Do no evil?
Anyone else see a pattern?
Slurping all that WiFi info during street view was just an accident M'Lud!
Microsoft has released data showing that Google has been bypassing the user-defined privacy settings in Internet Explorer by using incorrect P3P identification terms. “When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy …
Not to justify Google but Microsoft forces the sale of IE upon all of their customers illegally.
Yes, slow learners, it is illegal to commingle the code between the OS and IE yet Microsoft continues to do so in order to force the sale of IE upon you and prevent you from removing the application.
As long as you accept outright illegal practices from Microsoft you can hardly speak at all about what anyone else may do.
wholly inexhaustive and spur-of-the-moment testing prompted by your query indicates that Bing does indeed honour P3P codes although I can't test live.com services without actually logging into them (and thus using Passport, which pretty much ruins any test).
So, MS apparently honour privacy, Gioogle don't and MS are pathetic and desperate scumbags? What an odd world you live in.
Google use big loophole in our browsers wail Apple and Microsoft.
"We wanted to tell our users that their privacy was safe if they used our browsers and big bad Google has shown we've been making hollow promises. They must be hackers or something."
If its something Google can do then its something any mean and nasty problem site can do too.
So is this a bug or a feature guys.
You are amusingly naive if you think that Google did this to show up flaws in Apple's & Microsoft's software. They did this because they wanted the data and because they could. And they did it *despite* it being against the wishes of the end-user.
The fact that Safari and IE allowed it to occur does not negate Google's responsibility for doing it. Saying everyone else could do it too is not the point. Google claim to be better than that.
I'm not being naive nor am I being an apologist for Google, I'm not trying to defend them in anyway. I'm just pointing out that a privacy protection scheme that allows Google to act in anyway they feel like is about as much use a chocolate tea pot.
Now if someone draws up a laws that says website must follow a set of rules then the chances are that Google after a lot of bitching would probably follow, but if you think many of the sites on the web would you are naive.
A privacy scheme that works by having website decide whether they want to track you or not is not a privacy scheme at all. Its a pipe dream. And it just as much a market scheme as Google's tracking you where ever you breath on the net. Now you are probably well enough informed to understand that any claim made about these tools is just wishful thinking. But most users won't be, and will believe that when they click the box saying don't track me, they'll believe the marketing bs that they are now protected, when they're no more protected than wearing a white shirt will protect you from a rifle bullet.
Sending an "Ooh please don't rape me" code out was always going to be ignored anyway. Trusting marketing types to abide by an honour system is a fucking risible idea...always has been. The only way to be sure -apart from nuking them from orbit (and I wouldn't stand in anyone's way there)- is for the browser to not emit the information and to not store the cookies.
Too damned right. It's the same philosophy as that daft Do Not Track proposal. Anyone who really wants to track you will find a way to ignore it. Anyone who doesn't mind doing the odd bit of Evil will just ignore it, omitting the bit where they find a semi-legitimate reason to do so.
Advertisers are greedy, immoral bastards. Who knew?
They need to come up with clear rules and clear way of disabling tracking. I do not wished to be tracked. I do not wish to see ads all over the sites. I pay for my broadband and I want to control what goes down the pipe to my browser. If they want to share with me their revenue from ads, fine, I can live with them, but they don't share it.
Well, anyway, I live w/o adverts, adBlock and DNP Plus do the job.
Never mind all that - you don't need a single cookie to track someone. You just use the unique code(s) their browser sends. Oh, sure, it doesn't send a UUID - but the average browser does allow javascript to detect what fonts a user has, and obviously sends a list of plugins, screen size, and so on. That's enough to uniquely identify almost anyone. And that's without using geolocation, zombie cookies, or any calculations like clock speeds, response time, etc.
Chances are, even in "private" mode, your browser still sends uniquely identifying information.
See http://panopticlick.eff.org/ for more info.
On Panopticlick... http://www.secretagent.co.uk may help.
On Geolocation... https://www.dephormation.org.uk?page=73 may help.
