The Consumer Watchdog advocacy group today asked the Federal Trade Commission to investigate whether Google violated a previous privacy agreement with the FTC by tracking cookies in a way that circumvents default privacy settings in Apple's Safari browser.
Google's method of getting around Safari's default blockage of third-party cookies was detailed today in a study by Stanford grad student Jonathan Mayer and in two articles in the Wall Street Journal. One Journal headline calls it "Google's iPhone tracking," but the technique actually works across iPhones, iPads, iPod touches, and desktop computers. After being contacted by the Journal, Google disabled the code that had allowed it to install tracking cookies on Safari, even though the browser is designed to block such cookies by default.
Google says it was unintentional, but this is also concerning—the advertising cookies spread without Google even realizing it.
"Unlike every other browser vendor, Apple enables cookie blocking by default," Mayer writes. "Every iPhone, iPad, iPod Touch, and Mac ships with the privacy feature turned on."
The code used by Google was part of its program to place the "+1" button in advertisements. As the Journal explains, "Safari generally blocks cookies that come from elsewhere—such as advertising networks or other trackers. But there are exceptions to this rule, including that if you interact with an advertisement or form in certain ways, it’s allowed to set a cookie even if you aren’t technically visiting the site. Google’s code, which was placed on certain ads that used the company’s DoubleClick ad technology… took advantage of this loophole."
Three additional advertising companies—Vibrant Media, Media Innovation Group, and PointRoll—were accused of doing the same thing.
Google blames Safari functionality, says cookies spread by accident
In a statement sent to Ars, Google's Senior VP of Communications and Public Policy, Rachel Whetstone, stressed that the advertising cookies did not collect any personal information, that they were an unintentional byproduct of Google adding new functionality for signed-in Google users on Safari, and that Google has now disabled these particular advertising cookies.
The Google statement makes it clear that the tracking cookie placement was specific to Safari, and that the browser contains functionality that allowed it to happen without Google even realizing it.
The full Google statement reads as follows:
"The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.
Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content–such as the ability to '+1' things that interest them.
To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous—effectively creating a barrier between their personal information and the web content they browse.
However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.
Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager."
The Journal notes an update to WebKit that closes the loophole—and was prepared by two Google engineers—could be incorporated into future versions of Safari. An Apple spokesperson told Ars that "We are aware that some third parties are circumventing Safari’s privacy features and we are working to put a stop to it."
Consumer Watchdog: Google tricked Safari users
But Google still faces that FTC complaint from Consumer Watchdog. The FTC doesn't typically reveal when it conducts an investigation, so we don't know how seriously the complaint will be taken. But Consumer Watchdog Privacy Project Director John Simpson claimed in a letter to FTC Chairman Jon Leibowitz that Google's actions violate the "Buzz Consent Agreement," which requires Google to get consent from users any time it changes its services in a way that results in the sharing of more information.
Simpson blasted Google for giving "false advice" to Safari users regarding the ability to permanently opt out of receiving targeted advertising. "Google has developed a so-called browser 'plugin' for Internet Explorer, Firefox, and Google Chrome that makes the opt-out persistent," Simpson wrote. "Google has not developed a plugin for Safari." Instead, Google tells Safari users, "While we don’t yet have a Safari version of the Google advertising cookie opt-out plugin, Safari is set by default to block all third-party cookies. If you have not changed those settings, this option effectively accomplishes the same thing as setting the opt-out cookie."
We've asked Google for additional comment to address the FTC complaint but haven't heard back.
Simpson's letter to the FTC concludes by saying that all four advertising companies identified by Mayer's research should be investigated, but "Given Google’s dominance of online and mobile advertising and the fact that the company’s actions flagrantly violate its consent agreement with the Commission, I call on you to focus immediate attention on the Internet giant."