Microsoft: Google bypasses IE9 privacy preferences

Last week, Microsoft blasted Google after a researcher discovered that Google created special codes that kept tabs on the activities of users of Apple's Safari browser via a tracking cookie. Google said that it has now disabled the code but tried to downplay the incident, saying that the news reports misinterpreted their intentions.

Now Microsoft is slamming Google again and this time it hits closer to home. In a new post on the Internet Explorer developer blog site, Microsoft claims that Google "... bypasses the P3P Privacy Protection feature in IE. The result is similar to the recent reports of Google's circumvention of privacy protections in Apple's Safari Web browser, even though the actual bypass mechanism Google uses is different."

Microsoft executive Dean Hachamovitch wrote in the blog post:

Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google's use of cookies and user information. Google's P3P policy is actually a statement that it is not a P3P policy.

The blog site does say that Internet Explorer 9's Tracking Protection list feature is not affected by Google's code and recommends that IE9 users sign up for a Tracking Protection list. So far Google has yet to respond to Microsoft's accusations.


Update: Google has posted a statement

Statement: Attributable to Rachel Whetstone, Senior Vice President of Communications and Policy, Google

Microsoft omitted important information from its blog post today.

Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known - including by Microsoft - that it is impractical to comply with Microsoft's request while providing modern web functionality. We have been open about our approach, as have many other websites.

Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.

Here is some more information.

Issue has been around since 2002

For many years, Microsoft's browser has requested every website to “self-declare” its cookies and privacy policies in machine readable form, using particular “P3P” three-letter policies.

Essentially, Microsoft's Internet Explorer browser requests of websites, “Tell us what sort of functionality your cookies provide, and we'll decide whether to allow them.” This didn't have a huge impact in 2002 when P3P was introduced (in fact the Wall Street Journal today states that our DoubleClick ad cookies comply with Microsoft's request), but newer cookie-based features are broken by the Microsoft implementation in IE. These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services. It is well known that it is impractical to comply with Microsoft's request while providing this web functionality.

Today the Microsoft policy is widely non-operational.

In 2010 it was reported:

Browsers like Chrome, Firefox and Safari have simpler security settings. Instead of checking a site's compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies…..

Thousands of sites don't use valid P3P policies….

A firm that helps companies implement privacy standards, TRUSTe, confirmed in 2010 that most of the websites it certifies were not using valid P3P policies as requested by Microsoft:

Despite having been around for over a decade, P3P adoption has not taken off. It's worth noting again that less than 12 percent of the more than 3,000 websites TRUSTe certifies have a P3P compact policy. The reality is that consumers don't, by and large, use the P3P framework to make decisions about personal information disclosure.

A 2010 research paper by Carnegie Mellon found that 11,176 of 33,139 websites were not issuing valid P3P policies as requested by Microsoft.

In the research paper, among the websites that were most frequently providing different code to that requested by Microsoft: Microsoft's own live.com and msn.com websites.

Microsoft support website

The 2010 research paper “discovered that Microsoft's support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE.” This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft.

Google provided a link that explained our practice.

Microsoft could change this today

As others are noting today, this has been well known for years.

Privacy researcher Lauren Weinstein states: "In any case, Microsoft's posting today, given what was already long known about IE and P3P deficiencies in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues."

Chris Soghoian, a privacy researcher, points out: “Instead of fixing P3P loophole in IE that FB & Amazon exploited ……MS did nothing. Now they complain after Google uses it.”

Even the Wall Street Journal says: “It involves a problem that has been known about for some time by Microsoft and privacy researchers….”

The P3P standard, or rather its implementation in IE, is broken. It's not enforced in any way; it just expects sites to follow good behavior. IE should at least prompt or notify the user if the site violates the privacy policy. IE does nothing of that sort. Plus, IE9 makes it harder to see blocked cookies. It *removed* IE8's blocked-cookie icon, which appeared on the status bar whenever a cookie was blocked. The cookie icon also doubled up as the button to see the web page's privacy policy. I would normally be dubious of Google's data collection policies, but in this case Microsoft is just crying foul by jumping on the "Google is evil because it tracked Safari users" bandwagon. Fix the P3P implementation first. Lastly, Facebook also does it, but MS is their partner and doesn't object to them doing it.

It's a pretty simple difference - With Microsoft, you are their customer, with Google? You are their product. Pick which you like being more.

Spencer R said,
It's a pretty simple difference - With Microsoft, you are their customer, with Google? You are their product. Pick which you like being more.

Here was I thinking that MS also ran an advertising network with "audience targeted ad solutions" (sic).

Silly me.

ichi said,

Here was I thinking that MS also ran an advertising network with "audience targeted ad solutions" (sic).

Silly me.


+1
Isn't Bing on Facebook reading posts to target audience ?

It's all great, but everyone bypasses privacy. It's called Flash cookies.

Doesn't make the action of Google right. But as long as things like Flash cookies and hidden device drivers that are not device drivers are accepted by users, then companies will use tactics like those to gather information and install cookies or apps that are hidden from users and hard to remove for M Joe Blow.

And still no one has mentioned Facebook.

Google is at fault here, no doubt about it. Even though work on the P3P specification was suspended years ago and it has become kinda obsolete and implemented in pretty much only IE, largely because of its overcomplexity and shortcomings (http://www.truste.com/blog/2010/09/13/lets-talk-p3p/), Google should have found a more compliant way to get the functionality.

Thing is, if you check the post linked above, about 1/3 of TRUSTe certified websites (out of the 12% of them that actually use P3P) have invalid CPs.

Even Facebook is working around CPs on IE, yet over here (and at the MS blog, unsurprisingly) mud is being slung at one single target.

Oh well...

I see what MS did here: they first mentioned Safari attacking Google so they can later mention the same with IE and attack Google as well instead of taking blame for bugs in IE privacy ... not nice MS, not nice, better fix your browser; if not Google, someone else will take it.

(And shame on you Google)

And you should read the very same article you posted.

It appears that large numbers of websites that use CPs are misrepresenting their privacy practices, thus misleading users and rendering privacy protection tools ineffective. Unless regulators use their authority to take action against companies that provide erroneous machine-readable policies, users will be unable to rely on these policies.

Thing is, MS or Apple cannot correct the issue (tracking lists can) since it isn't really a flaw in the way the browsers work. As I understand it, the P3P flaw is because of the incomplete specification so any website can pretty much override it if they want or ignore it completely.

So what Google is doing may not be 100% illegal (it's a gray area I think, but don't hold me to that), but it is morally wrong and that's what MS is pointing out.

And MS has done something to protect IE users with the tracking lists since Google (and other companies) cannot get around that.

Razorfold said,
And you should read the very same article you posted.
So what Google is doing may not be 100% illegal (it's a gray area I think, but don't hold me to that), but it is morally wrong and that's what MS is pointing out.

While it's certainly a gray area, if Google's whole intention was deceiving the P3P implementation they could just have set a syntactically valid CP that didn't actually represent the cookie intentions, instead of setting a syntactically incorrect string that points to an explanation of the issue.

The morality of Google's implementation is arguable, but technically it's at the same level as the IE6 quirks.

Facebook doesn't even have a P3P policy and does the same thing as Google. Yet MS has yet to publicly denounce Facebook.


From Facebook's Site. Here is part of their P3P Policy.
"The organization that established P3P, the World Wide Web Consortium, suspended its work on this standard several years ago because most modern web browsers do not fully support P3P. As a result, the P3P standard is now out of date and does not reflect technologies that are currently in use on the web, so most websites currently do not have P3P policies. "

vacs said,
So Microsoft is blaming Google that the IE9's privacy protection is not working... interesting

no...try reading the article again, past the first few lines, then comment

vacs said,
So Microsoft is blaming Google that the IE9's privacy protection is not working... interesting

Please read the article first...

McoreD said,
IE settings are for IE. Chrome settings are for Chrome. Are they not?
This has nothing to do with Chrome. Rather, it is the result of Google's web servers sending intentionally malformed HTTP headers in a way that guarantees that their tracking cookies should be accepted based on the specification because the privacy policy saying otherwise is ignored because of the malformed headers.

Just to be clearer, the Microsoft article makes a quick point of the problem. Microsoft shows an example of what the header should look like from their own site (Microsoft.com):

Microsoft said,
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
That is certainly not human readable, but browsers know how to parse each token and interpret them. On the other hand, Google sends this, which intentionally goes against the above approach to disable P3P:
Microsoft said,
P3P: CP="This is not a P3P policy! See http://www.google.com/support/....py?hl=en&answer=151657 for more info."
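The two headers above, together with Hachamovitch's explanation earlier in the article that browsers are told to ignore undefined policy tokens, are the whole mechanism. As an added example (not code from Neowin, Microsoft or Google), the following Python checker classifies a P3P response header the way a defensive browser or a proxy audit would: it extracts the `CP="..."` part, splits it into tokens, compares each against the compact-policy vocabulary of the P3P 1.0 specification, and treats a header whose tokens are all unrecognised as equivalent to having no compact policy at all, rather than as a policy that happens to say nothing. The host names and sample headers are constructed, not captured traffic; the "not a P3P policy" header is reproduced in shape only, with the truncated URL replaced by placeholder words.

```python
import re
from dataclasses import dataclass, field
from enum import Enum

# Compact-policy tokens from the P3P 1.0 specification, grouped by the policy
# element each group abbreviates.
P3P_TOKENS = {
    "access":    {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes":  {"DSP"},
    "remedies":  {"COR", "MON", "LAW"},
    "nonident":  {"NID"},
    "purpose":   {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                  "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category":  {"PHY", "ONL", "GOV", "FIN", "UNI", "PUR", "COM", "NAV",
                  "INT", "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "OTC"},
    "test":      {"TST"},
}
KNOWN = {tok for group in P3P_TOKENS.values() for tok in group}
# Purpose and recipient tokens may carry a one-letter "required" suffix:
# a = always, i = opt-in, o = opt-out (e.g. ADMo, SAMo).
SUFFIXED = P3P_TOKENS["purpose"] | P3P_TOKENS["recipient"]


class Verdict(Enum):
    NO_COMPACT_POLICY = "header absent or carries no CP=\"...\" part"
    UNRECOGNISED = "CP present but no token is a known P3P token"
    VALID = "CP contains at least one recognised P3P token"


@dataclass
class CPResult:
    verdict: Verdict
    recognised: list = field(default_factory=list)
    unknown: list = field(default_factory=list)


_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_p3p_header(value):
    """Classify the value of a P3P response header (None = header absent)."""
    if value is None:
        return CPResult(Verdict.NO_COMPACT_POLICY)
    m = _CP_RE.search(value)
    if not m:
        # e.g. only policyref="..." is present: no compact policy to evaluate.
        return CPResult(Verdict.NO_COMPACT_POLICY)
    recognised, unknown = [], []
    for raw in m.group(1).split():
        tok = raw.upper()  # assumption: token matching is case-insensitive
        base = tok
        if len(tok) == 4 and tok[:-1] in SUFFIXED and tok[-1] in "AIO":
            base = tok[:-1]  # strip the a/i/o suffix before lookup
        (recognised if base in KNOWN else unknown).append(raw)
    if not recognised:
        return CPResult(Verdict.UNRECOGNISED, recognised, unknown)
    return CPResult(Verdict.VALID, recognised, unknown)


def allow_third_party_cookie(p3p_header):
    """Defensive decision for a cookie set in a third-party context: only a
    header with at least one recognised token counts as a policy. Unknown
    tokens inside an otherwise valid policy are ignored, as the spec asks;
    a policy made only of unknown tokens is treated as missing."""
    return parse_p3p_header(p3p_header).verdict is Verdict.VALID


# Constructed sample responses (host, P3P header value), not captured traffic.
SAMPLE_RESPONSES = [
    ("cdn.example", 'CP="NOI DSP COR CURa ADMa DEVa OUR IND COM NAV"'),
    ("ads.example", 'CP="This is not a P3P policy! See the vendor help page for more info."'),
    ("static.example", 'policyref="/w3c/p3p.xml"'),
    ("plain.example", None),
]


def audit(responses):
    """Summarise a batch of responses as (host, verdict name) pairs."""
    return [(host, parse_p3p_header(hdr).verdict.name) for host, hdr in responses]


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_RESPONSES):
        print(f"{host:16} {verdict}")
```

The distinction the checker draws is the one the thread argues about: the specification says to ignore undefined tokens, which is harmless when a few unknown tokens sit beside recognised ones, but a browser that applies the same rule to a header containing nothing recognisable ends up applying a policy that makes no statement. Treating that case as "no compact policy" gives it the same handling as a site that sent no header at all, and the `audit` function is the shape of check one would run over proxy logs to find which third-party hosts fall into that bucket.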

Meh! I'm over it. It's not like Microsoft doesn't do any tracking of their own. What website/browser doesn't.

Personally, I'm getting sick of Microsoft bashing other companies, regardless of who they are or what products/services they offer, at every chance they get in an attempt to further themselves in the industry - making themselves look like the good guys that have never put a foot wrong. Microsoft would have to be one of the biggest, if not the biggest, data harvesters in the world.

Nucleotide said,
Meh! I'm over it. It's not like Microsoft doesn't do any tracking of their own. What website/browser doesn't.

Personally, I'm getting sick of Microsoft bashing other companies, regardless of who they are or what products/services they offer, at every chance they get in an attempt to further themselves in the industry - making themselves look like the good guys that have never put a foot wrong. Microsoft would have to be one of the biggest, if not the biggest, data harvesters in the world.

I suppose you have proof to back that up, do you?

Nucleotide said,
Meh! I'm over it. It's not like Microsoft doesn't do any tracking of their own. What website/browser doesn't.

Personally, I'm getting sick of Microsoft bashing other companies, regardless of who they are or what products/services they offer, at every chance they get in an attempt to further themselves in the industry - making themselves look like the good guys that have never put a foot wrong. Microsoft would have to be one of the biggest, if not the biggest, data harvesters in the world.

Google makes most of its money from advertising and user info. Microsoft makes its by licensing software and programs. I'm not saying Microsoft doesn't harvest data (pretty sure they do), but I do believe they are less of a data monger. Also, considering that Microsoft was heavily under scrutiny the past decade by government agencies, I bet they were extra careful with their every move.

Nucleotide said,
Meh! I'm over it. It's not like Microsoft doesn't do any tracking of their own. What website/browser doesn't.

Personally, I'm getting sick of Microsoft bashing other companies, regardless of who they are or what products/services they offer, at every chance they get in an attempt to further themselves in the industry - making themselves look like the good guys that have never put a foot wrong. Microsoft would have to be one of the biggest, if not the biggest, data harvesters in the world.

Funnily enough, the first poster said


So it was Apple's fault Google did this to Safari; guessing people will blame MS now instead of blaming Google.

Nucleotide said,
Personally, I'm getting sick of Microsoft bashing other companies, regardless of who they are or what products/services they offer, at every chance they get in an attempt to further themselves in the industry - making themselves look like the good guys that have never put a foot wrong. Microsoft would have to be one of the biggest, if not the biggest, data harvesters in the world.
This is exactly the kind of behavior that got Microsoft in trouble: the abuse of its position in the market (e.g., these cookies likely come from Google Analytics and their ads, which are extremely prevalent). More importantly, it's exactly the kind of behavior that should have gotten Microsoft in trouble.

There's tracking, which I allow Google to do of me when I am logging in and using their services, and then there's underhanded approaches to following me around the web to creepily keep an eye on me when I have no reason to believe that they are.

In recent years, Microsoft seems to have turned a new leaf, which is what has actually brought me back to Microsoft from both Apple and Google. People and companies can change, and, right now, Microsoft is currently on the side of good.

I like google but surely they should've turned off all their tracking cookies when they disabled the one for Safari...? Why are they not thinking straight?

MS are really going for Google with privacy concerns. All well and good, but there are many more companies out there that do similar things. Not hard to imagine them not calling out Facebook, since they are partners for example, and the smaller companies, as they aren't big competitors. Still, good to see Google get burnt for being shady, just like the rest.

oceanmotion said,
MS are really going for Google with privacy concerns. All well and good, but there are many more companies out there that do similar things. Not hard to imagine them not calling out Facebook, since they are partners for example, and the smaller companies, as they aren't big competitors. Still, good to see Google get burnt for being shady, just like the rest.

1) Microsoft isn't doing the crap Google does
2) Facebook isn't either. Facebook only targets ads to users, and have clamped down their security to keep user information from Facebook Apps.
3) As for other companies, check the headlines: Microsoft has shut down and been vocal about groups and companies that violate privacy and are behind malware and spam. They have even shut down a group that was behind Android malware.

Kill the messenger much?

thenetavenger said,

1) Microsoft isn't doing the crap Google does

True, they do their own.

thenetavenger said,

2) Facebook isn't either. Facebook only targets ads to users, and have clamped down their security to keep user information from Facebook Apps.

Facebook's ad network is limited to their own site. That is, they show their ads in there, but their "like" button works exactly the same as the "+1" button from Google, which is what the whole article is about.

thenetavenger said,

3) As for other companies, check the headlines, Microsoft has shutdown and been vocal about groups and companies that violate privacy and are behind malware and Spam. They have even shut down a group that was behind Android malware.

Which is all good, but MS is also running their own ad network with the whole tracking, profiling and targeted ads infrastructure.

We are talking about two companies competing in the same ad business, not about a privacy-concerned group fighting the tracking ad industry on behalf of users.

tracking protection list update done
i really hope that now this ****** of a company has gone too far and the legal and public relations consequences will be too much for them

actually, i wouldn't miss one bit of Google

Morden said,
tracking protection list update done
i really hope that now this ****** of a company has gone too far and the legal and public relations consequences will be too much for them

actually, i wouldn't miss one bit of Google

Please post a tutorial

Anthonyd said,
Please post a tutorial

Open this page in IE, then click the link above where it says "...recommends that IE9 users sign up for a Tracking Protection list."

A box will appear asking if you want to block the offending code!

Morden said,
tracking protection list update done
i really hope that now this ****** of a company has gone too far and the legal and public relations consequences will be too much for them

actually, i wouldn't miss one bit of Google

TPLs work to block *known* creeps. What if one day the domain google.com does this for each search query you want to make? Would you take it out of the TPL list because you want to do a search?

Jebadiah said,

TPLs work to block *known* creeps. What if one day the domain google.com does this for each search query you want to make? Would you take it out of the TPL list because you want to do a search?

i don't use Google search

I hate google. they are data whores. it's business, business, business. I have nothing against making money but until you try to gain an inch in the shady corners, you're out in my book!

Mouettus said,
I hate google. they are data whores. it's business, business, business. I have nothing against making money but until you try to gain an inch in the shady corners, you're out in my book!

Oh how quickly people forget... http://en.wikipedia.org/wiki/United_States_v._Microsoft

I'm not excusing Google for this if it's true (just like I don't for the Safari bug exploit), but let's not be so naive as to think that their competitors aren't doing the exact same thing. Historically tech companies have done anything they can to get ahead, be it vendor lock-in, shady OEM deals, patent whoring, and so on.

This is why people need to quit falling head over heels for companies. I'm glad you enjoy the product you purchased, but that's no excuse for not keeping them in check.

You give any company extra leeway, and they will take advantage of you in a heartbeat.

Majesticmerc said,

Oh how quickly people forget... http://en.wikipedia.org/wiki/United_States_v._Microsoft

I'm not excusing Google for this if it's true (just like I don't for the Safari bug exploit), but let's not be so naive as to think that their competitors aren't doing the exact same thing. Historically tech companies have done anything they can to get ahead, be it vendor lock-in, shady OEM deals, patent whoring, and so on.

Yes there are companies doing the same crap Google is doing; however, citing the US vs Microsoft is quite misleading, as Microsoft is not one of these companies.

Microsoft is one of the few companies fighting against 'tracking' and 'spam' and 'malware' at a very high level. That is why we have the headlines, "Microsoft stop Malware group in xxxx" "Microsoft stops SPAM group in xxxx"

thenetavenger said,

Yes there are companies doing the same crap Google is doing; however, citing the US vs Microsoft is quite misleading, as Microsoft is not one of these companies.

Microsoft is one of the few companies fighting against 'tracking' and 'spam' and 'malware' at a very high level. That is why we have the headlines, "Microsoft stop Malware group in xxxx" "Microsoft stops SPAM group in xxxx"

They are fighting against tracking and spam, as long as it's not theirs. If you think otherwise, you're naive.

thenetavenger said,

Yes there are companies doing the same crap Google is doing; however, citing the US vs Microsoft is quite misleading, as Microsoft is not one of these companies.

Microsoft is one of the few companies fighting against 'tracking' and 'spam' and 'malware' at a very high level. That is why we have the headlines, "Microsoft stop Malware group in xxxx" "Microsoft stops SPAM group in xxxx"

My point is that all the major tech companies, in their respective domains, have been caught with their hand in the cookie jar at some point. Be it Microsoft and its shady bundling deals a la the link, Google and its cookie hacking, or Apple and its (ab)use of the patent system.

Aligning oneself to a single company from a moral standpoint is a pointless exercise because when it comes down to it, they're all as bad as each other. They're all out to make the biggest buck they can, and if that means bending the rules to get ahead, then we better believe that they'll do it.

Hell-In-A-Handbasket said,
So it was Apple's fault Google did this to Safari; guessing people will blame MS now instead of blaming Google.

nobody ever blames Google. remember, they can do no wrong

/s

Hell-In-A-Handbasket said,
So it was Apple's fault Google did this to Safari; guessing people will blame MS now instead of blaming Google.
Huh? I blame Google.

Hell-In-A-Handbasket said,
So it was Apple's fault Google did this to Safari; guessing people will blame MS now instead of blaming Google.

It depends - I don't know much about what happened with Safari, but from what I heard it was a bug, one that has been fixed in WebKit but has not been yet integrated into Safari. The problem in IE, from the way I read it, is a potential flaw in the P3P spec. Now if Microsoft were to fix it, then we would have people complaining that they are not following the standards.

This could be the case that Safari and IE have the same P3P "problem" with the spec. Again, I am not sure of the issue with Safari. But if they are different, then what we have is a willful attempt on Google's part to circumvent privacy. Google claimed oops, it was an accident with Safari, a developer unknowingly included that code. But if Google is doing it with IE in addition to Safari, then they are writing code targeting specific browsers. That is not a bug or an "oops," that is maliciously trying to get data from users in a way that is not in line with what the user wants.

Google has shown over the years that they will go to any means necessary to get user data in a way that if it were anybody else, it would be considered hacking. They said Wi-Fi info collection was an accident caused by an unknowing developer. The code for Safari was an accident caused by an unknowing developer. What will their excuse with IE be? A developer does not know what they are doing? Either they have an intent to gather personal information by any means possible, or they have some really bad developers.

Hell-In-A-Handbasket said,
So it was Apple's fault Google did this to Safari; guessing people will blame MS now instead of blaming Google.

If I make a web browser and advertise that it will "prevent web servers from logging your page accesses", it's my responsibility to ensure that feature actually works.

Chugworth said,

If I make a web browser and advertise that it will "prevent web servers from logging your page accesses", it's my responsibility to ensure that feature actually works.

True, but if somebody finds an exploit and doesn't tell you and exploits it for personal gain, whose fault? Not a single program can be or is problem free.

Spyware/Viri do the same thing, exploit holes in programs for personal gain, nobody is " aww poor viri spyware coders "

Hell-In-A-Handbasket said,

True, but if somebody finds an exploit and doesn't tell you and exploits it for personal gain, whose fault? Not a single program can be or is problem free.

Spyware/Viri do the same thing, exploit holes in programs for personal gain, nobody is " aww poor viri spyware coders "


Well I don't place cookies on the same level as malware.

Chugworth said,

If I make a web browser and advertise that it will "prevent web servers from logging your page accesses", it's my responsibility to ensure that feature actually works.

And it does work. This is not a flaw, but a standard javascript feature which Google is exploiting. A browser that follows standards would not block this from happening because obviously the advertisement is acting like it is 1st party.

What you are asking for is to block a standard feature, which is probably going to happen now because idiots like Google are exploiting it.

Hell-In-A-Handbasket said,

True, but if somebody finds an exploit and doesn't tell you and exploits it for personal gain, whose fault?

True, but if someone finds an exploit, releases a fix, and 7 months later when your browser still hasn't implemented the fix from upstream WebKit they are found using a workaround to get their product features working on yours, whose fault?

ichi said,

truth on that, but i wasn't removing blame from Apple. it IS their fault they are using, i think, multiple revisions behind recent WebKit. more talking about the people that aren't giving Google any blame at all

Hell-In-A-Handbasket said,

True, but if somebody finds an exploit and doesn't tell you and exploits it for personal gain, whose fault? Not a single program can be or is problem free.

Spyware/Viri do the same thing, exploit holes in programs for personal gain, nobody is " aww poor viri spyware coders "

It's still undetermined whether this was exploited for personal gain. Wait for an official response from Google. And besides, exploitation is important, it reveals weaknesses and flaws. The longer a weakness goes unknown, the more humiliated the creators will be. It's possible, yet unlikely that Google is doing this, in some small part or full, to humiliate Microsoft. Both parties are to blame here, Google is to blame for either purposely or inadvertently bypassing IE's privacy protection, and Microsoft is to blame for either purposely or inadvertently leaving a weakness in their privacy protection.

The simple response to this is, everyone stop crying foul and wait for these big entities to resolve their issues. Microsoft is a competitor to Google and will try anything to dethrone Google, even if it means taking cheap shots. Google may not be the evil you all claim it to be, the same as Microsoft. They're both companies struggling for dominance and occasionally will break rules on purpose or by accident. Shaming them for two unconfirmed misdeeds in a short period of time is not very open minded. I'm speaking to everyone, not just you.

Besides, Privacy is an illusion. When you have it, you feel good. When you don't have it, you don't feel good. If you don't know whether you have it or not, you feel neutral. The truth is, nobody has privacy, and any allusions declaring otherwise are false. Get over it.

But then again, Neowin is full of Microsoft fanboys. I may be wasting my time here.

Edited by Captain Peasant, Feb 21 2012, 12:17pm :

Tim Dawg said,
Huh? I blame Google.

I blame Google + Apple. Both kill 'em with FIRE. ;S

That's why there's no chance I'll leave Fx with ABP + NoScript. There simply isn't anything as effective as this combination yet. Fortunately, due to Chrome's progress, Fx has become extremely good too. They woke up.