One of the most interesting and frustrating aspects of writing about technology is that it’s always in flux. This is one of the reasons books and magazines often do a poor job of reflecting the current state of information systems security: they’re trying to hit a moving target.
This was on display as Google’s very public browser override issue erupted over the past few weeks, rapidly changing the privacy debate and causing finger pointing and repositioning at multiple companies.
First, Stanford researcher Jonathan Mayer’s comprehensive blog post found that Google and other companies have been bypassing user-defined Safari privacy settings. Mayer’s February 17 blog post “identified four advertising companies that unexpectedly place trackable cookies in Safari. Google and Vibrant Media intentionally circumvent Safari’s privacy feature. Media Innovation Group and PointRoll serve scripts that appear to be derived from circumvention example code.”
Although implementations vary, almost every Web browser implements a third-party cookie blocking privacy feature. This allows the user to limit the access of cookies that originate from a source other than the “first-party domain,” that is, the primary site visited. Safari’s cookie handling process is stricter than other browsers in that it blocks such third-party cookies by default, as does every mobile device using Apple’s iOS platform.
What Mayer discovered was that Google is presenting specific third-party cookies to the browser as first-party, thereby overriding the browser preference. This enables Google and partners to track the Web browsing habits of millions of people on their iPhones and computers, even if those people specifically intended that monitoring to be blocked.
When the Wall Street Journal first reported this issue, Google denied the claim. Google then responded that it has since disabled this code, and that it never collected personal information anyway.
Microsoft, looking for ammunition to criticize Google, jumped on the Wall Street Journal report and pointed out that the compromised browser was Safari, not its Internet Explorer. But a week later, Microsoft said IE privacy policies were also bypassed by Google.
Evidently this is achieved by a very simple, odd process. IE, by default, blocks third-party cookies unless a site presents a P3P Compact Policy Statement to the browser describing how the site will use the cookie and pledging not to track the user.
But all a company has to do to bypass IE cookie blocking is send text that states the cookie won't be used for tracking (as Google does), or state that it doesn’t have a P3P policy, which is what Facebook does. Sending an invalid P3P privacy statement also turns off IE cookie blocking.
Microsoft has said that this issue does not impact users of a new privacy feature called “Tracking Protection” implemented in IE 9.
I’ll have more on this issue in another post, including how to delete your Google history and de-personalize your Google experience.