Google Under Fire For Circumventing Safari Privacy Setting

It’s a tense time for Google: controversial policy and user-experience changes are combining with a growing distrust of tracking and advertising to produce something of a toxic atmosphere. Not the moment, then, you would want a minor scandal to erupt in the form of Google circumventing, intentionally or unintentionally, the privacy settings of millions of Safari users.

The allegations have their source in a report by Stanford grad student Jonathan Mayer, who showed that using Safari triggered a special behavior in the normal cookie-creation process; his report was later played up by the Wall Street Journal. This behavior deliberately goes around the default Safari behavior of blocking all third-party cookies — like one from Google when you’re visiting TechCrunch.

Google says it’s a side-effect from something else, but even if that’s true, it’s still ugly.

The gist of the exploit is this: normally, a plain HTTP request to put a cookie on a machine running Safari would be acknowledged, vetted, and either accepted (for something like Amazon tracking your position on the site), or rejected (for something like DoubleClick meta-cookies). Google’s (DoubleClick’s, technically, but ultimately it’s Google’s) special cookie dispenser, however, would detect that Safari was being used, and “fill out” a form element on the client side, sending that out instead of a plain request.

It’s a documented feature, this form request for cookies, not some crazy illicit web stunt. Other online advertising companies do it as well, but that’s not really an endorsement. But the way it’s set up is fundamentally shady: using javascript to fill out an invisible form with the information that would normally be sent by other means, but isn’t — because the user has chosen not to. It sidesteps the Safari preferences neatly, by means of a loophole in the cookie-submission process.

Interestingly, that loophole was closed seven months ago in Webkit — by Google. One can view this cynically or generously. Cynically, it could be suggested that Google closed the hole but decided to exploit it in order to track Safari browsers — not the biggest piece of the desktop pie, but huge since it’s the default browser on iOS (also vulnerable). Generously, it could be said that Google fixed the problem and designed around a standard they helped achieve, and this tracking is in fact a side effect.

That’s something like what Google has actually said. In a statement, they say that last year they implemented some things to make sure +1 buttons (which of course are a form of third-party tracking, like most share elements) worked in Safari. They rigged a way to determine, on the level, whether a user had opted in or out to Google-related tracking, and if so, whether they were logged in. Fairly standard. But then:

However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers.

Whether they are using the phrase “contained functionality” ironically isn’t clear. After all, they’re describing a security vulnerability they sewed up back in the day. Apple, for their part, has only said that they will be working to “put a stop to it.” Whether that means they’ll be adopting the same Webkit changes Google did isn’t clear.

It’s a bit much to swallow that Google designed functionality specifically for the browser and failed to notice this particular quirk. And the huge numbers of Safari browsers reporting data to Doubleclick should have been a red flag as well.

What matters in the end, though, is that a Google product violated the expressed privacy preferences of millions of users. Whether it was a mistake, an outdated browser on the user’s side, and whether the data was effectively anonymized — people won’t care about this. This is a big stumble when Google needed to be treading lightly. A little perspective and investigation might make this violation more or less serious, but the damage is done. Google is going to have to take some big steps to repair their image after the beating it’s taken over the last few months.

Here’s Google’s full statement on the matter:

The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.

Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content–such as the ability to “+1” things that interest them.

To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous–effectively creating a barrier between their personal information and the web content they browse.

However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.

Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager.