Google Caught With Hand In Safari's Cookie Jar
Google is among a handful of companies that used a certain unusual characteristic of Apple's Safari Web browser to insert tracking cookies on users' machines, according to recent research from a Stanford grad student. The news has outraged consumer advocacy groups, though Google claims it was using known Safari functionality to provide features that signed in Google users had enabled.
02/17/12 11:58 AM PT
Google is one of four online advertising companies that have sneaked around the privacy settings in Apple's Safari Web browser to track users of Cupertino's devices, according to research from Stanford University graduate student Jonathan Mayer.
All four surreptitiously submitted a Web form and placed trackable cookies in Safari, Mayer's research has found.
Later, The Wall Street Journal claimed Google disabled the code after being contacted by the publication.
However, "the Journal mischaracterizes what happened and why," Google spokesperson Rachel Whetstone asserted.
What Google Did, and How
Safari is the first browser to block tracking cookies by default, Mayer said.
It also has a cookie-blocking policy that is less restrictive than those of other browsers. Safari allows a response to write cookies if an HTTP request to a third-party domain includes a cookie or is caused by the submission of an HTML form, Mayer said.
Google apparently leveraged the policy to circumvent Safari's privacy settings.
iFrames and Their Use by Google
An iFrame places an HTML document in a frame in another HTML document. You can use links in one iFrame to change links in another.
The iFrame used by Google loads a page that contains a meta refresh to a Google ad link, Mayer found. If the user's not logged into Google, the response directs the browser back to Google's DoubleClick advertising management and serving platform. If the user is logged in, the user is directed to Google's authentication service and then redirected to DoubleClick.
The tracking cookies last for 12 to 24 hours, Mayer said.
Vibrant Media, Media Innovation Group and PointRoll were the other three companies that Mayer found had circumvented Safari's privacy settings. Like Google, they submitted a form in an invisible iFrame to place trackable cookies in Safari.
Reaction to Google's Action
News of Google's circumvention of Safari's privacy policies has triggered outrage among consumer advocacy groups, some of which are calling on the Federal Trade Commission FTC to investigate.
"I expect many groups to express outrage at Google's wanton violation of privacy rights," John Simpson, consumer advocate at Consumer Watchdog, told TechNewsWorld. He has written to the FTC demanding an investigation of all four companies that sneaked around Safari's privacy settings, but urging it to focus on Google first. Google gave false advice to Safari users on how to opt out of receiving targeted advertising, Simpson alleged.
EPIC has also written to the FTC urging it once again to enforce a consent order entered into with Google in November over the violation of privacy by Google Buzz, the company's attempt to bring a social dimension to Gmail.
The Electronic Frontier Foundation called for Google to offer a built-in Do Not Track option. It said Google's tracking was probably an unintended side effect of a system the company built to bypass social personalization.
Do Not Track is a technology and policy proposal that lets users opt out of tracking by websites they don't visit. It's been implemented by Microsoft in Internet Explorer 9 and the Mozilla Foundation in Firefox. Google's solution is an option for users to keep their opt-outs as an extension for its Chrome browser.
Microsoft also took the opportunity to tweak Google over the circumvention of Safari's privacy settings.
Across the Pond and Into the EU
The Office of the Irish Data Protection Commission is also keeping an eye on the situation.
"This office was notified of this issue by Google yesterday in broad outline terms," Deputy Data Protection Commissioner Gary Davis of the Irish Data Protection Commission, told TechNewsWorld. "We have sought clarification from Google on a number of issues to assist our understanding of the matter and await a response."
"We used known Safari functionality to provide features that signed in Google users had enabled," Google's Whetstone told TechNewsWorld. The advertising cookies don't collect personal information, she added.
Google created a "temporary communication link" between Safari browsers and Google servers so that Google could ascertain whether Safari users were also signed into Google and had opted for personalized ads and other content, Whetstone said.
Google "didn't anticipate" that the Safari browser contained functionality enabling other advertising cookies to be set on the browser, Whetstone stated. Google has begun removing these advertising cookies from Safari browsers.
Users of any browsers who have opted out of personalized ad programs using Google's Ads Preferences Manager wouldn't have been affected, Whetstone contended.
However, Google ads are automatically opt-in. When asked whether Google clearly told Safari browser users about the Ads Preferences Manager and opting out, another Google spokesperson, Andrea Faville, declined comment.
Apple did not respond to our request for comment.