How Google got around Apple's Safari privacy protection
The search giant has been caught dropping cookies where it shouldn't
By Brad Reed | Network World US | Published: 20:37, 17 February 2012
Jonathan Mayer, a graduate student at Stanford, caused a major stir this morning when he published research showing how Google used loopholes within Apple's Safari browser cookie-blocking policy to place unexpected third party cookies within the browser. In this article we'll detail Mayer's findings and their implications for Safari users.
What are cookies and why should I care?
For the uninitiated, cookies are HTTP headers that are used by websites to track users' behaviour when visiting their sites. Some cookies, however, are not used by first party websites that the user is visiting but by third party websites such as advertisers who happen to have links embedded onto the website the user is visiting.
Apple's cookie-blocking technology is intended to block the cookies employed by these third party sites so that users don't find themselves tracked by every single advertiser they come across on the web. What's more, Apple enables cookie blocking on its Safari browser as a default setting, meaning that Safari users have typically felt comfortable browsing the web without fear of being tracked by third party cookies.
So what has Google done to circumvent Safari's protections?
As Mayer notes, Safari's cookie-blocking policies are fairly lenient in certain key areas. For instance, Safari allows third party advertisers to place cookies within Safari if their advertisement gets fully loaded onto an entire browser window; in other words, if a popup ad fully loads on your iOS device, Safari will allow it to place a tracking cookie.
Another way that Safari allows for third party cookies is if a user interacts with an advertisement in a way that results in the user submitting an HTML form to the advertiser's domain that gives the ad permission to track. Google achieved this particular feat through the placement of its "+1" button in certain advertisements that allowed users to vote up advertisements that they liked.
If a user is signed into their Google account and clicks the "+1" button on an advertisement, then Google submitted an invisible HTML form to the user though the advertisement's iframe, which is the HTML code used to embed a separate document, such as an advertisement, into a page's main HTML document. Unbeknown to users, the form would then automatically respond to Google's ad network and gives it permission to place a cookie within Safari that lasts 24 hours.
So it sounds like I'll get tracked by a Google ad for a day if I click +1 on it. What's the big deal?
Once you let one Google advertisement place cookies in your Safari browser, you're potentially letting all Google advertisements place cookies in your Safari browser, whether you interacted with them or not. This happens because Safari is designed to allow websites to add more cookies once the user has given them initial access.
Or put another way, once you let one ad from Google's doubleclick.net domain name place cookies on your browser, Safari sees all ads from doubleclick.net as good to go as well.
"The next time Google advertising content attempts to install the 'id' tracking cookie for.doubleclick.net, it will successfully set," Mayer explains in his report. "The next attempt may not even require that the user visit another page: We noticed that many Google ads periodically send requests to doubleclick.net."
Is Google going to do something about this?
Google says that it has started removing the offending code that allowed for additional ads to place cookies within Safari. Furthermore, the company claims that it had no idea that its system was adding cookies to users' browsers other than through the advertisements users directly interacted with.
"The Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser," Google said. "We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It's important to stress that, just as on other browsers, these advertising cookies do not collect personal information."
This is going to cause a firestorm, isn't it?
Yes. Google has already taken significant heat for impending changes to its privacy policies and this incident will give more fuel to Google's critics. The Consumer Watchdog advocacy group, for instance, filed a complaint with the Federal Trade Commission and asked it to investigate whether Google's actions violated previous privacy settlements reached between the FTC and Google.
Apple is predictably unhappy with the Safari tracking cookies story, and the company has said that it is working to put a stop to any third parties who have successfully circumvented its browser's privacy settings. Microsoft has also taken a shot at Google for undermining "the privacy protections built into Apple's Safari browser in a deliberate, and ultimately, successful fashion".