Google caught skirting Safari privacy settings

@CNNMoneyTech February 17, 2012: 6:09 PM ET

NEW YORK (CNNMoney) -- In the latest high-profile flap over online data privacy, Google has been caught bypassing the privacy settings on Apple's Safari Web browser, letting advertisers track users in unintended ways.

A Wall Street Journal investigation published Friday drew attention to the issue and set off alarm bells across the Web. In response to the Journal's probe, Google (GOOG, Fortune 500) discontinued its use of the tracking code.

The actual consequences were pretty limited: Google's code was being used only to target ads, and users' personal information was never collected. But it was yet another prominent example of a tech company drawing fire for a slipshod and sneaky way of handling private data.

The Google imbroglio revolves around the company's ad network, which serves advertisements across a wide range of websites.

Sites use files called "cookies" to follow users' movements and log-ins as they travel through the Web. Apple's (AAPL, Fortune 500) Safari has far stricter tracking restrictions than any other major browser: By default, it blocks third-party cookies. That's a big problem for ad networks, which rely on those cookies to measure their campaigns and to enable some ad functions.

That's what tripped Google up. It wanted to give viewers who were signed into Google's network the ability to use Google's +1 button to tout ads that caught their eye.

To do that, it exploited a loophole in Safari, essentially tricking the browser into thinking that the viewer had interacted with the ad. That fooled Safari into giving Google permission to install a test cookie and create a temporary communication link back to Google's servers.

Google says that link was designed to operate anonymously and did not collect any personal information. But it had an unintended consequence: Other cookies were able to follow in the first one's wake. Google essentially cracked open a door and others piled in behind it.

While it admitted using the Safari workaround, Google cast the subsequent cookie flood as an inadvertent screw-up.

"The Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn't anticipate that this would happen," Google said Friday in a prepared statement. "We have now started removing these advertising cookies from Safari browsers."

Google wasn't the only one exploiting Safari's loophole. Stanford grad student Jonathan Mayer, who published an extensive technical analysis of it on Friday, found at least three other advertising companies taking advantage of it: Vibrant Media, Media Innovation Group and PointRoll.

"I think there's quite possibly a deceptive business practice here," Mayer said in an interview with CNN.

He questioned Google's claim that no private data was ever misued.

"Google released a statement that there was not personal information at play. I'm not quite certain what they mean by that," Mayer said. "They were quite intentionally moving information about a Google user's account over to Google's advertising networks."

In his technical analysis, Mayer intentionally steered clear of a broader question the debacle raises: Is Safari's third-party cookie blocking the right way to go?

It's a big departure from the industry standard. Microsoft's (MSFT, Fortune 500) Internet Explorer, Firefox and Chrome all allow third-party cookies.

Apple says its motive is privacy. Safari's third-party cookie ban is designed "to prevent companies from tracking the cookies generated by the websites you visit," Apple says on its website.

But many websites rely on advertising to fund their operations, and Apple's ban wreaks havoc with tracking across ad networks. Those ad networks are Apple's direct rivals: It competes against them with its own iAd network, which serves ads through applications instead of websites.

Apple did not immediately respond to a request for comment.

"Marketers who rely on third-party tracking cookies are effectively blind when it comes to measuring performance on the iPad and other iOS devices," ad software maker Marin Software wrote last year in a research paper examining the problem.

The block also causes problems for some Web apps that integrate content across multiple sites. The permissions that a user intentionally grants on one site can't be carried through to other, linked sites.

Facebook's "best practices" guide for its developers lists "cross-domain cookies do not work in Safari" as a common problem and recommends using the same kind of workaround Google employed.

It's not lost on Apple's critics that the company's cookie ban is a big thorn in the side of Apple's key competitors.

"Let's step back a second here and ask: why do you think Apple has made it impossible for advertising-driven companies like Google to execute what are industry standard practices on the open web?" author John Battelle, who founded an ad network and wrote a book about Google, wrote in a blog post.

"Do you think it's because Apple cares deeply about your privacy? Really?" Battelle asked. "Or perhaps it's because Apple considers anyone using iOS, even if they're browsing the web, as 'Apple's customer,' and wants to throttle potential competitors."

-CNN's Dan Simon, in San Francisco, contributed to this report To top of page

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer. Morningstar: © 2018 Morningstar, Inc. All Rights Reserved. Factset: FactSet Research Systems Inc. 2018. All rights reserved. Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor's Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2018 and/or its affiliates.