Print 35 comment(s) - last by watcha10.. on Feb 23 at 11:56 AM

Google was also able to bypass privacy settings on mobile Safari, which normally blocks cookies as well

Google was recently caught bypassing user privacy settings on Apple's browser, Safari, and also on Microsoft's Internet Explorer. But Google claims that it was just trying to get its +1 buttons to work on Safari, and that Internet Explorer's cookie policy was "widely non-operational."

The Wall Street Journal recently outed Google for finding a way to bypass default privacy settings and place ad-tracking cookies on Safari users. These third-party cookies are used to track what users are doing on the Internet, which in turn helps Web giants like Google target users with suitable advertisements.

Google was able to successfully get past Safari's browser settings for privacy, which attempts to block certain types of cookies. Safari accepts first-party cookies (the Web site the user is on) or second-party cookies (the user's browser), but blocks third-party cookies, which links the browser to an entirely different Web site. The mobile version of Safari, which can be found on iOS devices, has the ability to block all cookies or none at all. 

Despite a user's privacy settings, Google and ad networks from Vibrant Media, PointRoll and Media Innovation Group were able to bypass this. They did so by making it look like the user visiting a Web site filled out a form of some sort (even if no form was presented to the user) and the companies would then get their cookies accepted. Google was also tracking user activity on the mobile version of Safari, meaning that iPhone, iPad and iPod touch users were being watched as well.

After The Wall Street Journal broke the story, Microsoft's Windows Internet Explorer Engineering Team wondered if Google was doing the same thing to Internet Explorer's users. As it turns out, it was.

"We've found that Google bypasses the P3P Privacy Protection feature in IE," said the Windows Internet Explorer Engineering Team Blog. "The result is similar to the recent reports of Google's circumvention of privacy protections in Apple's Safari Web browser, even though the actual bypass mechanism Google uses is different.

"By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site's use does not include tracking the user. Google's P3P policy causes Internet Explorer to accept Google's cookies even though the policy does not state Google's intent."

Microsoft suggested that users utilize the Tracking Protection feature in Internet Explorer 9, which doesn't allow Google to bypass security settings.

Google defended itself against the claims, saying that it never intended to track users on Safari or Internet Explorer. As far as Safari goes, it was just trying to get its +1 buttons to work. Browsers like FireFox, Chrome and Internet Explorer don't block third-party cookies by default, but Safari does. Therefore, Google bypassed the privacy settings to allow its +1 buttons on advertisements to be distributed through the AdSense network to other sites. Google also said it wasn't tracking iPhones, just what some people are doing in the Safari browser.

On the Internet Explorer side of things, Google argued that Internet Explorer's P3P cookie technology is "widely non-operational." Google also mentioned Facebook and Amazon's use of P3P bypass, and that P3P doesn't support Google's modern Web services. The P3P standard is now out of date, said Google.

"Microsoft omitted important information from its blog post today," said Google. "Microsoft uses a 'self-declaration' protocol (known as P3P) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known -- including by Microsoft -- that it is impractical to comply with Microsoft's request while providing modern web functionality. We have been open about our approach, as have many other websites."

Sources: Windows Internet Explorer Engineering Team Blog, Marketing Land, The Verge

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Uh
By Strunf on 2/22/2012 7:47:17 AM , Rating: 4
That's bull... it's like saying that it's not the the hacker fault when it hacks a site but the website administrator for not making 100% safe.

The fact is that Google bypassed a security feature, that this security is "outdated" or not is besides the point!

The P3P is a web standard it is not a MS feature, if your website says that it complies with P3P it must complies with P3P, it's in no way any different than if you set your browser to not accept any cookie and a website finds a way to still do it...

In a day and age where any of your information is worth something, Google and others will do whatever they can to bypass your restrictions!

RE: Uh
By quiksilvr on 2/22/2012 8:27:16 AM , Rating: 1
That is an over the top analogy. That's like saying slapping someone in the face = running over with car.

A better analogy would be being able to log in with someone else's username and being able to log in without the need for a password. That's not hacking. That's a crazy security hole, which is what this is.

RE: Uh
By nafhan on 2/22/2012 9:58:24 AM , Rating: 3
Apple may have a point in regards to bypassing Safari's cookie blocking, but:
--P3P is a web standard that's all but been abandoned as unworkable
--MS is the only browser vendor to currently implement it
--most major websites bypass it

To me, it sounds like MS is jumping on the anti-Google bandwagon. Really, the de facto "standard" in regards to P3P is to ignore it altogether, which is what Google is doing. Remember, too, web standards are effectively more like guidelines than legal documents.

In regards to this:
That's bull... it's like saying that it's not the the hacker fault when it hacks a site but the website administrator for not making 100% safe.
A "hacker" will always be at fault for his actions, but an admin who leaves an obvious opening or flaw will probably lose his job - or worse.

RE: Uh
By Strunf on 2/22/2012 11:42:33 AM , Rating: 3
Only Google is not ignoring it... if they wanted to ignore it they could make the web page without the P3P key, they are in fact exploiting a bug. They do this cause IE unlike any other web browser blocks 3rd party cookies that do not have a certificate, in other words it doesn't fit on their modus operandi of getting as much information out of you as possible.

Webstandars are guidelines? sure but I for one want the standards enforced, I don't have any problem if the standard keeps "evolving" or that some browser don't support it, but if I make a xtml 1.1 page I sure hope it will be the same on every browser that supports it.

RE: Uh
By nafhan on 2/22/2012 12:36:21 PM , Rating: 3
They're ignoring the intent of an outdated and generally un-utilized privacy setting that's only present on IE, and Google's not the only one ignoring it. FB, Amazon, and others are ignoring it as well.

RE: Uh
By watcha10 on 2/23/2012 11:56:09 AM , Rating: 2
Yep, I agree

RE: Uh
By JediJeb on 2/22/2012 3:55:16 PM , Rating: 2
Remember, too, web standards are effectively more like guidelines than legal documents.

I invoke the right of Parlay against those who bypass my privacy settings.

"So if you want to save the planet, feel free to drive your Hummer. Just avoid the drive thru line at McDonalds." -- Michael Asher

Most Popular ArticlesSmartphone Screen Protectors – What To Look For
September 21, 2016, 9:33 AM
UN Meeting to Tackle Antimicrobial Resistance
September 21, 2016, 9:52 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM
5 Cases for iPhone 7 and 7 iPhone Plus
September 18, 2016, 10:08 AM
Update: Problem-Free Galaxy Note7s CPSC Approved
September 22, 2016, 5:30 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki