The Wall Street Journal is out with a story about how Google has been “bypassing the privacy settings of millions of people” who use Apple’s Safari web browser, along with a headline about “Google’s iPhone tracking.” More accurately, Google’s been bypassing Safari’s default privacy settings that block certain types of cookies rather than overriding what people specifically set. But that still doesn’t make the revelation less of a body blow to Google’s reputation.
By default, Safari doesn’t accept “third-party cookies.” The Wall Street Journal reveals that Google found a way around this. Google protests that it never intended to get around anything, and that this is a byproduct of trying to make its Google +1 buttons on ads work in Safari.
To understand more, let’s do some tech talk first, then get into what the Wall Street Journal discovered.
Cookies are a small bit of code that allows a web site to know that it has seen a particular web browser before. That’s a useful way to help keep someone logged in or to remember how someone has personalized a site they visit.
Safari for the Mac and PCs accepts cookies when they are sent from the web site someone’s on (the first party) to the person’s browser (the second party). It’s third-party cookies that are blocked.
Third-party cookies are when you’re on a web site, and you’re given a cookie that links your browser to a completely different web site than you’re on. This is commonly done by ad networks. A site carries the ad network’s code. When someone visits that site, they get the third-party cookie issued by that network.
A third-party cookie, among other things, can allow an ad network — such as Google’s own — to track people as they surf across to other sites in that network (if you go to a site not in the network, nothing is tracked).
Desktop Safari Says “No” To Third-Party Cookies
Safari makes a feature out of not allowing third-party cookies. It’s part of the “worry-free web” that Apple pitches Safari delivering, as you can see in this section from Apple’s page about Safari:
The section explains:
To prevent companies from tracking the cookies generated by the websites you visit, Safari blocks third-party cookies by default.
You can see how this looks here within Safari. This is a screenshot of my own settings, where I’ve never changed the defaults
Mobile Safari Blocks All Cookies
On the iPhone, the mobile version of Safari also apparently blocks third party cookies by default, even though this isn’t made as clear as with the desktop version. Apple’s page about Mobile Safari doesn’t mention it, nor does the help page about Mobile Safari. It just talks about blocking cookies generally, without saying what the default is:
To set whether Safari accepts cookies, tap Accept Cookies and choose “Never”, “From visited”, or “Always”.
Checking my own phone, the default seems to be “Never,” which is harsher than what the desktop browser’s settings are. “From visited” I’m guessing means to accept first-party cookies; “Always” may mean to accept both first and third-party cookies.
Getting Around The Blocking
As said, the Wall Street Journal found that Google, along with the ad networks of Vibrant Media, Media Innovation Group and PointRoll, were all getting around these blocks on third-party cookies.
To do this, the companies were making it seem as if the person visiting a web site had filled out some type of form, even though no form was actually shown to the person.
By doing this, the companies were then able to get their cookies accepted. A sidebar article from the Wall Street Journal goes into detail about how all this worked, as does this post from the researcher who discovered that cookies were being added.
Postscript: PointRoll has now done a blog post saying it doesn’t “currently employ” the technique and that it was done as only a limited test.
Google Sought Only To Make +1 Buttons Work
In Google’s case, the company said this was being done as a way to allow its +1 buttons on ads it distributes through its AdSense network to other sites to work within Safari. These buttons work fine with the other major browsers of Firefox, Internet Explorer and Chrome, because those browsers don’t block third-party cookies by default.
Google added these +1 buttons last year, but apparently within ads, they wouldn’t work without a third-party cookie. So Google created this workaround to get past Safari’s blocking.
Google Cookies Lasted 24 Hours Or Less
Google said that the cookies were temporarily, lasting between 12-24 hours depending on whether someone was logged in or not, and that there was no personal information (such as someone’s name) contained in the cookies.
Story Mischaracterized? Somewhat…
Google also pushed back fairly hard against the WSJ’s story, being quoted within it saying:
The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.
