Microsoft: Google Breaches P3P Policy, But They Let Facebook "Do It"

Update: See statement from Google at the end of the post

There has been a lot of hoopla about Google breaching privacy and circumnavigating settings in Safari. They have definitely been circumspect at what they are doing but a new report from Microsoft which says that Google did similar things with IE9 as well. Well, here’s the catch, there is nothing illegal Google did and Microsoft just let off the hook with it.

Let’s get to the start of where Microsoft is accusing Google:

By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent.

Well for starters, P3P is outdated and no longer under development. It is a age old policy which many websites including both Google and Facebook choose to ignore or not follow at all and mind you there is nothing legally wrong with it.

Google and Facebook authentication both have fake P3P policies in the HTTP headers that link to a webpage that explains why they don’t support it:

As you can see from the above, Facebook does not have a P3P policy and Google chooses to ignore it altogether. Now, both these approaches are different but they do the same thing; allow these websites to access third-party cookies because they don’t follow the P3P policies.

P3P also known as Platform for Privacy Preferences was started out by W3C in 2006 and the final draft was published in 2007. However, after P3P 1.1, W3C also effectively suspended all work on P3P as is evident from This means that the technology in question Microsoft has been using to gather information against Google was no longer developed for 5 years or more.

After a successful Last Call, the P3P Working Group decided to publish the P3P 1.1 Specification as a Working Group Note to give P3P 1.1 a provisionally final state.

The P3P Specification Working Group took this step as there was insufficient support from current Browser implementers for the implementation of P3P 1.1. The P3P 1.1 Working Group Note contains all changes from the P3P 1.1 Last Call. The Group thinks that P3P 1.1 is now ready for implementation. It is not excluded that W3C will push P3P 1.1 until Recommendation if there is sufficient support for implementation.

On the other hand, P3P keeps being the basis of a number of research directions in the area of privacy world wide. One might cite the PRIME Project as well as the Policy aware Web. Many other approaches also follow the descriptive metadata approach started by P3P. Such projects are invited to send email to <[email protected]> to be listed here.

This puts a big question mark, because Microsoft provided evidence against Google using this outdated technology which several companies and browser no longer honor.

So all in all, Microsoft is more than happy to give the same information to Facebook (because they are their partners) while dishing out hate to Google? This is definitely not the best way for a company which hardly follows W3C standards for web coding and CSS to accuse others of circumnavigating things which are outdated.

Google’s Statement Regards to Microsoft Accusations by Rachel Whetstone, Senior Vice President of Communications and Policy, Google

Microsoft omitted important information from its blog post today.

Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known – including by Microsoft – that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other websites.

Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.

Google also goes on to suggest that this has been around since 2002. You’ll find the entire statement from Google below:

For many years, Microsoft’s browser has requested every website to “self-declare” its cookies and privacy policies in machine readable form, using particular “P3P” three-letter policies.
Essentially, Microsoft’s Internet Explorer browser requests of websites, “Tell us what sort of functionality your cookies provide, and we’ll decide whether to allow them.” This didn’t have a huge impact in 2002 when P3P was introduced (in fact the Wall Street Journal today states that our DoubleClick ad cookies comply with Microsoft’s request), but newer cookie-based features are broken by the Microsoft implementation in IE. These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services. It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality.
Today the Microsoft policy is widely non-operational.
In 2010 it was reported:

Browsers like Chrome, Firefox and Safari have simpler security settings. Instead of checking a site’s compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies…..

Thousands of sites don’t use valid P3P policies….
A firm that helps companies implement privacy standards, TRUSTe, confirmed in 2010 that most of the websites it certifies were not using valid P3P policies as requested by Microsoft:

Despite having been around for over a decade, P3P adoption has not taken off. It’s worth noting again that less than 12 percent of the more than 3,000 websites TRUSTe certifies have a P3P compact policy. The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure.

A 2010 research paper by Carnegie Mellon found that 11,176 of 33,139 websites were not issuing valid P3P policies as requested by Microsoft.
In the research paper, among the websites that were most frequently providing different code to that requested by Microsoft: Microsoft’s own and websites.
Microsoft support website
The 2010 research paper “discovered that Microsoft’s support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE.” This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft.
Google’s provided a link that explained our practice.
Microsoft could change this today
As others are noting today, this has been well known for years.

