Google garnered a lot of attention last week -- not in a good way. But does it really deserve the shellacking for its tracking cookie practices? On the one hand -- when it comes to circumventing cookie blocking in Safari -- Google's clearly out of line. On the other hand -- when it comes to tricking Internet Explorer's P3P squasher so that it will allow cookies -- the line's not at all well defined.
The ball started rollling late last week when the Wall Street Journal published a front-page story about Google and three other online ad companies (Vibrant Media, Media Innovation Group, and PointRoll) bypassing the third-party cookie security default built into Apple's Safari Web browser. Jonathan Mayer, a grad student at Stanford, discovered the technique and has a thorough description on the Webpolicy blog of how Google and other advertising companies do the dirty deed. The WSJ has a good infographic, complete with cookie contents.
Safari is unique among the major browsers in that it blocks third party cookies by default. Google and the others found a way to wiggle around the default setting and plant its third-party cookies on computers running Safari.
Shocking? No. Reprehensible? Sure. The Electronic Frontier Foundation explains why in its article "Google Circumvents Safari Privacy Protections -- This is Why We Need Do Not Track." Google's given us yet another reason to believe that it's entered the post-"Don't be evil" era.
Over the long weekend, another Google privacy slip came to light. In a blog post dated 1:30 a.m. on Tuesday, Dean Hachamovitch, Microsoft corporate vice president of Internet Explorer, declared Google was bypassing user privacy settings in Internet Explorer. "We've found that Google bypasses the P3P Privacy Protection feature in IE," Hachamovitch says. "The result is similar to the recent reports of Google's circumvention of privacy protections in Apple's Safari Web browser, even though the actual bypass mechanism Google uses is different."
Well, no. That's not true at all.
In spite of its blustering, Microsoft knows all about the bypass method Google used, has known about it for years, and hasn't plugged the hole that lets Google, Facebook, and 10,000 other websites into the IE third-party cookie jar despite the straitjacket known as P3P. What's more, Microsoft once published details (since taken down) on how to make the bypass work.
P3P, the Platform for Privacy Preferences, developed in the late 1990s by the W3C and officially promulgated in 2002, defines a collection of three- and four-character codes, called compact policies (CPs), that describe a Web page's cookie policy. For example, "NON ADM DEV PSD" means that the website will use non-user-identificable cookies, for website administration and research and development, and that the cookies can be used for pseudonymous (non-user-identifiable but unique) analysis. Compact policies can have dozens of entries. Each page on a website can have a different compact policy.