Microsoft claims Google bypassed its browser privacy too

P3P policy flaw gave automatic access


Updated Microsoft has released data showing that Google has been bypassing the user-defined privacy settings in Internet Explorer by using incorrect P3P identification terms.

“When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too?” Dean Hachamovitch, VP of Internet Explorer wrote in a blog post. “We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies.”

Redmond had been rather pleased about the fact that it hadn’t suffered the same kind of problems as Apple against Google’s quest for information on users. But now it claims Google has got to its users, too, by circumventing protections guaranteed by the Platform for Privacy Preferences (P3P) system its browser supports.

The P3P system uses three or four character code chunks to describe the privacy policy of the requester. As an example, Hachamovitch used “TAI,” which indicates “Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization.”

However, if the code is not recognized, Internet Explorer will accept it anyway and allow the requester full access to the user for third-party cookie purposes. Google didn’t do this “in a manner consistent with the technology,” Microsoft suggests, as it used the following message:

“P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Microsoft described being able to bypass its browser’s privacy settings in this way as “a nuance in the P3P specification,” but as was pointed out by El Reg last year and in academic papers in 2010, it’s a tactic that’s been widely used to circumvent the privacy wishes of the browser user. Microsoft is one of a dwindling band of companies still using P3P, and this latest admission will increase the decay in support.

The news will also come as a fillip to last week’s bipartisan calls for investigations into how Google is bypassing privacy protections on Safari. There’s no word from Google as yet on this, but you can bet it’s not a pretty President’s Day at the Chocolate Factory. ®

Update

"Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form," Rachel Whetstone, VP of communications and policy at Google, told El Reg in an emailed statement.

"It is well known - including by Microsoft - that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other websites."

Similar topics


Other stories you might like

  • Amazon warehouse staff granted second chance to vote for unionization

    US labor watchdog tosses previous failed result in the trash

    America's labor watchdog has given workers at Amazon’s warehouse in Bessemer, Alabama, another crack at voting for unionization after their first attempt failed earlier this year.

    “It is ordered that the election that commenced on February 8 is set aside, and a new election shall be conducted,” Lisa Henderson, regional director at the National Labor Relations Board, ruled [PDF] on Tuesday.

    “The National Labor Relations Board will conduct a second secret ballot election among the unit employees. Employees will vote whether they wish to be represented for purposes of collective bargaining by the Retail, Wholesale and Department Store Union.”

    Continue reading
  • It's the flu season – FluBot, that is: Surge of info-stealing Android malware detected

    And a bunch of bank-account-raiding trojans also identified

    FluBot, a family of Android malware, is circulating again via SMS messaging, according to authorities in Finland.

    The Nordic country's National Cyber Security Center (NCSC-FI) lately warned that scam messages written in Finnish are being sent in the hope that recipients will click the included link to a website that requests permission to install an application that's malicious.

    "The messages are written in Finnish," the NCSC-FI explained. "They are written without Scandinavian letters (å, ä and ö) and include, for example, the characters +, /, &, % and @ in illogical places in the text to make it more difficult for telecommunications operators to filter the messages. The theme of the text may be that the recipient has received a voicemail message or a message from their mobile operator."

    Continue reading
  • AsmREPL: Wing your way through x86-64 assembly language

    Assemblers unite

    Ruby developer and internet japester Aaron Patterson has published a REPL for 64-bit x86 assembly language, enabling interactive coding in the lowest-level language of all.

    REPL stands for "read-evaluate-print loop", and REPLs were first seen in Lisp development environments such as Lisp Machines. They allow incremental development: programmers can write code on the fly, entering expressions or blocks of code, having them evaluated – executed – immediately, and the results printed out. This was viable because of the way Lisp blurred the lines between interpreted and compiled languages; these days, they're a standard feature of most scripting languages.

    Patterson has previously offered ground-breaking developer productivity enhancements such as an analogue terminal bell and performance-enhancing firmware for the Stack Overflow keyboard. This only has Ctrl, C, and V keys for extra-easy copy-pasting, but Patterson's firmware removes the tedious need to hold control.

    Continue reading

Biting the hand that feeds IT © 1998–2021