Tuesday, February 21, 2012

As with Safari, Google bypasses IE9 privacy settings --- but so do many others

Microsoft and Google are certainly not BFFs, and with an "opening" big enough to drive a truck through, Microsoft certainly wouldn't pass it up, would it? After Google was found to be sidestepping the privacy policies on Safari --- both desktop and mobile versions --- using some trickery, Microsoft took a look at IE9, and discovered Google was doing much the same thing there.

Google isn't using the same "trick" to get by IE9's default privacy settings, but it is using a trick, nonetheless. IE9 blocks cookies from any site that does not honor a technology called P3P.

P3P is a protocol which allows websites to "declare their intended use" for information they collect about users browsing the site. Since Google doesn't use P3P, its cookies should be blocked, but Google tricks IE9 into accepting its cookies.

Google sidesteps the issue, so to speak, by using a loophole in the P3P specification. The P3P spec says that browsers should ignore any undefined policies they encounter. In other words, if Google chose to insert garbage, the browser would assume that the code indicates not merely that the cookie will not be used for any tracking purpose, but that the cookie will not be used at all.

Perhaps being snarky, Google doesn't insert garbage code. Instead Google inserts human-readable text that says "This is not a P3P policy!" along with a link that leads to a page explaining why Google eschews P3P.

It's a "score" for Microsoft, as they've managed to find a FUBAR by Google and will, by revealing it, embarrass the Internet giant. It's not as though tracking cookies "track your location," though. They are pretty benign as things go, tracking your browsing history and little else.

What Microsoft doesn't tell you, in their post about Google's faux pas, is that many other companies do the same thing: bypass IE9's privacy settings. Why? Because it's better to make Google look bad than to make the P3P specification look bad, meaning easily bypassed.

It's the same thing with the Safari sidestepping. Many other companies bypass Safari's privacy settings, too.

Still, if you use IE9 and want to block Google from using this loophole to track you, Microsoft has details about the Google loophole and a link to blocking instructions here.
