Windows 8 and 8.1 Forums

Google Bypassing User Privacy Settings

  1. #1

    When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies. Below we spell out in more detail what we’ve discovered, as well as recommendations to IE users on how to protect their privacy from Google with the use of IE9's Tracking Protection feature. We’ve also contacted Google and asked them to commit to honoring P3P privacy settings for users of all browsers.
    We’ve found that Google bypasses the P3P Privacy Protection feature in IE. The result is similar to the recent reports of Google’s circumvention of privacy protections in Apple’s Safari Web browser, even though the actual bypass mechanism Google uses is different.
    Internet Explorer 9 has an additional privacy feature called Tracking Protection which is not susceptible to this type of bypass. Microsoft recommends that customers who want to protect themselves from Google’s bypass of P3P Privacy Protection use Internet Explorer 9 and click here to add a Tracking Protection List. Customers can find additional lists and information on this page.
    Background: Google Bypassing Apple’s Privacy Settings

    A recent front page Wall Street Journal article described how Google “bypassed Apple browser settings for guarding privacy.” The editor and CEO of Business Insider, a business news and analysis site, summarized the situation:
    Google secretly developed a way to circumvent default privacy settings established by a… competitor, Apple… [and] Google then used the workaround to drop ad-tracking cookies on the Safari users, which is exactly the sort of practice that Apple was trying to prevent.
    Third-party cookies are a common mechanism used to track what people do online. Safari protects its users from being tracked this way by a default user setting that blocks third-party cookies. Here’s Business Insider’s summary:
    What Safari does NOT allow, by default, is for third-party … cookies on users' computers without their permission. It is these ad-tracking cookies that cause lots of Internet users to freak out that their privacy is being violated, so it's understandable that Apple decided to block them by default.
    But these default settings have created a problem for Google, at least with respect to its goals for its advertising business.
    Google’s approach to third-party cookies seems to have the side effect of Safari believing they are first-party cookies.
    What Happens in IE

    By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent.
    P3P, an official recommendation of the W3C Web standards body, is a Web technology that all browsers and sites can support. Sites use P3P to describe how they intend to use cookies and user information. By supporting P3P, browsers can block or allow cookies to honor user privacy preferences with respect to the site’s stated intentions.
    It’s worth noting that users cannot easily access P3P policies. Web sites send these policies directly to Web browsers using HTTP headers. The only people who see P3P descriptions are technically skilled and use special tools, like the Cookie inspector in the Fiddler tool. For example, here is the P3P Compact Policy (CP) statement from
    Each token (e.g. ALL, IND) has a specific meaning for a P3P-compliant Web browser. For example, ‘SAMo’ indicates that ‘We [the site] share information with Legal entities following our practices,’ and ‘TAI’ indicates ‘Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization.’ The details of privacy are complex, and the P3P standard is complex as well. You can read more about P3P here.
    Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy. It’s intended for humans to read even though P3P policies are designed for browsers to “read”:
    P3P: CP="This is not a P3P policy! See for more info."
    P3P-compliant browsers interpret Google’s policy as indicating that the cookie will not be used for any tracking purpose or any purpose at all. By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked. The P3P specification (“4.2 Compact Policy Vocabulary”) calls for IE’s implemented behavior when handling unknown tokens: “If an unrecognized token appears in a compact policy, the compact policy has the same semantics as if that token was not present.”
    Similarly, it’s worth noting section “3.2 Policies” from the P3P specification:
    3.2 Policies

    In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements.
    P3P is designed to support sites that convey their privacy intentions. Google’s use of P3P does not convey those intentions in a manner consistent with the technology.
    Because of the issues noted above, and the ongoing development of new mechanisms to track users that do not involve cookies, our focus is on the new Tracking Protection technology.
    Next Steps

    After investigating what Google sends to IE, we confirmed what we describe above. We have made a Tracking Protection List available that IE9 users can add by clicking here as a protection in the event that Google continues this practice. Customers can find additional lists and information on this page.
    The premise of Tracking Protection in IE9 is that tracking servers never have the opportunity to use cookies or any other mechanism to track the user if the user never sends anything to a tracking server. This logic underlies why Tracking Protection blocks network requests entirely. This new technology approach is currently undergoing the standardization process at the W3C.
    This blog post has additional information about IE’s cookie controls, and shows how you can block all cookies from a given site (e.g. * regardless of whether they are first- or third-party. This method of blocking cookies would not be subject to the methods Google used. We recommend that users not yet running IE9 take steps described in this post.
    Given this real-world behavior, we are investigating what additional changes to make to our products. The P3P specification says that browsers should ignore unknown tokens. Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action.

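The token handling described in the post above, sketched as an added example (not part of the original post, the IE blog, or any browser's code). It parses a compact policy against the P3P 1.0 section 4.2 vocabulary and compares the spec-following decision with the stricter handling of unrecognized tokens mentioned under "Next Steps". The `UNSATISFACTORY` set, the function names and the two constructed sample policies are assumptions made for illustration.

```python
import re

# Compact-policy vocabulary, P3P 1.0 section 4.2. Tokens in _SUFFIXED may
# carry a consent suffix: a (always), i (opt-in) or o (opt-out).
_SUFFIXED = "ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP DEL SAM UNR PUB OTR".split()
_PLAIN = ("NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR OUR NOR STP LEG BUS "
          "IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV "
          "OTC TST").split()
VOCAB = set(_PLAIN) | {t + s for t in _SUFFIXED for s in ("", "a", "i", "o")}

# Assumption: a stand-in for the user's privacy preferences, NOT IE's real rules.
UNSATISFACTORY = {"TEL", "UNR", "PUB"}

# Header text as quoted in the post (the URL is absent on the page).
GOOGLE = 'P3P: CP="This is not a P3P policy! See for more info."'
# Constructed samples: a policy that declares acceptable practices, one that
# declares unsatisfactory practices, and a header with no compact policy.
DECLARED_OK = 'P3P: CP="ALL IND DSP COR ADM CUR TAI OUR SAMo NAV"'
DECLARED_BAD = 'P3P: CP="NOI DSP TELo UNR NAV"'
NO_CP = 'P3P: policyref="/w3c/p3p.xml"'

def parse_cp(header):
    """Return (known, unknown) token lists, or None when no CP is present."""
    m = re.search(r'\bCP\s*=\s*"([^"]*)"', header)
    if m is None:
        return None
    tokens = m.group(1).split()
    known = [t for t in tokens if t in VOCAB]
    unknown = [t for t in tokens if t not in VOCAB]
    return known, unknown

def third_party_cookie_decision(header, strict=False):
    """'accept' or 'block' for a third-party cookie sent with this header."""
    parsed = parse_cp(header)
    if parsed is None:
        return "block"                  # no compact policy at all
    known, unknown = parsed
    if strict and (unknown or not known):
        return "block"                  # junk or empty policy is not trusted
    # Spec behaviour: unknown tokens are treated as if they were not present,
    # so a policy made only of unknown tokens declares nothing objectionable.
    declared = {t[:3] for t in known}   # drop the a/i/o consent suffix
    return "block" if declared & UNSATISFACTORY else "accept"

if __name__ == "__main__":
    for name, hdr in [("google", GOOGLE), ("ok", DECLARED_OK),
                      ("bad", DECLARED_BAD), ("no-cp", NO_CP)]:
        print(name, third_party_cookie_decision(hdr),
              third_party_cookie_decision(hdr, strict=True))
```

The same parser can be pointed at response headers captured with a proxy such as Fiddler to list sites whose compact policy consists only of unrecognized tokens.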

  2. #2

    Tropical Island Pair a Dice
    Posts : 3,030
    Windows 8.1 Pro x64/ Windows 7 Ult x64

    That is definitely too aggressive; everyone has the right to block any tracking by anyone.
    Just going around your settings is not acceptable.

  3. #3

    I may consider not using Google and their products.

  4. #4

    Google has some major bugs with this new build anyway. I just got rid of it.

  5. #5

    Am I in the right place?
    Posts : 340
    Windows 7 x64 Home Premium / Commodore OS Vision / Windows 8 Release preview

    Here is something you might want to do:

    1. Go to this address (you can use your local Google site (eg.

    2. Log in to your Google account (if you don't have one, please don't even get one)

    3. Click the button that says: clear data (or something like that)

    I'm completely not sure if it will really stop spying, but this is an outrage!
