The Browser Bruisers


The Rupert Murdoch-owned WSJ recently came out with an article alleging that Google had been violating the privacy of millions of users of Apple’s browser, Safari. The full article can be read here.

WSJ: Google’s iPhone Tracking

Even before the dust had settled on this one, Microsoft came out swinging, alleging that Google may have been doing the same to its browser, Internet Explorer. Dean Hachamovitch, Corporate VP, IE, came out with this blog post.

Google Bypassing User Privacy Settings

The hard facts, as so well compiled & expressed by Anthony Fawcett, are as follows:

Safari doesn’t provide an interface to set a site by site exception for cookies, you’re faced with either having a broken service because cookies required for operation cannot be set, or completely turning off all cookie restrictions. Those are the two options for users. Google cleverly came up with a legitimate way to get the necessary cookies stored, but as a result some other cookies were also getting transmitted. Google altered the implementation to only send the necessary cookies for the opt-in cross domain services to operate.

For a start, no, they didn’t violate privacy law. None of what they did has any effect for users that do not opt in for the cross domain services, which require cookies to operate – which is what this is all about. The cookies expire in 24 hours or when the browser is closed. The cookies contain no personal identifiable data, nothing more than an authentication state and a session ID. So let’s stop with the whole “privacy abuse” thing. Let’s also stop with the whole “tracking me” thing, a 24 hour/session cookie cannot be used for any kind of effective tracking – which was never the intent.

The only browser in the world that still cares about P3P policies is IE. Every other browser manufacturer dropped support for this years ago. It’s buggy, badly designed,  poorly implemented, and does nothing to provide actual privacy protection but like “affiliate signing” allows sites to lie about the purposes of cookies and to bypass your regular cookie settings and get special treatment. No one uses P3P except where you need cross domain services and you need to support IE6 with them (since literally, it’s pretty much the only way to get IE6 to consistently store cookies when working cross domain).

Google services give IE a compact P3P policy header which tells the browser to ignore P3P settings for cookie restriction. This lets Google do cross domain services on Microsoft’s broken and bug ridden browser suite.

If Google didn’t do this you would not be able to use cross domain G+ services without lowering your overall privacy setting or adding a cookie rule exception for every service.

IE – as the only browser that implements P3P – is the only browser that requires a doctored P3P policy to do this. Even Facebook does exactly the same thing!

Now if you want to talk Safari, it’s the same situation – only there isn’t even the option to use a P3P policy. Safari’s cookie settings are a joke and a usability/privacy protection nightmare.

Do you know that Facebook does EXACTLY the same thing so that people can “Like” other sites? The only real difference is that for Google you OPT-IN to having these features on, whereas Facebook just does it anyway.

So you want to know exactly what data they collected? NONE.  Because they weren’t trying to collect data. They were trying to establish a cross domain authentication check so when you like something on the web it registers on your profile. That’s it. No big conspiracy theory. No stealing of the datas. No rifling your private information and transferring it behind your back. Simply working with broken browser implementations to accomplish what the USER actually ASKED them to do.

At what point does one conflate security and privacy? The two are entirely separate and dealt with by entirely separate bodies of law.

P3P is not a security technology, it is not even a privacy technology.

Did you know that no browser other than IE implements support for P3P and that it was actively removed from Mozilla, and never added to Opera, Chrome, Firefox, or Safari (no, Safari does not support P3P either)? In fact, it’s been recognized as a bad, privacy breaking technology since IE6 first debuted support and broke a slew of web-sites. EPIC calls it “Pretty Poor Policy”; that’s right, the Electronic Privacy Information Centre calls it a really bad policy.

Do you know what it is and why it was invented? It’s a technology that inverts the “trusted network” paradigm to allow affiliate advertisers for Microsoft’s networks to place cookies on your computer for tracking purposes even though you’ve disabled 3rd party cookies as a general rule. That’s why it was invented, and why it was implemented in IE. The same reason Microsoft gave priority passage to your inbox for spam email from their marketing affiliates in Hotmail.

A cookie is not a program that uploads datas on you, it is not like Path transmitting your entire iPhone address book to remote servers without your knowledge and beyond your control. It’s a text file. It contains text. It usually contains less than 50 characters of text. It’s used to persist information on your computer, not take it away. For instance, it allows application developers to record the fact that you are logged in, and an id to reference your session, which is what Google uses it for. This is necessary because HTTP itself is what we call a “stateless” protocol. It has no memory between requests. To get around this and make applications, developers use a server side construct called a ‘session’ that acts as a bag to hold information in between requests. The ‘bags’ are labelled with securely (on good implementations) generated IDs, so they can be told apart. Only, because HTTP itself is stateless, the server cannot tell which ‘bag’ is yours, it needs to know your ID. The HTTP protocol provides a mechanism to send a cookie with each request, and developers store the needed ID in just such a cookie. When the server receives it, it can identify your bag.  Bingo, session-based activities are now possible such as playing games, shopping with a shopping cart and so on.

There is only one problem though. The security implementation around cookies to prevent people stealing them and using them for impersonation and session hijacking (getting access to your ‘bag’) means that only cookies from the same server you are visiting can be read and written. This throws a spanner in the works when two services hosted on different domains need to work together. The server you are accessing gets what is called “first party” permissions. It can read and write cookies at will provided you don’t have cookies disabled completely. The second server though cannot write cookies unless you allow third party cookies in your browser settings. Without that permission, the script that runs on the page that provides Facebook’s ‘Like’ button lets Facebook know that you liked the page. Without that, they can’t update their opengraph records without which they can’t tell Facebook who you are when you click that link.

Nothing Google has done has stolen or has the potential to steal any information from you.

Do YOU have “allow me to +1 sites on the Internet” turned on in your G+ profile (it’s off by default)?

If not, then NO, you were completely unaffected by this. If yes, then YOU EXPLICITLY TOLD Google to do this.

If you turned that feature on, in Safari, you have 2 ways for it to work,

1. You disable all cookie protection

This may be a bad option if you believe that cookie restriction is a measure for enhancing privacy?

2. You open a new frame and send the information you need directly to your own server. Since you are first party where your own server is concerned, this is how it is INTENDED to work. Google can still only read Google’s own cookies containing nothing but what Google wrote there. Google didn’t break anything in the HTTP protocol or any standard to do this.

So why the concern over tracking? Because people don’t understand how this works. If you have 3rd party cookies turned off in Safari you should not have any other Google cookies, so nothing extra would have been sent. The only way you could even have sent your Ad Sense cookie ID is if you had one to start with. And even if you did, and it did get sent, the code that handles the G+ +1 action would not have the slightest interest in it, and would simply discard it. Ad Sense IDs are only any use to the Ad Sense network. And even if it made it as far as the Ad Sense network, it contributes no information because there is no page view information associated with it.

So nothing was stolen, you were not violated, your privacy was not breached. Google simply changed the way they did something to comply with the browser security requirements.

Not doing so, and requiring users to disable all cookie protection to Like or +1 or do any of the plethora of cross domain activities you do without even realizing it when you utilise any of the most popular web applications, would be the only real wrong that could have been perpetrated here.

Here’s a simpler, easier-to-understand explanation for what has been stated above.

Safari as a browser isn’t buggy. However their policy choices are flawed and specifically bad from a security and privacy standpoint.

Someone compared this ‘intrusion’ to a burglar entering your home because he finds the lock to your front door broken. This is a flawed analogy.  P3P is optional, and is something the web server elects to participate in or not as the case may be. Very few do at all.  However, this isn’t at all like entering someone’s home and making away with his stuff.

It’s more akin  to someone coming to my business and saying “Hello, yes, I’d like to make use of your custom service”. I say “Sure, just sign here, okay, I’ll give you a special ID card that will enable you to access the service, but you’ll need to show it to the agent who will be doing the work for you so that he knows you are authorized for it.” Only, your wallet is shut and latched in such a way that you can’t actually add cards to it, so you have to go to Microsoft and have them add the card for you.  Being helpful, I am giving you a new card and putting it in your shirt pocket for you and reminding you to show it to the agent whenever you ask for the service.

For Safari it’s slightly different. The lock on your wallet is enchanted so that you can only put and take out ID cards for the address you are currently standing at. You don’t have any control over the wallet except to bust the lock on it and let any and all cards be put in by everyone. So, instead I say “Tell you what, instead of putting the card in your wallet, I’ll make an exception and when you get there just give me a call and I’ll give the number to the agent over the phone, and he can write it on a card for you there and then.”

[ Hat tip: Anthony Fawcett  for the explanatory content ]
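The session ‘bag’ mechanism and the first-party/third-party cookie rule described in the explanation above, as an added example that is not code from the original post or from any of the companies named. The host names, class names and the cookie name `sid` are made up, and the browser class is a simplified model of the rule as the explanation states it, not any real browser's algorithm.

```python
import secrets
from http.cookies import SimpleCookie

class SessionStore:
    """Server-side 'bags', each labelled with an unguessable session ID."""
    def __init__(self):
        self.bags = {}

    def handle(self, cookie_header):
        """Serve one stateless request: return (bag, Set-Cookie value or None)."""
        cookies = SimpleCookie(cookie_header or "")
        sid = cookies["sid"].value if "sid" in cookies else None
        if sid in self.bags:
            return self.bags[sid], None           # known ID: hand back its bag
        sid = secrets.token_urlsafe(32)           # unknown or missing ID: mint one
        self.bags[sid] = {}
        return self.bags[sid], f"sid={sid}; Secure; HttpOnly"

class Browser:
    """Simplified cookie jar keyed by the host that set the cookie."""
    def __init__(self, block_third_party=True):
        self.block_third_party = block_third_party
        self.jar = {}

    def request(self, page_host, target_host, server):
        """Fetch from target_host while the address bar shows page_host."""
        bag, set_cookie = server.handle(self.jar.get(target_host))
        first_party = page_host == target_host
        if set_cookie and (first_party or not self.block_third_party):
            self.jar[target_host] = set_cookie.split(";", 1)[0]
        return bag

def demo():
    widget = SessionStore()                       # backs social.example (made up)
    browser = Browser(block_third_party=True)
    # Widget embedded in news.example: its Set-Cookie is third party and dropped,
    # so the second request arrives with no ID and gets a different bag.
    a = browser.request("news.example", "social.example", widget)
    b = browser.request("news.example", "social.example", widget)
    # Direct visit: first party, the cookie is stored and the bag is found again.
    c = browser.request("social.example", "social.example", widget)
    d = browser.request("social.example", "social.example", widget)
    # Model assumption: only writes are blocked, so the stored ID is still sent
    # when the widget is embedded again.
    e = browser.request("news.example", "social.example", widget)
    return a is b, c is d, e is c

if __name__ == "__main__":
    print(demo())
```

A client-supplied ID the server never issued is not adopted; the server mints a fresh one, so the label on a bag always comes from the server's own random generator.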

Why do you think the WSJ & Microsoft launched on the finger-pointings and the muttered accusations? I am sure you would be able to come up with a couple of good guesses at least.

(Note: Neither I nor the person whose explanatory content figures here has any professional association with or happens to be an employee of Microsoft, Google, Apple or Wall Street Journal )

