Microsoft has claimed that Google has been serving third-party cookies capable of tracking users' online behaviour even when those users have adjusted settings in the Internet Explorer browser to prevent it happening. Dean Hachamovitch, corporate vice president of Internet Explorer (IE) at the software giant, said Google had " …
"It's important to stress that these advertising cookies do not collect personal information."
This sounds rather like choice wording. Let me fix that:
"The cookies don't collect personal information per se, they just uniquely identify you to us and allow us to cross reference your browsing habits and store these in a huge database we keep of your visited webpages."
It goes beyond that...
"Google has argued that Microsoft's reliance on outdated technology had forced thousands of websites to circumvent the 'Platform for Privacy Preferences' (P3P) system it uses in IE in order to deliver "functionality" to web users."
What exactly does 'functionality' mean in that sentence?
By using ambiguous terms, Google can admit to violating the law(s) of several countries and still claim innocence.
The irony is that Google has taken yet another play from Bill Gates' play book. It's profitable to lie until caught and only then pay the fine...
= Not Fit For Purpose
Don't expect anything to come of this and you won't be disappointed.
Never thought the day would come
But, I trust Microsoft a lot more than I trust Google!
Not quite sure
Why it's Google's fault that IE and Safari have shit security policies and are using known flawed security systems to "protect" their users...
Perhaps ICO should look into Microsoft and Apple whilst they are at it. (or are they in Microsoft's pocket?)
Re: Not quite sure
That's a grossly uninformed, quite frankly silly, comment.
I suggest you start understanding the problem a bit more. This is a good read to get going:
Re: Re: Not quite sure
"I suggest you start understanding the problem a bit more. This is a good read to get going:"
Well, while you're there you could also look at
..which also references the CMU P3P CP study. The end of the article sums up the Google/Microsoft part of this saga quite nicely IMO.
"In the 2010 report Whetstone speaks of, Cranor and fellow researchers found that of 33,139 CPs collected and evaluated, 11,176 had errors, including 174 TRUST e-certified sites and 21 of the top 100 most visited websites. They found and reported at that time that they had found thousands of websites using identical, invalid CPs that had been recommended for getting around IE’s cookie blocking."
[many of which were the CP token string recommended by Microsoft as it happens]
"While Microsoft’s lengthy post is certainly technical and will blow the mind of the average user, it completely disregards the fact that Google is one of tens of thousands of websites using this workaround. The whole situation around P3P points to massive and well-known problems with CPs, almost a dead requirement that is regularly gamed, making Microsoft’s marching it out in the war against Google more than a little disingenuous."
Re: Not quite sure
Under EU law the settings have to be respected. Google did not comply with the law.
It's pretty simple to comply with the law, software shouldn't need to use brute force to enforce the law. They used tricks they thought would never get discovered to maintain their revenue stream of providing data to advertisers.
Re: Re: Not quite sure
"Under EU law the settings have to be respected. Google did not comply with the law."
I'd expect that Google could argue they did, and that the user agent (e.g. Internet Explorer) is the application or service that should abide by its own policies.
"It's pretty simple to comply with the law, software shouldn't need to use brute force to enforce the law."
Yes indeed - but unless the user agent communicates _its_ privacy policies with the website during the session, then the website cannot know what to do (I do not know enough about the details of cookie hand-shaking to comment further, perhaps someone who does could elucidate). P3P is for service providers, e.g. websites, to communicate what their privacy / data collection intentions and policies are to the user agent, e.g. web browser - it is up to the user agent to allow or deny data, such as cookies, to be set based on that information and its own policies. As has been pointed out before, the P3P specification says you should ignore invalid policies, NOT that you should suddenly forget your own. In this case a particular user agent (IE) drops its own privacy policies with regard to 3rd party cookies when presented with an invalid policy - and one of the reasons (perhaps the only reason) this persisted is because of a frame-set handling bug in the user agent.
"They used tricks they thought would never get discovered to maintain their revenue stream of providing data to advertisers."
No they didn't - they used work-arounds that are widely known, and have been for years, and used by such people as Microsoft themselves. That they are doing this for their own benefit is neither here nor there with regards to legality - although obviously raises ethical questions. I wave no flag for Google, but your analysis doesn't hold water.
Re: Not quite sure
As an example. Say you have locks on your house with a known weakness. A burglar comes along, exploits that weakness to break in and steals something.
Who is at fault? The lock manufacturer? You? The burglar? If we follow the logic of what you say above, we'd be blaming the lock manufacturer and not the burglar.
Re: Re: Not quite sure
"As an example. Say you have locks on your house with a known weakness. A burglar comes along, exploits that weakness to break in and steals something."
In this case the lock works as long as you use the right key, and refuses to open if you use the wrong key. So far so good, but if you try and unlock it with, say, a banana then it unlocks, opens the front door and most of the other locked doors in the house.
"Who is at fault? The lock manufacturer? You? The burglar? If we follow the logic of what you say above, we'd be blaming the lock manufacturer and not the burglar."
I'd say "both of them" in both cases, as our erstwhile lock manufacturer has not only sold a fatally flawed product that is demonstrably not fit for purpose but they've actually told people how to open it with anything.
The P3P specification says that browsers should ignore unknown tokens
Nothing wrong with this. If you ignore the token you should then fall back to the browser settings.
What Microsoft seems to have done is read ignore as 'ignore all cookie settings' not 'ignore this token'. Silly Microsoft.
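The fall-back argument in the comment above, as an added example that is not part of the original thread: a compact-policy check that drops unknown tokens and then either accepts the cookie (the behaviour commenters attribute to IE) or applies the user's own setting. The function name, the `UNSATISFACTORY` preference set and the sample headers are constructed for illustration.

```python
import re

# P3P 1.0 compact-policy vocabulary. Purpose and recipient tokens other than
# CUR and OUR may carry an a/i/o consent suffix.
SUFFIXED = "ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP DEL SAM UNR PUB OTR".split()
PLAIN = ("CUR OUR NOI ALL CAO IDC OTI NON DSP COR MON LAW NID NOR STP LEG BUS "
         "IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV "
         "OTC TST").split()
VALID = set(PLAIN) | {t + s for t in SUFFIXED for s in ("", "a", "i", "o")}

# Constructed user preference, not any browser's real rule set: refuse
# policies that share data with unrelated, public or other recipients.
UNSATISFACTORY = {"UNR", "PUB", "OTR"}

CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')


def decide(p3p_header, user_blocks_third_party=True, fall_back=True):
    """Return "accept" or "block" for a third-party cookie.

    fall_back=False models the behaviour the thread attributes to IE.
    fall_back=True applies the user's own setting when no valid token is left.
    """
    user_default = "block" if user_blocks_third_party else "accept"
    match = CP_RE.search(p3p_header or "")
    if not match:
        return user_default                  # no compact policy was sent
    valid = [t for t in match.group(1).split() if t in VALID]  # drop unknowns
    if any(t[:3] in UNSATISFACTORY for t in valid):
        return "block"
    if not valid and fall_back:
        return user_default                  # policy was entirely invalid
    return "accept"


# Constructed sample headers.
BOGUS = 'CP="This is not a real policy"'
CLEAN = 'CP="NOI DSP COR NID CUR OUR NOR"'
SHARING = 'CP="CAO PSA OUR UNRi"'

if __name__ == "__main__":
    for name, hdr in [("bogus", BOGUS), ("clean", CLEAN), ("sharing", SHARING)]:
        print(name, decide(hdr, fall_back=False), decide(hdr, fall_back=True))
```

The only header on which the two modes disagree is the all-invalid one, which is the case the thread is arguing about.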
Re: The P3P specification says that browsers should ignore unknown tokens
"Nothing wrong with this. If you ignore the token you should then fall back to the browser settings."
I agree absolutely - I'm not holding up Google as a paragon of virtue, but this is the main problem IMO, and the fact that it doesn't default to the browser settings was used, amongst other things, to avoid an issue with cookie and frames in IE (i.e. it might be viewed as a deliberately implemented security flaw to patch up an old browser bug). The work around is widely used, according to a 2010 study of P3P CP tokens
- a common form of which was suggested by Microsoft themselves, originally under KB article Q323752. An excerpt from the paper also gives an overview
"We discovered that Microsoft's support website recommends the use of invalid CPs as a work-around for a problem in IE. Specifically, a FRAMESET or parent window that references another site inside a FRAME considers the referenced site as a third-party, even if it is first-party content located on the same server"
Lots of companies still use it, including the privacy-loving Facebook, and there is a highly readable article on this (rather old) news here
I recommend reading that article as well as the CMU study - it might put some of the nonsense being peddled on the internet in perspective. Were Google using the loop-hole so they could set their user info cookies, which could be used by others for other purposes - well yes, they say as much. Were they not as wide-eyed innocent as they make out, almost certainly. Was Microsoft really un-aware of this, doubtful, but if so that strikes me as, at best, borderline incompetent - everybody else seems to know and that mechanism was also used by the microsoft.com and windows.com domains. Were Microsoft using the Safari press as a convenient spring board to announce this "news" - almost certainly.
Re: Re: The P3P specification says that browsers should ignore unknown tokens
"Google claims to have made "Don't Be Evil" a central pillar of their identity, and part of their self-proclaimed core values"
This seems completely incompatible with this behaviour, where they just copy the shit everyone else is doing.
If Google had any actual integrity they would have either respected Microsoft's implementation or simply not set third party cookies on IE even if it broke their crappy social toys.
Microsoft accuse Google of privacy breaches.
Next week :- Paris Hilton accuses Kim Kardashian of being shallow.
Re: Microsoft accuse Google of privacy breaches.
There you go - Paris Hilton and both the Kardashians read El Reg!
If Microsoft is relying on outdated technology that makes it impractical for other companies to follow EU rules then maybe the EU should just ban Internet Explorer, making its use illegal, until such time they can make a browser that responsibly allows other companies to follow the rules!
At the end of the day if IE just allows the sites to bypass user preferences just because it does not recognise the command, then that is Microsoft's fault, not Google's. Microsoft make the damn shoddy browser so they should fix it and only a ban will get them to do this.
Google should have brought this to Microsoft's attention but the fault lies with Microsoft. If it is true that Microsoft know their technology is preventing other companies from following EU rules then Microsoft should also be prosecuted.
Maybe I read this wrong, but my reading is Microsoft isn't preventing other companies obeying EU rules.
Other companies are choosing to ignore the technical step put in to ensure those rules were enforced.
Law breaking doesn't become right because the lawbreaker finds it both convenient and doesn't see a cop on the beat. Google are doing the wrong thing by ignoring a user's request not to collect this information; that the browser doesn't enforce it, whilst regrettable, isn't the key problem.
It is the action, not the lack of enforcement, that is the primary wrong action here.
When that Google spokeswoman said
"it is impractical to comply with Microsoft’s request while providing modern web functionality"
What she meant was unprofitable.
I don't understand that statement - you either implement a P3P (it's only an XML file, there are plenty of generators that can create one for you) to make IE happy ... or you don't. Worst case scenario you need to tell users that they need to accept cookies - that's it. How does that break "modern web functionality"?
To be honest, apart from tracking for advertisers/analytics, I can see no real benefit from using anything other than session cookies, virtually all "modern web functionality" relies on the user logging in - and if they're logging in you've got all their relevant history in the database anyway.
In that case...
"EU privacy rules that came into force last May state that storing and accessing information on users' computers is only lawful...."
In that case, 99.9% of websites are probably in breach of this law. Cookies are served out by most web sites (certainly the more popular ones) like they're going out of fashion.
Re: In that case...
Yes, but do any of those get more traffic/hits than Google?
No? Well then it sounds like the perfect place to start.
There's a get-out clause; it's perfectly fine to place cookies, without consent, if those cookies are essential to the functioning of the site. So session or user authentication cookies are absolutely fine - Google Analytics cookies, not so much.
What this law actually breaks is web analytics, affiliate schemes and advertising referral programs... in short, it will really only hurt small businesses/bloggers who might rely on that income and advertising companies like Google.
Re: In that case...
It might be prudent to also remember, cookies are absolutely essential for delivering any website with a login / account / basket or anything where you actually need to be remembered from one page to the next. Such as posting a message on El Reg. P3P is a dead specification gathering dust because it just does not work, Microsoft know this but they needed to fling some shit at Google as part of their typical bashing efforts as of late. Google is no saint and your details are not safe with them but the absolute worst case scenario to come out of this would be to revitalise P3P... Simply it does not work, practically or logically. The best solution for now is disable cookies by default, add exceptions for sites you trust and monitor your cookie situation.
Is he the same Anon. Coward who jumps down my throat every time I suggest Google might be just a smidgen evil, using the logic that other large companies are equally shit to cover for Google and their gross, repeated illegal happenings.
Not to mention
The corrupt regulators, like ICO, who accept any old waffle as an assurance that being evil was never Google's intention.
When it clearly is.
google.com ain't the problem
A lot of ppl seem to be of the opinion that they don't mind Google tracking their search habits. That's fine, but it totally misunderstands the problem. Google can and will track your browsing habits even if you never visit google.com (or whichever TLD you prefer).
Millions of sites run Google Analytics which enables Google to track your browsing without ever visiting a Google site. Therein lies the problem - most ppl don't have a clue that this is happening. It's like wearing an RFID tag when you go into town, and each time you go into a shop, pub, restaurant, etc Google record which ones you went in, what you looked at, how long you spent there etc. Kinda scary....
Re: google.com ain't the problem
I have been told that using No Script in Mozilla and blocking 'google analytics' enables you to avoid this tracking - would be interested to know if anyone else knows better