There’s been a firestorm of controversy brewing over the past few days after a Web researcher at Stanford University discovered Google and several other major online advertising companies were surreptitiously circumventing the default security settings on Apple’s Safari web browser to allow them to track users’ interactions online.
As Jonathan Mayer, a graduate student of computer science and law at Stanford, explained, Apple’s Safari browser — found on all Mac computers, the iPhone and the iPad — is unique among competitors in that it ships with default privacy settings that block all third-party “cookies,” from being installed on a user’s device.
Browser “cookies” are small files that websites and services install on users computers in order to store information related to a particular user’s browsing experience — such as the items they’ve put in an e-shopping cart, for example. Although Safari allows some cookies, such as those related to filling out online forms, it blocks those that are “third party” — cookies that don’t come from the same web address that the user is currently viewing. Many ad companies install cookies on users’ machines to see if they’ve clicked on ads or not and keep track of other web browsing habits to enable personalized advertising options.
But as Mayer found in his research, Google, which runs the Web’s largest online advertising service, DoubleClick, and three other separate advertising companies — VirbantMedia, Media Innovation Group and PointRoll — dodged Safari’s third party cookie blocking by submitting an invisible form to the browser, tricking it into thinking the user had voluntarily filled out a form to allow such cookies to be installed on his or her machine.
Mayer included 200,000 Safari browsers in his sample size, telling KQED News that “the overwhelming majority” were found to have Google DoubleClick cookies installed on its servers, but said he was unsure just how widespread the problem was. Safari is the largest mobile web browser in terms of market share, according to tracking firm Net Applications, so the problem could be much more widespread.
Mayer on February 17 published the incriminating evidence of the massive privacy settings evasion on his personal blog. The Wall Street Journal picked up the findings and brought them into the spotlight, running a lengthy article with several graphics explaining just how the evasion process worked.
Google was immediately thrust on the defense, announcing it had disabled the cookies and stealthily removing language on a Google privacy policy page affirming that Safari’s default settings prevented the search giant from tracking users. Google also told The Journal that the newspaper “mischaracterizes what happened and why.”
“We used known Safari functionality to provide features that signed-in Google users had enabled,” said Google’s statement. “It’s important to stress that these advertising cookies do not collect personal information.”
In a fuller statement circulated by other media outlets, Google further elaborated on what it was trying to do and why, shifting the blame to Apple’s Safari browser for having tighter default privacy settings than other competitors, and saying that the circumvention was necessary to enable features related to Google Plus, Google’s up-and-coming social network. Google also admitted that by circumventing the default Safari settings, it had inadvertently allowed other advertisers to install cookies on user’s devices.
As Google explained:
Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content-such as the ability to “+1” things that interest them.
To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous-effectively creating a barrier between their personal information and the web content they browse.
However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.
Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager.
However, that last paragraph proved to be a sticking point for Microsoft (Google’s largest search competitor) which on Monday published a blog post outlining how Google also evaded the default settings on Microsoft’s Internet Explorer web browser.
As Microsoft’s Dean Hachamovitch, corporate VP of Internet Explorer (IE), explained in the post:
“By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent.”
Google hit back several hours later with a lengthy statement, available in full over on WebProNews. In it, Google points out that Microsoft’s P3P standard has fallen into widespread disuse since it was introduced in 2002, with over 11,000 websites not using it as of 2010, including Facebook.
Indeed, Facebook itself confirmed to ZDNet on Tuesday that its ubiquitous “Like” buttons all evade IE’s P3P standard, and must, in order to enable users to see and access them. As Facebook explained in a statement: “P3P was developed 5 years ago and is not effective in describing the practices of a modern social networking service and platform.” However, Facebook threw Microsoft a proverbial bone, saying it had “reached out directly” to the company to work on a solution. Facebook also subtly attacked Google for bringing Facebook into the fray as a proxy, noting that “our P3P policy is not intended to enable us to set additional cookies or to track users,” unlike, of course, Google’s evasion of Safari and IE to enable tracking cookies.
It should be noted that Microsoft is a major investor in Facebook, owning just over 1 percent of the company after buying $240 million worth of shares on the secondary market in 2007, valuing the company at $15 billion (it’s now thought to be worth up to $100 billion).
Microsoft has also been shamelessly attempting to exploit Google’s privacy controversies lately, posting a video in early February on Google-owned YouTube making fun of Gmail, so their latest attack on Google should be taken with more than a few grains of salt.
That was also the conclusion of Jonathan Mayer, the Stanford researcher who first discovered Google’s Safari circumvention.
“Microsoft: hallmarks of privacy research are 1) finding something new, 2) not pushing the story with a PR agency (but thanks for the note!),” Mayer tweeted Tuesday.
Still, that’s not to say that Google should be getting a pass for its practices. Mayer posted a thorough update to his findings on his blog Tuesday, essentially calling Google out for attempting to whitewash the controversy by deferring to its new social network, Google Plus, which Mayer pointed out is only tangentially related to the cookie problem at best.
“The circumvention behaviors affected all users, independent of whether they had a Google account, were logged into a Google account, or had made a choice about social advertising,” Mayer wrote, puncturing a hole in Google’s defense that it had pursued the Safari circumvention strategy to “to provide features that signed-in Google users had enabled.”
Further, as Mayer noted, “Circumvention is not a commonly accepted business practice,” and “Apple’s purpose was not messing with Google. The default cookie blocking feature that Google circumvented was implemented in Safari 1.0, which shipped in 2003–long before Google was in the third-party display advertising business, and long before relations between the companies soured over smartphones.”
That line of analysis, from a technical expert, no less, acts as a deft answer to those Google apologists, like Web search blogger John Battelle, who have argued that this is mostly a corporate fight between Google’s vision of the Internet — open and easy to crawl — and Apple’s — a tightly-controlled and prescribed experience.
No matter how one slices it, Google doesn’t come out of this scrape looking any better. In fact, with the company already facing scrutiny from bloggers and lawmakers over its newly condensed privacy policy (which goes into effect March 1), it’s just about the worst possible news for the company and its users.
Regulators, for one, are less happy with Google than ever before: On Friday, hours after The Journal‘s piece was published, the Federal Trade Commission was hit with three letters from lawmakers and advocacy groups calling upon the agency to investigate Google over the Safari evading practice.
The FTC has already placed Google on thin ice, settling a privacy investigation into Google’s failed Buzz social network in March 2011 by making Google agree to a series of terms and bi-annual privacy audits. It’s unclear if Google’s latest privacy breach violates any of the FTC’s settlement terms, but the agency is looking into the complaints. The FTC in June 2011 also announced it had begun another investigation into Google, this one into antitrust allegations over its search and advertising businesses.