  • Privacy researcher Lauren Weinstein states: “In any case, Microsoft’s posting today, given what was already long known about IE and P3P deficiences in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues.”
  • Chris Soghoian, a privacy researcher, points out: “Instead of fixing P3P loophole in IE that FB & Amazon exploited …MS did nothing. Now they complain after Google uses it.”
  • Even the Wall Street Journal says: “It involves a problem that has been known about for some time by Microsoft and privacy researchers….”

Path, Hipster, and Several Other Mobile Apps Caught Uploading Contact List without Permission

Last year, Facebook’s mobile apps received flak for uploading numbers of cell phone contacts without intimating the user. Unfortunately, it now appears that this practise is a lot more prevalent than most of us could have anticipated.

Earlier today, Arun Thampi discovered that the new social network Path is also doing pretty much the same thing. He made this startling discovery by snooping on the API requests made by Path’s iOS app with the help of a man-in-the-middle proxy tool. Thampi found that as soon as you create a new account or log into Path’s iOS app, your entire contact list is uploaded to its servers. Everything including your contacts’ name, email address, and phone number is silently uploaded over HTTPS, and there is nothing you can do about it.

Soon after, Mark Chang uncovered that location sharing social network Hipster also grabs your contact list. However, Hipster is even more callous with your personal data. It transmits email addresses from your phone’s address book to its servers without even bothering to encrypt them.

Path uploading user’s address book

After the news broke, Path’s CEO Dave Morin apologized to users and offered the following statement.

We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.

As Morin explains, social networking apps like Path have a valid reason for requiring access to your address book. However, there is simply no excuse for failing to intimate the user about the same. Heck, Path and Hipster doesn’t even mention this in their FAQ, which most services use for covering their back while performing shady activities. The good thing is that Path has already rectified its mistake. In the latest version of its Android app, contact upload is opt-in, and the iPhone users will also get the same treatment as soon as Apple approves the latest update. Meanwhile, if you don’t want Path to have a copy of your phone book, you can request the deletion of data from its servers by sending a mail to [email protected]

Update: Path 2.0.6 for iOS is now available in the App Store.

As I mentioned upfront, this practice is way more widespread than any of us could have imagined. Hacker News readers have already identified the same behavior in Beluga and Kik Messenger. Earlier today, Aurora Feint got delisted from the App Store for transmitting address book as plain text. However, with Feint, at least this is strictly opt-in.

Address book is something most users treat as extremely sensitive information, and it’s high time that the industry realizes that. Android does notify the user during installation, if the app accesses the address book. However, most users simply don’t have the habit of paying attention to the “Permissions” screen while installing apps. Moreover, there is no reason to conclude that if an app is reading contact data, it is uploading the same to its servers without permission. On the other hand, Apple, which often positions its App Store as more secure, gives apps full access to the address book without even requiring any additional permission.

One thing that Morin is right about is that this is an extremely important conversation. Hopefully, people will not just move on after expressing their knee-jerk reaction. An iOS app called MobileSubstrate that will alert users every time an app tries to access the phonebook is already under development for jailbroken devices. Ideally though, Apple and Google should take responsibility, and do a better job at protecting the user’s privacy. Perhaps, they should even consider changing their APIs to force apps into explicitly seeking permission before accessing the address book.

Google Guesses Age and Gender Based on Websites You Visit

Quite recently, Google made several changes to their privacy policy to simplify it and merge several privacy policies into one. One of the changes Google made was to allow users to change their ads preferences easily across the board.

However, one interesting thing that Google has now disclosed through their Ad Preferences Manager is that, Google has been guessing a user’s age and gender based on the websites they have visited.

Google Demographics Guess

Google says that the gender and age are determined by the websites a user visits. In my case both the Age as well as the Gender were correct. Google does not say as to how they are coming up with that assumption but their algorithm looks pretty accurate for most users and might include data from as well. Of course, this information may not be right always and Google provides users with an option to correct it as well.

Google uses this age and gender information along with other preferences to display personalize ads for the users. If you are not comfortable with Google collecting this information, you can easily Opt out by visiting this page.

You can view your own Age and Gender information by visiting Google Ad Preferences Manager page, however, you will have to be logged in with a Google account to view this information. Do let us know if Google was correctly able to guess it for you or not.

