The Wall Street Journal claims Google exploited the Safari web browser to track users’ activity without consent.
News sites are atwitter with a recent Safari and Google snafu. The Wall Street Journal reported early this morning that Google deliberately bypassed the Safari browser security settings to track iPhone, iPad, and iPod Touch users’ Internet usage. The charge laid against the mammoth Internet company is as follows:
Google’s latest ad push has been using Google Plus’s +1 feature to share content from around the web on the company’s social network, via users’ profiles. In most browsers, it has seemed to serve the company well, but not in Safari. The Apple browser’s default privacy settings don’t allow for the +1 button to show up because it’s associated with DoubleClick, Google’s advertising network. The majority of ad cookies are tracking cookies, so in an effort to protect their customers, Safari blocks almost all tracking cookies.
The only way the browser lets ads show up for a user is if a user interacts with a website via the ad. One instance of user/website interaction is a user submitted form to the website. Google’s code, explains CNET, was hoodwinking the browser to think the +1 button would be submitting a form to Google, and thereby enabled the button to appear on the websites the social networking site originally intended.
By claiming that the +1 feature was a form, it allowed Google to put cookies on users’ activity. The analyst from the Wall Street Journal noticed that while these cookies were usually set to expire in the next twelve to twenty-four hours for most users, in that window of time Google could still be tracking Safari users’ activity.
The second half of the outrage surrounding this issue is related to one of Safari’s features. If a user accepts one tracking cookie, the browser lowers the restrictions other websites have to meet to place tracking cookies themselves. This means, Google’s workaround code put users at a higher security risk.
Naturally the original reporter contacted Google for an explanation and a statement, and after that first contact, it appears that the code allowing all of this from Google’s end has been disabled. The company also claimed their process of getting the +1 button to work with the Safari browser had been grossly mischaracterized.
Rachel Whetstone, Google’s senior vice president of communications and public policy, released a statement saying that “We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.” Google also said that they did not know about Safari’s own questionable practice of allowing cookies to be more easily added after one had been, essentially, user-approved.
Further troubling news for Safari users is that three other online ad firms were found to also be exploiting this workaround, namely Vibrant Media, WPP’s Media Innovation Group, and Gannett’s PointRoll. WPP didn’t comment on the original WSJ article but Vibrant was adamant that the workaround doesn’t collect any personal information like names or financial accounts. Gannett said the company’s implementation of the code was just a test and therefore didn’t affect all Safari users.
Safari users don’t need to worry if they’ve never come in contact with an ad that contained this particular workaround code. Unfortunately, the code was reportedly found on massive sites like TMZ.com, Match.com, and AOL.com, among others.
No matter what opinion you have of the ad companies employing this method, we have to question Apple in not plugging this hole in Safari before now. Apple commented on the article and did say that they were fixing the workaround’s effectiveness immediately.