Microsoft Says Google Secretly Planted Cookies In Internet Explorer Too

Fresh off the report that Google was bypassing the privacy settings of Safari users by installing cookies that could track browsing habits, Microsoft has discovered that Google has been doing the same thing on Internet Explorer. This is not good.

According to Microsoft VP Dean Hachamovitch, after the Safari Google cookies snafu hit, the Internet Explorer team discovered that Google was "employing similar methods to get around the default privacy protections in IE and track IE users with cookies" too. Microsoft has found that Google bypasses the P3P Privacy Protection feature in IE to track users. Google is breaking the rules, specifically:

Google utilises a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google's use of cookies and user information. Google's P3P policy is actually a statement that it is not a P3P policy. It's intended for humans to read even though P3P policies are designed for browsers to "read".

Basically, Google wrongfully bypasses the protection and enables its cookies to be allowed rather than blocked, which lets Google track the browsing habits of Internet Explorer users. In the meantime, Microsoft has made a Tracking Protection List to protect IE9 users from Google. The list can be found here. [IE Blog]


Comments

    Mountain from a molehill.

      I don't think the first two posters have quite grasped the severity of the situation; this is a massive breach of privacy and of trust.

      It would be like a random German guy putting a camera in your room and watching you sleep, and not having any connection to you whatsoever.

        Not the best analogy. It would be closer to credit card companies tracking what you purchase and perhaps on-selling that information.

        Oh, wait. They do that already...

        Wow, way to exaggerate it to ridiculous proportions, are you sure you're not one of the journalists on this site?

        1. Google have now disabled the "problem" code
        2. They have already said it was just cookies ie DIDN'T COLLECT PERSONAL INFORMATION
        3. It's designed to show whether someone using other browsers is signed into Google's services (ie their google account), you are giving no more information to them than you would have by using your Google account in Chrome.

        This is clearly a case where they've shortcutted their code to be able to track Google ecosystem use in other browsers, quit blowing it out of proportion.

        How often do you clean your cookies?

        If you use the default browser, you deserve to have your privacy breached.

          Cookies ARE private information. They disclose what sites you've visited.

          It's outrageous that Google should deliberately bypass user privacy settings in this way.

          Frankly, for me at least, Google just jumped the shark on Don't Be Evil.

            It now emerges that Facebook has done exactly the same thing (a Microsoft Partner no less) using the exact same "exploit", furthermore this "exploit" was marked for Microsoft Attention back in 2010.

            Quit bitching at Google, there was a way to do what they needed to do and they did it, same as Facebook and no doubt a lot more. If anyone's to blame it's Microsoft for not patching their browser, it's worth pointing out this weakness was patched in the WebKit code by Google so Apple's Safari fix as implemented by Google.

    WHAT!?!?

    Google didn't spend the time/money to properly optimise how their services work with browsers that they don't own? MADNESS!

    I think everybody should take a moment to go and read the comments on the original article.

    "Apple enthusiasts have vested interest in taking Google down"
    "Sad, How these types of articles get republished just to protect Apple."
    "it’s apples fault"

    It seems to me that Google was clearly doing something wrong, even if the intent wasn't malicious.

    Would that bypassing of the IE security settings be a fault and will require a security patch from Microsoft to stop Google and other companies from doing this or using the bypass?

    Ok reading the IE9 blog post and the Google policy it mentions inside the P3P header here: http://support.google.com/accounts/bin/answer.py?hl=en&answer=151657 , it sounds like P3P is a flawed system as any site can just say "hey, I won't do anything bad with this data, I promise!", and the browser just accepts that without any verification.

    A lot of Google's services couldn't function the way they currently do without those cookies, and as it's not really even a security system acting like it is is a problem.

    The only solution to tracking cookies is to develop a system that doesn't need them. I'd go for something similar to Facebook's application API where each app has to specifically request what data it wants access to, then the user needs to allow that before the data can have it.
    That way you could, for example, say 'disallow cookies from containing my URL' or 'make this cookie expire after 5 minutes'.

    P3P is totally broken anyway - it's a logical equivalent to the evil bit.

      But still, BOTH the people that still use IE while having a Google account are SUPER cheesed off right now.

        You don't have to be using either IE (Firefox does or at least did support it and other browsers probably do too - not because it's useful, but because it's another "standards compliant" checkbox people seem so keen on benchmarking) or any Google sites let alone an account (it's their ads, not Google sites) for this to "matter".

    Microsoft has been fully aware of this problem for years. A report published in 2010 detailed how P3P privacy policies were being misrepresented in this exact way.

    It's now 2012 and until the highlighting of Google doing this, Microsoft cared little enough to do anything about it. Why did they do nothing about it? Listing a few sites that were doing the same thing will give you a good idea:

    Windows.com
    Live.com
    MSN.com

    This seems like an ugly smear campaign more than anything else.

    You can read the report yourself here: http://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab10014.pdf

      So, Microsoft *allowed* Google to do the wrong thing, and did the wrong thing itself, and only now exposed that Google was doing the wrong thing.

      Two wrongs do not make a right. Smear campaign or not, their actions are still an outrageous circumvention of a user's specific privacy settings.

    I can't wait till the day Google dies.
