Interview With Stanford Student Who Caught Google Spying on Safari Users

Status
Not open for further replies.
that only works on some of their devices.





Web coders use browser quirks all the time, and seeing as this was known for years, how can they be sure this was an actual bug and not just an unintended feature? Why wasn't it fixed by Apple if it was a known bug?

On the opt-out page, they gave instructions for how other browsers could opt-out, but told Safari users to leave it on the default Safari behavior and they would already be opted out.
 
It never was a "known bug." It wasn't a bug at all.
If it wasn't a known bug, what's the WSJ going on about here then?

wsj said:
An update to the software that underlies Safari has closed the loophole that allows cookies to be set after the automatic submission of invisible forms. Future public versions of Safari could incorporate that update. The people who handled the proposed change, according to software documents: two engineers at Google.

http://blogs.wsj.com/digits/2012/02/16/how-google-tracked-safari-users/

Whether it's a bug or not, it was certainly known, 7 months at least.

And if it isn't a bug, then it's ... a feature? Then what's everyone getting mad at Google about?
 
If it wasn't a known bug, what's the WSJ going on about here then?



http://blogs.wsj.com/digits/2012/02/16/how-google-tracked-safari-users/

Whether it's a bug or not, it was certainly known, 7 months at least.

And if it isn't a bug, then it's ... a feature? Then what's everyone getting mad at Google about?

There is a difference between a bug and an exploit.

A bug is an issue with the software.
An exploit is when one takes advantage of a bug to do things that are normally not permitted.

Finally, Google lied. They provided a capability for other browsers to opt-out, but told Safari users that if they maintained the default preferences, they would not receive these tracking cookies. They told Safari users that they weren't going to provide an opt-out mechanism because Safari already opts you out by default.
 
Sarcasm, numble. Sarcasm.

Finally, Google lied. They provided a capability for other browsers to opt-out, but told Safari users that if they maintained the default preferences, they would not receive these tracking cookies. They told Safari users that they weren't going to provide an opt-out mechanism because Safari already opts you out by default.
Right, because that couldn't possibly be a case of the left hand not knowing what the right hand is doing.
 
Google baffles me with their stupidity sometimes. How could they think they would get away with this? They aren't some small-time company that no one would look too closely at, they're freaking Google. It makes no sense.
 
It never was a "known bug." It wasn't a bug at all.

Where do you come up with this shit?

Can you imagine the shitstorm people would have given Apple if Apple locked advertisers out from installing all cookies on all ads, even if the user clicked on the ad? They would have accused Apple of using its position to give iAds an unfair competitive advantage. They would have sued the shit out of Apple.

Tobor's analogy is exactly right, even if you are too stubborn to accept the facts. It's not Apple's fault if Google cheats. It's Google's.

How is a security issue where they can invisibly submit a form in an iframe to set cross-domain cookies in a browser that supposedly doesn't allow it by default not a bug?
 
Google baffles me with their stupidity sometimes. How could they think they would get away with this? They aren't some small-time company that no one would look too closely at, they're freaking Google. It makes no sense.

They probably figured that since it was on an Apple device, the walled-garden forces would protect them.
 
The plot thickens... Microsoft's IE team says Google was doing the same shit to them:

Google Bypassing User Privacy Settings

Monday, February 20, 2012 12:31 PM

When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies. Below we spell out in more detail what we’ve discovered, as well as recommendations to IE users on how to protect their privacy from Google with the use of IE9's Tracking Protection feature. We’ve also contacted Google and asked them to commit to honoring P3P privacy settings for users of all browsers.

We’ve found that Google bypasses the P3P Privacy Protection feature in IE. The result is similar to the recent reports of Google’s circumvention of privacy protections in Apple’s Safari Web browser, even though the actual bypass mechanism Google uses is different.

...

What Happens in IE

By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent.

P3P, an official recommendation of the W3C Web standards body, is a Web technology that all browsers and sites can support. Sites use P3P to describe how they intend to use cookies and user information. By supporting P3P, browsers can block or allow cookies to honor user privacy preferences with respect to the site’s stated intentions.

It’s worth noting that users cannot easily access P3P policies. Web sites send these policies directly to Web browsers using HTTP headers. The only people who see P3P descriptions are technically skilled and use special tools, like the Cookie inspector in the Fiddler tool. For example, here is the P3P Compact Policy (CP) statement from Microsoft.com:

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

Each token (e.g. ALL, IND) has a specific meaning for a P3P-compliant Web browser. For example, ‘SAMo’ indicates that ‘We [the site] share information with Legal entities following our practices,’ and ‘TAI’ indicates ‘Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization.’ The details of privacy are complex, and the P3P standard is complex as well. You can read more about P3P here.

Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy. It’s intended for humans to read even though P3P policies are designed for browsers to “read”:

P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

P3P-compliant browsers interpret Google’s policy as indicating that the cookie will not be used for any tracking purpose or any purpose at all. By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked. The P3P specification (“4.2 Compact Policy Vocabulary”) calls for IE’s implemented behavior when handling unknown tokens: “If an unrecognized token appears in a compact policy, the compact policy has the same semantics as if that token was not present.”

Similarly, it’s worth noting section “3.2 Policies” from the P3P specification:

3.2 Policies

In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements.

P3P is designed to support sites that convey their privacy intentions. Google’s use of P3P does not convey those intentions in a manner consistent with the technology.

Full story here:

http://blogs.msdn.com/b/ie/archive/2012/02/20/google-bypassing-user-privacy-settings.aspx

I'm sure Google will claim this was "unintentional" too?

LOL
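The P3P mechanism the IE post above describes, as an added example that is not part of this thread or of Microsoft's post: a small Python model of how a P3P-aware browser evaluates a third-party cookie's compact policy, run over the two CP strings quoted above plus constructed ones. The token table is from P3P 1.0 section 4.2; the "Medium" acceptance rule is a simplified model of IE's documented behaviour (a PII category combined with a sensitive purpose or recipient that carries no opt-in/opt-out suffix is unsatisfactory), and the `strict` variant is a hypothetical hardening (treat an all-unknown policy as no policy), not anything IE shipped.

```python
"""Model of P3P compact-policy evaluation for a third-party cookie.

Shows why a policy made entirely of unrecognized words is accepted by a
browser that follows the spec's rule (unknown token == token not present),
and a stricter check that flags such a policy instead. Illustrative code,
not Microsoft's or Google's; the Medium rule is a simplified model of IE's
behaviour and the strict mode is a hypothetical hardening."""
import re

# Base compact-policy tokens from P3P 1.0 section 4.2. Purpose/recipient
# tokens may carry a suffix: "a" (always), "i" (opt-in), "o" (opt-out).
KNOWN_TOKENS = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON", "DSP", "LAW", "MON", "COR",
    "NID", "PHY", "ONL", "GOV", "PUR", "FIN", "HIS", "PRE", "LOC", "OTC",
    "UNI", "COM", "NAV", "INT", "DEM", "CNT", "STA", "POL", "HEA", "CUR",
    "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "TEL", "OTP",
    "OUR", "DEL", "SAM", "UNR", "PUB", "OTR", "NOR", "STP", "LEG", "BUS",
    "IND", "TST",
}
PII_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}
SENSITIVE_USES = {"IVA", "IVD", "CON", "TEL", "OTP",   # purposes
                  "SAM", "OTR", "UNR", "PUB", "DEL"}   # recipients
# Model treats tokens as case-sensitive, three uppercase letters + suffix.
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")

# Header values quoted in the post above (the part after "P3P:").
MICROSOFT_CP = ('CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI '
                'TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"')
GOOGLE_CP = ('CP="This is not a P3P policy! See http://www.google.com/support/'
             'accounts/bin/answer.py?hl=en&answer=151657 for more info."')


def parse_compact_policy(header_value):
    """Return (recognized, unknown) token lists for a P3P header value,
    or None when the header carries no CP="..." compact policy at all."""
    m = re.search(r'CP="([^"]*)"', header_value)
    if m is None:
        return None
    recognized, unknown = [], []
    for word in m.group(1).split():
        tm = TOKEN_RE.match(word)
        if tm and tm.group(1) in KNOWN_TOKENS:
            recognized.append(word)
        else:
            unknown.append(word)  # spec: same semantics as if not present
    return recognized, unknown


def is_unsatisfactory(tokens):
    """Simplified IE 'Medium' rule: a PII category plus a sensitive purpose
    or recipient declared with no opt-in/opt-out suffix."""
    bases = {t[:3] for t in tokens}
    bare = {t for t in tokens if len(t) == 3}
    return bool(bases & PII_CATEGORIES) and bool(bare & SENSITIVE_USES)


def decide(header_value, strict=False):
    """Decide whether a third-party cookie sent with this P3P header value
    (None = no P3P header) is accepted. strict=True adds the defensive rule:
    a policy whose tokens are all unrecognized counts as absent, not empty."""
    if header_value is None:
        return "block: no compact policy"
    parsed = parse_compact_policy(header_value)
    if parsed is None:
        return "block: no compact policy"
    recognized, unknown = parsed
    if strict and unknown and not recognized:
        return "block: no recognized tokens (bogus policy)"
    if is_unsatisfactory(recognized):
        return "block: unsatisfactory policy"
    return "allow"


if __name__ == "__main__":
    for label, cp in (("microsoft.com", MICROSOFT_CP), ("google.com", GOOGLE_CP)):
        print(label, "lenient:", decide(cp), "| strict:", decide(cp, strict=True))
```

With the lenient rule both quoted headers are accepted; only the strict rule separates a policy with one stray token (Microsoft's `CUSo`) from one with no recognized tokens at all.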
 
The plot thickens... Microsoft's IE team says Google was doing the same shit to them:



Full story here:

http://blogs.msdn.com/b/ie/archive/2012/02/20/google-bypassing-user-privacy-settings.aspx

I'm sure Google will claim this was "unintentional" too?

LOL

The exploit has been known about for at least 2 years now, and Facebook (a company that MS holds a stake in) does this as well, but they chose not to call them out on it.

http://www.neogaf.com/forum/showthread.php?t=463877
 
So that's a good excuse?

Other people are known to rob banks...why can't I?

It's not an excuse. The exploit has been written about, documented on, and exposed for at least two years. MS and WebKit didn't care about it. So much so that people started considering it a "feature" to allow sign-in processes to be more transparent.

Two years, in internet time that's like....40 million ipads.
 
So that's a good excuse?

Other people are known to rob banks...why can't I?

Well I don't know if you are insinuating it (probably not) but what Google did isn't actually illegal.

Secondly, the situation is - the protocols that IE uses in this instance impede 'web 2.0' functionality, and while this was known for years to be an issue, the protocol has since been abandoned so there is no one to update it to accept what has become standard fare on other browsers - so instead, companies circumvent it - in this instance Microsoft is cashing in on an opportunity to besmirch a competitor, so they point the finger at Google - but avoid mentioning that business partners of their own (Facebook) do the same thing, because of the same impediments, among thousands of other websites.

Basically put, Google is the patsy for a non-issue.
 
It's not an excuse. The exploit has been written about, documented on, and exposed for at least two years. MS and WebKit didn't care about it. So much so that people started considering it a "feature" to allow sign-in processes to be more transparent.

Two years, in internet time that's like....40 million ipads.

It's not an excuse, just your usual weak attempt at trying to deflect the shitty things that Google does.

"Ignore the guy taking money out of your pocket, some guy is jay walking across the street!"
 
Well I don't know if you are insinuating it (probably not) but what Google did isn't actually illegal.

Secondly, the situation is - the protocols that IE uses in this instance impede 'web 2.0' functionality, and while this was known for years to be an issue, the protocol has since been abandoned so there is no one to update it to accept what has become standard fare on other browsers - so instead, companies circumvent it - in this instance Microsoft is cashing in on an opportunity to besmirch a competitor, so they point the finger at Google - but avoid mentioning that business partners of their own (Facebook) do the same thing, because of the same impediments, among thousands of other websites.

Basically put, Google is the patsy for a non-issue.
If you're under an FTC consent decree for not misleading users about privacy, this is not a non-issue. They offered a mechanism for other browsers to opt out of these cookies, but lied to Safari users and told them not to worry, since Safari already defaults to not accepting the cookies (and then used an exploit to get around it).
 
It's not an excuse, just your usual weak attempt at trying to deflect the shitty things that Google does.

"Ignore the guy taking money out of your pocket, some guy is jay walking across the street!"

I love how the most pertinent part of this whole story is lost. The part where this only affects users who are signed into Google services in the first place. You know, services that explicitly state that Google doesn't follow P3P standards and may deliver cookies from 3rd-party sites. The one where you click "agree".

Stop signing into Google services and your anonymous browsing habits won't be anonymously tied to your personal account.

The most hilarious thing about people calling me on Google shit is that I don't even browse while I'm signed in, while I use Opera, and half of the shit people cry and bitch about doesn't affect users who don't use their products.
 
If you're under an FTC consent decree for not misleading users about privacy, this is not a non-issue. They offered a mechanism for other browsers to opt out of these cookies, but lied to Safari users and told them not to worry, since Safari already defaults to not accepting the cookies (and then used an exploit to get around it).

I'm not talking about the Safari situation in this quote, but the IE situation - in all honesty I've done next to no reading on the Safari incident, only heard about it 10 minutes ago with this thread being pulled back to the front page.

But if what Google did with Safari is intentionally mislead users about privacy, then that is absolutely reprehensible - I just think it's important to give criticism when it is due, not throw every non issue underneath Google like it's kindling while you conduct your witch trial.
 
I'm not talking about the Safari situation in this quote, but the IE situation - in all honesty I've done next to no reading on the Safari incident, only heard about it 10 minutes ago with this thread being pulled back to the front page.

But if what Google did with Safari is intentionally mislead users about privacy, then that is absolutely reprehensible - I just think it's important to give criticism when it is due, not throw every non issue underneath Google like it's kindling while you conduct your witch trial.

"Witch trial?"

REALLY?
 
"Witch trial?"

REALLY?

I felt it was a pertinent metaphor to describe the wave after wave of non-issues being lobbed at Google specifically, for the entire purpose of defaming them, if people don't see the obvious connections, and the almost grass-roots movement to 'cut out the Google' because of some perceived new threat to their privacy (how anything in the last year has made Google suddenly some peeping tom, I have no idea) - then I don't know what to say.

Criticize Google for real issues, one that always comes to mind is their colluding with competitors to keep the wages of developers down, but don't feed into this bullshit.
 
"Witch trial?"

REALLY?

Facebook has 700+ billion users, doesn't acknowledge p3p standards(while doing the same thing google is doing), they're about to go IPO and MS doesn't mention a single thing about it while talking about Google in the same breath, and you don't think this isn't anything more than Microsoft's aggressive marketing that they've been running for about a year now?

gmailman!
 
I felt it was a pertinent metaphor to describe the wave after wave of non-issues being lobbed at Google specifically, for the entire purpose of defaming them, if people don't see the obvious connections, and the almost grass-roots movement to 'cut out the Google' because of some perceived new threat to their privacy (how anything in the last year has made Google suddenly some peeping tom, I have no idea) - then I don't know what to say.

This isn't a non-issue...and your "witch hunt" metaphor is idiotic. "Witch hunts" are done to individuals who are ultimately powerless in the face of a mob. Google is a multi-billion dollar corporation with an army of Washington lobbyists...

WASHINGTON -- You can't swing a dead cat video in Washington lately without hitting a lobbyist, consultant, attorney or adviser on retainer to Google or one of its tech rivals. Google, whose top executives have long been a bottomless cup of campaign coffee for Democrats, is finally entering its bipartisan phase, theatrically hiring Republican operatives and broadcasting the news through insider Washington publications, pumping air into a K Street tech bubble.

The shift in political strategy comes as Google faces a serious antitrust threat, punctuated by a high-profile hearing on the company held Wednesday afternoon in the Senate. But Google's investment in the infrastructure of the conservative movement goes much deeper than what's been reported this summer.

The company known for its progressive politics is now giving money to the Heritage Foundation, the American Enterprise Institute, the Competitive Enterprise Institute, the Republican Governors Association, the GOP firm The David All Group, Crossroads Strategies, the Republican Attorneys General Association and the Republican State Leadership Committee, among others. On Thursday, Google and Fox News cosponsored a Republican presidential debate.

In the last nine months, Google has hired 18 lobbying shops -- not 18 lobbyists, but 18 firms, a dozen of them since July, a head-turning torrent of hiring that also includes consultants not required to register as lobbyists.
http://www.huffingtonpost.com/2011/09/25/google-antitrust-microsoft-war_n_976804.html

They hardly qualify as the Rebecca Nurse here...

Criticize Google for real issues, one that always comes to mind is their colluding with competitors to keep the wages of developers down, but don't feed into this bullshit.

OK...

Violations of a settlement with the FTC can lead to fines of $16,000 per violation, per day. It's unclear how many times Google may have circumvented do-not-track protections on the Safari browser, distributed with iPhones, iPads, some iPods and Macintosh computers.

Google was "incredibly stupid" to slip tracking cookies into Safari, given that the company is under scrutiny by the FTC and privacy advocates, said Justin Brookman, director of consumer privacy at the Center for Democracy and Technology. "I'd be very surprised if there was not some type of FTC action."

An FTC spokeswoman said the agency was aware of the allegations, but could not comment beyond that.

and

Three members of the U.S. House of Representatives are asking the Federal Trade Commission to investigate Google's Safari workaround. The Electronic Privacy Information Center is going further, asking [PDF] the FTC to find that Google violated its recent settlement with the federal agency regarding its Buzz privacy practices. Google, meanwhile, says it was merely using "known functionality" in Safari and any resulting privacy violations were just a mishap the company "didn't anticipate."
http://www.pcworld.com/article/250311/will_the_ftc_investigate_googles_safari_gaffe.html

Is that real enough for ya?
 

Like I said in an earlier quote, I don't know enough about the Safari issue to comment on it directly, but from what I've seen in the thread, if all is accurate it is very much reprehensible. Obviously it's being looked into, and I'll make the time to read up on it right now.

Again, do you think I am defending Google blindly here? I specifically mentioned the IE case because of the inanity of it all, and the sheer amount of people (including yourself) willing to jump on any reason to further the campaign of condemnation for Google - it would be awesome if you could reply to the comment I made on the IE case, and I would be super duper interested to know where you stand with all the new information presented.
 
Almost 20 years of cookie usage, and we just this month "figured out" how they can be used.

Good job Internet.
 
This isn't a non-issue...and your "witch hunt" metaphor is idiotic. "Witch hunts" are done to individuals who are ultimately powerless in the face of a mob. Google is a multi-billion dollar corporation with an army of Washington lobbyists...

You're really going to focus on an off-the-cuff metaphor, as opposed to the meat of my comment, aren't you.
 
You know...I'm torn on this issue.

On one hand, so what? I don't care if someone knows what webpage I visit. Just like I don't care if people see me walk into a store. The internet is public.

On the other hand, Google deceptively pulling this stunt is wrong. Why not just be up front about it? Have a disclaimer saying, if you want to use the internet, there will be cookies. End of story. The internet isn't a God-given right; if you don't want to use it and agree to its terms then don't.

I mean, like it or not, ads are a fundamental part of the internet. It's how websites make their money to stay in business. As long as the cookie isn't giving a company my social security/address/bank account info, then I don't care. Personally if it's just a "Google ID ***** went to your site and liked this ad!" then oh well. Not that big of a deal.
 
You're really going to focus on an off-the-cuff metaphor, as opposed to the meat of my comment, aren't you.

Wait, not ten minutes ago you said "I felt it was a pertinent metaphor to describe the wave after wave of non issues being lobbed at Google specifically, for the entire purpose of defaming them..."

...now you are saying it was just "an off the cuff metaphor?"

Which was it, a pertinent metaphor for describing this apparently vast conspiracy you perceive as being formed against Google by mysterious online agents (I guess including me) or just something off-the-cuff?

And what is the "meat" of your comment, anyway?

Is it the nutty conspiracy theory?
 
You know...I'm torn on this issue.

On one hand, so what? I don't care if someone knows what webpage I visit. Just like I don't care if people see me walk into a store. The internet is public.

On the other hand, Google deceptively pulling this stunt is wrong. Why not just be up front about it? Have a disclaimer saying, if you want to use the internet, there will be cookies. End of story. The internet isn't a God-given right; if you don't want to use it and agree to its terms then don't.

I mean, like it or not, ads are a fundamental part of the internet. It's how websites make their money to stay in business. As long as the cookie isn't giving a company my social security/address/bank account info, then I don't care. Personally if it's just a "Google ID ***** went to your site and liked this ad!" then oh well. Not that big of a deal.

I don't know if they just put this up like ten minutes ago or not but:

http://support.google.com/accounts/bin/answer.py?hl=en&answer=151657
 
Wait, not ten minutes ago you said "I felt it was a pertinent metaphor to describe the wave after wave of non issues being lobbed at Google specifically, for the entire purpose of defaming them..."

...now you are saying it was just "an off the cuff metaphor?"

Which was it, a pertinent metaphor for describing this apparently vast conspiracy you perceive as being formed against Google by mysterious online agents (I guess including me) or just something off-the-cuff?

And what is the "meat" of your comment, anyway?

Is it the nutty conspiracy theory?

What the fuck are you going on about, something can't be pertinent and off the cuff?

And conspiracy theory? Bro, there is an organization founded out there - with partners like Microsoft - whose entire purpose is to advertise against Google. Are you doing that thing where you make my argument into some ridiculous statement, and then argue against that? There's a fallacy for that.

The -meat- is simple: the P3P protocols are outdated and abandoned for two years, and they conflict with web 2.0 functionality, so companies work around it when dealing with IE - and it is being used by Microsoft in this instance, specifically to defame Google, and Microsoft is acting like this was some crazy discovery they just made that points to some trend of shenanigans by Google, but the truth is they were fully aware of it. Everyone was; it was on Google's policy page, AND Facebook's, and probably quite a few other companies'.

Basically, it's a non issue being propped up for the purpose of smearing and you don't want to admit it.
 
Back to reality...

Class action lawsuits incoming.

Google (NASDAQ:GOOG) has been sued by computer users who claimed their privacy rights were violated when the search giant sidestepped control settings intended to protect users of Apple's (NASDAQ:AAPL) Safari Web browser from being tracked online.

Attorneys for Safari user Matthew Soble said in a complaint filed in Delaware federal court that "Google's willful and knowing actions violated" federal wiretapping laws and related citizen privacy statutes, according to Bloomberg BusinessWeek.

Soble wants class-action status for his lawsuit, inviting other Safari users who believe Google infringed upon their privacy rights. Meanwhile, Brian Martorana of Missouri also sued Google for violating the Wiretap Act and asked for damages on behalf of 62 million users, according to PaidContent.

Google declined to comment on the lawsuits.

...

Congressmen Edward J. Markey (D-Mass.), Joe Barton (R-Texas) and Cliff Stearns (R-Fla.) have asked the FTC if this browser issue violates Google's consent agreement not to misrepresent how and why it collects user information.

The consent agreement stemmed from Google's infringement of user privacy in its now-defunct Buzz social conversation service. Google could incur fines of $16,000 per violation per day if it is found to have violated the consent order.

"As members of the Congressional Bi-Partisan Privacy Caucus, we are interested in any actions the FTC has taken or plans to take to investigate whether Google has violated the terms of its consent agreement," wrote Reps. Markey, Barton and Stearns to the FTC.

The FTC has yet to weigh in on the matter.

http://www.eweek.com/c/a/Security/Google-Sued-Over-Safari-Privacy-Snafu-395296/
 