Did Google trick Apple's Safari into tracking users?

Summary: The Wall Street Journal has caught Google with its hand in the cookie jar of Apple's Safari users, after privacy-circumventing code was discovered in Google's adverts.

Update: see Google's explanation below.

Search giant Google has been accused by the Wall Street Journal of bypassing the browser's security settings by allowing a site to set tracking cookies.

Safari for Mac and PC, as well as the version of Safari built into iOS devices, are thought to be affected. The Journal tested the browser and found that Google used code in its advertisements to bypass Safari's security, which by default blocks such tracking activity.

The aim of the code was to allow users who had signed into Google+ in Safari to access the '+1' button within ads, provided by Google's DoubleClick network.

"Don't be evil," the company said. While this may not classify as evil per se, it has already gained the attention of the online privacy advocacy group, the Electronic Frontier Foundation (EFF), reiterating the need for 'Do Not Track' rules on the Web.

Safari's security would normally prevent ads from dropping a tracking cookie in such a case because it blocks cookies coming from advertising networks. But the code Google is accused of using 'tricked' the browser into thinking the code was submitting a web form to Google; form cookies are not blocked, as it allows the browser to see whether the form was in fact sent.

The exploit isn't new. It was first discovered in 2010 by Stanford researcher Jonathan Mayer and confirmed by web developer and researcher Anant Garg.

But Google, while the biggest name on the list of the accused, was not the only one to do it. The Journal says that other advertising networks do similar things, such as the Media Innovation Group, Gannett's PointRoll, and Vibrant.

Google's DoubleClick adverts containing the privacy-circumventing code were found on major websites, including AOL.com, Match.com, TMZ.com and YellowPages.com, sister site CNET reports. The Journal's outside advisor found that 22 of the top 100 websites had Google's Safari-busting tracking code, and that 23 different sites install the same code on Safari's iOS browser.

The cookies were set to expire after 12 to 24 hours, but Safari can add even more cookies to a user's browser once the first cookie has been left.
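The two behaviours described above (form submissions being exempt from third-party cookie blocking, and further cookies being accepted once a first one exists) can be modelled in a few lines. This is an added example, not code from Safari, Google or the Journal's tests; the request fields, the placeholder domains and the stricter policy are assumptions made for illustration.

```javascript
// Simplified model of the cookie rules the article describes; not Safari's code.
// Request shape (hypothetical): { site, topLevelSite, isFormSubmission, userInitiated }
const isThirdParty = (req) => req.site !== req.topLevelSite;

// Rules as reported: third-party cookies are blocked unless the request looks
// like a form submission, or the site already holds a cookie in the browser.
function describedPolicy(req, jar) {
  if (!isThirdParty(req)) return true;
  if (req.isFormSubmission) return true;
  return jar.has(req.site);
}

// Hypothetical stricter variant (an assumption for illustration, not Apple's fix):
// only a form the user actually submitted counts, and an existing cookie
// does not unlock further ones.
function stricterPolicy(req, jar) {
  if (!isThirdParty(req)) return true;
  return req.isFormSubmission && req.userInitiated;
}

// Replay requests in order; each accepted response stores one cookie.
function replay(requests, policy) {
  const jar = new Map(); // site -> cookies stored
  const decisions = [];
  for (const req of requests) {
    const accepted = policy(req, jar);
    if (accepted) jar.set(req.site, (jar.get(req.site) || 0) + 1);
    decisions.push(accepted);
  }
  return { jar, decisions };
}

// Constructed sample traffic with placeholder domains.
const ad = (isFormSubmission) => ({
  site: "ads.example", topLevelSite: "news.example",
  isFormSubmission, userInitiated: false,
});
const sampleRequests = [
  ad(false), // ordinary ad request
  ad(true),  // script-generated form submission inside the ad
  ad(false), // later ad request, after the first cookie exists
  { site: "news.example", topLevelSite: "news.example",
    isFormSubmission: false, userInitiated: true }, // first-party page load
];

const described = replay(sampleRequests, describedPolicy);
const stricter = replay(sampleRequests, stricterPolicy);
console.log(described.decisions, stricter.decisions);
```

Under the described rules the ad network's first request is blocked, but the form submission and every later request are accepted; under the stricter variant only the first-party page load stores a cookie.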

After Google was caught with its hand in the cookie jar, it said that "the Journal mischaracterizes what happened and why," after it disabled the code. "We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information," the company said.

Apple, however, was quoted as saying that it is "working to put a stop" to the circumvention of its privacy settings and security features.

Microsoft has weighed in, taking a cheap shot at its closest rival, by saying that "this type of tracking by Google is not new". The Internet Explorer blog continued: "The novelty here is that Google apparently circumvented the privacy protections built into Apple’s Safari browser in a deliberate, and ultimately, successful fashion."

This is the second controversy in as many weeks. Google recently announced a change to its privacy policy that would consolidate all its policies into one giant, super policy. But this led to calls from the European data protection authorities because it would grant Google the explicit right to "combine personal information" across its products and services. ZDNet's Larry Dignan said: "Google will know more about you than your wife does."

The Electronic Privacy Information Center (EPIC) filed a lawsuit last week against the U.S. Federal Trade Commission in an attempt to force the regulator into preventing Google from making the privacy policy changes.

Update: Rachel Whetstone, senior vice-president for communications and public policy at Google, expanded on the Journal's findings:

"Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content -- such as the ability to “+1” things that interest them.

To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous -- effectively creating a barrier between their personal information and the web content they browse.

However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information."

Image source: ZDNet.

Talkback

147 comments
  • RE: Did Google trick Apple's Safari into tracking users?

    Again, you are focusing on the wrong problem here! If Google can do this then so can others but much more maliciously.

    Should Google have done this? Probably not. However, if the browser weren't full of holes they might not have been able to.
    slickjim
    • RE: Did Google trick Apple's Safari into tracking users?

      @Peter Perry
      Then why Google did it in first place?
      GraphiteCube
      • RE: Did Google trick Apple's Safari into tracking users?

        @GraphiteCube
        Google did Apple a service by exposing security holes in Safari. If Apple does not stop suing android Apple has more to lose for its lame software.
        The Linux Geek
      • RE: Did Google trick Apple's Safari into tracking users?

        @GraphiteCube

        Oh, get over it. Browsers, in general, suck. Anyone who's done web design has deviated from best practice to get something to work. There is a reason rational developers HATE IE6.
        tkejlboom
      • IE6 was a very useful, corporate-friendly browser for its time

        @tkejlboom
        MS put a lot into IE6 to make it useful for enterprises to make decent web-driven LOB and B2B apps. A lot of that stuff would have taken ages to get through standards, though a lot did.

        However, it all worked out too well for businesses that effectively had a 'standard' browser, just not one that worked for consumers, but that was of limited concern for their purposes, except for public-facing sites, which are dwarfed by their intranets.

        Now with the imminent (finally) switch off of XP, the whole effort going into the OS overhaul has to include the masses of stable internal IE6-based processes, a not inconsiderable and expensive effort.
        Patanjali
    • Then if a door to a home is left unlocked

      @Peter Perry
      then the owner is to blame if he is robbed, as the thief bears no responsibility for his actions, and should not go to jail if he is caught>
      :|
      Tim Cook
      • RE: Did Google trick Apple's Safari into tracking users?

        @Mister Spock You build a house, lead everyone to believe it is the safest thing around and then sell it to people on that basis! Now you want sympathy?

        The problem with your analogy is that Apple is the builder and the User is the Victim.

        I agree, Google shouldn't have done that but if this house were truly the safest thing around then this likely wouldn't have happened.
        slickjim
      • and Google is the thief..

        @Mister Spock ...in the real world who goes to jail in that case?
        theFunkDoctorSpoc
      • RE: Did Google trick Apple's Safari into tracking users?

        @Mister Spock what about the people who go out and leave their garage door open - they might not be to blame, but they are not smart either
        stevejg61
      • RE: Did Google trick Apple's Safari into tracking users?

        @Mister Spock

        It's more like if you built your house with no doors, asked for a plumber to come over and fix your pipes, and then accused him of breaking and entering when he came in through a window.
        tkejlboom
    • RE: Did Google trick Apple's Safari into tracking users?

      @Peter Perry Yes but Google needs to be brought to task for its actions here. It's a strawman argument to mention that others do it - Google is the poster child for bypassing Safari's anti-tracking features.

      After all that logic seems to work when it's Apple's dealing with Foxconn... nevermind that other tech companies use them and have used them for years prior to Apple it's all somehow Apple's fault. So now it is with Google - this is all Google's fault - nevermind that others do it and likely have been doing it for some time now.
      athynz
      • RE: Did Google trick Apple's Safari into tracking users?

        @Pete "athynz" Athens isn't it funny that right after gaping hole is found in IE, there is a knee jerk Safari has holes too article?
        Joel-r
      • RE: Did Google trick Apple's Safari into tracking users?

        @Pete "athynz" Athens I never said others do it and I never said Google wasn't wrong to do it. I said, the real problem is in the security of the system... No Exploit, No Problem! It would be interesting to see if this exploit was documented previously and left unpatched.
        slickjim
        • But you obviously have your bullseye painted on Apple

          as if they're the first tech company to have a vulnerability in their software. I mean, it's not like Reader, Flash, Java, etc. have updates to address vulnerabilities on what seems like a weekly basis, oh, wait...

          I know, I know, Apple had a commercial years ago that highlighted the lack of viruses on their OS/computers. So, how much time must pass before the anti-Apple crowd stop using that as a talking point anytime anything related to Apple and security surfaces? 10 years? 15? 20?

          The real issue here is Google, supposedly a "do no evil" company, purposely betrayed the trust of Google's own users by circumventing a feature (of another company's software) specifically designed to protect those users, all just to mine a little more data from them.

          Now, if Google's inclined to do that with another company's software, what liberties do you think they're willing to take with Chrome, ChromeOS, Android and their web-based services? Now, I don't know about you, but that doesn't exactly get me all warm and fuzzy about using Google's offerings.
          TroyMcClure
      • what are you talking about? the real problem is the people exploiting!

        @Peter Perry ..so i guess the real problem with crime is that people just don't make strong enough locks.. not that people shouldn't be breaking into other people's houses in the first place? you sure have some backwards logic.. Google is wrong here end of story.. it's bad enough when crime syndicates in Eastern Europe do it.. it's even worse when 'legit' multi-billion dollar multi-national companies do it.. shameful!

        caught selling ads illegally to foreign pharmacies.. now this..
        theFunkDoctorSpoc
      • RE: Did Google trick Apple's Safari into tracking users?

        @Pete "athynz" Athens

        Does Safari have a pop-up that informs the user they need to change their security settings to allow functionality when they try to "Like", "+1", or "Digg" a story, ad, or other? It sounds to me like Google simply utilized a well documented exploit that was originally reported several years ago to work around shoddy browser implementation.

        @theFunkDoctorSpoc I think the analogy is that Apple is selling perfectly good locks, but you have to submit a special form to get the key to said lock... after it's already on your front door. Google's implementation of this exploit stored a blank cookie only for people trying to use their service. So, really, this is about your plumber pointing out that you can use the window.

        @Peter Perry
        Apparently, the exploit is patched in a developer build already. According to the documentation. Google at the least... helped Apple fix it.
        tkejlboom
      • RE: Did Google trick Apple's Safari into tracking users?

        @tkejlboom

        [i]Does Safari have a pop-up that informs the user they need to change their security settings to allow functionality when they try to "Like", "+1", or "Digg" a story, ad, or other?[/i]

        I have no idea as I rarely use Safari... or the whole "+1, Like, Digg" thing.

        [i]It sounds to me like Google simply utilized a well documented exploit that was originally reported several years ago to work around shoddy browser implementation.[/i]

        And that is entirely possible however that does not invalidate my post mocking those who want to use "Poster Children" as the ones to attack over an issue be it Apple with the Foxconn workers or Google using an exploit in Safari that other companies are using to track users.
        athynz
      • RE: Did Google trick Apple's Safari into tracking users?

        @theFunkDoctorSpoc The real problem is that you guys didn't read the article... If Google did this on purpose then yes they were wrong but, Apple turned the settings on that made the cookies and not Google!
        slickjim
      • RE: Did Google trick Apple's Safari into tracking users?

        @Pete "athynz" Athens +1000!!
        T-Wrench