WSJ: Safari Loophole Allowed Google to Track Users via Ads
Google and a number of other ad networks have been accused of tracking users' web browsing by using a loophole to circumvent Safari's default security settings.
Over the last few weeks, Google's found itself at the receiving end of quite a bit of criticism regarding planned changes to its privacy policy. Now it seems the company is in hot water again. An article published in the Wall Street Journal has revealed that the search giant (along with several other ad networks) has been tracking iPhone and Mac users via Apple's Safari browser.
Here's what happened: Apple's Safari browser is set to block third-party cookies by default, accepting cookies only from sites that a user visits or interacts with. However, there is an exception to this rule that allows cookies if you interact with a form or advertisement in certain ways. The Journal reports that Google and other ad networks took advantage of this exception by using an invisible form and its +1 Google+ recommendation system. Essentially, Google allowed Safari users who had signed into Google+ to interact with DoubleClick ads using an embedded '+1' button. This would then send off an invisible form that would have Safari think the user had provided permission for cookies to be stored.
For its part, Google says that it used this workaround to enable signed-in users to give +1 votes to content, but was unaware that it inadvertently enabled the advertising cookies. The search giant has since disabled the feature. It said in a statement to Electronista that users who had opted out of its interest-based ad program (via Google's Ad Preferences Manager) were not affected by the workaround. Check out the full statement below:
"The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.
"Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to “+1” things that interest them.
"To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous--effectively creating a barrier between their personal information and the web content they browse.
"However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.
"Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager."
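The cookie exception described in the article, and the follow-on effect mentioned in Google's statement, can be modelled in a few lines. This is an added example, not code from Safari, Google or the Journal's report; the request fields, site names and both policy functions are hypothetical simplifications.

```javascript
// Simplified model of a third-party cookie policy. Not Safari's implementation:
// the request fields and both policy functions are hypothetical.
function makeBrowser(policy) {
  const jar = new Map(); // cookie site -> Set of cookie names
  return {
    jar,
    // Returns true if the cookie in this request is stored.
    handle(req) {
      const firstParty = req.cookieSite === req.topLevelSite;
      const allowed = firstParty || policy(req, jar);
      if (allowed) {
        if (!jar.has(req.cookieSite)) jar.set(req.cookieSite, new Set());
        jar.get(req.cookieSite).add(req.cookieName);
      }
      return allowed;
    },
  };
}

// Loose: any form submission counts as interaction, and a site that already
// holds a cookie may set more (the follow-on effect, assumed for this model).
function loosePolicy(req, jar) {
  return req.isFormSubmission || jar.has(req.cookieSite);
}

// Stricter: the form exception needs a real user gesture, and an existing
// cookie grants nothing further.
function strictPolicy(req) {
  return req.isFormSubmission && req.userGesture;
}

// Constructed sequence: a page on news.example embeds a frame from ads.example.
const frame = { topLevelSite: 'news.example', cookieSite: 'ads.example' };
const CONSTRUCTED_REQUESTS = [
  { ...frame, cookieName: 'plain', isFormSubmission: false, userGesture: false },
  { ...frame, cookieName: 'link', isFormSubmission: true, userGesture: false }, // script-submitted form
  { ...frame, cookieName: 'ad_id', isFormSubmission: false, userGesture: false }, // later ad request
];

function replay(policy) {
  const browser = makeBrowser(policy);
  return CONSTRUCTED_REQUESTS.map((req) => browser.handle(req));
}

console.log('loose :', replay(loosePolicy)); // [ false, true, true ]
console.log('strict:', replay(strictPolicy)); // [ false, false, false ]
```

Under the loose policy a single form submission without a user gesture is enough for every later cookie from the same site to be stored, which is why the stricter variant ties the exception to the gesture rather than to the request type.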
Google wasn't the only one using this loophole. The code, which was discovered by Stanford researcher Jonathan Mayer, was also used by Media Innovation Group, PointRoll, and Vibrant Media. However, Google is the most high-profile of the listed offenders, and with recent discussions over the search giant's attitude to user privacy, it's hardly surprising that it is receiving more attention than others over this.
[UPDATE] Well, it's all fun and games until someone phones the FTC, isn't it? Ars reports that Consumer Watchdog has asked the Federal Trade Commission to investigate this issue. Specifically, they want to know if Google has violated a previous agreement with the FTC by tracking cookies in this way.

I hope the FTC slams all those mutha's. I'm tired of their lying sneaky ways they keep trying to steal your information or force feed you ads. If your org can't sustain itself without lying and cheating then maybe it wasn't meant to be. Just go out of business. The web was built to share information and not advertisements that track and steal.
"but was unaware that it inadvertently enabled the advertising cookies"
Yeah, right. Because Google employs 2nd tier programmers.
Gimme a break. You got caught with your fingers in the cookie jar (pun intended).
It seems that slowly but persistently Google is sliding down the slope of misconduct like every other corporation that grew too big to be held accountable.
Shame, but certainly no surprise.
But but Apple products are impervious and patched quickly if anything is found... *trying to hold laughter*
"Don't be evil"
"provide features"
"privacy policy"
George Orwell was right about newspeak...
I find it sad that Google "gets in hot water" for a flaw in Apple's software. Then has to go back and fix their +1/ad sense programs, but still gets called out for being the bad guy.
They should have said "we have reported this flaw to apple to be fixed in a future security update" and passed the buck to where it should have been.
Safari has security settings?
Safari has security settings?
Firefox, Chrome, Opera and Internet Explorer all accept 3rd party cookies by default.
Only Safari blocks them by default.
btw: it should be called privacy settings, not security settings.
But but Apple products are impervious and patched quickly if anything is found... *trying to hold laughter*
"Well, just a second there, professor. We, uh, we fixed the *glitch*. So he won't be receiving a paycheck anymore, so it'll just work itself out naturally." crapple philosophy 101
I find it sad that Google "gets in hot water" for a flaw in Apple's software. Then has to go back and fix their +1/ad sense programs, but still gets called out for being the bad guy. They should have said "we have reported this flaw to apple to be fixed in a future security update" and passed the buck to where it should have been.
Google did not find it, and it is not a security problem. It is a privacy issue which Google used for the benefit to Google to get around measures in Safari to block the use of 3rd party cookies. All the other browsers have it enabled by default, Safari does not so Google decided to use a method to get around that.
So no this is not a case where someone finds a vulnerability and gets in trouble for it. This is a case where a large company leverages a flaw to glean additional information from a device without explicit permission from the user.
It is the same thing as someone using an exploit in a browser to install Gator or something on your computer. No one wanted that crap on their machine but somehow it ended up getting installed and showing up next to your clock. Anyone remember Gator?
Come on guys. Google was doing this for the good of its users. That is all. They were not out to make money, invade privacy, or anything else. They just wanted to provide a better experience for their users.
Apple on the other hand. This was a deliberate mistake on their part and everyone at Apple should be hung until dead for the oversight.
Come on guys. Google was doing this for the good of its users. That is all. They were not out to make money, invade privacy, or anything else. They just wanted to provide a better experience for their users. Apple on the other hand. This was a deliberate mistake on their part and everyone at Apple should be hung until dead for the oversight.
lol, are you serious? For the good of its users on IOS devices? Am I the only one that finds it interesting that you're so understanding for Google and then you go to the extreme when talking about Apple. I mean come on "hung until dead"? seriously?
lol, are you serious? For the good of its users on IOS devices? Am I the only one that finds it interesting that you're so understanding for Google and then you go to the extreme when talking about Apple. I mean come on "hung until dead"? seriously?
Ummm.... It is called sarcasm.
I hope the FTC slams all those mutha's. I'm tired of their lying sneaky ways they keep trying to steal your information or force feed you ads. If your org can't sustain itself without lying and cheating then maybe it wasn't meant to be. Just go out of business. The web was built to share information and not advertisements that track and steal.
if those ads are what keep youtube free, my email free and with more than 10mb of storage space, and help a lot of websites and video makers make money through allowing their ads, in large enough sums that popular places can make it a full time job... well i am PERFECTLY FINE with being shown ads.
i WILL NEVER see why people have such a huge problem with ads.
Curiously IE, FF and Chrome are not affected. Only safari. Is this poor programming or something more sinister?
Ummm.... It is called sarcasm.
Ahh, my apologies. Guess I am used to seeing all kinds of really extreme comments on this site so it is hard to tell when someone is being sarcastic.
This proves that it was intentional; why else would you code the workaround to not work on users that opted out...
Not everyone is a moron Google. You're cold busted. Enjoy the lawsuits and fines.
Curiously IE, FF and Chrome are not affected. Only safari. Is this poor programming or something more sinister?
IE, Firefox and Chrome aren't affected because they accept third party cookies by default while Safari doesn't
Your comment points light at how the MSM list of favored companies is rigged these days. Imagine Microsoft getting off that easily.
Talk about THG not even trying to filter the spam ads out.
It's not that hard to do after all; especially for a top tech site.
Shame.
Pay hackers to secure your browser, but when you've got an information leak in a competitor's browser - just leap in and harvest data!
Just like Google.