Google's cookie runaround in IE? Not a big deal

FOR IMMEDIATE RELEASE
(Free-Press-Release.com) February 25, 2012 -- Condemnation of Google for bypassing user privacy settings in Safari is justified, but Microsoft's IE bluster is just hot air Google garnered a lot of attention last week -- not in a good way. But does it really deserve the shellacking for its tracking cookie practices? On the one hand -- when it comes to circumventing cookie blocking in Safari -- Google's clearly out of line. On the other hand -- when it comes to tricking Internet Explorer's P3P squashed so that it will allow cookies -- the line's not at all well defined.

Safari is unique among the major browsers in that it blocks third party cookies by default. Google and the others found a way to wiggle around the default setting and plant its third-party cookies on computers running Safari.

Over the long weekend, another Google privacy slip came to light. In a blog post dated 1:30 a.m. on Tuesday, Dean Hachamovitch, Microsoft corporate vice president of Internet Explorer, declared Google was bypassing user privacy settings in Internet Explorer. "We've found that Google bypasses the P3P Privacy Protection feature in IE," Hachamovitch says. "The result is similar to the recent reports of Google's circumvention of privacy protections in Apple's Safari Web browser, even though the actual bypass mechanism Google uses is different."

Well, no. That's not true at all.

In spite of its blustering, Microsoft knows all about the bypass method Google used, has known about it for years, and hasn't plugged the hole that lets Google, Face book, and 10,000 other websites into the IE third-party cookie jar despite the straitjacket known as P3P. What's more, Microsoft once published details (since taken down) on how to make the bypass work.

P3P, the Platform for Privacy Preferences, developed in the late 1990s by the W3C and officially promulgated in 2002, defines a collection of three- and four-character codes, called compact policies (CPs), that describe a Web page's cookie policy. For example, "NON ADM DEV PSD" means that the website will use non-user-identifiable cookies, for website administration and research and development, and that the cookies can be used for pseudonymous (non-user-identifiable but unique) analysis. Compact policies can have dozens of entries. Each page on a website can have a different compact policy.

Acceptance of the P3P spec has been, ahem, slow at best. Of all the major browsers, only Internet Explorer (versions 6, 7, 8, 9, and 10) recognizes P3P policies. Firefox used to enforce P3P policies, but now it's an obscure option.

When Internet Explorer encounters an invalid compact policy, it simply accepts all cookies. Microsoft says that's in conformance with the W3C spec. Here's what the spec says, in Section 6.4: "P3P user agents MUST NOT rely on P3P compact policies that do not comply with the P3P 1.0 or P3P 1.1 specifications or are obviously erroneous. Such compact policies SHOULD be deemed invalid and the corresponding cookies should be treated as if they had no compact policies." You may read that as saying, "if the CP is invalid, accepts all cookies." I don't.

In Internet Explorer 9 or 10, the slider that controls IE's behavior with CPs (found in Tools, Options, Privacy) starts at "Medium: Blocks third-party cookies that do not have a compact privacy policy." There's no admonition about invalid CPs -- and certainly no indication that invalid CPs are accepted. Many people consider this a bug in IE.

Want to check it yourself? Fire up IE 9 or 10. If you've changed your IE Privacy setting, put it back at Medium, the default. Go to google.com. Click the gear-shaped icon on the right, then choose Safety, Webpage Privacy Policy. See how the Privacy Report says that cookies on Google.com have been accepted? Now click once on http://www.google.com, and click Summary. IE will gladly tell you that it just accepted cookies even though it "Could not find a privacy policy for http://www.google.com. To view this site's privacy policy, contact the website directly."

That's a bug, and it's existed since Internet Explorer 6. Should Google be penalized for taking advantage of IE's bug? What about Face book and Amazon and 11,000 others?

Who knows? Maybe Google and Face book and Amazon just followed Microsoft's old instructions to circumvent third-party cookie blocking.


For more information: http://www.electrocomputerwarehouse.com

cheap computers     Refurbished C