Did Google trick Apple's Safari into tracking users?

The Wall Street Journal has caught Google with its hand in the cookie jar of Apple's Safari users, after privacy-circumventing code was discovered in Google's adverts.
Written by Zack Whittaker, Contributor

Update: see Google's explanation below.

Search giant Google has been accused by the Wall Street Journal of bypassing the browser's security settings by allowing a site to set tracking cookies.

Safari for Mac and PC, as well as Safari in-built into iOS devices, are thought to be affected. The browser was subject to tests by the Journal which show that Google used code in its advertisements to bypass Safari's security, which by default blocks such tracking activity.

The aim of the code was to allow users who had signed into Google+ in Safari to access the '+1' button within ads, provided by Google's DoubleClick network.

"Don't be evil," the company said. While this may not classify as evil per se, it has already gained the attention of the online privacy advocacy group, the Electronic Frontier Foundation (EFF), reiterating the need for 'Do Not Track' rules on the Web.


Safari's security would normally prevent ads from dropping a tracking cookie in such a case because it blocks cookies coming from advertising networks. But the code Google is accused of using  'tricked' the browser into thinking the code was submitting a web form to Google; form cookies are not blocked, as it allows the browser to see whether the form was in fact sent.

The exploit isn't new. It was first discovered in 2010 by Stanford researcher Jonathan Mayer and confirmed web developer and researcher Anant Garg.

But Google, while the biggest name on the list of the accused, was not the only one to do it. The Journal says that other advertising networks do similar things, such as the Media Innovation Group, Gannet's PointRoll, and Vibrant.

Google's DoubleClick adverts containing the privacy-circumventing code were found on major websites, including AOL.com, Match.com, TMZ.com and YellowPages.com, fellow sister site CNET reports. The Journal's outside advisor found that 22 of the top 100 websites had Google's Safari-busting tracking code, and that 23 different sites install the same code on Safari's iOS browser.

The cookies were set to expire after 12 to 24 hours, but Safari can add even more cookies to a users' browser once the first cookie as been left.

After Google was caught with its hand in the cookie jar, it said that "the Journal mischaracterizes what happened and why," after it disabled the code. "We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information," the company said.

Apple, however, was quoted as saying that it is "working to put a stop" to the circumvention of its privacy settings and security features.

Microsoft has weighed in, taking a cheap shot at its closest rival, by saying that "this type of tracking by Google is not new". The Internet Explorer blog continued: "The novelty here is that Google apparently circumvented the privacy protections built into Apple’s Safari browser in a deliberate, and ultimately, successful fashion."

This is the second controversy in as many weeks. Google recently announced a change to its privacy policy that would consolidate all its policies into one giant, super policy. But this led to calls from the European data protection authorities because it would grant Google the explicit right to "combine personal information" across its products and services. ZDNet's Larry Dignan said: "Google will know more about you than your wife does."

The Electronic Privacy Information Center (EPIC) filed a lawsuit last week against the U.S. Federal Trade Commission in an attempt to force the regulator into preventing Google from making the privacy policy changes.

Update: Rachel Whetstone, senior vice-president for communications and public policy at Google, expanded on the Journal's findings:

"Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content -- such as the ability to “+1” things that interest them.

To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous -- effectively creating a barrier between their personal information and the web content they browse.

However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers.  It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information."

Image source: ZDNet.


Editorial standards