Tuesday, February 21, 2012

Google, Microsoft, or Facebook: Who Dropped The Ball With Your Online Privacy?

The latest round in the Who's Doing Internet Worse roulette

Google, Microsoft, and Facebook are locked in a precarious blame game about who failed with your online privacy. First, Google was caught bypassing a security feature in Safari, which allowed the company to track users despite Safari's no-tracking settings. Then yesterday, Microsoft accused Google of doing a similar thing to Internet Explorer users. Lots of smoke so far, but is there a fire?

Google responded today to Microsoft's accusation, denying that the search engine company acted unscrupulously by tracking IE users and instead saying that it is Microsoft's fault for not addressing a known flaw in its browser. To strengthen its argument, Google pointed to Facebook's ubiquitous "Like" button found on websites and said that feature uses the same method to track user info, so this is not a Google problem but a Microsoft problem. Facebook basically shrugged at Google's attempt to drag it into the mix: the social networking site insouciantly confirmed today that it is in fact using the same bypass as Google.

As mentioned above, Microsoft revealed that Google has been sidestepping a privacy setting in Internet Explorer in order to keep tracking users' browsing habits even after those users chose a setting meant to block websites from collecting data on them. Basically, the exploit Google used involves IE's P3P policy check, which reads a machine-readable statement from websites like Google declaring what their cookies are for. The P3P check is supposed to reject cookies from sites that don't clearly express their purpose, but Google intentionally sent a vaguely worded policy statement with its cookie so that IE would accept it, letting the company keep tracking the browsing habits of Internet Explorer users. Microsoft vilified Google after the revelation and, as you can imagine, Google was quick to defend itself.
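To make the mechanism concrete from an auditor's side, here is a small Python helper, added for this article and not code from Google, Microsoft or Facebook. It reads the P3P header of an HTTP response, pulls out the compact policy (the CP="..." token list IE inspects), and classifies it as missing, valid, or present-but-meaningless. The token list is the P3P 1.0 compact-policy vocabulary; the sample responses and hostnames are constructed for the example, and the "invalid" category reflects the behaviour the article describes, where a header full of non-policy words still gets a site's cookies accepted.

```python
"""Classify a response's P3P compact policy header (added example)."""
import re

# P3P 1.0 compact-policy tokens, grouped as in the specification.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP"}
REMEDIES = {"COR", "MON", "LAW"}
NON_IDENT = {"NID"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
           "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
TEST = {"TST"}
PLAIN_TOKENS = ACCESS | DISPUTES | REMEDIES | NON_IDENT | RETENTION | CATEGORY | TEST
# Purpose and recipient tokens may carry an opt-in / opt-out / always suffix (a/i/o).
SUFFIXED_TOKENS = PURPOSE | RECIPIENT

_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)


def token_is_valid(tok: str) -> bool:
    """True if tok is a P3P 1.0 compact-policy token (case-insensitive)."""
    t = tok.upper()
    if t in PLAIN_TOKENS or t in SUFFIXED_TOKENS:
        return True
    # e.g. "PSAa" or "OURo": a three-letter base token plus one suffix letter
    return len(t) == 4 and t[-1] in "AIO" and t[:3] in SUFFIXED_TOKENS


def classify_p3p(headers: dict) -> dict:
    """Classify the P3P header of one HTTP response.

    status is one of:
      "missing" - no P3P header at all
      "no-cp"   - a P3P header without a CP="..." compact policy
      "valid"   - a compact policy whose tokens are all recognised
      "invalid" - a compact policy made of words that are not P3P tokens,
                  i.e. a header that is present but states no real policy
    """
    value = None
    for name, v in headers.items():
        if name.lower() == "p3p":
            value = v
            break
    if value is None:
        return {"status": "missing", "tokens": [], "unknown": []}
    m = _CP_RE.search(value)
    if not m:
        return {"status": "no-cp", "tokens": [], "unknown": []}
    tokens = m.group(1).split()
    unknown = [t for t in tokens if not token_is_valid(t)]
    status = "valid" if tokens and not unknown else "invalid"
    return {"status": status, "tokens": tokens, "unknown": unknown}


def audit(responses: dict) -> dict:
    """Map each host to the status of its P3P header."""
    return {host: classify_p3p(h)["status"] for host, h in responses.items()}


# Constructed sample responses (hostnames and headers invented for this example).
SAMPLE_RESPONSES = {
    "ads.example": {"P3P": 'CP="CAO PSA OUR"'},                   # well-formed compact policy
    "social.example": {"p3p": 'CP="This is not a P3P policy"'},  # words that are not tokens
    "plain.example": {"Content-Type": "text/html"},               # no P3P header
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_RESPONSES).items():
        print(f"{host}: {status}")
```

Run against real captured response headers, the "invalid" bucket is the one worth a closer look: it is exactly the case of a site that answers the browser's request for a policy statement without actually making one.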

But Google's defense is basically to point the finger back at Microsoft for relying on outdated security settings. In a response provided to WebProNews, Google's Senior Vice President of Communications and Policy, Rachel Whetstone, shared the following:

Microsoft omitted important information from its blog post today.

Microsoft uses a "self-declaration" protocol (known as "P3P") dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known - including by Microsoft - that it is impractical to comply with Microsoft's request while providing modern web functionality. We have been open about our approach, as have many other websites.

Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.

Here is some more information.

Issue has been around since 2002

For many years, Microsoft's browser has requested every website to "self-declare" its cookies and privacy policies in machine readable form, using particular "P3P" three-letter policies.

Essentially, Microsoft's Internet Explorer browser requests of websites, "Tell us what sort of functionality your cookies provide, and we'll decide whether to allow them." This didn't have a huge impact in 2002 when P3P was introduced (in fact the Wall Street Journal today states that our DoubleClick ad cookies comply with Microsoft's request), but newer cookie-based features are broken by the Microsoft implementation in IE. These include things like Facebook "Like" buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services. It is well known that it is impractical to comply with Microsoft's request while providing this web functionality.

Today the Microsoft policy is widely non-operational.

In 2010 it was reported:

Browsers like Chrome, Firefox and Safari have simpler security settings. Instead of checking a site's compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies...

Thousands of sites don't use valid P3P policies...

A firm that helps companies implement privacy standards, TRUSTe, confirmed in 2010 that most of the websites it certifies were not using valid P3P policies as requested by Microsoft:
