Google Didn’t “Track” iPhones, But It Did Bypass Safari’s Privacy Settings

The Wall Street Journal is out with a story about how Google has been “bypassing the privacy settings of millions of people” who use Apple’s Safari web browser, along with a headline about “Google’s iPhone tracking.” More accurately, Google’s been bypassing Safari’s default privacy settings that block certain types of cookies rather than overriding what people specifically set. But that still doesn’t make the revelation less of a body blow to Google’s reputation.

By default, Safari doesn’t accept “third-party cookies.” The Wall Street Journal reveals that Google found a way around this. Google protests that it never intended to get around anything, and that this is a byproduct of trying to make its Google +1 buttons on ads work in Safari.

To understand more, let’s do some tech talk first, then get into what the Wall Street Journal discovered.


Cookies are a small bit of code that allows a web site to know that it has seen a particular web browser before. That’s a useful way to help keep someone logged in or to remember how someone has personalized a site they visit.

Safari for the Mac and PCs accepts cookies when they are sent from the web site someone’s on (the first party) to the person’s browser (the second party). It’s third-party cookies that are blocked.

Third-Party Cookies?

Third-party cookies are when you’re on a web site, and you’re given a cookie that links your browser to a completely different web site than you’re on. This is commonly done by ad networks. A site carries the ad network’s code. When someone visits that site, they get the third-party cookie issued by that network.

A third-party cookie, among other things, can allow an ad network — such as Google’s own — to track people as they surf across to other sites in that network (if you go to a site not in the network, nothing is tracked).

Desktop Safari Says “No” To Third-Party Cookies

Safari makes a feature out of not allowing third-party cookies. It’s part of the “worry-free web” that Apple pitches Safari delivering, as you can see in this section from Apple’s page about Safari:

The section explains:

To prevent companies from tracking the cookies generated by the websites you visit, Safari blocks third-party cookies by default.

You can see how this looks here within Safari. This is a screenshot of my own settings, where I’ve never changed the defaults

Mobile Safari Blocks All Cookies

On the iPhone, the mobile version of Safari also apparently blocks third party cookies by default, even though this isn’t made as clear as with the desktop version. Apple’s page about Mobile Safari doesn’t mention it, nor does the help page about Mobile Safari. It just talks about blocking cookies generally, without saying what the default is:

To set whether Safari accepts cookies, tap Accept Cookies and choose “Never”, “From visited”, or “Always”.

Checking my own phone, the default seems to be “Never,” which is harsher than what the desktop browser’s settings are. “From visited” I’m guessing means to accept first-party cookies; “Always” may mean to accept both first and third-party cookies.

Getting Around The Blocking

As said, the Wall Street Journal found that Google, along with the ad networks of Vibrant Media, Media Innovation Group and PointRoll, were all getting around these blocks on third-party cookies.

To do this, the companies were making it seem as if the person visiting a web site had filled out some type of form, even though no form was actually shown to the person.

By doing this, the companies were then able to get their cookies accepted. A sidebar article from the Wall Street Journal goes into detail about how all this worked, as does this post from the researcher who discovered that cookies were being added.

Postscript: PointRoll has now done a blog post saying it doesn’t “currently employ” the technique and that it was done as only a limited test.

Google Sought Only To Make +1 Buttons Work

In Google’s case, the company said this was being done as a way to allow its +1 buttons on ads it distributes through its AdSense network to other sites to work within Safari. These buttons work fine with the other major browsers of Firefox, Internet Explorer and Chrome, because those browsers don’t block third-party cookies by default.

Google added these +1 buttons last year, but apparently within ads, they wouldn’t work without a third-party cookie. So Google created this workaround to get past Safari’s blocking.

Google Cookies Lasted 24 Hours Or Less

Google said that the cookies were temporarily, lasting between 12-24 hours depending on whether someone was logged in or not, and that there was no personal information (such as someone’s name) contained in the cookies.

Story Mischaracterized? Somewhat…

Google also pushed back fairly hard against the WSJ’s story, being quoted within it saying:

The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.

Certainly the headlines I saw felt somewhat mischaracterized. The story is rigged so that the headline appears this way in search engines and social sharing sites:

Google Tracked iPhones, Bypassing Apple Browser Privacy Settings

The main headline on the actual story page says:

Google’s iPhone Tracking

No iPhones Were Tracked

Google was tracking iPhones? That suggests the location scandal that came up last year. In reality, Google’s not tracking phones. It’s tracking what some people might do within the Safari browser, both on the phone and on the desktop.

