NEW YORK (CNNMoney) — In the latest high-profile flap over online data privacy, Google has been caught bypassing the privacy settings on Apple’s Safari Web browser, letting advertisers track users in unintended ways.
A Wall Street Journal investigation published Friday drew attention to the issue and set off alarm bells across the Web. In response to the Journal’s probe, Google ( , Fortune 500) discontinued its use of the tracking code.
The actual consequences were pretty limited: Google’s code was being used only to target ads, and users’ personal information was never collected. But it was yet another prominent example of a tech company drawing fire for a slipshod and sneaky way of handling private data.
The Google imbroglio revolves around the company’s ad network, which serves advertisements across a wide range of websites.
Sites use files called “cookies” to follow users’ movements and log-ins as they travel through the Web. Apple’s (Fortune 500) Safari has far stricter tracking restrictions than any other major browser: By default, it blocks third-party cookies. That’s a big problem for ad networks, which rely on those cookies to measure their campaigns and to enable some ad functions.,
That’s what tripped Google up. It wanted to give viewers who were signed into Google’s network the ability to use Google’s +1 button to tout ads that caught their eye.
To do that, it exploited a loophole in Safari, essentially tricking the browser into thinking that the viewer had interacted with the ad. That fooled Safari into giving Google permission to install a test cookie and create a temporary communication link back to Google’s servers.
Google says that link was designed to operate anonymously and did not collect any personal information. But it had an unintended consequence: Other cookies were able to follow in the first one’s wake. Google essentially cracked open a door and others piled in behind it.
While it admitted using the Safari workaround, Google cast the subsequent cookie flood as an inadvertent screw-up.
“The Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen,” Google said Friday in a prepared statement. “We have now started removing these advertising cookies from Safari browsers.”
Google wasn’t the only one exploiting Safari’s loophole. Stanford grad student Jonathan Mayer, who published an extensive technical analysis of it on Friday, found at least three other advertising companies taking advantage of it: Vibrant Media, Media Innovation Group and PointRoll.
Apple did not immediately respond to a request for comment.
“Some privacy researchers and advocates have characterized the interplay between third-party web trackers and browser privacy measures as a ‘cat and mouse game’ or ‘arms race,’” Mayer wrote. “This … regrettably affirms that view.”
Mayer intentionally steered clear of a broader question the debacle raises: Is Safari’s third-party cookie blocking the right way to go?
It’s a big departure from the industry standard. Microsoft’s (Fortune 500) Internet Explorer, Firefox and Chrome all allow third-party cookies.,
Apple says its motive is privacy. Safari’s third-party cookie ban is designed “to prevent companies from tracking the cookies generated by the websites you visit,” Apple says on its website.
But many websites rely on advertising to fund their operations, and Apple’s ban wreaks havoc with tracking across ad networks. Those ad networks are Apple’s direct rivals: It competes against them with its own iAd network, which serves ads through applications instead of websites.
“Marketers who rely on third-party tracking cookies are effectively blind when it comes to measuring performance on the iPad and other iOS devices,” ad software maker Marin Software wrote last year in a research paper examining the problem.
The block also causes problems for some Web apps that integrate content across multiple sites. The permissions that a user intentionally grants on one site can’t be carried through to other, linked sites.
Facebook’s “best practices” guide for its developers lists “cross-domain cookies do not work in Safari” as a common problem and recommends using the same kind of workaround Google employed.
It’s not lost on Apple’s critics that the company’s cookie ban is a big thorn in the side of Apple’s key competitors.
“Let’s step back a second here and ask: why do you think Apple has made it impossible for advertising-driven companies like Google to execute what are industry standard practices on the open web?” author John Battelle, who founded an ad network and wrote a book about Google, wrote in a blog post.
“Do you think it’s because Apple cares deeply about your privacy? Really?” Battelle asked. “Or perhaps it’s because Apple considers anyone using iOS, even if they’re browsing the web, as ‘Apple’s customer,’ and wants to throttle potential competitors.”
Article source: http://rss.cnn.com/~r/rss/money_latest/~3/1X2Q3QehLQg/index.htm