February 22, 2012
Microsoft News - Google Bypasses Internet Explorer Privacy Measures
By Miguel Leiva-Gomez, TMCnet Contributor
It seems that Google has made another pass at Microsoft's Internet Explorer, bypassing its default privacy settings with client-side workarounds in the browser that could expose information about the visitor to the website that would otherwise have been kept secret. Head of Internet Explorer Dean Hachamovitch comments that Microsoft has been keeping its eye on the problem since last week, especially since news has already arrived that Google was working around default privacy configurations found in the Safari browser, popularly used in the iPhone and iPad.
The Wall Street Journal has previously caught Google attempting to bypass settings found in the Safari browser implemented in Apple's iOS, but the whole story wasn't revealed at that time. Google's intentions involved enabling things that would have otherwise been unavailable with the privacy settings, such as certain advertisements and the Google +1 button that the company uses for its social networking platform. Still, the intentions may be white, but the methods used to achieve them were gray, at best.
Just like how Google went around Safari's security settings, it seems like Google used some cookies to get around IE9. Cookies are little pieces of data that your Web browser stores by request of a website you visit. The cookies that the browser stores often don't relay any harmful data about you, but are able to keep tabs on where you go, particularly within the site that stored the cookie in your browser. This kind of tracking is often what allows you to come back to Facebook logged in even after you left the website.
That's where privacy issues kick in.
Microsoft's Internet Explorer 9 by default blocks cookies coming from a site that doesn't use the P3P standard. This standard obliges a website to tell IE9 exactly what it'll be using the tracking cookie for. Since Google doesn't use the P3P standard with its cookies, those cookies go back in their jar and don't get stored by the browser.
And of course, Google has wormed its way around the P3P "legislation" and delivered a message to the browser saying "This is not a P3P policy!" It also contains a link describing the reasons why Google doesn't use P3P. Google's explanation is that the P3P protocol doesn't consider the unique situation of Google's +1 button and tailored advertising.
Google gets away with the P3P policy requirement because IE9's policy parsing just accepts any cookie that doesn't contain an understandable policy message. "This is not a P3P policy" isn't an understandable message to Web browsers, and oftentimes they'd accept such a cookie.
Edited by Jamie Epstein