
Google Defends Itself After Microsoft Plays 'Me Too!' on Privacy Controls

Google has had a rough week so far, and it’s only Wednesday. The problems started last Friday, when the Wall Street Journal reported on the findings of Stanford researcher Jonathan Mayer, who discovered the search giant was circumventing Apple’s privacy settings in Safari. Days later, Microsoft accused Google of circumventing the protections in its own browser, but is Redmond crying wolf?

The long and short of the original story is that Google used code in its advertising platforms that allowed Google to track users, regardless of the privacy setting configuration within Apple’s Safari on the Mac or iPhone. According to his research, Mayer discovered Google tracking code on a computer with privacy restrictions in place after visiting 22 of the top 100 websites, and the code was discovered on an iPhone after visiting 23 websites from the same group.

“The technique reaches far beyond those websites, however, because once the coding was activated, it could enable Google tracking across the vast majority of websites. Three other online-ad companies were found using similar techniques: Vibrant Media Inc., WPP PLC's Media Innovation Group LLC, and Gannett Co.'s PointRoll Inc,” the Journal reported.

Reacting to the Journal’s notification, Google said the paper had mischaracterized the Stanford findings, both as to what happened and why.

“We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information.”

For its part, Apple said it is working on a solution that would prevent the noted security bypass. However, they did not say when such a fix would be made available. For the curious, the Stanford research is here.

On Tuesday Microsoft entered the Safari news cycle and accused Google of circumventing Internet Explorer’s privacy settings as well. Dean Hachamovitch, Microsoft’s VP of Internet Explorer, said that the mechanism used is different, but the results are the same, as they bypass the P3P feature in IE.

“By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent," he said.

The catch, as pointed out by Google and other privacy experts, is that everyone bypasses the P3P policy. Google does it, but other noted portals – Facebook for example – have been bypassing P3P for years.

Google noted that Microsoft omitted that other Web giants also ignore P3P, and that it is “impractical” for many portals to implement the policy while offering modern Web functionality.

“Today the Microsoft policy is widely non-operational,” Google said in a statement.

Carnegie Mellon University published a study in 2012 that counted the sites not implementing P3P correctly. Among the sites examined, the researchers found that “11,176 of them, including 134 TRUSTe-certified websites and 21 of the top 100 most-visited sites” were either ignoring the policy or implementing it improperly.

“Our work identifies potentially misleading practices by web administrators, as well as common accidental mistakes. We found thousands of sites using identical invalid CPs that had been recommended as workarounds for IE cookie blocking. Other sites had CPs with typos in their tokens, or other errors. 98% of invalid CPs resulted in cookies remaining unblocked by IE under its default cookie settings.”
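As an added example (not code from the article, the CMU study, or any of the companies named), here is a Python check a site operator can run over their own P3P response headers to catch the kinds of invalid compact policies the CMU study describes: typo’d tokens and free text in place of a policy. It validates tokens against the P3P 1.0 compact-policy vocabulary, which is assumed from the specification, and does not reproduce Internet Explorer’s cookie-acceptance rules; the header values below are constructed.

```python
import re

# P3P 1.0 compact-policy tokens (assumed from the P3P 1.0 spec); the value
# says whether an a/i/o suffix (always/opt-in/opt-out) is permitted.
_CP_TOKENS = {
    "NOI": False, "ALL": False, "CAO": False, "IDC": False, "OTI": False,  # ACCESS
    "NON": False, "DSP": False, "COR": False, "MON": False, "LAW": False,  # DISPUTES, REMEDIES
    "NID": False, "CUR": False, "ADM": True, "DEV": True, "TAI": True,     # NON-IDENT., PURPOSE
    "PSA": True, "PSD": True, "IVA": True, "IVD": True, "CON": True,
    "HIS": True, "TEL": True, "OTP": True, "OUR": False, "DEL": True,      # RECIPIENT
    "SAM": True, "UNR": True, "PUB": True, "OTR": True, "NOR": False,      # RETENTION
    "STP": False, "LEG": False, "BUS": False, "IND": False, "PHY": False,  # CATEGORIES
    "ONL": False, "UNI": False, "PUR": False, "FIN": False, "COM": False,
    "NAV": False, "INT": False, "DEM": False, "CNT": False, "STA": False,
    "POL": False, "HEA": False, "PRE": False, "LOC": False, "GOV": False,
    "OTC": False, "TST": False,                                            # TEST
}

def extract_cp(header_value):
    """Return the quoted CP string from a P3P header value, or None if there is none."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value, re.IGNORECASE)
    return m.group(1) if m else None

def token_is_valid(token):
    """True if token is a known 3-letter CP token carrying only a permitted suffix."""
    base, suffix = token[:3].upper(), token[3:].lower()
    if base not in _CP_TOKENS:
        return False
    return suffix == "" or (_CP_TOKENS[base] and suffix in ("a", "i", "o"))

def audit_p3p_header(header_value):
    """Return (cp_string, invalid_tokens); (None, None) when the header carries no CP."""
    cp = extract_cp(header_value)
    if cp is None:
        return None, None
    return cp, [t for t in cp.split() if not token_is_valid(t)]

# Constructed sample header values (not captured from any real site).
SAMPLE_HEADERS = {
    "well_formed": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADMa DEVa PSAo OUR IND NAV COM"',
    "typo":        'CP="NOI DSP COR NID CURa ADMa DEVa PSAx OUR BUS"',
    "free_text":   'CP="This is not a P3P policy"',
    "no_cp":       'policyref="/w3c/p3p.xml"',
}

def audit_all(headers=SAMPLE_HEADERS):
    """Map each header name to its list of invalid tokens (None when no CP is present)."""
    return {name: audit_p3p_header(value)[1] for name, value in headers.items()}
```

A non-empty list for a header you serve means IE is evaluating a policy you never wrote; an empty list only says the tokens are well-formed, not that the stated policy matches what the cookie actually does.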

Google is the most recognized brand among the list of sites, so it will naturally get pushed to the center stage, but they’re far from alone in the practice. As for Microsoft’s claim and Google’s response to it, CMU’s Lorrie Faith Cranor, who wrote the book on P3P, says it best.

“...I will be the first to admit that P3P is on life support at best right now. But despite that, Microsoft is still using it as part of their default cookie settings that the vast majority of IE users depend on. So, if you don't like P3P, how about asking Microsoft to take P3P out of their browser? Or how about going back to the W3C (the organization that standardized P3P) and asking them to declare it dead? I suspect nobody wants to do that because it might call into question the effectiveness of industry self regulation on privacy.”

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.