Linked by Thom Holwerda on Fri 17th Feb 2012 15:36 UTC, submitted by bowkota
Privacy, Security, Encryption
Well, paint me red and call me a girl scout: Facebook, Google, and several other advertising networks are using a loophole to make sure third party cookies could still be installed on Safari and Mobile Safari, even though those two browsers technically shouldn't allow such cookies. Google has already ceased the practice, and in fact, closed the loophole in WebKit itself months ago.
huh.
by MasterSplinter on Fri 17th Feb 2012 15:48 UTC
MasterSplinter
Member since:
2012-01-05

...who'da thunk.

Reply Score: 1

RE: huh.
by fran on Fri 17th Feb 2012 17:29 UTC in reply to "huh."
fran Member since:
2010-08-06

yeah, look what Apple has made us do

Reply Score: 4

RE[2]: huh.
by Tony Swash on Fri 17th Feb 2012 18:15 UTC in reply to "RE: huh."
Tony Swash Member since:
2009-08-22

yeah, look what Apple has made us do


OK - you got me: what has Apple made us do?

Reply Score: 2

RE[3]: huh.
by fran on Fri 17th Feb 2012 18:24 UTC in reply to "RE[2]: huh."
fran Member since:
2010-08-06

Apple did not do anything.
I probably should have put a ;-) after that one.
Just parodying

Edited 2012-02-17 18:25 UTC

Reply Score: 1

RE[2]: huh.
by Carewolf on Sat 18th Feb 2012 22:28 UTC in reply to "RE: huh."
Carewolf Member since:
2005-09-08

Apple didn't do anything. The feature in question is so old it is inherited from the KHTML code which was quite paranoid about cookies (which were considered a new and dangerous feature at the time).

Reply Score: 3

People just don't care enough about privacy
by jgagnon on Fri 17th Feb 2012 16:24 UTC
jgagnon
Member since:
2008-06-24

It is a shame that "invasion of privacy" is a feature, but we have ourselves to blame.

Please, people of the world, take it upon yourself to observe, pursue, and ultimately learn as much about the world around you as you can. Your ignorance is not helping anyone, least of all yourself.

Edited 2012-02-17 16:25 UTC

Reply Score: 3

Browser Insider Member since:
2009-06-16

True.

Money > Privacy.

People don't care about privacy if you ask around you and they forgive Google any time. I don't see many users closing their Gmail account any time soon.

Reply Score: 1

umccullough Member since:
2006-01-26

True.

Money > Privacy.

People don't care about privacy if you ask around you and they forgive Google any time. I don't see many users closing their Gmail account any time soon.


That's because, for many people:

Convenience > Privacy

Reply Score: 4

KrustyVader Member since:
2006-10-28

I'm thinking of closing my GMail account, not for this but for the sum of all things. I will miss googlecheck, because I already closed my Paypal account.

Reply Score: 2

re_re Member since:
2005-07-06

I never opened one for this exact reason. Well, I did once because of android apps, but I only access it on an anonymous proxy and gave out bs info to open it.

Reply Score: 2

Tony Swash
Member since:
2009-08-22

I know one can get too paranoid and see patterns and intent in a simple fuck up, I am not generally a conspiracy theorist, but episodes like this one with Google circumventing user privacy settings can reflect deeper truths about a company's core dynamic. I do think this episode reveals something about Google and privacy and what the core dynamic of Google's business is, about what drives Google. I don't mean what are its professed ideals but rather what are the central dynamics and drives of its core business model.

The way Google makes money, the only way it makes money, its almost sole source of income, is to sell advertising. And Google can sell that advertising because it offers the buyers of the advertising the very special added benefit of targeting that advertising, of putting ads before people that are cleverly and effectively tailored to match the interests and concerns of the individual viewer. And Google does that by watching and recording what people do on the internet, what they search for, what they watch, what they read and receive in their emails, who they network with, etc and then recording and storing that behaviour at the level of the individual so it can be interrogated by Google's advertising distribution algorithms. Being able to watch what people do and record it at the level of an individual is absolutely central to the very core of Google's corporate identity.

Without being able to watch and record what people do Google no longer has a product to sell. This means that Google will always view areas of activity on the internet which it cannot record and inspect and record as a threat, to be broken into or routed around. This is not about ethics or the simplistic and somewhat childish notions of good and bad, it is about basic business logic. For Google opening up, inspecting, recording information and behaviour is really just one big technical problem and all Google wants to do with this information is just make things better for the user, to make the search results and the advertising that each of us sees more relevant, better.

Google has to be able to watch enough of us enough of the time so that the adverts it places are accurately tailored to each of us. Then it has a product it can sell. If it cannot watch and record at the level of individuals Google has no business and nothing to sell.

Remember: if the product is free, You are the product.

Reply Score: 4

Nth_Man Member since:
2010-05-16

Remember: if a greedy one has your data, you are a product.

Whether it's a "gratis" service or not. :-|

Reply Score: 4

mantrik00 Member since:
2011-07-06

But every major web based service provider either already does or aspires to do the same. Google is only ahead in the game.

Free products need to be supported by ads (which are generally determined algorithmically) but that does not necessarily mean that users are not being tracked in case of paid products/services. The service providers still have the same kind of data about the activities of paid users. Only, in case of paid services, ads aren't being served. But the user's usage behaviour remains in the custody of the service provider whether you are a paid user or a free user and it is likely to be used for purposes other than serving ads.

Reply Score: 1

Tony Swash Member since:
2009-08-22

But every major web based service provider either already does or aspires to do the same. Google is only ahead in the game.

Free products need to be supported by ads (which are generally determined algorithmically) but that does not necessarily mean that users are not being tracked in case of paid products/services. The service providers still have the same kind of data about the activities of paid users. Only, in case of paid services, ads aren't being served. But the user's usage behaviour remains in the custody of the service provider whether you are a paid user or a free user and it is likely to be used for purposes other than serving ads.


Companies other than Google collect user data, often this is done as a way to add value (from the company's point of view) and generate additional income alongside income generated by products or services they sell. In the case of Google user data is a core product, a product absolutely central to Google's ability to make money. Collecting user data in order to target advertising is the basis on which Google makes all its money. This means that the drive to collect user data (and to surmount any obstacle to collecting user data) is very, very strong and fundamental in Google and will always be very active.

Reply Score: 1

Where's The Editorial Bias Now?
by Pro-Competition on Fri 17th Feb 2012 18:50 UTC
Pro-Competition
Member since:
2007-08-20

I generally try to avoid troll-baiting, but I'm dying to know how the pro-Apple trolls are going to twist this article into their "Thom is anti-Apple, pro-Google" mindset. I'm waiting...

Anyway, I could not agree more with the conclusion of the article:


In case the point hasn't been driven home yet - companies need to be monitored at all times. ...

If we don't, we could end up in a world of hurt.

Reply Score: 4

v Apple is the issue
by SojoPhoto on Fri 17th Feb 2012 19:24 UTC
RE: Apple is the issue
by jackeebleu on Sat 18th Feb 2012 04:21 UTC in reply to "Apple is the issue"
jackeebleu Member since:
2006-01-26

Wait, so it's Apple's fault that Google and FB purposely and willfully circumvented controls in Safari and said "F U" to the millions of Safari users' privacy concerns so that they could continue to make money? Really?

So I guess if someone breaks into your home, by circumventing your alarm/locking mechanism, eats your food, cooks in your kitchen, and rapes your mom....it's your fault for having circumventable locks...right?

Reply Score: 3

RE[2]: Apple is the issue
by Neolander on Sat 18th Feb 2012 07:49 UTC in reply to "RE: Apple is the issue"
Neolander Member since:
2010-03-08

Actually, everyone is guilty ;)

Apple are guilty of keeping a known security hole in their browser opened for 7 months after it is fixed in the source. To follow your analogy : if you leave the key to your house under the doormat and your neighbour has publicly poked fun at the fact when he found out months ago, you should expect someone to break in and make copies of the embarrassing photos under your mattress at some point*.

Google and Facebook are guilty of violating standard security practices by not informing Apple in a direct way and giving them some time to fix the hole before beginning to exploit it. This kind of hacker ethics does not translate well to real-life situations, but it is the way things work in the realm of computer security.

* It seems we do not have the same view of what kind of offense online privacy violation represents.

Edited 2012-02-18 08:08 UTC

Reply Score: 2

RE[3]: Apple is the issue
by Neolander on Sat 18th Feb 2012 09:14 UTC in reply to "RE[2]: Apple is the issue"
Neolander Member since:
2010-03-08

Anyway, this is the day where I try to set up Adblock with a custom filter for "like", "share", and other "+1" buttons.

These things have polluted my sight long enough, and AFAIK they are of no financial benefit to website owners. So if they also start to invade my privacy, they are out.

Edited 2012-02-18 09:18 UTC

Reply Score: 3

RE[2]: Apple is the issue
by darknexus on Sat 18th Feb 2012 18:37 UTC in reply to "RE: Apple is the issue"
darknexus Member since:
2008-07-15

Wait, so it's Apple's fault that Google and FB purposely and willfully circumvented controls in Safari and said "F U" to the millions of Safari users' privacy concerns so that they could continue to make money? Really?


No, but it is Apple's fault that this security hole still exists in Safari when it has been fixed in the Webkit source months ago. They're all pricks: Google and Facebook for giving us the finger where our privacy is concerned (though surely people aren't actually surprised by that), and Apple for failing to keep their version of Webkit patched and in better sync with the current source tree. The real question is, now that this is out in the open, will Apple patch it promptly?

Reply Score: 4

RE: Apple is the issue
by Tony Swash on Mon 20th Feb 2012 22:39 UTC in reply to "Apple is the issue"
Tony Swash Member since:
2009-08-22

Google the others did nothing wrong. Apple has been riding high on this, "We're Safer than everyone else" bus, that they can no longer create a secure product.

They left the loop hole available, and now the fanboys are going to blame everyone else? Whatever... Just shows how Apple has truly given up on Security.


Looks like Google has also been systematically and secretly bypassing Internet Explorer as well so your 'it's all Apple's fault' idea doesn't work.

http://www.electronista.com/articles/12/02/20/microsoft.tries.to.pr...

An excerpt from the report

Microsoft's Corporate VP for Internet Explorer, Dean Hachamovitch, made allegations Monday that Google was bypassing Internet Explorer's privacy settings, not just Safari's measures. After checks, he claimed that Google's cookie text files, meant to allow +1 actions for those who were signed into Google, were skirting the P3P Privacy Protection standard as it was implemented in Internet Explorer 9. The technique supposedly made IE9 take third-party cookies that it would block by default while keeping the action a secret.

To honor P3P, Google was supposed to send a set of policy tokens indicating how the cookie's information would be shared. Google was supposedly exploiting a P3P clause that skipped users' preferences if the policies weren't defined. Any browser that used P3P interpreted the message that the token was "not a P3P policy" as a sign to allow the cookie, letting Google have its intended +1 effect but also possibly allowing third-party ads despite the usual blocking settings.

The executive implied this wasn't just a casual trick, since Google would have had to use "technically skilled" staff with "special tools" to see the P3P descriptions.


At some point Google saying 'oops - a mistake - we are sorry' is going to wear a bit thin.

Reply Score: 2
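The P3P behaviour described in the excerpt above can be checked from the defender's side by auditing the `P3P` response headers a site or proxy sees. This is an added example, not part of the original thread or the linked report: the token vocabulary is the compact-policy token set from the W3C P3P 1.0 specification, and the origins and header values are constructed samples.

```javascript
// Added example: audit P3P compact policies (CP) found in response headers.
// Token vocabulary: the compact-policy tokens defined by the W3C P3P 1.0 spec.
const PLAIN = new Set(("NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR OUR " +
  "NOR STP LEG BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA " +
  "PRE LOC GOV OTC TST").split(" "));
// Purpose and recipient tokens that may carry an a/i/o consent suffix.
const SUFFIXABLE = new Set(("ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP " +
  "DEL SAM UNR PUB OTR").split(" "));

function isDefinedToken(tok) {
  if (PLAIN.has(tok) || SUFFIXABLE.has(tok)) return true;
  return tok.length === 4 && "aio".includes(tok[3]) &&
    SUFFIXABLE.has(tok.slice(0, 3));
}

// Classify one P3P header value by how much of its CP is defined vocabulary.
function auditP3P(headerValue) {
  const m = /(?:^|[,\s])CP\s*=\s*"([^"]*)"/i.exec(headerValue);
  if (!m) return { verdict: "no-compact-policy", defined: [], unknown: [] };
  const tokens = m[1].split(/\s+/).filter(Boolean);
  const defined = tokens.filter(isDefinedToken);
  const unknown = tokens.filter((t) => !isDefinedToken(t));
  let verdict = "well-formed";
  if (defined.length === 0) verdict = "undefined-policy";
  else if (unknown.length > 0) verdict = "mixed";
  return { verdict, defined, unknown };
}

// Constructed sample: (origin, P3P header value) pairs as a proxy might log them.
const SAMPLE = [
  ["ads.example", 'CP="NOI DSP COR ADMa OUR NOR UNI"'],
  ["widgets.example", 'CP="This is not a P3P policy"'],
  ["cdn.example", 'policyref="/w3c/p3p.xml", CP="NOI see-our-site"'],
  ["static.example", 'policyref="/w3c/p3p.xml"'],
];

// Origins whose header declares a CP that a token-based filter cannot evaluate.
function needsReview(rows) {
  return rows
    .map(([origin, value]) => ({ origin, ...auditP3P(value) }))
    .filter((r) => r.verdict === "undefined-policy" || r.verdict === "mixed");
}

for (const r of needsReview(SAMPLE)) {
  console.log(`${r.origin}: ${r.verdict} (unrecognised: ${r.unknown.join(" ")})`);
}
```

A policy made up entirely of undefined words is the case the excerpt describes: a cookie filter that only looks for known tokens finds nothing to object to, so such headers deserve manual review.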

v ...
by Hiev on Fri 17th Feb 2012 20:52 UTC
RE: ...
by umccullough on Fri 17th Feb 2012 21:55 UTC in reply to "..."
umccullough Member since:
2006-01-26

The article is not mentioning Facebook, why are you including it?


But it does... why are you insisting it doesn't?

Reply Score: 3

RE[2]: ...
by Hiev on Fri 17th Feb 2012 23:55 UTC in reply to "RE: ..."
Hiev Member since:
2005-09-27

So true, my bad, I confused the article.

Reply Score: 2

Clearing cookies
by ozonehole on Sat 18th Feb 2012 00:36 UTC
ozonehole
Member since:
2006-01-07

I don't know anything about Safari, I use Linux, but on both Google Chrome and Mozilla Firefox you can set it up so that all cookies are cleared when you exit the browser. You can also block all cookies all the time, but that probably isn't a good idea since a lot of web sites will simply not work at all if you do that.

How to:

Chrome: click on the little "wrench" (upper right corner), Preferences, Under the Hood, Content Settings, Cookies, Clear cookies and other site and plug-in data when I close my browser

Firefox: Edit, Preferences, Privacy, History, Use custom settings for history, Clear history when Firefox closes

If that's not sufficiently private enough, then Google Chrome lets you browse in "incognito mode." That's just a little inconvenient but if you're a privacy buff, it may be worth it. The details on how to do that:

http://support.google.com/chrome/bin/answer.py?hl=en&answer=95464

------------------------

Clearing cookies only protects you from such things as targeted advertising. You should realize that even if you turn off cookies, that doesn't stop governments from snooping on you. Absolutely everything you do online can be recorded by your ISP. Many governments require ISPs to keep such records of your online doings and turn that info over to the spooks. The USA is probably the worst offender with the Patriot Act.

Edited 2012-02-18 00:50 UTC

Reply Score: 3

RE: Clearing cookies
by Wannes on Sun 19th Feb 2012 08:29 UTC in reply to "Clearing cookies"
Wannes Member since:
2012-02-19

Samy Kamkar made a website where you can see the evercookie in action:
http://samy.pl/evercookie

Reply Score: 3

RE[2]: Clearing cookies
by Lennie on Sun 19th Feb 2012 11:43 UTC in reply to "RE: Clearing cookies"
Lennie Member since:
2007-09-22

Samy showed us there is no technical way to prevent every/the average user from being tracked.

Reply Score: 2

How do third party cookies in Firefox work?
by timalot on Sat 18th Feb 2012 02:43 UTC
timalot
Member since:
2006-07-17

In Firefox, under preferences->privacy->use custom settings for history->accept third party cookies, is on by default.

I read a bug report somewhere that un-ticking this doesn't actually stop third party sites from setting cookies anyway. But it's interesting that in this case it seems Firefox is less privacy concerned than other browsers.

Reply Score: 2

Lennie Member since:
2007-09-22

As far as I know they have it enabled because otherwise it would break certain sites.

But this may be based on old information from years ago when third party cookies were enabled in every browser.

Edited 2012-02-19 11:46 UTC

Reply Score: 2

Comment by marcp
by marcp on Sat 18th Feb 2012 08:06 UTC
marcp
Member since:
2007-11-23

I don't trust them and that's why I block them with every tool I can. I carve "like" buttons from webpages, stop scripts, whole domains, I clean caches, etc.
I don't simply settle down on trusting "don't trace me" flag in browsers.
The bad advertisers will always try to spy on us in unethical way, that's why we should take every possible step to stop it.

I'd even suggest a fightback action where users would spy on corporate advertisers publishing their sensitive data, infos, etc.
LET THEM FEEL THE PAIN THEY'RE MAKING TO OTHERS.

Reply Score: 3

Privacy or total control?
by cmost on Sun 19th Feb 2012 18:49 UTC
cmost
Member since:
2006-07-16

The more I keep reading about Apple's death grip on its hardware, from its iPods and iPhones to its Mac desktops long after they're sold, I can't help but wonder why anyone would own one? And I use the term "own" very loosely as it's obvious who really owns an Apple product. Apple! Moreover, Apple's aggressive assaults on Google, Samsung and other companies who attempt to bring an Apple-esque user experience to competing devices is yet another example of Apple's intentions to keep a tight control over what it considers to be computing nirvana to the exclusion of anyone else getting in the game. Personally I think it's a little scary.

Reply Score: 0

RE: Privacy or total control?
by darknexus on Sun 19th Feb 2012 21:25 UTC in reply to "Privacy or total control?"
darknexus Member since:
2008-07-15

While I agree with you, exactly what has this to do with the particular article under discussion?

Reply Score: 3