From the IE Team: Google Bypassing User Privacy Settings (msdn.com)
313 points by ecaron on Feb 20, 2012 | 174 comments



Google really should have the cojones to stand up and state their actual position plainly, which as far as I can tell is this:

"If you haven't taken an active, positive step to block our +1 buttons, we're going to assume you don't really care and we'll do whatever we can to show them to you, no matter what your browser's default settings are. Why? Well, because we think the default settings are bullshit, and 99 times out of 100 they're only that way because they're the default. They don't reflect actual user preferences, they reflect other browsers messing with our business plans."

Not only is that an intellectually honest position, it's a lot more accurate than assuming all IE users who haven't changed their settings don't want +1 buttons.


And you know for a fact that it's set to that because it's the default and that I haven't reviewed it and decided that I'm ok with how it's set out of the box do you?

I review pretty much every browser setting but change only about 5%. You have no way of telling how the setting ended up with its current value and without that that position is bullshit.


First, don't confuse me with Google. I'm talking about the argument Google's implicitly making here through their actions, which I wish they'd just say out loud so we could have a real and proper discussion about these issues.

Of course Google doesn't know your preferences for a fact. Of course Google has no way of knowing. But based on their behavior, it seems they just don't care.

An intellectually honest Google would argue 'Look, the default behavior of your browser is badly broken, because they've made it impossible to distinguish between the small number of people who care about this third-party cookie stuff and the rest of the world, who doesn't care an iota. You care about it? So sorry, take it up with your browser manufacturer and their goofy choice of defaults.'

They don't have the guts to make this argument with words, of course, but this is exactly the argument they're making with their actions.


To which I'd reply that my browser maker made at worst an honest mistake implementing a bad standard.

Google on the other hand cynically exploited it knowing full well what the intention was and not giving a shit.

I know which one I'm taking it up with and which one I'm not using any more.

But there is no honest debate to be had on this as if they openly stated their model was "fuck your privacy" they'd have a far smaller business as that would simply be unacceptable for most people. A position like that can only work if it's not public (ironically).


> they've made it impossible to distinguish between the small number of people who care about this third-party cookie stuff and the rest of the world

DNT tells a server that a user cares about not being tracked. Google doesn't support it.


then how would you actually block third-party cookies as a Safari user?


According to the sentiment here, that's your problem, not Google's!


so safari needs to add a fourth option: really block all third-party cookies, and not make it default


And once Google and Facebook find a workaround for that setting, they can add a fifth option: really really block all third-party cookies.

Seriously, the answer here is that if a browser wants to block third-party cookies by default, it should go all the way and do so, no exceptions. If social networks want to plaster the entire web with their buttons they can try asking browser users to change the setting back.


Do we need another setting for "no, really make my default font Arial"?

A setting is a setting.


The need to justify it like that just screams how wrong it is. They want to exploit users and will do anything to achieve that. The default settings hindered them so they worked around it. Privacy shouldn't be "opt-in". Your statement sounds like a thief justifying his crime by claiming that since Mrs Smith didn't install a $20,000 security system in her house she really didn't care enough about her property and that makes his "business model" of burglary okay.


This seems to be a problem with the design of P3P more than anything.

Browsers: "3rd-party cookies are blocked unless you add a P3P header..."

Websites: "Ok. What should be in the header?"

Browsers: "Anything... it doesn't matter. Just add the header then 3rd-party cookies are fine"

Websites: "Ok, we'll just add a P3P header saying 'Ceci n'est pas une P3P header' then. Problem solved."


If you read more closely, it's not enough to _have_ a header; the header must also indicate that cookies are not used for tracking.

The problem is, that indication is made with _lack_ of a particular token; and Google includes a fake P3P header with no tokens in it. Thus, according to the protocol, Google's header indicates that it does not use cookies for anything at all.


It's just plain wrong. The cookies can be used for tracking. You just need to tell what kind of tracking and what you do with that information. http://news.ycombinator.com/item?id=3615381


This is not a reply to your comment! See http://pastebin.com/raw.php?i=qV5bkCjG for more info.


clever :)

Btw, I'm not defending Google, they're clearly not acting perfectly here. I'm simply pointing out that this is a clear case of, "what did you expect to happen?" Any spec that still sets a cookie that is declared as not being used for any purpose seems deeply flawed.

I also found it interesting that Microsoft called out Google and not Facebook, which gives the article a political overtone.


Hindsight is always 20/20 and norms change quickly on the internet; we could say equally critical things about Telnet and FTP.

I agree that P3P clearly needs some rethinking to stay relevant. Especially now that the cat's out of the bag on how to bypass it. (Microsoft's immediate response is to set up yet another blacklist system... some cultures just never change.)

For everyone's entertainment, the OP's comments linked to an amusing satire of P3P called P5P, or the "Pretty Please Platform for Participating Publishers." This is possibly the best collection of protocol tokens I have seen since RFC 2324.

http://pastebin.com/ijjRKvUB


It is interesting that your response to Google seemingly doing something that is, at the least, disingenuous is to criticize Microsoft. Also re: culture - where do you think Google got all those engineers from? A significant number are ex-MSFT. There is a reason GOOG built a campus in Bellevue.


I think he is criticizing Microsoft for pointing their fingers to their arch-enemy while failing to mention their partner.


A blacklist seems like a pretty effective strategy and allows them to deal with offenders simply. I'd imagine you're not advocating for them to add proprietary extensions to P3P. What would you suggest they do otherwise, out of curiosity?


The problem is, blacklists need to be maintained, create a single point of failure (in terms of both access and trust), and rapidly grow out of control. See virus scanners, spam filtering, CRL checking for SSL, MSIE Phishing Filter, etc. all of which work either sporadically or at the unrelenting expense and pain of some central party.

I think MS probably needs to acknowledge that P3P is broken, and change the default so it doesn't affect third party cookie acceptance. Administrators for Windows environments that think otherwise can override the default by deploying a group policy.


I would expect shady sites from the dark parts of the internet to actively lie but Google?

What do you think about robots.txt then? Isn't that a standard that isn't enforced as well?


I would expect every site to be extremely liberal with what they request, since, in this case, there is little to no indication to the user as to what's being sent to whom. Developers are going to add the header to get the data because that's what's necessary to get their stuff working.

Ultimately, P3P comes down to the honor system. Unfortunately, that doesn't work on the internet.


I fail to see why Google is being compared to every other site on the internet.

You would not be surprised if a warez program installed a keylogger on your computer, but you hold Google Chrome to a higher standard. Isn't that true for the internet too? Why equate Google to any other site on the internet?

>Ultimately, P3P comes down to the honor system. Unfortunately, that doesn't work on the internet.

Would you say the same thing if you came to know that Google employees are reading your email for fun and profit?


> This seems to be a problem with the design of P3P more than anything.

Granted, the standard is written to be abused. On the other hand, Google's behavior is basically "well if you don't say no it's not rape. What, you were bound and gagged at the time? Well nothing I can do about that".


Please don't use a violent real world crime as an analogy to things like setting cookies.


P3P is a load of garbage as it is implemented/written.

There is no real enforcement behind it and it just causes lots of confusion. Seriously I have to go look up what each of these acronyms are in order to figure out how my privacy is being violated? What guarantees do I even have that you are obeying P3P and not simply sending it to make me feel good.

Hell while we are at it we should implement P3P for phone apps. I'm sure Path (and others) will stop uploading your address book if the P3P says "ADDRBKNOUP"


>Seriously I have to go lookup what each of these acronyms are in order to figure out how my privacy is being violated?

No, you don't. This is mentioned in the article.


I came to the comments to say pretty much the same thing. While it's a good idea in theory, P3P is a terrible standard. It's hard to implement because there are so many acronyms and no easy reference for them.

As mentioned in the article, IE has had the basic implementation of blocking 3rd party cookies if you don't use P3P for a while. I've always wanted to use honest P3P headers but it's such a PITA to generate them correctly site-by-site. Many frameworks include a generic P3P header by default with little or no mention in documentation so that's what I end up using.

I spent many hours reading specs, tutorials, and trying out P3P generators to no avail. Finally I decided it's not worth my time and just used default framework P3P headers.


> There is no real enforcement behind it

You could say the same thing about robots.txt.


...and you would be correct.


"What guarantees do I even have that you are obeying P3P and not simply sending it to make me feel good."

This sounds like the perfect job for a legion of lawyers.


http://support.google.com/accounts/bin/answer.py?hl=en&a...

In some situations, the cookies we use to secure and authenticate your Google Account and store your preferences may be served from a different domain than the website you're visiting. This may happen, for example, if you visit websites with Google +1 buttons, or if you sign into a Google gadget on iGoogle.

Some browsers require third party cookies to use the P3P protocol to state their privacy practices. However, the P3P protocol was not designed with situations like these in mind. As a result, we've inserted a link into our cookies that directs users to a page where they can learn more about the privacy practices associated with these cookies.

Information that Google collects in association with these cookies is subject to our Privacy Policy.

Doesn't seem nefarious.


The dishonesty of this statement is stunning. IE is designed to only accept the cookie if Google promises not to use it for tracking. Google wants to use the cookie for tracking so they provide a dishonest promise and then explain they're lying because IE didn't have them in mind -- when this is exactly what IE had in mind.


99% of people leave their settings at the default and don't give a damn and just want it to work. When it doesn't work it's broken. Period, end of story. They will say: "Shut up with your geeky explanation" when you explain to them your options. There may be a really long complicated answer as to why it doesn't work but 99% of users don't give a crap. If you are a smart guy you can just use ad block. There, done.

Microsoft is very well aware of the fact that users never change the default settings and IMHO would love to use this to break Google by default and destroy their business model. This fits in well with the usual MS tactics of spreading paranoia, incompatibility, legal threats, obfuscation and confusion.

IMHO, Microsoft would love to exploit privacy fears to remove features from the web and break it so everyone just goes back to the desktop. In my opinion, if they could get away with breaking an ajax call, because hey they might be tracking you, they would in order to kill usability of web software in favor of the desktop software model. They will try anything they possibly can to win.

Did you ever see the list of IE6 features that got canned (e.g "Smart Tags") because of the antitrust investigation? It makes me shudder what the web would be like with these jerks in control.


According to the article, Google has done it in a way that indicates (according to the P3P protocol) "that the cookie will not be used for any tracking purpose or any purpose at all."

Basically they are abusing the standard to force P3P browsers to override the user's choice to block 3rd party cookies, by telling the browser that the cookie isn't intended for tracking, but Google is using it to track users.

That's kind of appalling privacy-wise.

Maybe it isn't maliciously intended, which is what you mean, but it is an intentional misuse of a browser feature to force user tracking.


Doesn't seem nefarious.

That's why it's a brilliant piece of passive-aggressive engineering!

It undermines both the letter and intent of P3P, while ostensibly informing the user. The exact same string is a lie to the protocol, but the truth when read by a person outside of the protocol-context!

It's kind of like a file that's both a legal and harmless GIF and a malicious executable Java JAR. (Look up [GIFAR vulnerability] for more details.)


So does this mean that things such as "like" and "+1" buttons don't work unless you subvert the P3P protocol?


It means that they don't work unless the user enables tracking by third parties on first party websites.


So if someone goes to Mashable and clicks a "like" button, it won't work unless they specifically allow 3rd party tracking on Mashable? And then again on the WSJ, and again on Youtube? Or is it that they need to allow Facebook tracking once and then it works on all sites that have a "like" button?

If it's the former, then I'd say P3P is horribly broken and bypassing it for "like" buttons would be the only way to make things work.

And even if it's the latter, giving a site carte blanche tracking rights seems too coarse for comfort (unless you could grant permission ONLY for "like" buttons and nothing else).


Someone instructs their browser to not accept third party cookies, full stop. Google then does something, mumbles a bit, and then sets a third party cookie.

How isn't this nefarious?


The nefarious bit is in IE- which, although it pretends to allow you to "instruct the browser not to accept 3rd party cookies, full stop," actually accepts third party cookies from any site with a P3P code it doesn't understand.


>The nefarious bit is in IE- which, although it pretends to allow you to "instruct the browser not to accept 3rd party cookies, full stop," actually accepts third party cookies from any site with a P3P code it doesn't understand.

No, if you select that option, it actually blocks all third party cookies.


No, it actually doesn't (or this discussion wouldn't be happening).


So do you work at Google or are you just a fanboy? IE is not being nefarious in this case. IE is following a standard that Google is actively abusing. Not sure why you have such an infatuation with Google, but I dare say: Everything in moderation.


Could you please avoid personal attacks? They add nothing to your argument while making the discussion less pleasant and civil.

I don't mean to single you out, but I've just been seeing too many of them lately.


It's not as if the users set IE to read P3P headers so technically they didn't override any user settings.

P3P is lacking: http://bits.blogs.nytimes.com/2010/09/17/a-loophole-big-enou...


So P3P is flawed and IE implements a flawed standard. Granted.

Google is still using this flaw to override the user setting "Do not allow 3rd party cookies" to allow themselves to track users.

There is no "technically" about this, they've misused the standard to override user settings.


Not exactly. The user setting is inaccurate, as it actually should have said "Do not allow 3rd party cookies, except for those from sites which have a code that indicates they aren't tracking cookies or a code we don't understand."

Instead it says "Third Party Cookies" with choices of Accept, Block, or Prompt.


>Not exactly. The user setting is inaccurate, as it actually should have said "Do not allow 3rd party cookies, except for those from sites which have a code that indicates they aren't tracking cookies or a code we don't understand."

That's exactly what they do.

>Instead it says "Third Party Cookies" with choices of Accept, Block, or Prompt.

No, it doesn't.

You sound as if you have researched it, but you seem to be trying to mislead folks by spreading nonsense.


Hmm....you act as if you have looked at it, but you haven't. You simply lie.


Is that really so hard to understand?

Google is intentionally using the loophole. They are intentionally circumventing users’ wishes. That’s nefarious. It’s first and foremost a moral failing. That’s exactly the problem. Just because it’s possible doesn’t mean it’s right.

That the loophole exists is a separate issue that also has to be remedied – but it doesn’t make Google’s behavior any less evil.


If by "mumbles a bit" you mean not supporting an unsupported and defunct proposed "standard" that doesn't work in practice and is only implemented in IE, then yeah.


It's a W3C recommendation. Scare quotes around the word standard are unnecessary, since a vast number of current web standards came out of W3C processes.

Or is it not 'standards-compliant' when WebKit implements features that only WebKit has, even if they're from W3C standards?


It's not really much of a standard if no one references it in the real world.

And the W3C standards are most successful when they document how technology is already being used in the wild. Proscriptive web standards handed down from on high have historically not fared well. Plenty of W3C standards are duds.


Why does everyone always assume quotes are used as scare quotes? I quoted "standard" because it's not a standard. If the standards body no longer exists and no one follows the standard, it's not a standard.


That's the definition of scare quotes.

"Scare quotes are quotation marks placed around a word or phrase to indicate that it does not signify its literal or conventional meaning."

"If scare quotes are enclosing a word or phrase that does not represent a quotation from another source they may simply serve to alert the reader that the word or phrase is used in an unusual, special, or non-standard way or should be understood to include caveats to the conventional meaning."

http://en.wikipedia.org/wiki/Scare_quotes


I would have thought the "proposed" and "defunct" clauses would indicate that "standard" was in name only. The term "scare quotes" indicates to the reader that the writer is intending to mislead or persuade. I don't agree that my usage constitutes what is generally accepted as scare quotes, but even if you disagree, the point still stands. IE is stomping its feet complaining that Google isn't supporting a standard that only IE supports (when even the standards body doesn't support it anymore).

Come up with a better standard, then complain when Google breaks it. Otherwise it's just another example of Google being "evil" (that's scare quotes).


Scare quotes don't have anything to do with your opinion of the author. Scare quotes are quotes that are editorial rather than informational.


http://www.w3.org/P3P/

Particularly

After a successful Last Call, the P3P Working Group decided to publish the P3P 1.1 Specification as a Working Group Note to give P3P 1.1 a provisionally final state. The P3P Specification Working Group took this step as there was insufficient support from current Browser implementers for the implementation of P3P 1.1. The P3P 1.1 Working Group Note contains all changes from the P3P 1.1 Last Call. The Group thinks that P3P 1.1 is now ready for implementation. It is not excluded that W3C will push P3P 1.1 until Recommendation if there is sufficient support for implementation.

This is the last update from the group that was posted in 2006. It's never been pushed by the W3C, and the browser creators never implemented it.


I have absolutely no opinion on the standard, so I'm not sure why you keep telling me extraneous shit. Read what I typed; don't get upset when people accuse you of using scare quotes when you're using scare quotes.

edit: sorry, I was wrestling with a stubborn CPU fan, and you seemed like that CPU fan. Turns out the CPU fan was not stubborn, but well-designed, and I probably wasn't communicating well.


This reply was misposted, it was supposed to be in response to someone else. I've copied and pasted it to the correct person, but cannot delete this one.

I have no idea what your edit means, but I'm going to take it as a compliment and believe we were both mistaken on each other's arguments. Because I like to keep things cool, like a CPU fan.


My edit meant that I was swearing at strangers on the internet about definitions. That's a bit overheated. Now we're both just passively cooling.


>when even the standards body doesn't support it anymore

Don't they? I am curious, do you have a reference for that?


http://www.w3.org/P3P/

Particularly

After a successful Last Call, the P3P Working Group decided to publish the P3P 1.1 Specification as a Working Group Note to give P3P 1.1 a provisionally final state. The P3P Specification Working Group took this step as there was insufficient support from current Browser implementers for the implementation of P3P 1.1. The P3P 1.1 Working Group Note contains all changes from the P3P 1.1 Last Call. The Group thinks that P3P 1.1 is now ready for implementation. It is not excluded that W3C will push P3P 1.1 until Recommendation if there is sufficient support for implementation.

This is the last update from the group that was posted in 2006. It's never been pushed by the W3C, and the browser creators never implemented it.


Interesting, but are they using the cookies for ad tracking too, eg. adding pages with +1 buttons to your ad tracking profile?

> However, the P3P protocol was not designed with situations like these in mind.

In that case, the P3P protocol was EXACTLY designed with this in mind.


It's a little disingenuous for the IE team to "discover" this just now. I'm pretty sure Google has been doing this for years, and it's well-known. (I certainly talked about it as part of a wider discussion about P3P policies with colleagues a year or so ago, and this isn't even my area of expertise.)

I also don't much mind what companies do with tracking cookies --- I recommend using the Vanilla Cookie extension to Chrome to create a whitelist of persistent cookies. It rather nicely avoids the problem.


I've been a Google fanboi for years and defended them in the public square when they've been accused of nefariousness. But these revelations of intentionally ignoring users' privacy settings have shaken me. Maybe it's time to put them into the Facebook category, where I removed my account years ago.


It's not so much that they are intentionally ignoring users' privacy as they are preferring the privacy settings their users have directly given them rather than those set in the browser. I've long been opted out from all of Google's ad tracking, on their site and elsewhere:

http://www.google.com/privacy/ads/ http://www.google.com/ads/preferences

Privacy is something that few of these companies truly respect. Does Google really respect it? Probably not as much as they'd like you to believe, but at least they are willing to discuss it and provide opt out solutions.


And before you know it, you will need to opt out of tracking of GoogleDrone[1]. The whole privacy controversies would go away if tracking is opt-in rather than opt-out.

[1] http://www.ww4report.com/node/10857


I'm not really happy with preferring their opt-out setting when I've already made an opt-out setting in my browser. I don't believe for a moment that Apple or Microsoft care about my privacy any more than Google does, but if I've made a choice and communicated that via browser settings, I expect information providers to respect that choice and not try to exploit the browser in an attempt to bypass my choice.


If you truly care about your privacy rather than simply making a political statement, use something like Ghostery (http://www.ghostery.com/). Even if some of the big companies care enough to respect a request like this, I assure you that the majority of tracking services will not.

If you are making a political statement, then that's fine, I agree that all companies, Google included, should do far better on privacy grounds than they already are.


Why not actually follow the P3P standard and then have a flag in the Ad preferences page to enable 3rd party cookies?

>...as they preferring the privacy settings their users have directly given them rather than those set in the browser.

That's extremely misleading. That's a default as well and not something that the user has "directly given them". I seriously doubt more than 0.1% of Google users have ever visited that page.


Don't just talk about doing it; do it. Use DuckDuckGo.com instead. It was founded by a fellow HNer.


Waiting for the inevitable DuckDuckBro spin-off


Maybe the world is neither black nor white.


Yes, but maybe there are other search engines that work well enough run by companies that aren't engaged in the business of selling out my identity.


I think you'll struggle to find one of those that is around for very long. Duck Duck Go is as close as we've come I'd say.


In fact, I've been using DDG for a week or so now and do like them.


"I've been a Google fanboi for years and defended them in the public square when they've been accused of nefariousness. But these revelations of intentionally ignoring users' privacy settings have shaken me. Maybe it's time to put them into the Facebook category, where I removed my account years ago."

Okay, wait. There's multiple problems here.

The first one is this: that you are only now objecting, and not upset at all about Google handing over dissidents to the Chinese govt to torture and/or kill.

Human fucking life fucking has no fucking value to you? Priorities???

Secondly, they haven't been accused of nefariousness, they have been caught red-handed, bald faced lied about it in public, only back-pedalled when presented with irrefutable evidence, and then convicted in court. Now, you can try to spin that as "accused", but you're going to need to set the spin cycle longer than normal, because that doesn't wash (sic) with the rest of the world.

Lastly, the problem with replacing Google is finding a good replacement. Bing is useless. The only thing close to gmail for free email (and it's barely in the same ballpark) is yahoo.


Please don't make assumptions about what I've said in the past. I've been very vocal about their involvement in China, including emailing them, blogging, and telling everyone I know about it. However, since they changed their handling of China, I thought it wasn't relevant to this particular discussion.

I agree with your intensity, though perhaps not its specific mode of expression.


The first one is this: that you are only now objecting, and not upset at all about Google handing over dissidents to the Chinese govt to torture and/or kill. Human fucking life fucking has no fucking value to you? Priorities???

How is that different from Google/ISPs handing over persons of interest to any other government, including yours? Or you think what is allowed in that case shouldn't be allowed for China's case? Are dissidents of China better than dissidents of any other country, to deserve special treatment?


I saw this header a few days ago in curl, and I wondered why Google would send something like this. Now I know.

    P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
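
The header quoted above, run through a small compact-policy audit (an added example, not part of any comment in this thread and not IE's actual code). It contrasts a lenient evaluator that only looks for flagged tokens with a strict one that also rejects policies with unrecognized or no tokens; the token vocabulary is written out from the P3P 1.0 compact-policy section as an assumption to check against the W3C text, and `FLAGGED_FOR_DEMO` is a constructed stand-in deny list, not any browser's real one.

```python
import re

# P3P 1.0 compact-policy vocabulary (assumption: written from memory of the
# W3C spec; verify before relying on it).
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
MISC = {"DSP", "COR", "MON", "LAW", "NID", "TST"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
           "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
KNOWN = ACCESS | MISC | PURPOSE | RECIPIENT | RETENTION | CATEGORY
# Purpose/recipient tokens other than CUR and OUR may carry an a/i/o suffix.
SUFFIXED = (PURPOSE - {"CUR"}) | (RECIPIENT - {"OUR"})

# Constructed for this demo only: tokens the evaluators treat as unacceptable.
FLAGGED_FOR_DEMO = {"TEL", "CON", "OTP", "UNR", "PUB"}

CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_cp(header_value):
    """Return the tokens inside CP="...", or None if there is no CP attribute."""
    match = CP_RE.search(header_value)
    return match.group(1).split() if match else None


def base_token(token):
    """Return the 3-letter vocabulary token, or None if it is not in the vocabulary."""
    if token in KNOWN:
        return token
    if len(token) == 4 and token[3] in "aio" and token[:3] in SUFFIXED:
        return token[:3]
    return None


def audit(header_value):
    """Classify tokens and give the lenient and strict cookie decisions."""
    tokens = parse_cp(header_value)
    if tokens is None:
        return {"known": [], "unknown": [], "lenient": "block", "strict": "block"}
    known = [t for t in tokens if base_token(t)]
    unknown = [t for t in tokens if not base_token(t)]
    flagged = any(base_token(t) in FLAGGED_FOR_DEMO for t in known)
    # Lenient: unknown tokens are skipped; only a flagged token causes a block.
    lenient = "block" if flagged else "accept"
    # Strict: the policy must parse completely and declare at least one token.
    strict = "accept" if known and not unknown and not flagged else "block"
    return {"known": known, "unknown": unknown,
            "lenient": lenient, "strict": strict}


# Header value as quoted in the comment above.
QUOTED_HEADER = ('CP="This is not a P3P policy! See http://www.google.com/'
                 'support/accounts/bin/answer.py?hl=en&answer=151657 '
                 'for more info."')
# Constructed samples for comparison.
WELL_FORMED = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"'
DECLARES_FLAGGED = 'CP="NOI DSP TELa OUR UNR"'
EMPTY_POLICY = 'CP=""'
NO_CP = 'policyref="/w3c/p3p.xml"'

if __name__ == "__main__":
    for name, value in [("quoted", QUOTED_HEADER), ("well-formed", WELL_FORMED),
                        ("flagged", DECLARES_FLAGGED), ("empty", EMPTY_POLICY),
                        ("no CP", NO_CP)]:
        result = audit(value)
        print(f"{name:12} lenient={result['lenient']:6} "
              f"strict={result['strict']:6} unknown={len(result['unknown'])}")
```

A header whose `unknown` list is non-empty while `known` is empty is the case worth alerting on when reviewing third-party responses: it satisfies a lenient check without declaring anything.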



There's an "IT Security" stackexchange?! WTF?! How many almost identical communities does stackexchange need?


There aren't very many almost identical, but there are a lot of communities that have significant overlap.

  - Superuser
  - Serverfault
  - Database Administrators - 8.9 questions/day
  - IT Security - 6.9 questions/day
  - Healthcare IT - 1.1 questions/day

The stackexchange community is all about forking. Clearly Healthcare IT, IT Security, and Database Administrators could all be tagged questions in serverfault. But apparently serverfault.com/questions/tagged/heathcare didn't sit well with the 298 people who committed to the beta. Separating power-users from IT professionals (superuser vs serverfault) is certainly reasonable even though there is a large overlap of knowledge there.

Of course, without the forks, as an IT person there might be a question if your cryptography related question should go in cryptography.SE or serverfault. With a dedicated site the "correct" location for those questions is easier to determine.

But if we're going to talk about overlapping stackexchanges we have to look at those populated predominantly by programmers, because... well, they are the master forkers.

  - stackoverflow
  - Programmers
  - Code review
  - Theoretical Computer Science
  - Code Golf
  - Signal Processing
  - Computational Science

I left out the language specific ones like Mathematica and TeX. I also omitted Software QA and Cryptography.

Apparently theoretical physicists and applied? physicists are unable to co-exist on one stackexchange.

Anyway, clearly the stackexchange community thinks that forking is the answer. I think tagging is superior and I think fragmenting the community gets fewer able eyes focused on questions. Forking doesn't really hurt google users trying to find answers to questions that have already been answered.

Even while not being a professional developer I would stick Code golf, code review, and Programmers into one stack exchange. I'd also put Signal Processing, Mathematica, TeX, and Computational Science back in Stack Overflow and let the theoretical CS folks stay separate.


One for each question that is moved out of StackOverflow, of course.


Reddit has something similar with these:

http://reddit.com/r/netsec

(Check related subreddits)


And that is a perfectly valid reason for Google to do it as well and bash Facebook while they are at it.


This is like teams of foxes selling chicken coops and accusing the other teams of the improper placement of "No Foxes Allowed" signs. If third party cookies are bad, disallowing them should be the default, regardless of some policy header no user ever heard of or can decipher.

If they really cared, they'd include a way to disallow any third party resource without having to install a plugin like RequestPolicy. That would go a long way towards fighting tracking (and multiple exploits).


It is not in Google's or Microsoft's interest to do that with their browsers. They both have a very large commercial interest in people using browsers that make it easy to track them.

This is the main reason I stick with Firefox. I don't want to use a browser built by an advertising company.


The vast majority of Mozilla's revenue comes from a search deal with Google.


Yes. And I have already heard the conspiracy theories.


Spitting in the face of user intent like this is really crossing the line of what is acceptable in my opinion. I'm not really concerned about my privacy but I do need to have some faith that the settings I am choosing are being respected. If I allow Google+ to use my webcam should I expect Google to turn it on and watch me all the time? That's not too far removed from what they are doing here.


Privacy violations should be opt-in. That's what is wrong with privacy on the web.


Can someone explain to me why it isn't the browser's responsibility to enforce this instead of relying on websites to "do the right thing"?


What about IE tracking what users are searching for?

Microsoft should admit that they only care about privacy when it's convenient for them.


Microsoft, Google and Apple all agree that your privacy should not be sacrificed for the sake of their competitors making a buck.


> What about IE tracking what users are searching for?

What about it? A browser isn't a website, so P3P doesn't apply. Its written privacy policy applies, and likely allows such behaviour.

> Microsoft should admit that they only care about privacy when it's convenient for them.

I think the point being made is: so should Google.


>What about IE tracking what users are searching for?

What about it? Tell me more.

They don't even enable Bing suggestions by default.


I can't say I would side with either party in this case. P3P sounds about as robust a protocol as RFC 3514 (the evil bit), and Google could just as easily display a warning to any user whose browser rejects third-party cookies.

https://www.ietf.org/rfc/rfc3514.txt


How can you bypass something that is not a barrier? P3P is useless.

P3P means "we would never..." in computer speech which is unenforceable therefore useless.

Google just makes no promises via P3P and places a link there explaining that it doesn't and why it doesn't.

Fortunately implementations of the P3P do the right thing and fold.


>How can you bypass something that is not a barrier?

So if tomorrow Chrome uploads all your keystrokes to Google, will that be a valid defense?

>P3P means "we would never..." in computer speech which is unenforceable therefore useless.

Stopping Chrome from uploading your bank passwords with today's update is unenforceable as well and hence thereby useless.


Right. So if you are afraid of that then don't use Chrome.

And if you are afraid that cookies can be used for tracking then disable them in your browser.

P3P imho is useless because people whom I don't want to be tracked by will serve all the reassuring tokens in P3P and do whatever they want anyway.

I want my +1 buttons to work and if that means pulling the curtain on some security theater then so be it.


I see this as a predominantly moral issue. Google seems to expose itself as the people whom I don’t want to be tracked by by engaging in shady behavior. That is exactly the problem.

Yes, anyone who wants to can circumvent it anyway, but that doesn’t stop us from judging those who do so negatively†. Google can be held accountable in this case (by, for example, complaining loudly about what they do) and there is nothing wrong with doing so. Just because it’s possible doesn’t mean it’s right.

That the protocol sucks is in that context a separate and unrelated issue. It may be security theater, but that doesn’t make Google’s behavior any more moral†.

† Insert clever analogy here. I’m too lazy to think about one, though.


I was going to post a comment with details of what Microsoft's P3P CP policy means. But it got so damn long that I had to write a blog post. http://news.ycombinator.com/item?id=3615381


Google's explanation (set inside the P3P cookie):

http://support.google.com/accounts/bin/answer.py?hl=en&a...


Having battled with P3P in the past, I sympathize with Google. I don't have a problem breaking dumb rules. And P3P is dumb on multiple levels.


[deleted]


The fact that:

1. This is not new,

2. It’s not just Google,

3. Microsoft did it (or even still does it),

4. A bunch of web experts don’t take it seriously because a bunch of web sites don’t take it seriously.

Does not in any way invalidate or make absurd the proposition that:

5. Google’s actions are noxious.

Points 1 through 4 are, however, informative and provide valuable context for Google’s noxious actions.


Oh look, Google fails to fully support features only MSIE has [http://en.wikipedia.org/wiki/P3P#Criticisms]! Shame on them.

P3P was standardized but it never got traction due to various practical problems. For example, privacy policies vary in many, sometimes-subtle, ways and nobody could figure out how to build simple software to decide automatically how to respond to these policies on behalf of users. Don't take Google's word for it, see what facebook says: http://www.facebook.com/help/?page=219494461411349. epic.org doesn't use it either.

There are some appealing ideas in P3P but in real life it doesn't actually help users protect their privacy, even on sites that actually implement it (such as Bing). The P3P working group shut down long ago (http://www.w3.org/P3P/).

This article is just a cheap shot at a competitor.


> Oh look, Google fails to fully support features only MSIE has [http://en.wikipedia.org/wiki/P3P#Criticisms]! Shame on them.

No, Google deliberately set a P3P header that confuses IE into letting Google bypass the user's privacy settings.


I'd wager that very few P3P headers used in the wild are an accurate and complete representation of the privacy policy of the site. Most are either deliberately confusing IE (as you put it) or copied from a tutorial by a developer who just needed to fix the damn login button for stupid IE users.

Creating an accurate P3P header that captures the nuances of different ways data can be used is somewhere between difficult and impossible (I've tried).


Why are you giving Google, of all companies, a pass because they just "copied from a tutorial"? Google is probably the least deserving company in the entire world of the engineering ignorance defense.

Think about it: Google knows enough about the inner workings of IE to create Chrome Frame. How in the world is not knowing enough about how P3P works in IE an excuse?


Google said it isn't possible to create an accurate P3P header that describes how they use cookies. Having previously tried to parse the standard document, I'm inclined to believe them.


If that's the case, the responsible course of action is not to send a P3P header at all. Sending a deliberately false one to circumvent third-party cookie restrictions is simply not cool.


Sure. Though of course that means some functionality will be broken for all IE users with default privacy settings.


Sure, but in a fixable manner. I can always turn on third-party cookies if I like.

A faked P3P header breaks IE's privacy settings in a nonfixable manner.


Fixable for technical people, sure.

Not for the average user. The user who uses the default web browser. The user who uses IE.


If they can convince people to install Chrome Frame, I'm sure they can figure out how to tell people to enable 3rd party cookies. My guess is they'd have a lot harder time explaining why the user should do that.


This is silly. I highly doubt Google is having any luck convincing average users to install Chrome Frame. This is not a counter argument.


And yet they spent all that time doing it ... Seriously, who is Chrome Frame for if not the average user? And they inform you about it as soon as you visit google.com in IE.

I suspect you're right and the uptake isn't what they wanted, but that's not really a valid reason for them to work against the browser settings designed to protect a user's privacy.


What functionality would that be? Tracking what pages the visitor browsed via the +1 buttons?


They can't provide a P3P header saying that won't let 3rd parties track you with it? That would "Break" their +1 functionality? I'd like an explanation of that.


>I'd wager that very few P3P headers used in the wild are an accurate and complete representation of the privacy policy of the site.

So now the standard of comparison for Google is shady warez sites that flout every possible standard for maximum gain?

I'd wager that there are a lot of exploits that install spyware in the wild. That doesn't excuse Google, does it?


As has already been discussed in numerous places, Google, Facebook, Amazon and even Microsoft have broken P3P implementations in several places.

That's hardly "shady warez sites". I love how you jumped straight to that conclusion, though. Shows your biases coming through...


Broken implementations are different from intentionally subverted ones. If FB is doing this, they deserve blame too.

The argument I was responding to seems to be that P3P is a gentleman's agreement and thus is doomed to fail. However, I expect more from Google than I would from random sites on the internet.

So Google flouting a gentleman's agreement is very different from a warez site doing it. After all, you don't expect Google to read your mail in Gmail versus the site admins of warez-mail.com reading your email. Or do you?


But it's a gentleman's agreement between Microsoft and... no one. The user didn't ask to have their cookies blocked and Google certainly didn't ask to be a part of this scheme. It's not really an agreement when only one party has agreed to it.


Shady warez sites? Huh?

P3P as a solution to protecting privacy on the Internet is an utter failure. The whole approach is bogus. I realize this is a judgement call, but I don't view sending bogus P3P headers as bogus. You want your site to work the same in a default Firefox install as in a default IE install and the only way to do that in this case is sending the bogus header.


So the fact that P3P doesn't solve all the problems it set out to solve justifies Google intentionally using it to compromise visitors' privacy in a way that directly contradicts the purpose of the header? And this is okay because it's an MSIE feature they're circumventing?


Well, you have a choice: send a bogus P3P header, or break some functionality for IE users.


The functionality being "broken" is functionality that users DO NOT WANT and have EXPLICITLY OPTED OUT OF by configuring their browser to reject tracking cookies. If they weren't tracking cookies, you could send a VALID P3P header and your app would work.


Actually it's the default in IE, not a feature people opted into. I'd be a lot less sympathetic to Google if it was a feature people opted into rather than one that IE users were unaware of.


XP SP2 made the firewall default and enabled. If Chrome disabled it for themselves and started uploading user files when the computer was idle, will that make it okay since it was Microsoft who installed the firewall by default and not the user?

MS tries to market their browser as safer and with more privacy features. Presumably some users trust MS to go with safe defaults. And Google tries to break that by intentionally breaking the standard for their profit by recording the users' browsing habits on their tracking servers and you are sympathetic to Google because they would make less profit if they didn't do this?


I recognize it's a judgement call, but I'm sympathetic to breaking P3P because P3P is a crappy standard that doesn't actually do much to protect your privacy. In 2012, P3P is best known as the thing that breaks your single sign-on solution in IE.


No, the choices are: send a bogus P3P header, send a legitimate P3P header, or accept the user's tracking cookie preference.


That third one is accept that you lost 99% of IE users, since almost no IE users can actually understand something like P3P and who is asserting what and why that claim should be trusted, and thus leave that scary looking setting at the default level.


> Oh look, Google fails to fully support features only MSIE has

> P3P was standardized

Then it's a little unfair to describe P3P as some IE-only standard then, no? You make it sound like proprietary extension.


I made the point in another post that it was a "standard" and my post was immediately made invisible. Sometimes you can never win when people insist on ignoring the point for the strawmen.


He didn't say it's an "IE-only standard", he said it was an IE-only feature. It may be standardized, but that doesn't mean that it's implemented in other browsers.


Let's not get lost in semantics. True it's a documented standard, but only Microsoft supports it and given its many drawbacks no one else is likely to add support any time soon. It might as well be proprietary.


> It might as well be proprietary.

Not even slightly. That does a huge disservice to any standardisation process. In fact, how "only Microsoft supports it" ends up being Microsoft's problem baffles me.

It was created by a standards body. The other browser manufacturers did not implement it. Therefore, it's all Microsoft's fault?


It is Microsoft's problem that they have IE default to rely on what nearly everyone agrees is a crap solution to protecting privacy on the Internet.

To web developers and certainly to web users there is zero difference between a standard that only Microsoft supports and a documented, but non-standard extension that only Microsoft supports.


> It is Microsoft's problem that they have IE default to rely on what nearly everyone agrees is a crap solution

Do they? Then what's the point in the standardisation process? The whole point is that everyone agreed on a solution in P3P. Maybe it wasn't ideal, but it was the standard. So, faithfully, MS implemented it.

So, MS is to blame when they go alone and make their own standards, but they are now also to blame when they follow the standardisation process to the letter and other people don't?


You don't get a free pass because you're following a W3C standard. The way P3P is implemented in IE made web developers' lives harder in exchange for virtually no additional privacy protections to users.

The point of the standards process is so that we don't have multiple competing/incompatible/ambiguous header-based privacy policies. But that's not the problem here. There aren't any notable competing privacy headers because the whole approach is flawed.


Are you going to say the same thing about the FileSystem API, Dart, and NaCl? Google is probably the worst browser vendor when it comes to having competing implementations of their proprietary features.


Doesn't Dart compile to portable JavaScript?


There was a standardization process, then the committee in charge of it gave up on it because it wasn't going anywhere except IE. See the home page of the working group (http://www.w3.org/P3P/). It's time IE woke up to that reality.


Keeping Google's blunders aside, the P3P policy as described seems to be a joke. Do they really expect third party sites to be honest with a browser? At least they had to do some magic on Safari... this seems too straightforward and begging to be abused...


Easy fix: use DuckDuckGo

https://duckduckgo.com/

Don't let them track and bubble you:

http://donttrack.us/

http://dontbubble.us/


It reminds me of a quote from Dark Knight: "You either die a hero or you live long enough to see yourself become the villain".


There are some comments here that say: P3P is garbage as implemented, so it is ok for Google to invest some time and engineering effort to trick P3P and track users via cookies.

Not sure if that is the valid answer but it has some merits if everybody is doing that (like downloading the address book from iPhone).

Now, I have the following question: if a random website is caught doing this, is it going to be marked as unsafe by security scanners?


I flagged this because it's just Microsoft trying to flame war with Google. These headers have been an annoyance every time I have had to consider them.

This is a clear example of Microsoft's 'extend' and 'embrace' strategy that destroyed so many platforms. The MS series of browsers were the only ones to adopt this before being recommended as a spec. The spec was never adopted.


Is "Google does evil shit and violates users' privacy" even news-worthy anymore? Isn't that the default?

Yeah you heard me Google-tards. Down-vote me like you always do, I got karma to burn baby burn.


From your user page, I see that your IT company likes/dislikes conform to one of the approved off-the-shelf opinionsets. [ticks box] Carry on.


So I take it the MS ad network doesn't track users?


Of course it does. The question is, does it still do that even if the browser explicitly told it not to.

If you have some evidence that it does, I am looking forward to seeing it. But more likely, I think you just read the headline and jumped in to comment.


There are countless tracking mechanisms besides cookies, for example flash cookies and so on. They have been used for years. I would be surprised if any ad network would opt to not use them (I don't like it, but still).


For some reason, it feels too soon for the IE team to be calling foul on web standards implementation.


It's a new low for Microsoft to use MSDN as a corporate mudslinging soapbox.


So the WSJ publishes another one of its alarmist articles about Google and Safari during the weekend and Microsoft wants to capitalize by pretending it just now discovered that P3P (a defunct and shitty protocol) is useless and no one uses it.

NYT September 17, 2010:

http://bits.blogs.nytimes.com/2010/09/17/a-loophole-big-enou...

If you rely on Microsoft’s Internet Explorer’s privacy settings to control cookies on your computer, you may want to rethink that strategy. Large numbers of Web sites, including giants like Facebook, appear to be using a loophole that circumvents I.E.’s ability to block cookies, according to researchers at CyLab at the Carnegie Mellon University School of Engineering. A technical paper published by the researchers says that a third of the more than 33,000 sites they studied have technical errors that cause I.E. to allow cookies to install, even if the browser has been set to reject them. Of the 100 most visited destinations on the Internet, 21 sites had the errors, including Facebook, several of Microsoft’s own sites, Amazon, IMDB, AOL, Mapquest, GoDaddy and Hulu.

Google doesn’t support a broken feature that is exclusive to IE and somehow it’s their fault. If anyone ever doubted Microsoft's PR sleaziness and propaganda tactics that blog post is proof.


> So Google doesn’t support an IE exclusive broken feature and somehow it’s their fault.

Google is supporting the feature, in a way that appears deliberately intended to bypass the user's privacy settings.


I don't side with Google on this one but here is an interesting tidbit: Microsoft support site advocated the same trick... a reference to this can be found on page 6 of this PDF

http://www.ftc.gov/os/comments/privacyreportframework/00453-...


This is a totally disingenuous comment. From the linked PDF (note: this also occurs on page 7, not page 6, for those who wish to verify):

"We discovered that Microsoft’s support website recommends the use of invalid CPs as a work-around for a problem in IE. Specifically, a FRAMESET or parent window that references another site inside a FRAME considers the referenced site as a third-party, even if it is first-party content located on the same server [10]. Microsoft suggests the following invalid CP: CAO PSA OUR. This CP is clearly invalid since it does not contain any RETENTION or CATEGORIES tokens. Even if the CP were valid, Microsoft’s recommendation undermines the purpose of P3P since it encourages web administrators to use CPs that do not represent their actual data practices. We found several technical blogs recommending similar solutions [11], [19]."

So yes, a Microsoft support site did recommend a set of invalid CPs, but this is clearly not the same trick. This is a legitimate set of CP tokens that is used to work around an issue where 1st party content appears to IE as 3rd party content. This token set is invalid because RETENTION/CATEGORIES tokens are missing, but the web author's intent here is (theoretically) honest.

Google, on the other hand, is providing no tokens whatsoever. Instead, in their P3P header they provide a human-readable string and a link to their privacy policy. This is not an invalid but intellectually honest set of tokens that is designed to comply with the spirit of the standard, if not the letter. This is an attempt to bypass the standard in order to allow 3rd party cookies, regardless of user settings.

The fact that you are equating these two practices is completely dishonest. Even a cursory glance through this document makes it clear that the Microsoft support site is advocating something completely different and is doing so in order to enable a fairly legitimate scenario.
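The distinction drawn in the comment above, between a compact policy that is missing token groups and a `CP` value that carries no tokens at all, can be checked mechanically when auditing response headers. The following is an added example, not part of the thread or of any browser's code; the token table is the P3P 1.0 compact vocabulary, and the `audit_p3p` name, the verdict labels and the second and third sample headers are constructed for illustration.

```python
import re

# P3P 1.0 compact-policy vocabulary, grouped by the policy element each token encodes.
TOKENS = {
    "ACCESS": "NOI ALL CAO IDC OTI NON",
    "DISPUTES": "DSP",
    "REMEDIES": "COR MON LAW",
    "NON-IDENTIFIABLE": "NID",
    "PURPOSE": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "RECIPIENT": "OUR DEL SAM UNR PUB OTR",
    "RETENTION": "NOR STP LEG BUS IND",
    "CATEGORIES": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC",
    "TEST": "TST",
}
TOKEN_GROUP = {tok: grp for grp, toks in TOKENS.items() for tok in toks.split()}
# PURPOSE and RECIPIENT tokens may carry a consent suffix (a, i, o); CUR and OUR may not.
SUFFIXED_GROUPS = {"PURPOSE", "RECIPIENT"}
NO_SUFFIX = {"CUR", "OUR"}


def audit_p3p(header_value, required=("RETENTION", "CATEGORIES")):
    """Classify the CP="..." part of a P3P response header value.

    `required` defaults to the two groups the quoted paper names as missing
    from "CAO PSA OUR"; that default is an assumption of this example.
    Matching is case-sensitive, which is also an assumption.
    """
    match = re.search(r'\bCP\s*=\s*"([^"]*)"', header_value, re.IGNORECASE)
    if match is None:
        return {"verdict": "no-cp", "groups": {}, "unknown": [], "missing": list(required)}

    groups, unknown = {}, []
    for word in match.group(1).split():
        base, suffix = word[:3], word[3:]
        group = TOKEN_GROUP.get(base)
        suffix_ok = suffix == "" or (
            suffix in ("a", "i", "o") and group in SUFFIXED_GROUPS and base not in NO_SUFFIX
        )
        if group is not None and suffix_ok:
            groups.setdefault(group, []).append(word)
        else:
            unknown.append(word)

    missing = [g for g in required if g not in groups]
    if not groups:
        verdict = "no-tokens"      # free text only: nothing a policy engine can evaluate
    elif unknown or missing:
        verdict = "invalid"        # real tokens, but incomplete or mixed with junk
    else:
        # Syntactically complete only; says nothing about the site's actual data practices.
        verdict = "well-formed"
    return {"verdict": verdict, "groups": groups, "unknown": unknown, "missing": missing}


# Sample header values. The first CP is the one quoted on this page;
# the other two are constructed for this example.
SAMPLES = [
    'CP="CAO PSA OUR"',
    'CP="This is not a P3P policy! See https://example.com/privacy for more info."',
    'policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAa OUR NOR NAV"',
]

if __name__ == "__main__":
    for value in SAMPLES:
        result = audit_p3p(value)
        print(f'{result["verdict"]:12} missing={result["missing"]} unknown={result["unknown"]}')
```

A `no-tokens` or `invalid` verdict on a response that also sets a cookie is the case worth flagging in a header audit.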


>So Google doesn’t support an IE exclusive broken feature

I am tired of this constant meme in the comments. It's one thing not to support a standard, it's another to actually go to the effort of actively subverting it.

They are supporting it by sending out (fake) P3P headers.

If they didn't support it, they wouldn't send P3P headers. As simple as that.


Yeah, this is not an excuse at all.

You can't argue in defense of Google from an "it's nonstandard" angle, because Google is all about nonstandard Web extensions these days -- to a much larger extent than Microsoft.

You can't argue in defense of Google from a "they didn't know enough about how IE works" angle. They're Google. They created Chrome Frame, people. They know enough to solve this engineering problem.

The pro-Google bias on HN is astounding.


There is no pro-Google bias. What is observable is passionate people who downvote any comment they disagree with, sometimes downvoting comments from the same author.

I've seen more civilized days.


>They created Chrome Frame, people. They know enough to solve this engineering problem.

I would rather say the creation of Chrome Frame marked the point when they threw up their hands in frustration, deciding that they were never going to solve this engineering problem.


>The pro-Google bias on HN is astounding.

I can imagine how the exact same commenters here supporting Google would react if Bing Ads did this to Chrome. I am sure hell would break loose with the "OMG EVIL M$" shouts.

My concern now is that this post may disappear soon thanks to inevitable flagging of any negative news about Google. This has happened to many submissions in the past.

One instance http://news.ycombinator.com/item?id=3544173

That was an article about Microsoft posting an anti-Gmail video, but the pro-Google folks didn't want people to even see the video for themselves and judge it for what it's worth.



Episode 32432432 in the pissing match between MS and anybody who dares make a dollar in the computing industry. Yawn


Yeah, this isn't quite the same level as the Safari one, which was a bit of a tempest in a teacup to begin with. In both cases you can partially blame the browser, though more so in this case.


After Microsoft introduced cookie-blocking features in IE they've been dancing around how to get users to block ads without telling users to install the blockers directly.

Here's the blacklist they suggest in their post, which they recommend "as a protection": http://ie.microsoft.com/testdrive/browser/p3p/google.txt

The "-d" lines block domains entirely, which I believe means this has the consequence of blocking Google ads entirely.


>The "-d" lines block domains entirely, which I believe means this has the accidental consequence of blocking Google ads entirely.

Err what? Why would disabling cookies disable displaying ads?

You seem to be overly concerned about Google being unable to track the browsing habits of some people.


At least as best as I can gather from the TPL docs, they block "all third party content", which includes iframes (the mechanism used for ads).

http://ie.microsoft.com/testdrive/Browser/TrackingProtection...