And on unwanted Google cookies? Wouldn't it be nice if someone wrote a browser add on that selectively purged Google/Google Syndication/Google Analytics cookies, or even wrote other more interesting values over them instead for Google to digest?
Perhaps I might review my (ever growing) 'todo' list.
I've always felt the answer here is to go on the war path. Deleting cookies doesn't discourage the bastards from doing it. What I've always wanted was a tool/option that just wrote random data into the unwanted cookies. If enough people did that then they'd stop doing it because the data would be useless to them, and certainly in the early days of the counter attack would probably cause all sorts of their crap SW to crash.
I'm just too much of an idle git to bother actually writing it.
Of course you'd have to track down all the other ways they follow you too.
Hi, if you read it again you can see that I'm not being tracked. What I said is that they need to come up with easy to understand way how to opt-out from this BS, nice clear form, well explained with examples so users can decide what they want to do. We know how to deal with this but average users don't.
"If they want to share with me their revenue from ads, fine, I can live with them, but they don't share it."
You say that, but they do. You are paid in content. Take the very fine The Register as an example. The adverts on this site pay for the operation of the site and (I hope) compensation for the authors of the articles. When you read the articles, you are receiving a share of that payment.
After you have made a mess of things so badly and for so long, it would be nice if you just sat down and shut up. IE has been a menace pretty much from its inception until maybe a year or two ago. Its too early to go pointing fingers.
"Yes, we remember. We remember the past and its lessons, the past and its misfortunes, the past and its glories". Oh, and scratch the last bit.
So several browsers completely ignore privacy protection when strange input is received.... and somehow google is to blame? how many sites have been doing this maliciously already?
Come on, put the blame where its deserved. Security is useless when the default behaviour is to bypass that security at the slightest sign of trouble.
Didn't Microsoft just say:
"Windows Internet Explorer is the browser that respects your privacy. Through unique built in features like Tracking Protection and other privacy features in IE9, you are in control of who is tracking your actions online. Not Google. Not advertisers. Just you."
And all the while they knew that their browser's default behavior was to pass undefined privacy codes as if they were valid?
And they want to blame Google for their two-faced BS!?
[No, I don't think Google is blameless. This reminds me a little too much of Google's use of BHOs to install stuff in violation of IE's administrative settings. My thoughts on that here: http://forums.theregister.co.uk/post/1098266 ]
Playing the script kiddies games. Got to love that. Well, I'll be waiting for the games to begin. We be needing a good boxing match between the Apple, Google goo and The MS. May the best liar win!
I will need tons of popcorn for this one! :- )
Oh dear, someone made a specification whereby websites are trusted to communicate their privacy policy correctly to the user agent? What sort of idiots would come up with such an idea, it's no wonder it never got any traction.
http://www.w3.org/2002/p3p-ws/registrants.html
Were I a shareholder in Google I would be calling them idiots for not making use of this to enable 3rd party cookies in IE and Safari with default settings (every other browser allows them).
Probably also worth a mention - how to disable third party cookies in most browsers:
http://www.bobulous.org.uk/misc/third-party-cookies.html
Personally I think Microsoft are the fools in this for including half baked browser privacy protections and then blaming other people for bypassing them.
Blaming Microsoft / Apple for this is a bit like blaming you for getting your house burgled (by Google) because you did not have bars on your windows and doors. Sure they could (and probably will) improve security of their browsers further but Google should not have been trying to intentionally circumvent their security for their own financial gain.
This is like having an electronic lock on the door to your house which, when you enter only letters, opens the door because it expects digits and letters.
So Google are evil, we knew that .... Apple and Microsoft are evil, too, though and for them to point at Google for being evil is ridiculous ... Let's not forget, repeat after me:
Google, Apple and Microsoft are evil
Google, Apple and Microsoft are evil
Google, Apple and Microsoft are evil
Google, Apple and Microsoft are evil
Apple and MS are in no way little angels, BUT people here really need to get a grip. Google have done wrong here!
Why are people trying to put a different slant on things by spreading blame to other parties? Why come up with these excuses and attempts to justify and lessen Google's culpability?
