Google reportedly breached the privacy of millions of Apple Safari users by fooling the web browser into accepting tracking cookies it normally wouldn’t take. Google, however, says this is an unhappy accident and that Google never intended to track its users in this manner.
It’s a classic case of he said, she said. Here’s what’s going on.
Apple’s Safari is more aggressive by default than many browsers about blocking cookies that do not originate from the site you’re visiting, such as cookies served by online advertising firms. These are referred to as third-party cookies and are used by most online advertising companies and common on major websites. Google got around Safari’s privacy restrictions by exploiting a loophole that allowed the search giant to install a temporary cookie if a user clicked a +1 button embedded in online advertising, according to a report in The Wall Street Journal.
The matter primarily affects users of iOS and OS X devices where Safari is the default browser, but it potentially affects any system running Safari, which is also available for Windows.
How Google Did it
The trick, according to the Journal’s report, involves sticking a hidden web form inside an online ad with a +1 button, similar to Facebook “likes,” on it. If the user clicks on the +1 button, the web form tells Safari that the user filled out the phony form when in fact she or he had not, which allowed Google to install the cookie.
When a user appears to have explicitly interacted with content on a Website, Safari allows the site to install temporary cookies that are supposed to expire after 12 to 24 hours. As a result of this workaround, Google could then catalog a user’s browsing habits for its DoubleClick advertising business, according to research by Johnathan Mayer, a graduate student at Stanford University who first discovered Google’s tracking behavior.
For its part, Google says it wasn’t tracking people on purpose and only wanted to ascertain when a user was logged into a Google account. “We used known Safari functionality to provide features that signed-in Google users had enabled,” says Rachel Whetstone, Google’s senior vice president of communications and public policy, in a statement to PCWorld. If you were logged in, Google could then deliver personalized advertising and perform other functions, such as sending +1’s back to a user’s Google+ social networking profile.
“However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser,” Whetstone says. “We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers.” Google also emphasizes that its advertising cookies do not collect any personal information.
The text on the page used to read: “While we don’t have a Safari version of the Google advertising cookie opt-out plugin, Safari is set to block all third-party cookies. If you have not changed those settings, this option effectively accomplishes the same thing as setting the opt-out cookie.” Google has since removed that language from its site, but PCWorld was able to find the language in a cached version of the page dated February 14.
Common Practice by Default
Installing third-party tracking cookies on your browser is common practice for online advertising companies. Your browsing information is then mined so the sites serve up targeted advertising that, in theory, you are more likely to click on. Given that Safari is one of the most popular mobile browsers owing to the success of iOS devices such as the iPhone and iPad, Google and other firms were handicapped by Apple’s policies of disallowing third-party cookies by default. So Google, along with advertising firms such as Vibrant Media, Media Innovation Group, and PointRoll, used this workaround — Google called it “known functionality.”
It’s not clear when this Safari loophole that enables advertising to circumvent a browser’s privacy settings will be closed. Apple is reportedly working to stop this kind of activity, and the loophole has already been closed in WebKit, the open source version of Apple’s Safari. The patch was created in August, and the Journal says in a blog post that the fix was made, ironically enough, by two Google engineers.