Microsoft Says Google Bypassing Users’ IE Privacy Settings

The relations among Microsoft, Apple and Google, which are testy in the best of circumstances, are being pressured even more of late as the controversy surrounding Google’s actions with cookies and user tracking grows. In the latest installment, Microsoft has said that it has found that Google “is employing similar methods to get around the default privacy protections in IE and track IE users with cookies.”


The controversy stems from the way that browsers handle third-party cookies and whether they allow third-party sites to track users through the use of those cookies. Many browsers, including Apple Safari and Microsoft Internet Explorer, block third-party cookies by default, but Microsoft officials say that Google is using a small loophole in the P3P privacy specification to allow sites to set third-party cookies without users’ knowledge.

“By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent,” Dean Hachamovitch, corporate vice president for Internet Explorer at Microsoft, said in a blog post.

Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy. P3P-compliant browsers interpret Google’s policy as indicating that the cookie will not be used for any tracking purpose or any purpose at all. By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked.

Microsoft’s issues with Google follow findings by researchers at Stanford University that Google was bypassing the default privacy settings in Safari. That was being done through the addition of some code to ads that mimicked a user interacting with those ads, which would override the default cookie-blocking policy.

Microsoft officials said they’re looking at what they should do in response to what they’ve found.

“Given this real-world behavior, we are investigating what additional changes to make to our products. The P3P specification says that browsers should ignore unknown tokens. Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action,” Hachamovitch wrote.
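
The difference between ignoring unknown tokens and blocking on them can be shown with a small compact-policy checker. This is an added example, not code from Microsoft, Google or the original article: it is a simplified model rather than IE's actual filter, the token list follows the P3P 1.0 compact-policy vocabulary, and the `UNACCEPTABLE` set and the sample header values are assumptions constructed for illustration.

```python
import re

# P3P 1.0 compact-policy tokens. Those in SUFFIXED may carry an a/i/o suffix.
KNOWN = set("""NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR ADM DEV TAI PSA
PSD IVA IVD CON HIS TEL OTP OUR DEL SAM UNR PUB OTR NOR STP LEG BUS IND PHY ONL
UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC TST""".split())
SUFFIXED = set("ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP DEL SAM UNR PUB OTR".split())
# Assumption for this example only, not IE's real rule set: declared tokens
# that the filter refuses for third-party cookies.
UNACCEPTABLE = {"TEL", "UNR", "PUB"}

def parse_cp(header):
    """Return (recognized, unrecognized) CP tokens, or None if no CP is present."""
    m = re.search(r'\bCP\s*=\s*"([^"]*)"', header or "", re.IGNORECASE)
    if m is None:
        return None
    known, unknown = [], []
    for tok in m.group(1).split():
        plain = tok in KNOWN
        suffixed = len(tok) == 4 and tok[:3] in SUFFIXED and tok[3] in "aio"
        (known if plain or suffixed else unknown).append(tok)
    return known, unknown

def lenient(header):
    """Behaviour the article describes: unrecognized tokens are ignored."""
    parsed = parse_cp(header)
    if parsed is None:
        return "block"  # no compact policy presented at all
    declared = {tok[:3] for tok in parsed[0]}
    return "block" if declared & UNACCEPTABLE else "accept"

def strict(header):
    """Hardening under discussion: unrecognized or absent tokens mean block."""
    parsed = parse_cp(header)
    if parsed is None or parsed[1] or not parsed[0]:
        return "block"
    return lenient(header)

# Constructed sample header values (not captured traffic).
SAMPLES = {
    "well_formed": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADMa OUR NOR"',
    "declares_sharing": 'CP="NOI DSP CUR UNRa"',
    "not_a_policy": 'CP="This is not a P3P policy"',
    "no_header": "",
}

def compare():
    """Map each sample to its (lenient, strict) decision."""
    return {name: (lenient(h), strict(h)) for name, h in SAMPLES.items()}
```

Calling `compare()` shows that only the free-text policy is treated differently by the two modes: with unknown tokens ignored it declares nothing objectionable and is accepted, while the strict check blocks it.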



Discussion

  • Anonymous on

    Microsoft shouldn't cry foul just b/c their browser security is inadequate.  IE is safe only for enterprise, intranet apps which require IE.

  • Anonymous on

    Google and others were submitting a tiny form which allows a cookie to be placed, thus circumventing the privacy controls. IMMO, one should just install a hosts file addition from mvps dot org.
  • Emily on

    Go Ogle:  Google.

     

    Both Sam Walton's Wal-Mart and Google started out with this goody-goody image.  Companies that protest their innocence are usually the most evil, same as people.  Campbell soup in the Twenties or before had Chinese slaves working for them in a compound; it was quite the scandal.  At that time, the Campbell Kids were the advertising logo.

    Insurance companies with the most goody-goody images are also the worst ones.  I could go on.

  • Anonymous on

    The free Do Not Track Plus from abine.com is a useful thing for blocking third party elements on a web page. It works with all the browsers (so they say). I use IE9. It certainly cleans up a web page, much less crap on display.

  • Cesar Figueiredo on

    I am very disappointed with Google.

    I think Microsoft, for the users' sake, must ignore the P3P specification and block cookies with unrecognized tokens.

    If Google is betraying users, the latter should consider Google products unsafe, uninstall and replace them with non-Google ones. Google's sites should also be boycotted.

    All antivirus and internet security programs must block such cookies too.

    User tracking without permission is absolutely unacceptable. Everyone doing that ought to pay high fines, be thrown in jail and have his products prohibited.

  • Anonymous on

    Hey Mr Google,  and especially Mr Facebook, Absolute power, corrupts absolutely.

    You don't fool me.

  • Jan on

    Why doesn't Microsoft just fix the bug, and stop whining? Perhaps there is everything to be gained by whining, and nothing to be gained by trying to fix an intractable problem.
  • Anonymous on

    So genius Jan, Google is the one that is specifically taking the action to use technology in a way that it was not intended with the specific intentions of getting around user privacy setting, thus proving that they will do whatever it takes to ignore the wishes of the people so that they can make another buck...and this is Microsoft's fault????  Get real!!!  Microsoft is not the one committing the action!!!  Microsoft should not be expected to foresee every shady thing that every criminal and shady organization (Google in this case) will ever try.

    Hold the ACTOR accountable, and quit protecting thieves like Google.

  • DustyTrigger on

    Work around: IE Properties Custom Privacy Settings

    Set Internet Explorer > Properties > Privacy tab > Settings > Advanced to Override automatic cookie handling, Third-party Cookies to Block, and First-party Cookies to Accept. (note: Alternately set First-party Cookies to Prompt and deal with cookies as they arrive endlessly.)

    or

    Set Internet Explorer > Properties > Privacy tab > Settings to Block All Cookies. (note: Websites may not function as desired.)

    (Setup: IE 8 on Win XP SP3)
