly?

Well, I find it quite distasteful to make a "free" mobile OS which is free because the *******s behind it just use licence-liable patents, then bitch about it... another thing is to popularize a product by entering customers by default, and a nice example of Google's arrogance is the way they handled the Street View case in Europe - like they were some kind of supranational entity - this cookie hoopla is another example of how they want to profit even from those who do not want to use their services

Yeah, and they can't even do a mobile OS without ripping off the competitors they bash in every possible way - I never thought I could find a company with a more disgusting PR style than Apple's, but Google did it

Morden said,

Well, I find it quite distasteful to make a "free" mobile OS which is free because the *******s behind it just use licence-liable patents, then bitch about it...

Those OEMs that found merit or convenience in licensing the patents are doing so.
Of course Google complains about their OS being hit with accusations of patent infringement... have you seen any patent trial where the defendant didn't complain about it?

I fail to see what's distasteful there. If anything it would be the OEMs who could complain since they don't have patent protection from Google, but they knew that from the moment they first got Android in their devices.

Morden said,

another thing is to popularize a product by entering customers by default

Which is common practice anyway, have you checked the small note about the services you get in when creating a LiveID?

Morden said,

and a nice example of Google's arrogance is the way they handled the Street View case in Europe - like they were some kind of supranational entity

I give you that one, if they don't feel like complying with European data retention laws they should be fined.

Morden said,
this cookie hoopla is another example of how they want to profit even from those who do not want to use their services

Which again is common practice. It's annoying, but that's a gripe with the ad industry in general, not a Google specific.


Google is an advertising company and as such it's annoying by definition, but out of the common annoyance we've unfortunately come to expect from those companies I haven't seen Google outright lying. I don't have any reason to trust the word of some random individual in some internet forums or of some rival company over theirs without further proof. Nor do I take the word of Google over anyone else's without evidence, for that matter.

ichi said,

So were are the lies and arrogancy you talk about, exactly?

Today you are going to defend Google no matter what. I am not complaining, but I also don't think you are doing justice. Google does have questionable policies and has done things in the past that are borderline gray. Period.

psreloaded said,

Today you are going to defend Google no matter what. I am not complaining, but I also don't think you are doing justice. Google does have questionable policies and has done things in the past that are borderline gray. Period.

I'm not talking about whether you should trust your data to Google, but about why would someone automatically take Google statements as lies.

Please correct me if I'm wrong, but to my knowledge Google has always been open about their policies, questionable or not.

ichi said,

I'm not talking about whether you should trust your data to Google, but about why would someone automatically take Google statements as lies.

Please correct me if I'm wrong, but to my knowledge Google has always been open about their policies, questionable or not.

Not very open though. Exploiting browser flaws like they did in Safari is definitely not in their policies and definitely not expected of such a big company.

ichi said,

I'm not talking about whether you should trust your data to Google, but about why would someone automatically take Google statements as lies.

Please correct me if I'm wrong, but to my knowledge Google has always been open about their policies, questionable or not.

untrue: the Chrome EULA change was discovered by users, the browser flaw exploit has been discovered by 3rd party, the Buzz settings calamity was discovered by users... so no, they're anything but open

greenwizard88 said,
Google: "Other people do it too, so it must be right"

Considering Microsoft does that and also suggests doing that to third parties through their support page to avoid IE issues, and also considering that IE is pretty much the only browser using P3P, I don't see how you wouldn't take those workarounds as the de facto intended usage for use cases where features are not supported.

It would suck if P3P was a widely adopted and relied-upon standard and we just found out that it didn't really work but, you know, that's not the case here at all.

ichi said,
Considering Microsoft does that and also suggests doing that to third parties through their support page to avoid IE issues, and also considering that IE is pretty much the only browser using P3P, I don't see how you wouldn't take those workarounds as the de facto intended usage for use cases where features are not supported.

It would suck if P3P was a widely adopted and relied-upon standard and we just found out that it didn't really work but, you know, that's not the case here at all.

I just looked at the results from a few Microsoft sites:
Bing.com
P3P:CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND"
Microsoft.com
P3P:CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
msdn.microsoft.com
P3P:CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI", CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
live.com
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
That is quite the opposite of "Microsoft does that."

See no evil, hear no evil.

Compared to:
Google
This is not a P3P policy! See http://www.google.com/support/....py?hl=en&answer=151657 for more info.

I'd say it's leaps and bounds closer to valid; you found one token that was invalid (although used in examples across the internet, suggesting that it actually means something to someone). The spec allows for unknown tokens being used with a fallback situation. The spec did not allow for English sentences taking their place to actively and permanently bypass checks.

https://www.google.com/search?q=CUSo+P3P

There is a significant difference (hell, Microsoft even shows CUSo in their example while complaining about Google's). You're comparing a token that is widely used, but has no meaning in a document that predated it to an intentional breaking of the header.

pickypg said,
Compared to:
I'd say it's leaps and bounds closer to valid; you found one token that was invalid (although used in examples across the internet, suggesting that it actually means something to someone). The spec allows for unknown tokens being used with a fallback situation. The spec did not allow for English sentences taking their place to actively and permanently bypass checks.

https://www.google.com/search?q=CUSo+P3P

There is a significant difference (hell, Microsoft even shows CUSo in their example while complaining about Google's). You're comparing a token that is widely used, but has no meaning in a document that predated it to an intentional breaking of the header.

It's indeed leaps and bounds closer to being valid, but still isn't. If you have to go adding invalid tokens to get your functionality through, what's the frigging point of P3P?

Anyway, going by the W3C standard if you pass Google's P3P policy it should be treated as if there was no policy at all, since it fails to meet the criteria of being a complete policy (section 6.4 of the specification):

P3P user agents MUST NOT rely on P3P compact policies that do not comply with the P3P 1.0 or P3P 1.1 specifications or are obviously erroneous. Such compact policies SHOULD be deemed invalid and the corresponding cookies should be treated as if they had no compact policies. The following guidelines are designed to reduce the chance that a P3P user agent will accept an invalid compact policy.

It's not a requirement but a clear recommendation (with capitals and everything) which Microsoft decided not to follow.

As such, even though Google's P3P policy gets IE to install the cookie it's not actually "bastardizing the standard" since the P3P policy SHOULD have been ignored.

Ironically, it could turn out that Google is more compliant with the actual W3C P3P specification than Microsoft, since they crafted an incomplete policy that should have been ignored (and hence the cookie treated as if there was no policy at all) in order to announce that they don't have a P3P policy.

Edited by ichi, Feb 22 2012, 1:40am :

"the ability to sign-in to websites using your Google account"

Wow, it was an intelligent act to build something like that AGAINST an actual policy... these are even more stupid than they look

"other outside researchers have pointed it out"

nice twist, so it's not only Microsoft who pointed out that Google is actually a data thief; please provide the complete list to maximize the size of poo you're in

Sounds like Google is trying to twist things once again. I would love for them to just fess up to ONE thing that they do... It can't ALWAYS be everyone else's fault. It just can't. LOL

M_Lyons10 said,
Sounds like Google is trying to twist things once again. I would love for them to just fess up to ONE thing that they do... It can't ALWAYS be everyone else's fault. It just can't. LOL

The Chrome website exploiting web rankings about a month and a half ago?

M_Lyons10 said,
Sounds like Google is trying to twist things once again. I would love for them to just fess up to ONE thing that they do... It can't ALWAYS be everyone else's fault. It just can't. LOL

I completely understand that you would rather prefer a "got us there, we are evil mwahahaha" instead of a "P3P is an obsolete POS that no one honors: not Microsoft (the only browser vendor with a P3P implementation), not Facebook and hence certainly not us either".

Such is life, you can't have everything

You are misinterpreting the suggestions of Microsoft to work around a bug, and the implementation as done by Google.

Microsoft suggests using a very specific set of tokens (from article "CP: CAO P SA OUR") to work around an issue where cookies embedded in frames have issues even when they should be first-party cookies. Also, it's acceptable to have invalid (non-existent) tokens that were not foreseen by the standard. Admittedly that makes it somewhat of a weak standard if it falls back due to a lack of understanding, but that's how it was written.

Google is completely bastardizing the standard by using human syntax to guarantee that even if Microsoft fixes the frame issue, then their code will still fall through to allow tracking.

Furthermore, if you look at the article itself, you will notice that Microsoft sites still follow the standard, but they do not necessarily have all tokens provided. That is far different from simply ignoring it and supplying a link where one would never be expected in order to track users.

Even from the article, MSN supplies the invalid token "BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" while Google supplies "This is not a P3P policy! See http://www.google.com/support/....py?hl=en&answer=151657 for more info." (the period is part of the message) in the same place; that is clearly not meant to be parsed as tokens--whether valid or invalid. Facebook even supplies "DSP LAW" (or it did at the time of the article; it appears that they have stripped P3P from their homepage).

Which one is going out of their way to break the standard versus supply heretofore unknown tokens (both tokens from Facebook appear in other P3P headers, suggesting that they at least have some meaning)? I won't suggest that Facebook isn't trying to track its users (as that's clearly the purpose of the Like button regardless of what they say), but there is a clear case against Google here going a step beyond.

pickypg said,
You are misinterpreting the suggestions of Microsoft to work around a bug, and the implementation as done by Google.

Microsoft suggests using a very specific set of tokens (from article "CP: CAO P SA OUR") to work around an issue where cookies embedded in frames have issues even when they should be first-party cookies. Also, it's acceptable to have invalid (non-existent) tokens that were not foreseen by the standard. Admittedly that makes it somewhat of a weak standard if it falls back due to a lack of understanding, but that's how it was written.

Google is completely bastardizing the standard by using human syntax to guarantee that even if Microsoft fixes the frame issue, then their code will still fall through to allow tracking.

Furthermore, if you look at the article itself, you will notice that Microsoft sites still follow the standard, but they do not necessarily have all tokens provided. That is far different from simply ignoring it and supplying a link where one would never be expected in order to track users.

If Microsoft sites followed the standard they would pass the W3C validator, yet they don't.
You could argue that it still makes Microsoft's approach more compliant even while not actually complying, but the result is the same. Google decided to replace the invalid token workaround with an invalid string explaining why they don't have a valid P3P.

Heck, if the whole point was bypassing IE they could have copy/pasted a valid P3P policy, got the cookie installed and called it a day. Now that would be something shady everyone would agree to criticize Google about.

pickypg said,

Even from the article, MSN supplies the invalid token "BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" while Google supplies "This is not a P3P policy! See http://www.google.com/support/....py?hl=en&answer=151657 for more info." (the period is part of the message) in the same place; that is clearly not meant to be parsed as tokens--whether valid or invalid. Facebook even supplies "DSP LAW" (or it did at the time of the article; it appears that they have stripped P3P from their homepage).

Which one is going out of their way to break the standard versus supply heretofore unknown tokens (both tokens from Facebook appear in other P3P headers, suggesting that they at least have some meaning)? I won't suggest that Facebook isn't trying to track its users (as that's clearly the purpose of the Like button regardless of what they say), but there is a clear case against Google here going a step beyond.

Facebook has this P3P CP:
P3P:CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p";

Edited by ichi, Feb 22 2012, 1:13am :

ichi said,

If Microsoft sites followed the standard they would pass the W3C validator, yet they don't.

They are following the standard, but they are using a compact policy that is not recognized by the spec. That is acceptable and it was even expected given that they cannot predict the future; the browser is simply expected to ignore the given policy.

P3P Specification

If an unrecognized token appears in a compact policy, the compact policy has the same semantics as if that token was not present.

Having extra "invalid" tokens, while not known to the spec, therefore does not invalidate the rest of the P3P tokens. Having no tokens with a string and a link does, because it completely bypasses P3P in order to get tracking cookies on the user's machine.

ichi said,

Facebook has this P3P CP:
P3P:CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p";

Ah, that's changed from the CMU article, and when I passed it to the W3C, it came back that it did not have one at all (I just tried the raw facebook.com through the service as I did not have access to Facebook to check the headers myself).

Of course, this does not justify Google, rather it puts Facebook on par with them trying to track their users.

pickypg said,
They are following the standard, but they are using a compact policy that is not recognized by the spec.

So do Facebook and Google, then (more on this below).

pickypg said,

That is acceptable and it was even expected given that they cannot predict the future; the browser is simply expected to ignore the given policy.

The browser would also be expected to ignore obviously erroneous or incomplete compact policies such as Facebook's and Google's.

pickypg said,

Having extra "invalid" tokens, while not known to the spec, therefore does not invalidate the rest of the P3P tokens. Having no tokens with a string and a link does, because it completely bypasses P3P in order to get tracking cookies on the user's machine.

It bypasses IE's P3P because of Microsoft's specific implementation, but it's compliant with the spec. They aren't lying to the P3P user agent with wrong or misleading tokens, nor do they actually provide a complete policy at all, which is a situation that's covered in the specification:

P3P user agents MUST NOT rely on P3P compact policies that do not comply with the P3P 1.0 or P3P 1.1 specifications or are obviously erroneous. Such compact policies SHOULD be deemed invalid and the corresponding cookies should be treated as if they had no compact policies. The following guidelines are designed to reduce the chance that a P3P user agent will accept an invalid compact policy.

If MS wants to block third-party cookies without a valid P3P policy they just have to follow the W3C recommendations, although that would also block their partners so I don't think they'll feel like going that way.

pickypg said,
Of course, this does not justify Google, rather it puts Facebook on par with them trying to track their users.

It makes you wonder, though, why MS is jumping on Google but shutting up about Facebook, being such a "terrible offense" and everything.

pickypg said,
Which one is going out of their way to break the standard versus supply heretofore unknown tokens (both tokens from Facebook appear in other P3P headers, suggesting that they at least have some meaning)? I won't suggest that Facebook isn't trying to track its users (as that's clearly the purpose of the Like button regardless of what they say), but there is a clear case against Google here going a step beyond.

By the way, the previous Facebook P3P policy was way more offensive than their current approach: they used a valid policy that hid the tracking purpose of the cookie.

This CP simply states that any privacy dispute will be resolved according to a law referenced in their privacy policy, and implies that the site collects no data associated with the cookie. When doing preliminary work for this study in 2009, the facebook.com compact policy contained only the single invalid token HONK. Both of these CPs are useless for communicating with user agents and users. It is likely that facebook.com is using their CP to avoid being blocked by IE.
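The following checker is an added example for this thread, not code from the article, Neowin, Microsoft, Google or Facebook. It applies the two spec rules quoted in the comments above (an unrecognized token counts as if it were absent; an obviously erroneous compact policy SHOULD be treated as no compact policy at all) to the headers posted in the thread, and shows why the spec-following and the lenient reading give different answers for Google's header but the same answer for Microsoft's. Assumptions: the definition of "obviously erroneous" is the checker's own; Google's help URL is replaced by a placeholder because the thread's copy is truncated; the lenient mode is a model of the IE behaviour the commenters describe, not IE's actual code; and the token-level satisfactory/unsatisfactory evaluation is left out.

```python
"""P3P compact-policy (CP) checker: added example for this thread, not code
from the article, Microsoft, Google or Facebook.  It models two W3C P3P
rules quoted in the comments: an unrecognized token has the same semantics
as if it were absent, and an obviously erroneous compact policy SHOULD be
deemed invalid, the cookie being treated as if it had no compact policy.
"Obviously erroneous" is this checker's own assumption: an item that does
not even have the shape of a token (three upper-case letters plus an
optional a/i/o suffix), or a CP with no items at all.
"""
import re
from dataclasses import dataclass, field

# P3P 1.0 compact vocabulary.  Purpose tokens (other than CUR) and recipient
# tokens (other than OUR) carry a required-attribute suffix: a = always,
# i = opt-in, o = opt-out.  Bare forms such as "PSA", common in the wild,
# therefore count as unrecognized (ignored), not erroneous.
_SUFFIXED = ["ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS",
             "TEL", "OTP", "DEL", "SAM", "UNR", "PUB", "OTR"]
_PLAIN = ["NOI", "ALL", "CAO", "IDC", "OTI", "NON",                # access
          "DSP", "COR", "MON", "LAW",                              # disputes
          "CUR", "OUR",                                            # purpose/recipient
          "NOR", "STP", "LEG", "BUS", "IND",                       # retention
          "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
          "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",  # categories
          "TST"]
KNOWN_TOKENS = frozenset(_PLAIN) | frozenset(t + s for t in _SUFFIXED for s in "aio")

_TOKEN_SHAPE = re.compile(r"^[A-Z]{3}[aio]?$")  # plausible token syntax
_CP_VALUE = re.compile(r'CP\s*=\s*"([^"]*)"')    # a header may carry several


@dataclass
class CompactPolicy:
    status: str                                  # "absent", "valid" or "erroneous"
    recognized: set = field(default_factory=set)
    unrecognized: set = field(default_factory=set)
    malformed: list = field(default_factory=list)


def parse_cp(p3p_header):
    """Classify the compact policy in a P3P header value (None = no header)."""
    values = _CP_VALUE.findall(p3p_header or "")
    if not values:
        return CompactPolicy("absent")
    items = " ".join(values).split()
    pol = CompactPolicy("valid" if items else "erroneous")
    for item in items:
        if item in KNOWN_TOKENS:
            pol.recognized.add(item)
        elif _TOKEN_SHAPE.match(item):
            pol.unrecognized.add(item)           # spec: same as if not present
        else:
            pol.malformed.append(item)           # not even token-shaped
            pol.status = "erroneous"
    return pol


def third_party_cookie_decision(p3p_header, follow_spec=True):
    """Allow or block a third-party cookie under a "block third-party cookies
    that lack a compact policy" setting, the IE behaviour the thread discusses.

    follow_spec=True : an erroneous CP is treated as absent (W3C section 6.4).
    follow_spec=False: any CP="..." counts as a policy and only recognized
                       tokens are looked at.  This is a model of the lenient
                       behaviour the commenters attribute to IE, not a statement
                       about IE's code.  Token-level satisfactory/unsatisfactory
                       evaluation is not modelled: a usable policy is accepted.
    """
    pol = parse_cp(p3p_header)
    if pol.status == "absent" or (pol.status == "erroneous" and follow_spec):
        return "block"
    return "allow"


SAMPLE_HEADERS = {
    # Copied from the header dump of Microsoft sites posted in the thread.
    "bing.com": 'CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND"',
    "microsoft.com": 'CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD '
                     'TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"',
    "live.com": 'CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"',
    # Facebook's CP as quoted in the thread.
    "facebook.com": 'CP="Facebook does not have a P3P policy. '
                    'Learn why here: http://fb.me/p3p"',
    # Constructed stand-in for Google's "This is not a P3P policy!" string;
    # the thread's copy of the help URL is truncated, so a placeholder is used.
    "google.com": 'CP="This is not a P3P policy! '
                  'See http://example.invalid/p3p for more info."',
    "no-header.example": None,
}

if __name__ == "__main__":
    for site, header in SAMPLE_HEADERS.items():
        pol = parse_cp(header)
        print(f"{site:20} {pol.status:9} unrecognized={sorted(pol.unrecognized)} "
              f"spec={third_party_cookie_decision(header)} "
              f"lenient={third_party_cookie_decision(header, follow_spec=False)}")
```

Run it directly to get one line per sample header. parse_cp() is what you would point at a live response header; the two decision modes make the disagreement in this thread concrete: live.com and bing.com are accepted either way (bing.com's CURa is merely unrecognized and dropped), while Google's and Facebook's strings are accepted only by the lenient reading, because under the spec text a policy made of non-tokens is the same as no policy.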

They're not exactly giving users the option to opt out either, forcing us to use add ons such as Facebook Disconnect to prevent the 3rd party site tracking.

chAos972 said,
They're not exactly giving users the option to opt out either, forcing us to use add ons such as Facebook Disconnect to prevent the 3rd party site tracking.

There is an opt-out feature... you not knowing about it doesn't mean they are not providing it...

still1 said,

There is an opt-out feature... you not knowing about it doesn't mean they are not providing it...

There's a way to disable G+ buttons completely without it ever making a request to Google's servers with the URL?

still1 said,

There is an opt-out feature... you not knowing about it doesn't mean they are not providing it...

Nobody gives a **** about opt-out because it's arcane information. These things should be opt-in.

Jebadiah said,

Nobody gives a **** about opt-out because it's arcane information. These things should be opt-in.

Well, it's opt-in for webmasters to add the "like", "+1" or "login with google/facebook" stuff to their webs.