WSJ: Safari Loophole Allowed Google to Track Users via Ads

News
By published

Google and a number of other ad networks have been accused of tracking users web browsing by using a loophole to circumvent Safari's default security settings.

Over the last few weeks, Google's found itself at the receiving end of quite a bit of criticism regarding planned changes to its privacy policy. Now it seems the company is in hot water again. An article published in the Wall Street Journal has revealed that the search giant (along with several other ad networks) has been tracking iPhone and Mac users via Apple's Safari browser.

Here's what happened: Apple's Safari browser is set to block third-party cookies by default, accepting cookies only from sites that a user visits or interacts with. However, there is an exception to this rule that allows cookies if you interact with a form or advertisement in certain ways. The Journal reports that Google and other ad networks took advantage of this exception by using an invisible form and its +1 Google+ recommendation system. Essentially, Google allowed Safari users who had signed into Google+ to interact with DoubleClick ads using an embedded '+1' button. This would then send off an invisible form that would have Safari think the user had provided permission for cookies to be stored.

For its part, Google says that it used this workaround to enable signed-in users to give +1 votes to content, but was unaware that it inadvertently enabled the advertising cookies. The search giant has since disabled the feature. It said in a statement to Electronista that users who had opted out of its interest-based ad program (via Google's Ad Preferences Manager) were not affected by the work around. Check out the full statement below:

"The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.

Google wasn't the only one using this loophole. The code, which was discovered by Stanford researcher Jonathan Mayer, was also used by Media Innovation Group, PointRoll, and Vibrant Media. However, Google is the most high-profile of the listed offenders, and with recent discussions over the search giant's attitude to user privacy, it's hardly surprising that is receiving more attention than others over this.

[UPDATE] Well, it's all fun and games until someone phones the FTC, isn't it? Ars reports that Consumer Watchdog has asked the Federal Trade Commission to investigate this issue. Specifically, they want to know if Google has violated a previous agreement with the FTC by tracking cookies in this way.

Follow @JaneMcEntegart on Twitter for the latest news.      

See more Computing News
Jane McEntegart

Jane McEntegart works in marketing communications at Intel and was previously Manager of Content Marketing at ASUS North America. Before that, she worked for more than seven years at Tom's Guide and Tom's Hardware, holding such roles as Contributing Editor and Senior News Editor and writing about everything from smartphones to tablets and games consoles.

20 Comments Comment from the forums
  • warezme
    I hope the FTC slams all those mutha's. I'm tired of their lying sneaky ways they keep trying to steal your information or force feed you ads. If your org can't sustain itself without lying and cheating then maybe it wasn't meant to be. Just go out of business. The web was built to share information and not advertisements that track and steal.
    Reply
  • freggo
    "but was unaware that it inadvertently enabled the advertising cookies"

    Yeah, right. Because Google employs 2nd tier programmers.
    Gimme a break. You got caught with your fingers in the cookie jar (pun intended).

    It seems that slowly but persistently Google is sliding down the slope of misconduct like every other corporation that grew too big to be held accountable.

    Shame, but certainly no surprise.
    Reply
  • rantoc
    But but Apple products are impervious and patched quickly if anything is found... *trying to hold laughter*
    Reply
  • molo9000
    "Don't be evil"
    "provide features"
    "privacy policy"

    George Orwell was right about newspeak...
    Reply
  • dalethepcman
    I find it sad that Google "gets in hot water" for a flaw in Apple's software. Then has to go back and fix their +1/ad sense programs, but still gets called out for being the bad guy.

    They should have said "we have reported this flaw to apple to be fixed in a future security update" and passed the buck to where it should have been.
    Reply
  • amk-aka-Phantom
    circumvent Safari's default security settings

    Safari has security settings?
    Reply
  • molo9000
    amk-aka-PhantomSafari has security settings?
    Firefox, Chrome, Opera and Internet Explorer all accept 3rd party cookies by default.
    Only Safari blocks them by default.

    btw: it should be called privacy settings, not security settings.
    Reply
  • glasssplinter
    rantocBut but Apple products are impervious and patched quickly if anything is found... *trying to hold laughter*
    "Well, just a second there, professor. We, uh, we fixed the *glitch*. So he won't be receiving a paycheck anymore, so it'll just work itself out naturally." crapple philosophy 101
    Reply
  • ap3x
    dalethepcmanI find it sad that Google "gets in hot water" for a flaw in Apple's software. Then has to go back and fix their +1/ad sense programs, but still gets called out for being the bad guy.They should have said "we have reported this flaw to apple to be fixed in a future security update" and passed the buck to where it should have been.
    Google did not find it, and it is not a security problem. It is a privacy issue which Google used for the benefit to Google to get around measures in Safari to block the use of 3rd party cookies. All the other browsers have it enabled by default, Safari does not so Google decided to us a method to get around that.

    So no this is not a case where someone finds a vulnerability and gets in trouble for it. This is a case where a large company leverages a flaw to gleen additional information from a device without explicit permission from the user.

    It is the same thing as someone using a exploit in a browser to install Gator or something on your computer. No one wanted that crap on their machine but somehow it ended up getting installed and showing up next to your clock. Anyone remember Gator?
    Reply
  • greenspoon
    Come on guys. Google was doing this for the good of its users. That is all. They were not out to make money, invade privacy, or anything else. They just wanted to provide a better experience for there users.

    Apple on the other hand. This was a deliberate mistake on their part and everyone at Apple should be hung until dead for the oversight.
    Reply