In fact, I’m pretty perplexed about why the iPhone aspect is being played up so much. This seems far more likely to have impacted more people using Safari on the desktop.

I’m not alone in feeling some things are being trumped up in the headline and opening paragraphs — see also John Battelle’s take, as well as MG Siegler.

But Privacy Settings Were Bypassed, And That’s Bad

Of course, that doesn’t make any of this better for Google. While I’d guess most people had no idea that Safari was blocking third-party cookies by default, it was still doing that — and I doubt most people would be happy to hear that Google deliberately worked around this, even if it was only intended for a limited use of enabling +1 buttons on ads.

It also potentially opens Google up to a violation of its agreement with the FTC over privacy. As the WSJ points out, Google isn’t supposed to misrepresent its privacy practices. But Google’s page about opting-out of its third-party cookie said, until last Tuesday according to the Journal, that Safari users didn’t need to worry about opting-out if they hadn’t changed their defaults.

Here’s how the page used to read, from a cached copy I pulled out of Bing:

The WSJ said the FTC declined to comment about the tracking, but almost certainly some privacy group will file a complaint over it.

Postscript:Less than a day, and this has already happened. See our follow-up story, No Surprise: Congress, Consumer & Privacy Groups Want Google To Explain Safari Privacy Snafu.

Another Google+ification Stumble

Another issue is that this is likely to reignite questions about whether Google is hurting its reputation by its relentless pursuit of Facebook, in how it pushes Google+.

Earlier this year, Google came under intense pressure about how Search Plus Your World seemed to favor Google+ too much. Now you have Google deliberately creating a workaround to socially-enable its ads in Safari, something that’s going to result in a further reputation blow.

There are good reasons why Google does need Google+, as I explain more in my When Everyone Gets The Vote: Social Shares As The New Link Building story from last week. But it also feels like the company needs a bit of an operational pause.

My colleague Greg Sterling also shares more perspectives like this over on our Search Engine Land site in Cookiegate Another Privacy Black Eye For Google.

One thing that remains unclear to me is whether this same issue might impact other social players like Facebook or Twitter, whether for their buttons to work on web sites, do they also have to get around blocking? My assumption is no, otherwise I’d have expected that to be part of the WSJ story.

Over at Techmeme, you’ll find coverage from others on this topic. Below, related articles from us, some referenced above in this story, along with other relevant ones.

Related Articles

Related Topics: Channel: Industry | Features & Analysis | Google: Legal | Google: Privacy | Legal: Privacy | Top News


About The Author: is Founding Editor of Marketing Land. He’s a widely cited authority on search marketing and internet marketing issues, who has covered the space since 1996. Danny also serves as Chief Content Officer for Third Door Media, which publishes Search Engine Land and produces the SMX: Search Marketing Expo conference series. He has a personal blog called Daggle (and keeps his disclosures page there). He can be found on Facebook, Google + and microblogs on Twitter as @dannysullivan.

Connect with the author via: Email | Twitter | Google+ | LinkedIn

Marketing Day:

Get the top marketing stories daily!  


Other ways to share:

Read before commenting! We welcome constructive comments and allow any that meet our common sense criteria. This means being respectful and polite to others. It means providing helpful information that contributes to a story or discussion. It means leaving links only that substantially add further to a discussion. Comments using foul language, being disrespectful to others or otherwise violating what we believe are common sense standards of discussion will be deleted. You can read more about our comments policy here.
  • Alan Perkins

    This is a definite own goal. 

    What Google should have done is, when the +1 button was clicked, show a dialogue box explaining that it would not register since the browser’s privacy permissions were set too high.  This could have linked to more info explaining the issue in-depth and how to fix it, if you so wished.  By the time Safari users had seen this message a few times, they would learn either to not click +1 buttons or to change their privacy permissions.

  • Anonymous

    This user tracking right? It tracks where your iphone go on the internet. It is not location tracking.

    But it is tracking.

  • Ruth O’Leary

    How will this behaviour be impacted by the EU’s Cookie Directive?  I can’t see the UK’s Information Commissioner’s Office looking too kindly on it, for a start.

  • James R. Mitchener

    Google incorporates many different strategies that push the bounds of privacy and accountability, but I fail to see how this is that much different than anything they’ve done before. It’s just a tiny violation to make things easier. Google has always had a knack for taking certain privacy options away in exchange for convenience. When a user goes to Google, they are already signing away some of their privacy in exchange for a service. This is how we pay for the most efficient and effective global-information-sharing system the world has ever seen. We hit “Search” and say “You know what, I don’t mind if you know what I looked up. I don’t mind if you remember where I clicked and where I didn’t. I don’t mind if you know where I am and what all my other Google information is, because honestly, your system makes my life easier and therefor it’s a worthwhile trade.”

    Is it right that Google bypassed Safari to make +1 buttons usable? Technically, no. Does it make for a more intuitive and streamlined experience when surfing the web? I’d say yes. Seems to me like another worthwhile trade.

    And in regards to Google hurting their name by playing games like this: The damage done by such behaviour is akin to throwing a cup of water on Mount Everest; sure, water erodes rock, but I wouldn’t wait around for that mountain to crumble if I were you.

  • dazzlindonna

    “Does it make for a more intuitive and streamlined experience when surfing the web? I’d say yes. Seems to me like another worthwhile trade.” 

    Really? Do you really care if there is a +1 button on an Adsense ad? Do you really +1 ads you see? Is that truly a worthwhile trade for you? Maybe it is for you, but I can’t imagine many people would be willing to trade anything for the “opportunity” to +1 an ad. 

  • Anonymous

    Really?  You broke this taboo for +1 buttons on ads?  Sounds like Google isn’t getting the coverage on the +1 button across the web such as the facebook Like button gets, and so have decided to push it through their ad network to get it out on pages.  Being tracked by these social voting buttons isn’t news, Facebook has been doing it to me for years.

    But when you cross the line between collecting information which is freely given, and game the system to get information that is protected you cross the line in many peoples eyes between simply collecting information and stealing.

    As John Battelle’s take points out Apple is being difficult intentionally, but that doesn’t excuse Google from violating people’s choice who do intentionally keep their browsers at default.  It’s not a good look and leaves you open to ask what other convenient things Google maybe bypassing.  Hope the bad press is worth it for +1 on Ads…

    The WSG did me a disservice as well, but its not the first over dramatized headline I seen in a paper.  This is a problem in the print media not limited to Google, though the focus on the iPhone seems disingenuous as well.

  • Jim Carrington


    Google is not being totally forthcoming.  It is not just Google+.  When they disable their offending code, our remarketing serves on iPad went off a cliff.

  • CEO

    i agree with you it just Google+.But thank you for your info

  • zato

    The New York Times does an over-the-top hit piece on Apple’s “Chinese sweat shops”, then, the next week, the WSJ does an over-the-top hit piece on Google. 

    Microsoft and the WSJ go way back. 
    Microsoft seems to OWN the NYTimes these days. I think there was some kind of secret bailout of the NYT in 2008-9. 
    Microsoft is desperately trying to regain mindshare. I wouldn’t put any of this kind of hanky-panky past them.

  • rt

    Google is a spyware company.

  • Anonymous

    “It’s just a tiny violation to make things easier”


    Users should be the ones making the privacy vs convenience tradeoff decisions.

    And what makes you think you have been chosen to define “tiny violation”.

  • Swift2

    I heard the usually even-handed Leo Laporte define the “free” web as the advertising web. So missing the point. I said I didn’t want third party or advertiser’s cookies to be said. Apple’s preference protects non-technical people. If they think it’s worthwhile, they can voluntarily click the buttons to get tracked. But all the browsers allow you to stop these cookies. All of them, including Google’s Chrome. It’s just that only the technical elite think about it, so the great majority of the shmoes get to be 21-century serfs.

  • Swift2

    John Battelle is an advertiser, so his opinion is taken with a grain of salt. A big boulder of salt, actually. I don’t buy that Apple is “just protecting iAd,” which is a) on the level of a hobby, and b) look it up: does it set cookies in Safari if your preferences are set otherwise? I’ll bet not. iAd will likely fail, because Jobs put so many strictures against it being invasive. And? Oh yes, this default existed long before iAd. I know you could set it from the beginning of Safari, and I’m trying to figure out in what version it became the default and when. My memory tells me, it was a LONG way back.

  • Swift2

    That’s why they did it by accident.

  • David Lam

    There’s a known bug in iOS5 where the iPhone’s mobile Safari cookies preferences would reset itself to “Never” despite the user setting it to “From visited” or “Always”:

Get Our News, Everywhere!

Daily Email:

Follow Marketing Land on Twitter @marketingland Like Marketing Land on Facebook Follow Marketing Land on Google+ Subscribe to Our Feed! Join our LinkedIn Group Check out our Tumblr! See us on Pinterest


Click to watch SMX conference video

Join us at one of our SMX or MarTech events:

United States


Australia & China

Learn more about: SMX | MarTech

Free Daily Marketing News!

Marketing Day is a once-per-day newsletter update - sign up below and get the news delivered to you!