Certainly the headlines I saw felt somewhat mischaracterized. The story is rigged so that the headline appears this way in search engines and social sharing sites:
Google Tracked iPhones, Bypassing Apple Browser Privacy Settings
The main headline on the actual story page says:
Google’s iPhone Tracking
No iPhones Were Tracked
Google was tracking iPhones? That suggests the location scandal that came up last year. In reality, Google’s not tracking phones. It’s tracking what some people might do within the Safari browser, both on the phone and on the desktop.
In fact, I’m pretty perplexed about why the iPhone aspect is being played up so much. This seems far more likely to have impacted more people using Safari on the desktop.
But Privacy Settings Were Bypassed, And That’s Bad
Of course, that doesn’t make any of this better for Google. While I’d guess most people had no idea that Safari was blocking third-party cookies by default, it was still doing that — and I doubt most people would be happy to hear that Google deliberately worked around this, even if it was only intended for a limited use of enabling +1 buttons on ads.
It also potentially opens Google up to a violation of its agreement with the FTC over privacy. As the WSJ points out, Google isn’t supposed to misrepresent its privacy practices. But Google’s page about opting-out of its third-party cookie said, until last Tuesday according to the Journal, that Safari users didn’t need to worry about opting-out if they hadn’t changed their defaults.
Here’s how the page used to read, from a cached copy I pulled out of Bing:
The WSJ said the FTC declined to comment about the tracking, but almost certainly some privacy group will file a complaint over it.
Postscript:Less than a day, and this has already happened. See our follow-up story, No Surprise: Congress, Consumer & Privacy Groups Want Google To Explain Safari Privacy Snafu.
Another Google+ification Stumble
Another issue is that this is likely to reignite questions about whether Google is hurting its reputation by its relentless pursuit of Facebook, in how it pushes Google+.
Earlier this year, Google came under intense pressure about how Search Plus Your World seemed to favor Google+ too much. Now you have Google deliberately creating a workaround to socially-enable its ads in Safari, something that’s going to result in a further reputation blow.
There are good reasons why Google does need Google+, as I explain more in my When Everyone Gets The Vote: Social Shares As The New Link Building story from last week. But it also feels like the company needs a bit of an operational pause.
My colleague Greg Sterling also shares more perspectives like this over on our Search Engine Land site in Cookiegate Another Privacy Black Eye For Google.
One thing that remains unclear to me is whether this same issue might impact other social players like Facebook or Twitter, whether for their buttons to work on web sites, do they also have to get around blocking? My assumption is no, otherwise I’d have expected that to be part of the WSJ story.
Over at Techmeme, you’ll find coverage from others on this topic. Below, related articles from us, some referenced above in this story, along with other relevant ones.
- Apple Takes Google’s Spot As “Most Reputable Company” In US
- Google #2, Facebook #38 In Global “Brand Desire” Study
- Meet +1: Google’s Answer To The Facebook Like Button
- Google Now Forcing All New Users To Create Google+ Enabled Accounts
- Google+ Is Slowly Invading Google’s Main Search Results
- Google’s Results Get More Personal With “Search Plus Your World”
- FAQ: What’s The Debate About Google’s Search Plus Your World?
- Two Weeks In, Google Says “Search Plus Your World” Going Well, Critics Should Give It Time
- When Everyone Gets The Vote: Social Shares As The New Link Building
- Google Anonymizing Search Records To Protect Privacy
- Anonymizing Google’s Server Log Data — How’s It Going?
- Google Maps Privacy: The Street View & Wifi Scorecard
- Apple, Google In Privacy Hot Water Over “Locationgate”
- A Closer Look At The Google Buzz Privacy Settlement
- Google Settles FTC Charges Over Buzz, Agrees To 20 Years Of Privacy Audits
- Europeans, EPIC Bring More Scrutiny To Google Privacy Changes
- No, You Don’t Need To Fear The Google Privacy Changes: A Reality Check