updated 11:55 pm EST, Thu February 16, 2012
Google alleged in Safari privacy circumvention
(Update: Google's full response) Google in a report Thursday night was accused of circumventing the cookie privacy settings in Apple's desktop and mobile versions of Safari. Web ad code seen by Wall Street Journal advisor Ashkan Soltani allegedly bypassed blocks in Safari's settings on about a fifth of the top 100 websites. Google wasn't alone as Media Innovation Group, PointRoll, and Vibrant Media were also using the strategy, but Google through its size and status was the most significant.
The method faked sending a web form that would get around the block. Ironically, Google's own advice on Safari privacy settings wouldn't necessarily eliminate its own tracking. The method possibly left a hole open for the "vast majority" of websites to insert cookies that wasn't available otherwise.
Google in a response claimed that the newspaper "mischaracterizes" the activity and was supplying cookies for Google users who had signed in, at their request. It didn't collect personal information, Google said. However, the firm didn't explain why code triggering the behavior was disabled shortly after the company was contacted, nor why verbiage guaranteeing privacy when using Safari's settings was removed.
The other providers either wouldn't comment or claimed not to have been aware of the activity.
Apple in a response has said it was "working to put a stop" to cookie workarounds in Safari, although it didn't say when a Safari update might come about.
While the actual damage to customers is likely to have been minimal, the very use of the fake form in question isn't likely to help Google's public image. The Mountain View company is already the subject of a widening FTC antitrust investigation and could be interpreted as ignoring visitors' privacy for the sake of inflating its ad performance. While it's likely that the trick was meant for the sake of Google sign-ins, as promised, the nature of its new Google+ service, Gmail, and others could make it difficult for most anyone to avoid the privacy issues while still trying to use a Google feature.
Update: Google has provided its full response. It argued that the desire to make sure users can give +1 votes to content inadvertently enabled the unwanted advertising cookies, which it had started pulling. The full statement is below.
"The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.
"Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to “+1” things that interest them.
"To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous--effectively creating a barrier between their personal information and the web content they browse.
"However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.
"Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager."