Tuesday, February 21, 2012

Microsoft finds Google bypassed Internet Explorer's privacy settings too, but it's not alone, Google responds

If you were watching the streams a few days ago, you would have seen that Google was exploiting the way Safari blocks third party ad cookies. You won't find the coverage here, because I myself missed the post. Click here to view the coverage from Engadget, but basically it says that Google used its +1 ad technology to exploit how Safari handles ad cookies, because it makes it look like a user submitted the forms intentionally.

But the news this time is that Google is exploiting IE's P3P technology. That technology/standard is old by the way, dating back to 2002. It is a way for web pages to tell Internet Explorer what the privacy policy is for that site. These days privacy policies are displayed as a link, and brings you to a human readable policy. As Microsoft explains at some length, Google took advantage of what it describes as a "nuance" in the P3P specification, which effectively allowed it to bypass a user's privacy settings and track them using cookies -- a different method than that used in the case of Safari, but one that ultimately has the same goal.

Microsoft has stated that it has contacted on the matter, and Google's Senior Vice President of Communications and Policy, Rachel Whetstone said:

Microsoft omitted important information from its blog post today.

Microsoft uses a "self-declaration" protocol (known as "P3P") dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known - including by Microsoft - that it is impractical to comply with Microsoft's request while providing modern web functionality. We have been open about our approach, as have many other websites.

Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.

As ZDNet's Mary Jo Foley notes, however, Google isn't the only company that was discovered to be taking advantage of the P3P loophole. Researchers from Carnegie Mellon University's CyLab say they alerted Microsoft to the vulnerability in 2010, and just two days ago the director of the lab, Lorrie Faith Cranor, wrote about about the issue again on the TAP blog (sponsored by Microsoft, incidentally), detailing how Facebook and others also skirt IE's ability to block cookies. Indeed, Facebook readily admits on its site that it does not have a P3P policy, explaining that the standard is "out of date and does not reflect technologies that are currently in use on the web," and that "most websites" also don't currently have P3P policies. On that matter, Microsoft said in a statement to Foley that the "IE team is looking into the reports about Facebook," but that it has "no additional information to share at this time."

No comments:

Post a Comment

Note: This is Blogger's comment system. This system is a backup for when Disqus can't be reached by your computer, such as when your network blocks connections to disqus.com. The comment policy still applies regardless.