There's a spat going on between Google and Microsoft at the moment because Google has evidently found a way to circumvent Microsoft's privacy controls in Internet Explorer and continue tracking users without their permission. Microsoft has of course taken the opportunity to be for once The Good Guy, and is roundly berating Google for ignoring users' preferences.


Dean Hachamovitch is the Microsoft executive in charge of Internet Explorer, and has written a blog post, "Google Bypassing User Privacy Settings" in which he says that

"Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies"


According to the Computerworld article about this,

P3P, for "Platform for Privacy Preferences," is a 10-year-old Web standard that websites can use to describe how they use cookies and user information. By default, IE blocks all tracking cookies from sites that do not present a valid P3P compact policy (CP), a string of codes sent to browsers as part of the HTTP header.


Google, said Hachamovitch, was gaming P3P to trick IE into accepting tracking cookies, even though Google's Compact Policy Statement does not spell out the search giant's intent. "Google bypasses the cookie protection [in IE] and enables its third-party cookies to be allowed rather than blocked,"  (Dean) Hachamovitch (who leads the IE team) charged.


P3P is said to be a better solution to the problem of cookie-tracking than "Do Not Track", which is backed by the FTC and Microsoft, but is not the perfect answer :

"It's more readily enforced than Do Not Track, because it forces a website to declare its privacy policies. But it's really important for regulators to enforce the policies," Cranor said.


And that's not happened.


"Once people saw that there were bugs in P3P that could be used to circumvent privacy policies, and that when they did, nothing happened, then all bets were off," said Cranor.


Enter the Knight In Shining Armour : Sir Microsoft de Redmond, valiantly doing battle with the Cookie Dragon.

After investigating what Google sends to IE, we confirmed what we describe above. We have made a Tracking Protection List available that IE9 users can add by clicking here as a protection in the event that Google continues this practice. Customers can find additional lists and information on this page.


The premise of Tracking Protection in IE9 is that tracking servers never have the opportunity to use cookies or any other mechanism to track the user if the user never sends anything to a tracking server. This logic underlies why Tracking Protection blocks network requests entirely. This new technology approach is currently undergoing the standardization process at the W3C.


This blog post has additional information about IE’s cookie controls, and shows how you can block all cookies from a given site (e.g. *.google.com) regardless of whether they are first- or third-party. This method of blocking cookies would not be subject to the methods Google used. We recommend that users not yet running IE9 take steps described in this post.


The most interesting part of this is, for users with versions of Internet Explorer prior to IE9, the how-to tutorial in that blog post. It lets slip nuggets of information that you won't find in the officially-sanctioned Help files, such as this one -

Interestingly, when IE7 reconfigured the Trusted Zone to use the Medium Security Settings template, the default for the URLAction in this zone was changed from Allow (0) to Evaluate P3P Policy (1). Unfortunately, there's no UI for configuring the P3P Policy for the Trusted Zone (oops!), so you may find that cookies are blocked for Trusted Sites by IE7 and later unless you change the Trusted Zone to use the Medium-Low template[2] which will Allow all cookies for the Trusted Site.


Best of all, it shows you how to import Privacy Import Files into Internet Explorer, and explains what they do :

The Import button[3] on the Privacy tab allows you to import a Privacy Import File. Privacy Import Files expose a rich set of XML tags that allow fine-grained specification of the cookie policies desired; you can author your own or import one provided by someone else.


One very cool thing about the Privacy Import Files is that you can specify preferences which aren't available via the UI. For instance:

  • P3P-Medium, except any non-blocked 3rd-party Persistent cookies are downgraded to Session cookies (right-click and Save-Target-As Medium+Downgrade3rdParty.xml)
  • P3P-Medium for 1st-party cookies; all 3rd-party cookies are permitted but downgraded to Session cookies (right-click and Save-Target-As Allow3rdPartyButDowngrade.xml)

You can play around with the impact of these settings using a little test page which sets first-party and third-party session and persistent cookies; open and close the browser to see how the downgraded 3rd party cookies are cleared.


All in all, a very useful blog. Especially if, like many users who post to this Community, you're concerned about tracking cookies - and how not to end with them on your system in the first place. Which is now doubly important since McAfee has taken the decision that cookies are, after all, No Big Deal and no longer blocks them automatically. I advise anyone interested in this to read the Computerworld article and the Microsoft blog posts. The subject of cookies is not, I think, going to go away any time soon.


If you want to see what effect your current cookie-handling settings actually have on cookies, go to http://www.enhanceie.com/test/cookie/ where you will see this page illustrating cookies that are currently set : they will all be new ones.

Cookie Test Page.png


Then reload the page. Try it in different browsers. The two examples below are, respectively, from Internet Explorer and Chrome.

Cookie Test Page 2 (IE).png


Cookie Test Page 2 (Chrome).png

I bet you never knew cookies could be such fun.


More fun with cookies : http://www.popularcookierecipes.com/

A while ago I wrote a short blog post to spread the word about a Microsoft freebie ("Free - Windows 7 Users Guide e-book from Microsoft"). That was not, strictly speaking, from Microsoft itself, but it came from Microsoft Technet UK so it clearly had the company's blessing.


Now for some reason I am receiving newsletters from Microsoft Ireland but not the UK (no idea why) and the latest one is impressively generous. Microsoft are falling over themselves to give stuff away - books, posters, training, competitions, software, security tools, Memory keys, Books, T-Shirts, Jackets (maybe). Even a Windows Phone every month.  I had no idea they had all this spare cash they didn't know what to do with ...


Free Stuff

Learn Along With Dave

I’ve managed to source enough “goodies” to offer a few prizes every week from now until the Summer (nothing spectacular: Memory keys, Books, T-Shirts or Jackets maybe).  I’ve nearly closed out on getting funding to offer a monthly Windows Phone giveaway (hopefully the Nokia Lumia 800).


What do you have to do to win them?  Simply Learn Along With Dave!  Which just means avail of some free training on the Microsoft Virtual Academy and prove to me that you’ve passed a particular exam/test.


Free eBooks and Posters

Big thanks to Gerry Forde for pointing this out: http://blogs.technet.com/b/yungchou/archive/2011/12/06/free-ebooks.aspx


Free Trial Software

A good starting point to find all our free trial software is here (the Download Centre).  If you’re interested in building your own Private Cloud, then look no further than here.


FREE Security Tools

I shared these FREE Security Tools last month – they’re still worth sharing.


The free e-books include several titles which might be of interest. All of these are Microsoft Technet publications and are available through the link above but, if you want to shortcut straight to the download pages, just click on the titles below. The default format is a PDF file.


- "Deploying Windows 7"

Microsoft’s eBook Deploying Windows® 7 Essential Guidance from the Windows 7 Resource Kit and TechNet Magazine combine selected chapters written by industry experts Mitch Tulloch, Tony Northrup, Jerry Honeycutt, Ed Wilson, and the Windows 7 Team with select Windows 7 articles from TechNet Magazine. Sample topics include: Deployment Platform, Planning Deployment, Testing Application Compatability, and 8 Common Issues in Windows 7 Migrations.


- Office 365"


- "Introducing Windows Server 2008 R2"


- "Programming Windows Phone 7 Series"


There are other titles, plus some posters (I quite like the "SharePoint 2010: SharePoint Developer Platform Wall Poster"). They are available (once again) from http://blogs.technet.com/b/yungchou/archive/2011/12/06/free-ebooks.aspx