According to Microsoft, Google is circumventing the P3P third-party cookie standard. P3P is kind of an odd standard (complex, not user-friendly, and it requires some serious computer knowledge to know what the heck it actually does and means), but hey, what the heck. Of course, Microsoft rides on the coattails of what happened over the weekend, and it’s clear PR because not only has this been known for years, Google is – again – not the only one doing this; Facebook, for instance, does the same thing (and heck, Microsoft’s own sites were found guilty). Still, this is not acceptable, and even if it takes Microsoft PR to get there, let’s hope this forces Google and Facebook to better their ways.
Google, Facebook circumvent P3P standard
About The Author
Follow me on Twitter @thomholwerda
2012-02-21 7:42 am cyrilleberger
According to Google (see http://arstechnica.com/tech-policy/news/2012/02/google-tricks-inter…) it is the only way to implement the “+1” button. If they are right, it is unlikely they will change their practice… until a better solution is found to that problem.
2012-02-21 8:31 am arpan
ummm… if they were using it only for the +1 button and not for tracking, could they not have used the P3P standard to specify that, and then IE would have accepted that and allowed them to set a cookie?
Not sure if it is possible, but it seems like it ought to be.
2012-02-21 10:59 am ichi
According to Facebook’s statement about P3P they apparently don’t even bother with it because they consider it obsolete and not worth caring about. I guess Google are in the same boat.
Going by the posts in the TRUSTe blog, webs that implement some kind of P3P do so for the same reasons they had to add specific js conditions back in the day: so IE doesn’t break on their site.
2012-02-21 6:12 pm Bill Shooter of Bul
I did have to do something similar with P3P years ago to get IE to work. Don’t remember what it was specifically (something with cookies to keep a user logged in when moving between two obviously closely related virtual hosts on the same box), but I wasn’t doing anything to violate anyone’s privacy. The site didn’t track anyone doing anything.
“[…] and even if it takes Microsoft PR to get there, let’s hope this forces Google and Facebook to better their ways.”
Well, I got a different idea, which I gladly introduce myself into the places I have control of:
“let’s not trust them a bit. Let’s block the shit out of them, block their nosy asses and don’t let them track us online. We ought not trust only one technology, like “do-not-track-me”. We should introduce many technologies, spoofing techniques to make their job effortless”.
“What about their services?” – you would probably ask. It may be free because you don’t pay them a dime, but it’s not free as long as you pay them with your soul [your data, privacy, to be precise].
There is a plethora of other services, but – apparently – people like to let others lock down their butts.
Open your mind and start to act proactively.
Freedom is not something to be granted. You need to fight for it.
It only goes to show that given enough time Google will eventually turn into another big corporation shareholder driven like Microsoft and many other big companies.
The “don’t be evil” only works as a kind of good PR, but this will eventually go away.
Apparently Google’s P3P policy should have been ignored by IE, and the cookie treated as if there was no P3P policy at all:
P3P user agents MUST NOT rely on P3P compact policies that do not comply with the P3P 1.0 or P3P 1.1 specifications or are obviously erroneous. Such compact policies SHOULD be deemed invalid and the corresponding cookies should be treated as if they had no compact policies. The following guidelines are designed to reduce the chance that a P3P user agent will accept an invalid compact policy.
So while it’s obvious that the single reason Google and Facebook set an incomplete P3P policy is to get their services working on IE, their P3P policy (or rather their lack of P3P policy) is actually compliant with the W3C specification as (were it not for MS deciding not to follow W3C suggestions) the expected behaviour would have been the policy being ignored and the cookie not being installed.
I don’t think MS can even claim that they didn’t expect such workarounds when their own partners are using them for the same exact purpose.
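An added example, not part of the comment above and not any browser's code: a minimal Python check of the rule quoted from the W3C text, comparing a fail-closed reading of a compact policy with a fail-open one. The header strings, the `REFUSED` preference set and the function names are constructed for illustration, and the only validity rule applied is "every token belongs to the P3P compact vocabulary", which is a simplification of the spec's guidelines.

```python
import re

# P3P 1.0 compact-policy vocabulary. Purpose and recipient tokens may carry a
# consent suffix: a (always), i (opt-in), o (opt-out). The spec grammar gives
# CUR and OUR no suffix; this check is lenient on that point.
SUFFIXABLE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON",
              "HIS", "TEL", "OTP",                            # purpose
              "OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}       # recipient
FIXED = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON",            # access
         "DSP", "COR", "MON", "LAW", "NID", "TST",            # disputes, remedies, misc
         "NOR", "STP", "LEG", "BUS", "IND",                   # retention
         "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
         "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}  # categories
# Hypothetical user preference: recipient tokens this user refuses.
REFUSED = {"UNR", "PUB", "OTR"}

# Constructed sample header values (not captured from any site).
WELL_FORMED = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR ADMa DEVa OUR NOR NAV"'
FREE_TEXT = 'CP="This is not a P3P policy"'


def tokens_of(header):
    """Return the CP token list from a P3P header value, or None if no CP."""
    m = re.search(r'\bCP\s*=\s*"([^"]*)"', header or "", re.IGNORECASE)
    return m.group(1).split() if m else None


def known(tok):
    if tok in FIXED or tok in SUFFIXABLE:
        return True
    return len(tok) == 4 and tok[3] in "aio" and tok[:3] in SUFFIXABLE


def strict(header):
    """Fail closed: any unknown token voids the policy, as if none was sent."""
    toks = tokens_of(header)
    if not toks or any(not known(t) for t in toks):
        return "no-policy"
    return "refuse" if any(t[:3] in REFUSED for t in toks) else "accept"


def lenient(header):
    """Fail open: unknown tokens are skipped, so free text is never refused."""
    toks = tokens_of(header)
    if toks is None:
        return "no-policy"
    return "refuse" if any(known(t) and t[:3] in REFUSED for t in toks) else "accept"


if __name__ == "__main__":
    for h in (WELL_FORMED, FREE_TEXT, None):
        print(repr(h), "strict:", strict(h), "lenient:", lenient(h))
```

The two readers differ only on `FREE_TEXT`: the strict one falls back to whatever the user agent does for a cookie with no policy, while the lenient one finds nothing to object to.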
Translation of the IE VP’s blog posting: Hey, look at big bad evil Google… (That should keep them distracted long enough for us to fix this security hole in our product that we allowed to happen by trusting a third party to circumvent the end-user’s privacy settings on a good faith basis!)
No, I’m not excusing Google, Facebook or any other entity for exploiting this hole, just pointing out what I really read when I saw this latest stunt by Google popping up in the internet news today.
A company that relies on tracking habits to target advertising to users, trying to avoid tracking protection? Well I never!
They are all just as bad as one another these days, I’m sure people would be more outraged if they even knew what this actually meant.
Look! A kitty picture!