W3C Proposes a Standard for “Do Not Track”

In wake of privacy concerns, the W3C has recognized “Do Not Track” as a standard and has proposed the first bill, which lays the foundation of “Do Not Track” a.k.a DNT. This bill will prevent websites like Google and Facebook from selling user data to advertisers. While some users like to see personalized ads, others do not want any of their data to be used to serve ads. This can create a tricky situation and “Do not track” is the way to go.


This Monday, the W3C proposed the first draft of its standard for implementing DNT. The proposed bill works for both site owners and users. The  Tracking Preference Expression  or DNT is explained as:

The  DNT  header field is hereby defined as the means for expressing a user’s tracking preference via HTTP [HTTP11]. A user agent  must  send the  DNT  header field on all HTTP requests if (and only if) DNT is  enabled. A user agent  must not  send the  DNT  header field if DNT is  not enabled.

DNT-field-name   = “DNT”                                                   ; case-insensitive

DNT-field-value = ( “0” / “1” ) *DNT-extension     ; case-sensitive

DNT-extension     = %x21-2B / %x2D-7E                           ; visible ASCII except “,”

The draft will be published in the summer of 2012. A large part of this work is derived from Mozilla’s work with the DNT header.  Aleecia M. McDonald, a privacy researcher for the Mozilla Foundation is the co-chairman of the Tracking Protection working group, which is working on the DNT standard.

While the bill creates a reasonable protective barrier for privacy-concerned users, it also has the potential to hamper millions of online business that rely on advertisement revenue. In a way, this bill might break the Advertising industry at its present state. The advertising industry needs to reform itself and keep up with the bill to reach a reasonable balance between the world of publishers, consumers and advertisers.

(Image via)

U.S Congressman Demands Amazon Answer Privacy Questions Concerning Kindle Fire

Worried about privacy? Well you’re not alone. U.S Congressman Edward Markey has published an open letter to Amazon’s CEO, Jeff Bezos, demanding an answer to privacy issues.

With the recent announcement of the Amazon Kindle Fire, an Android tablet powering Amazon’s content store, the Silk browser came to the forefront as a great leap in browsing. While ‘proxy-browsing’ is nothing new, Skyfire and Opera Mini have been doing it for ages, Silk will be the primary way all Kindle Fire users browse the web. This allows for Amazon to collect a HUGE amount of data that can be used for advertising or other means of monetizing personal information. Imagine that, a company making money off your personal online habits.

What is the Congressman after? Answers about what Amazon is collecting, how they are collecting it and what they plan on doing with it. Markey specifically poses the questions and demands an answer within 3 weeks.

  • What information does Amazon plan to collect about users of the Kindle Fire?
  • Does Amazon plan to sell, rent or otherwise make available this customer information to outside companies?
  • How does Amazon plan to disclose its privacy policy to Fire and Silk users
  • If Amazon plans to collect information about its users’ Internet browsing habits, will customers be able to affirmatively opt in to participate in the data sharing program?
Thank you for your attention to this important matter. Please provide the responses to these questions no later than November 4, 2011.

Amazon has built a huge network of infrastructure to leverage “server-side browsing” and make it completely invisible to the user. Browsing data and purchasing information is constantly being sent to Amazon and there is no known way to opt-out.  You could, of course, purchase one of the 30 other Android tablets on the market, that have unfettered access to the Amazon Kindle service.

While the Congressman does have his heart in the right place with these questions, especially considering he is Co-Chairman of the Congressional Bi-Partisan Privacy Caucus, this seems like a play using a very well known product to raise awareness for his ‘Do Not Track Kids’ legislation which attempts to protect online privacy for children. Won’t somebody think of the children?!

Do you really care if Amazon knows what you’re browsing the internet for? You probably already give that information to numerous other companies like Google or Facebook — what does one more Big Brother matter when you already have 6 looking over your shoulder?

Facebook Introduces Sweeping Sharing and Privacy Changes

It seems like we hear horror stories about Facebook every day. There are writers who spend all their time at Techie Buzz warning you about Facebook scams. Joel just did a great write up on how to not get hacked on the worlds largest social network. Now, it looks like Facebook is ready to help you control your sharing and privacy setting.

Announced today on their official blog, Facebook is introducing a slew of changes to their privacy and sharing settings. These are some seriously good changes for Facebook, which hasn’t always been known for giving users control over their sharing. There are a large number of smaller changes, but they can be broken down into two big categories. Let’s take a look at each one.

Tagging Changes


The first tagging related change is the ability to control when tagged photos appear on your profile. In the past, when someone tagged you in a photo, it would appear on your profile automatically. That lead to many spam tags appearing on profiles, and that was a huge problem for users. Now, you can choose to approve or reject each tagged photo posting individually, giving you more control over what appears on your Facbook profile.


The next major tagging change is an old feature brought back. In the old days of Facebook, you had the ability to approve or reject tags people added to your photos or posts. Facebook has brought that back for users, which is good news. Now random people tagging your photos without your knowledge won’t be a big deal anymore.

The next tagging change revolves around the tagging of non-friends and locations. Previously, Facebook only allowed you to tag people you are friends with in your posts. That meant that if you were with someone who you weren’t friends with, you couldn’t tag them. Now, you can, with their approval.


In addition to that, you can now tag locations without checking into them, which makes locations much more useful. Interestingly enough, this change means that Facebook is now phasing out the mobile-only version of Places. That means that all settings associated with that will be removed, and will need to be replaced in the new location settings.


The final tagging change revolves around the removal of tags and content on Facebook. In the past, the process of untagging and removing of content was unclear for many users. Now, Facebook will prompt you for a reason, which will allow you to take one of a set of actions against a piece on content. This marks a new phase for controlling your persona via Facebook, giving you the ability to request the takedown of a photo or even block a user based on a tag.

Sharing Changes


The next big set of changes from Facebook revolves around sharing controls. Many of us (myself included) are enthralled by Google’s sharing system on Google+. Facebook now has something very similar with its Inline Sharing Controls. When you make a post on Facebook going forward, you will have the ability to select who gets to see it. Options include Public, Friends, and Custom, and will grow to include Facebook Lists in the near future.

In the past, once a post was posted you could not change the sharing settings. Now, you are given the option to change those settings after you hit ‘Post.’ This will allow you to stop that secret message for your best friends going out to everyone on the internet.


The last change Facebook announced is a change in the way you handle your profile visibility. In the past, if you wanted to see what your profile looked like to the public, it was hard to do. Now, you will have a button on your Facebook profile to access these previews. This button is labeled ‘View Profile As…’, and will do just what I described.

Facebook: Now More Privacy Friendly

There you have it. Facebook is now working very hard to help users get more control over their content. These changes are, together, the most sweeping sharing and privacy changes Facebook has ever released. These new features will be released to all users over the next few days, starting today. When you receive them, you will get a walkthrough to see all the new changes.

What do you think of Facebook’s changes? Are you happy to see this kind of user privacy become a priority at Facebook? Is there a change you were hoping to see sometime soon? Let us know what you think in comment section below.

Name-Tagging People Exposes Picasa Web Albums on Google+

Google+ recently caused privacy concerns with its unique idea of tagging and sharing. Name-tagging people in a Picasa Web Albums exposes the entire album to the public in Google+ quite badly. Once you name-tag someone in a Picasa Web Album, your entire album becomes publicly visible to people tagged in the album. Not only this, people can also reshare all other photographs from those albums in which they are tagged.

In its Picasa help document, Google claims “Tagging is sharing”. Since when is that? Well, that is since Google+ came to be.
Google has recently taken interest in this problem. Their reply at the help forum says,

The Google+ project is currently in Field Trial and we’re making rapid iterations on feedback we’ve received. We’re aware of the requests for more control over who can share albums and we’re working to address this.

That does not give an assurance for a fix but it echoes the fact that Google+ is open for change at the moment. Google+ has also listed a few dubious  suggestions like deleting your Picasa Web album or downgrading to move out of Google Plus. Either way, the solution to a problem cannot be another bigger problem, which is exactly what is being suggested here.

Google+ has a nice networking site going on. People love the concept of circles. They appreciate huddles and are intrigued by how simple, yet how elegant the entire Google+ system is. Fresh out of the incubator and that too half-baked, Google+ needs some more honing before it can go mainstream. Bugs keep springing up every now and then. However, bugs with a privacy concerns edge are dangerous. They attract a lot of negative press.

Google should work fast to resolve this issue and nip it in the bud. The issues can be seen on the Google Picasa Support forum at  this link.

