Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

How Google got around Apple's Safari privacy protection

The search giant has been caught dropping cookies where it shouldn't

Article comments

Jonathan Mayer, a graduate student at Stanford, caused a major stir this morning when he published research showing how Google used loopholes within Apple's Safari browser cookie-blocking policy to place unexpected third party cookies within the browser. In this article we'll detail Mayer's findings and their implications for Safari users.

What are cookies and why should I care?

For the uninitiated, cookies are HTTP headers that are used by websites to track users' behaviour when visiting their sites. Some cookies, however, are not used by first party websites that the user is visiting but by third party websites such as advertisers who happen to have links embedded onto the website the user is visiting.

Apple's cookie-blocking technology is intended to block the cookies employed by these third party sites so that users don't find themselves tracked by every single advertiser they come across on the web. What's more, Apple enables cookie blocking on its Safari browser as a default setting, meaning that Safari users have typically felt comfortable browsing the web without fear of being tracked by third party cookies.

So what has Google done to circumvent Safari's protections?

As Mayer notes, Safari's cookie-blocking policies are fairly lenient in certain key areas. For instance, Safari allows third party advertisers to place cookies within Safari if their advertisement gets fully loaded onto an entire browser window; in other words, if a popup ad fully loads on your iOS device, Safari will allow it to place a tracking cookie.

Another way that Safari allows for third party cookies is if a user interacts with an advertisement in a way that results in the user submitting an HTML form to the advertiser's domain that gives the ad permission to track. Google achieved this particular feat through the placement of its "+1" button in certain advertisements that allowed users to vote up advertisements that they liked.

If a user is signed into their Google account and clicks the "+1" button on an advertisement, then Google submitted an invisible HTML form to the user though the advertisement's iframe, which is the HTML code used to embed a separate document, such as an advertisement, into a page's main HTML document. Unbeknown to users, the form would then automatically respond to Google's ad network and gives it permission to place a cookie within Safari that lasts 24 hours.

So it sounds like I'll get tracked by a Google ad for a day if I click +1 on it. What's the big deal?

Once you let one Google advertisement place cookies in your Safari browser, you're potentially letting all Google advertisements place cookies in your Safari browser, whether you interacted with them or not. This happens because Safari is designed to allow websites to add more cookies once the user has given them initial access.

Or put another way, once you let one ad from Google's domain name place cookies on your browser, Safari sees all ads from as good to go as well.

"The next time Google advertising content attempts to install the 'id' tracking cookie, it will successfully set," Mayer explains in his report. "The next attempt may not even require that the user visit another page: We noticed that many Google ads periodically send requests to"

Is Google going to do something about this?

Google says that it has started removing the offending code that allowed for additional ads to place cookies within Safari. Furthermore, the company claims that it had no idea that its system was adding cookies to users' browsers other than through the advertisements users directly interacted with.

"The Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser," Google said. "We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It's important to stress that, just as on other browsers, these advertising cookies do not collect personal information."

This is going to cause a firestorm, isn't it?

Yes. Google has already taken significant heat for impending changes to its privacy policies and this incident will give more fuel to Google's critics. The Consumer Watchdog advocacy group, for instance, filed a complaint with the Federal Trade Commission and asked it to investigate whether Google's actions violated previous privacy settlements reached between the FTC and Google.

Apple is predictably unhappy with the Safari tracking cookies story, and the company has said that it is working to put a stop to any third parties who have successfully circumvented its browser's privacy settings. Microsoft has also taken a shot at Google for undermining "the privacy protections built into Apple's Safari browser in a deliberate, and ultimately, successful fashion".


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *