Google was also able to bypass privacy settings on mobile Safari, which normally blocks cookies as well

Google was recently caught bypassing user privacy settings on Apple's browser, Safari, and also on Microsoft's Internet Explorer. But Google claims that it was just trying to get its +1 buttons to work on Safari, and that Internet Explorer's cookie policy was "widely non-operational."

The Wall Street Journal recently outed Google for finding a way to bypass default privacy settings and place ad-tracking cookies on Safari users. These third-party cookies are used to track what users are doing on the Internet, which in turn helps Web giants like Google target users with suitable advertisements.

Google was able to get past Safari's privacy settings, which attempt to block certain types of cookies. Safari accepts first-party cookies (the Web site the user is on) or second-party cookies (the user's browser), but blocks third-party cookies, which link the browser to an entirely different Web site. The mobile version of Safari, which can be found on iOS devices, has the ability to block all cookies or none at all.

Google and ad networks from Vibrant Media, PointRoll and Media Innovation Group were able to bypass a user's privacy settings. They did so by making it look like the user visiting a Web site had filled out a form of some sort (even if no form was presented to the user), and the companies would then get their cookies accepted. Google was also tracking user activity on the mobile version of Safari, meaning that iPhone, iPad and iPod touch users were being watched as well.

After The Wall Street Journal broke the story, Microsoft's Windows Internet Explorer Engineering Team wondered if Google was doing the same thing to Internet Explorer's users. As it turns out, it was.

"We've found that Google bypasses the P3P Privacy Protection feature in IE," said the Windows Internet Explorer Engineering Team Blog. "The result is similar to the recent reports of Google's circumvention of privacy protections in Apple's Safari Web browser, even though the actual bypass mechanism Google uses is different.

"By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site's use does not include tracking the user. Google's P3P policy causes Internet Explorer to accept Google's cookies even though the policy does not state Google's intent."

Microsoft suggested that users utilize the Tracking Protection feature in Internet Explorer 9, which doesn't allow Google to bypass security settings.

Google defended itself against the claims, saying that it never intended to track users on Safari or Internet Explorer. As far as Safari goes, it was just trying to get its +1 buttons to work. Browsers like Firefox, Chrome and Internet Explorer don't block third-party cookies by default, but Safari does. Therefore, Google bypassed the privacy settings to allow its +1 buttons on advertisements to be distributed through the AdSense network to other sites. Google also said it wasn't tracking iPhones, just what some people are doing in the Safari browser.

On the Internet Explorer side of things, Google argued that Internet Explorer's P3P cookie technology is "widely non-operational." Google also mentioned Facebook and Amazon's use of P3P bypass, and that P3P doesn't support Google's modern Web services. The P3P standard is now out of date, said Google.

"Microsoft omitted important information from its blog post today," said Google. "Microsoft uses a 'self-declaration' protocol (known as P3P) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known -- including by Microsoft -- that it is impractical to comply with Microsoft's request while providing modern web functionality. We have been open about our approach, as have many other websites."

Sources: Windows Internet Explorer Engineering Team Blog, Marketing Land, The Verge




RE: Judging the significance
By Tony Swash on 2/22/2012 12:18:02 PM , Rating: 2
I believe that Google also exploited a loophole in IE which doesn't use webkit.

Who is more guilty, the person who leaves their window open or the burglar who climbs in?

Obviously a tough call for some:)


RE: Judging the significance
By SkullOne on 2/22/2012 12:48:14 PM , Rating: 2
You still ignore the facts that were posted earlier in the thread so I'll post the URL again and pay attention to the date. IE has had this known issue since well...forever and they chose to ignore it. So it's Microsoft's fault.

http://bits.blogs.nytimes.com/2010/09/17/a-loophol...

You also (conveniently) didn't answer my question though. If Firefox and Chrome explicitly block 3rd party cookies no questions asked why do IE and Safari not do the same? That takes the issue and points it squarely at the web browsers, not at Google or the other websites out there that use this "loophole".


RE: Judging the significance
By Tony Swash on 2/22/2012 3:13:37 PM , Rating: 2
So I guess your answer is that the burglar is less guilty than the guy who leaves his window open.

Odd call in my opinion.


RE: Judging the significance
By SkullOne on 2/22/2012 3:40:49 PM , Rating: 2
lulz

I love how you can never answer a simple question when the answer makes your precious Apple look rotten. Especially when Webkit did this to themselves by relaxing the policies in March 2010 and didn't bother implementing the fix submitted by Google developers back in August 2011.


RE: Judging the significance
By Tony Swash on 2/22/2012 5:11:25 PM , Rating: 2
quote:
Especially when Webkit did this to themselves by relaxing the policies in March 2010 and didn't bother implementing the fix submitted by Google developers back in August 2011.


So Google's response was to exploit the hole. Nice. I blame the burglar not the victim no matter how careless they are. You obviously do the opposite.


RE: Judging the significance
By SkullOne on 2/23/2012 9:17:15 AM , Rating: 2
What about the fact that Microsoft's own support page recommended people do exactly what Google is doing? Which is also what Microsoft's site does, as does Facebook.

The only reason Microsoft came out with this information was to jump on the "I hate Google" bandwagon and make Google look bad. Instead all it's done is show that IE is still outdated and insecure as is Safari.

Why can't you ever lay blame where it belongs?