Nissan LEAF In-Car Computer Leaks Location Information

The Nissan LEAF (Leading, Environmentally friendly, Affordable, Family) car is currently being put through the paces in the hands of Casey Halverson, a network engineer at InfoSpace. At the heart of the LEAF is CARWINGS, a “telematics system” used for plotting and displaying various internal functions such as energy consumption, charge status as well as the ability to display content pulled from the internet.  Nissan has taken the technology of the car and is attempting to empower users with it by providing information about the car instantly through iPhone apps and an always-connected web app. Unfortunate for many LEAF owners, it would seem that Nissan may have overlooked customer privacy when developing the system.

In addition to requesting data through an RSS feed, CARWINGS takes it upon itself to pass along your current location in the form of  GPS co-ordinates, speed, direction and more. What’s worse, is that any configured feed is given the information and it can be harvested by third parties.

While there are many legitimate uses for providing these details, such as location-aware feeds for weather, driving directions or even traffic details – it would seem that at no time is this told to users and no option is available for opting out.

A video documentation shows off CARWINGS in use, set up with a simple feed that takes the information the LEAF has stored and provides it back to the user. Whether or not LEAF owners will consider this a gross invasion of privacy due to how such information can be leverage or if they find it a nice luxury that they don’t have to enter in their current location to see it’s raining will largely depend on how Nissan explains to the general customer why they share this information.

Via SeattleWireless

Mark Zuckerberg Wants Kids Under 13 To Use Facebook

Mark Zuckerberg, Facebook founder, wants kids under 13 years of age to be allowed to use social networking sites. Though there are millions of kids already using Facebook who are under 13, Zuckerberg wants to make it legal as Children’s Online Privacy Protection Act (COPPA)  restricts websites from collecting personal information of children under the age of 13.

Facebook For Kids

According to  Fortune, Zuckerberg said he wants younger kids to be allowed on social networking sites like Facebook. Currently, the Children’s Online Privacy Protection Act (COPPA) mandates websites that collect information about users aren’t allowed to sign on anyone under the age of 13. But Zuckerberg is determined to change this.

Zuckerberg’s philosophy is that for education, kids need to start learning at a very young age. Allowing kids onto social networking site, will help them learn new things quickly.

“Education is clearly the biggest thing that will drive how the economy improves over the long term,” Zuckerberg said.

Right or wrong, but I’m sure parents won’t like their kids using Facebook or any other social networking sites at a very young age because they might get addicted to it (You know, there are many useless games on Facebook). With a number of scams spreading on Facebook, I don’t think it’s safe for children to use it. Mark Zuckerberg should rather be concerned about on how he could prevent Facebook from scams.

Speculation: NSA Building Exaflop Supercomputer?

The United States Government’s National Security Agency (aka the where-privacy-goes-to-die agency) is apparently building a new supercomputer called the for its High Performance Computing Centre. The supercomputer will cost about $895.6 million, as revealed by unclassified documents. The supercomputer is to be built at the headquarters of the agency in Fort Meade, Md. and is slated for completion by 2015.


The NSA is a surveillance organization (to use a nonspecific and broad generalization) that has been operating since 1952 and is responsible for the decryption of foreign intelligence and the safeguarding and encryption of USA’s domestic signals. The agency has a history of using supercomputers, starting with the purchase and use of one of the first Cray supercomputers (The Cray X-MP/24) which is now decommissioned and is on display at the National Cryptologic Museum.

While exactly how large this computer that the NSA is building is unknown, it is very likely that the computer will be able to perform at 1 exaFLOP. A FLOP, or FLoating point OPerations per Second is a measure of how fast a computer is. It is basically the number of floating point calculations performed in unit time by the computer. A simple hand-held calculator is about 10 FLOPS on an average to show instantaneous results.

An exaFLOP is 10 followed by 18 zeroes (10^18)

In comparison, the combined computing power of the top 500 supercomputers in the world is about 32.4 petaFLOPS (32.4 x 10^15). That is, the new supercomputer being constructed by the NSA is about 31 times faster than the top 500 supercomputers in the world taken together.

However, all this is still speculation, garnered by the power requirements for the new computer about 60 megaWatts. The calculation is based on the Sequoia BlueGene/Q IBM supercomputer that is also under production that needs performs around 20 petaFLOPS and needs 6 megaWatts of power.

Of course, the NSA needs more computing power to sift through all the emails, phone calls and messages we send each day, right?