Apple's mobile Safari browser by default blocks third-party cookies — such as those used to track Web-browsing habits or to personalize ads — but Google has been managing to bypass these privacy settings and enable the use of advertising-related cookies on iPhones since last year.
The Wall Street Journal was the first to call attention to this issue on Friday and Google says it has begun removing the offending advertising cookies since that time. The company's actions were initially "spotted by Stanford researcher Jonathan Mayer and independently confirmed by a technical adviser to the Journal, Ashkan Soltani."
We reached out to Google for clarification on the incident. According to Rachel Whetstone, Senior Vice President, Communications and Public Policy, the search engine giant was simply attempting to use a "known Safari functionality" in order to "provide features that signed-in Google users had enabled." She emphasizes that all of the related cookies "did not collect personal information" and "that the information passing between the user’s Safari browser and Google’s servers was anonymous."
Whetstone explains that the use of any additional advertising-related cookies was simply enabled by accident:
Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many Web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content — such as the ability to “+1” things that interest them. ... However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen.
According to the WSJ's research, the way Google managed to circumvent Safari's privacy settings in the first place involved taking advantage of a loophole in the browser:
While Safari does block most tracking, it makes an exception for websites with which a person interacts in some way — for instance, by filling out a form. So Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.
This cookie, the WSJ says, could "sometimes result in extensive tracking of Safari users." This was because of a "technical quirk" which allowed Google to easily add more cookies once it deposited the first one using the Safari loophole.
Google isn't the only company guilty of bypassing Safari's privacy settings though. Jonathan Mayer, the researcher who first noticed the exploitation of the browser loophole, also found that three major online-ad companies — Vibrant Media, the Media Innovation Group, and PointRoll — are using similar tricks.
We have reached out to Apple and asked for a statement regarding whether the company intends to do anything to put a stop to this practice. In the meantime, you may try protecting yourself by opting out of advertising programs such as Google's. This can be done using the Google Ads Preference Manager.
Related stories:
- Careful: Twitter may be storing your contacts
- Report: Hacked Syrian officials used '12345' as email password
- HTC security flaw lets malicious apps steal Wi-Fi passwords
Want more tech news, silly puns, or amusing links? You'll get plenty of all three if you keep up with Rosa Golijan, the writer of this post, by following her on Twitter, subscribing to her Facebook posts, or circling her on Google+.
