WSJ: Safari Loophole Allowed Google to Track Users via Ads

Over the last few weeks, Google's found itself at the receiving end of quite a bit of criticism regarding planned changes to its privacy policy. Now it seems the company is in hot water again. An article published in the Wall Street Journal has revealed that the search giant (along with several other ad networks) has been tracking iPhone and Mac users via Apple's Safari browser.

Here's what happened: Apple's Safari browser is set to block third-party cookies by default, accepting cookies only from sites that a user visits or interacts with. However, there is an exception to this rule that allows cookies if you interact with a form or advertisement in certain ways. The Journal reports that Google and other ad networks took advantage of this exception by using an invisible form and its +1 Google+ recommendation system. Essentially, Google allowed Safari users who had signed into Google+ to interact with DoubleClick ads using an embedded '+1' button. This would then send off an invisible form that would have Safari think the user had provided permission for cookies to be stored.
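For anyone auditing page or ad markup for the pattern described above, the following added example (not code from the article, the Journal, or the researcher's work) flags forms that are invisible to the user and submit to a host other than the top-level site. The function names, the visibility heuristics, the simplified host comparison and the sample markup are all assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

CONTAINERS = {"div", "span", "section", "iframe", "form"}
HIDDEN_STYLES = ("display:none", "visibility:hidden")

def is_hidden(attrs):
    """Heuristic: element is styled or sized so the user cannot see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ("hidden" in attrs
            or any(s in style for s in HIDDEN_STYLES)
            or attrs.get("width") == "0" or attrs.get("height") == "0")

def is_first_party(host, top_level_host):
    # Simplification: browsers compare registrable domains, not suffixes.
    return host == top_level_host or host.endswith("." + top_level_host)

class HiddenFormAudit(HTMLParser):
    def __init__(self, top_level_host):
        super().__init__()
        self.top_level_host = top_level_host
        self.stack = []      # (tag, hidden) for each open container element
        self.findings = []   # third-party hosts targeted by invisible forms

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # A form is invisible if it, or any open ancestor, is hidden.
        hidden = is_hidden(a) or any(h for _, h in self.stack)
        if tag == "form":
            host = urlparse(a.get("action") or "").hostname
            if hidden and host and not is_first_party(host, self.top_level_host):
                self.findings.append(host)
        if tag in CONTAINERS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the nearest matching open container, if any.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html, top_level_host):
    parser = HiddenFormAudit(top_level_host)
    parser.feed(html)
    return parser.findings

# Constructed sample: a visible on-site form, a hidden off-site form, a visible off-site form.
SAMPLE = """
<div><form action="/search"><input name="q"></form></div>
<div style="display: none">
  <form method="post" action="https://ads.example.net/sync"><input type="hidden" name="x"></form>
</div>
<form action="https://pay.example.org/checkout"><input name="card"></form>
"""
```

Run `audit(SAMPLE, "news.example.com")` to list the off-site hosts that receive submissions from forms the user cannot see; visible off-site forms and hidden same-site forms are not reported.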

For its part, Google says that it used this workaround to enable signed-in users to give +1 votes to content, but was unaware that it inadvertently enabled the advertising cookies. The search giant has since disabled the feature. It said in a statement to Electronista that users who had opted out of its interest-based ad program (via Google's Ad Preferences Manager) were not affected by the workaround. Check out the full statement below:

"The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.

"Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to “+1” things that interest them.

"To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous--effectively creating a barrier between their personal information and the web content they browse.

"However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.

"Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager."

Google wasn't the only one using this loophole. The code, which was discovered by Stanford researcher Jonathan Mayer, was also used by Media Innovation Group, PointRoll, and Vibrant Media. However, Google is the most high-profile of the listed offenders, and with recent discussions over the search giant's attitude to user privacy, it's hardly surprising that it is receiving more attention than others over this.

[UPDATE] Well, it's all fun and games until someone phones the FTC, isn't it? Ars reports that Consumer Watchdog has asked the Federal Trade Commission to investigate this issue. Specifically, they want to know if Google has violated a previous agreement with the FTC by tracking cookies in this way.

Follow @JaneMcEntegart on Twitter for the latest news.      

20 comments
    Top Comments
  • "but was unaware that it inadvertently enabled the advertising cookies"

    Yeah, right. Because Google employs 2nd tier programmers.
    Gimme a break. You got caught with your fingers in the cookie jar (pun intended).

    It seems that slowly but persistently Google is sliding down the slope of misconduct like every other corporation that grew too big to be held accountable.

    Shame, but certainly no surprise.
    17
  • amk-aka-Phantom: "Safari has security settings?"

    Firefox, Chrome, Opera and Internet Explorer all accept 3rd party cookies by default.
    Only Safari blocks them by default.

    btw: it should be called privacy settings, not security settings.
    11
  • Other Comments
  • I hope the FTC slams all those mutha's. I'm tired of their lying sneaky ways they keep trying to steal your information or force feed you ads. If your org can't sustain itself without lying and cheating then maybe it wasn't meant to be. Just go out of business. The web was built to share information and not advertisements that track and steal.
    0
  • But but Apple products are impervious and patched quickly if anything is found... *trying to hold laughter*
    8