A report from the Wall Street Journal suggests that Google has been bypassing the privacy settings of millions of Safari users, by tracking the browsing habits of people, even if they thought they had blocked such monitoring.
The WSJ explains how Google has developed code that installs cookies on a users' device—without their permission—from adverts contained in web pages. Once installed, however, those cookies have allowed Google to track browsing across the majority of websites.
Research by the WSJ showed that the code was present in adverts on Fandango.com, Match.com, AOL.com, TMZ.com and UrbanDictionary.com, among others, and that it worked on both desktop and mobile versions of Safari.
In a statement, Google told the WSJ:
"The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information."
However, since the WSJ informed Google that it was aware of the practice, Google has disabled the feature on their servers. An Apple representative has said that the company is "working to put a stop" to the privacy invasion.
The code in question stems from the development of Google+, being developed to skirt the way Safari blocked an original implementation of the "+1" button on third-party websites. Instead of directly using cookies, which Safari doesn't allow without user consent, the code made Safari think that a person was submitting an invisible form to Google. Sneaky. Then, Google had free reign to add cookies—and track a user's browsing—without the user ever knowing.
Image credit: brionv from flickr
Update:We've received statement from Google on the matter basically saying the WSJ got it wrong. Rachel Whetstone, Senior Vice President, Communication Public Policy at Google said:
“The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.
Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content -- such as the ability to “+1” things that interest them.
To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous--effectively creating a barrier between their personal information and the web content they browse.
However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.
Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager.”