Google and others caught circumventing Safari and Mobile Safari privacy restrictions (updated)

The Wall Street Journal reports that Google and several prominent online advertising networks have been using a workaround to bypass the privacy restrictions on Apple's Safari and Mobile Safari web browsers, allowing the companies to deposit cookies on a user's computer even if the device is set to prevent such behavior. At issue is the way Safari treats cookies. Under its default settings, both the desktop and iOS versions of the browser accept cookies, which can be used to track browsing habits, only from sites that individuals specifically visit or interact with. This prevents a cookie from an outside source from making its way onto a user's computer without their direct involvement. Google reportedly butted up against this restriction when it couldn't use cookies to determine if users were logged into Google services in conjunction with its +1 recommendation system.

To get around the problem, Google took advantage of an exploit that was first noted by developer Anant Garg in 2010, which uses a blank form sent in the background to trick Safari into accepting cookies from unauthorized sources. Google's use of the workaround was spotted by Stanford researcher Jonathan Mayer, and later corroborated by the WSJ. When contacted about the technique, Google reportedly ceased the practice, saying in a statement that "the Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information."

The WSJ also discovered that the technique was used by at least three other advertising networks as well as Facebook, which actually notes Garg's technique in the Best Practices section of its developer documentation. Both Google and Facebook ostensibly provide user-facing benefits with the practice, preventing a constant litany of password typing and sign-ins when using their services. The practice may be quite difficult to justify, however, particularly with user privacy recently becoming an even hotter issue than usual. As for Apple, a spokesperson simply stated that "we are working to put a stop" to the practices in question.

Update: Google has provided us with its full statement on the matter:

The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information.

Unlike other major browsers, Apple's Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as "Like" buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to "+1" things that interest them.

To enable these features, we created a temporary communication link between Safari browsers and Google's servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user's Safari browser and Google's servers was anonymous--effectively creating a barrier between their personal information and the web content they browse.

However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It's important to stress that, just as on other browsers, these advertising cookies do not collect personal information.

Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google's Ads Preferences Manager.
