Google Exploited Loophole To Track Safari Users’ Browsing Habits

    February 18, 2012

Google has made plenty of news lately over concerns with how they handle user privacy. Now it looks like they may have been circumventing privacy settings in Apple’s Safari browser – on computers and iOS devices alike – in order to track users’ web browsing habits for the purposes of advertising.

Is real privacy even possible on the internet anymore? What do you do to protect yourself from online snooping from advertisers and marketers? Let us know in the comments.

According to a report by the Wall Street Journal Friday morning, Stanford researcher Jonathan Mayer discovered that Google and other advertising companies were employing a workaround that allowed third party cookies to be installed by tricking Safari into thinking that the user had submitted a form which allowed the advertisers to set a tracking cooking on the user’s browser. According to the Journal’s researchers, this behavior occurred in Safari both on iOS devices, and on computers (presumably both Windows and Mac versions of Safari). Here’s the Journal’s explanation of how the exploit works:

Google's iFrame Tracking Workaround

Here are the full results of Jonathan Mayer’s investigation.

Google, however, insists that the Wall Street Journal is blowing the situation out of proportion. They say that the code in question was designed to allow certain features such as “Like” and “+1” buttons to function in Safari the way they do in other browsers (which allow third party cookies by default, unlike Safari). The workaround was only meant to apply to Google users who were signed in and allowed Google to show them personalized content. That the code allowed other advertisers to set their own cookies as well. Google says that once the Journal brought this to their attention, they disabled the code and began deleting the cookies.

In response to a request for comment, Google sent us the following statement from Rachel Whetstone, Senior Vice President, Communications and Public Policy:

The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.

Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content–such as the ability to “+1” things that interest them.

To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous–effectively creating a barrier between their personal information and the web content they browse.

However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.

A request for comment was also sent to Apple, but they have not yet responded. Business Insider, citing “an industry source who we believe understands Google’s perspective” suggests that Google’s intent was not malicious. Rather, they set out to solve a specific problem concerning their advertising business: Safari behaves differently than every other web browser, and that behavior impacts how Google’s ads work. The problem, this source suggests, is that the workaround was likely developed and implemented without thought toward how it would look from a public relations perspective.

Is it possible that Apple is partly to blame for making Safari function differently than other browsers? Should Apple bear any of the blame for the loophole that made Google’s workaround possible? Let us know in the comments.

In sum, it seems likely that Google is not actually out to spy on their users. Nevertheless, the situation is intensely problematic for Google. The company has already caught significant flack for planned updates to their privacy policy. Moreover, Google (as well as other internet giants like Facebook) has long been fighting an uphill PR battle to convince people that they are not engaged in Big Brother-esque monitoring of people’s internet habits.

The backlash against Google has been swift. In addition to the general public outcry, Consumer Watchdog has filed a complaint (PDF) with the Federal Trade Commission. Their letter calls Google’s actions unfair and deceptive, accuses Google of violating the 2011 consent order concerning Google Buzz, and calls on the FTC to “take immediate action against Google.” Consumer Watchdog has long had a beef with Google (e.g., a series of anti-Google videos that can be found here, here, and here). The consent order mentioned in Consumer Watchdog’s letter has also been the subject of a suit filed against the FTC by the Electronic Privacy Information Center. That suit seeks the to force the FTC to block the rollout of Google’s new unified privacy policy, which is currently scheduled for March 1.

Do you believe Google’s story? Could this be a relatively innocent workaround that got out of hand, or is there something more sinister? What should happen to Google after this? Does this make you less likely to trust Google’s new privacy policy? Let us know in the comments.