Only brainwashed fans react in this way. I get the Register doesn't like MS or Apple, but this article doesn't warrant any MS/Apple bashing. It's all about Google here...
I'm not saying Google aren't evil... I'm not saying they don't already know too much about what we do, where we go, who we talk to, what we like and what we don't but seriously... Seriously of all of the things... P3P?? Who give's a shit?!
It's not protecting your privacy it's just a way of providing information on how cookies will be used... Browsers are meant to be your first line of defence for protecting your privacy, websites should be treated as the enemy by any browser... Any website can send back any old garbage and do something completely different. If IE just drops its pants and gives access to the cookie jar at any old junk passed through as a P3P message... What's the point? It's not security, it's merely informative. Other browsers and website thought this, hence why IE is the only one to implement this as a PR exercise and websites with vested interest in IE are the only ones to provide a P3P message. Google's fault was providing a P3P message at all.
There probably is a solution to cookie privacy, security, certification, recourse for abuse but P3P it ain't. Browsers should enable the user to nuke any storage mechanisms attached to the browser and err on the side of safety with privacy. Best solution for now is to disable cookies by default, add exceptions for sites you trust and monitor your cookie situation.
Perhaps it's because Google shouldn't have been able to bypass privacy settings if the browsers did what they claimed to do.
Let's put it simply: MS and Apple both told people their browser was secure. Now it turns out the browser isn't. That's their fault, not Google's. That does not excuse Google for what they've done. It does not lessen what they have done. Rather, it highlights that MS and Apple have holes in their browser security and in MS's case, the hole is trivial to exploit.
So it's not an excuse for what Google's done: It's that what Google did doesn't excuse the lax security in IE and Safari.
First Google is obviously at fault here for violating standards. As many others already said; the times of "do no evil" are long behind us; now all that's left is hollow marketing talk.
However; IMO one has to wonder as well why MS allowed this to happen in the first place? If you require a code and the code turns out to be invalid doesn't it sound a bit peculiar to accept it anyway? Worse; provide "admin like" access on top of that ?
Still; the main blame sits with Google here IMO. Think about it this way: Would you have believed Microsoft if they claimed that you could no longer access Google's website with MSIE due to a code violation at the hands of Google themselves?
More importantly: could that have triggered a move from MSIE to Chrome because "At least Chrome allows me to access Google's websites without hassle" ?
You really think the coders at the chocolate factory would stop 30% of internet users from using their service? I think they would have done so already, if they thought it would be good practice .... remember all the Microsoft -only shops out there, I know, their sys admins are idiots, but still, they would not even be allowed to install Chrome ...
A better way would be to pop up one of those cute little IE messages.
Something along the lines of:
This web site is ignoring your browser's current security settings and attempting to bypass them.
Allow this Report this Cancel
Might keep everyone a bit more honest.
"It is well known ... that it is impractical to [represent their privacy practices in machine-readable form] while providing modern web functionality."
That is a technical statement. What are they saying about moder web functionality?
(Please don't bother replying just to say they are lying. If there is no technical explanation you can save time by just not posting)
Microsoft is neatly ignoring the fact that it's P3P implementation is flawed at best, and causes web developers issues between different IE browser versions ( no surprises there ).
Specifically, IE will refuse third party cookies within iframes, and will show a warning message regardless of your privacy settings.
This makes it a pain for social application or widget developers - the workaround being to invalidate the P3P string entirely forcing IE to accept all cookies from your domain.
Facebook do the same thing as google, setting their P3P header to:
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
No doubt google and facebook are mainly concerned about protecting their metrics and ad tracking business.
You know what? The locks on the doors of my house may be trivially bypassed (a serious boot or drilling out the cylinder would probably do the trick) but if someone were to break in to my house it would most definitely be their problem, as they are the ones in the wrong.
Even for you with your track record of defending everything Google does or says, this is should draw your criticism - Google have been caught out here, to say that the effective victims are to blame because they aren't secure enough doesn't change the fact that Google a breaking the rules (possibly even the law) in a premeditated manner.