Print 35 comment(s) - last by watcha10.. on Feb 23 at 11:56 AM

Google was also able to bypass privacy settings on mobile Safari, which normally blocks cookies as well

Google was recently caught bypassing user privacy settings on Apple's browser, Safari, and also on Microsoft's Internet Explorer. But Google claims that it was just trying to get its +1 buttons to work on Safari, and that Internet Explorer's cookie policy was "widely non-operational."

The Wall Street Journal recently outed Google for finding a way to bypass default privacy settings and place ad-tracking cookies on Safari users. These third-party cookies are used to track what users are doing on the Internet, which in turn helps Web giants like Google target users with suitable advertisements.

Google was able to successfully get past Safari's browser settings for privacy, which attempts to block certain types of cookies. Safari accepts first-party cookies (the Web site the user is on) or second-party cookies (the user's browser), but blocks third-party cookies, which links the browser to an entirely different Web site. The mobile version of Safari, which can be found on iOS devices, has the ability to block all cookies or none at all. 

Despite a user's privacy settings, Google and ad networks from Vibrant Media, PointRoll and Media Innovation Group were able to bypass this. They did so by making it look like the user visiting a Web site filled out a form of some sort (even if no form was presented to the user) and the companies would then get their cookies accepted. Google was also tracking user activity on the mobile version of Safari, meaning that iPhone, iPad and iPod touch users were being watched as well.

After The Wall Street Journal broke the story, Microsoft's Windows Internet Explorer Engineering Team wondered if Google was doing the same thing to Internet Explorer's users. As it turns out, it was.

"We've found that Google bypasses the P3P Privacy Protection feature in IE," said the Windows Internet Explorer Engineering Team Blog. "The result is similar to the recent reports of Google's circumvention of privacy protections in Apple's Safari Web browser, even though the actual bypass mechanism Google uses is different.

"By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site's use does not include tracking the user. Google's P3P policy causes Internet Explorer to accept Google's cookies even though the policy does not state Google's intent."

Microsoft suggested that users utilize the Tracking Protection feature in Internet Explorer 9, which doesn't allow Google to bypass security settings.

Google defended itself against the claims, saying that it never intended to track users on Safari or Internet Explorer. As far as Safari goes, it was just trying to get its +1 buttons to work. Browsers like FireFox, Chrome and Internet Explorer don't block third-party cookies by default, but Safari does. Therefore, Google bypassed the privacy settings to allow its +1 buttons on advertisements to be distributed through the AdSense network to other sites. Google also said it wasn't tracking iPhones, just what some people are doing in the Safari browser.

On the Internet Explorer side of things, Google argued that Internet Explorer's P3P cookie technology is "widely non-operational." Google also mentioned Facebook and Amazon's use of P3P bypass, and that P3P doesn't support Google's modern Web services. The P3P standard is now out of date, said Google.

"Microsoft omitted important information from its blog post today," said Google. "Microsoft uses a 'self-declaration' protocol (known as P3P) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known -- including by Microsoft -- that it is impractical to comply with Microsoft's request while providing modern web functionality. We have been open about our approach, as have many other websites."

Sources: Windows Internet Explorer Engineering Team Blog, Marketing Land, The Verge

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Judging the significance
By Tony Swash on 2/22/2012 7:41:42 AM , Rating: 1
I know one can get too paranoid and see too much pattern and intent in a simple fuck up, I am not generally a conspiracy theorist, but episodes like this one with Google circumventing user privacy settings can reflect deeper truths about a company's core dynamic. I do think this episode reveals something about Google and privacy and what the core dynamic of Google's business is, about what drives Google. I don't mean what are it's professed ideals but rather what are the central dynamics and drives of its core business model. ??

The way Google makes money, the only way it makes money, it's almost sole source of income, is to sell advertising. And Google can sell that advertising because it offers the buyers of the advertising the very special added benefit of targeting that advertising, of putting ads before people that are cleverly and effectively tailored to match the interests and concerns of the individual viewer. And Google does that by watching and recording what people do on the internet, what they search for, what they watch, what they write and read in their emails, who they network with, what they buy, etc and then Google records and stores that behaviour at the level of the individual so it can be interrogated by Google's advertising distribution algorithms. Being able to watch what people do and record it at the level of an individual is absolutely central to the very core of Google's corporate identity. That is why there are so many Google offerings trying to tempt people into declaring themselves and making their identity known to Google in some way.??

Without being able to watch and record what people do Google no longer has a product to sell. This means that Google will always view areas of activity on the internet which it cannot record and inspect as a threat, to be broken into or routed around. This is not about ethics or the simplistic and somewhat childish notions of good and bad, it is about basic business logic. For Google opening up, inspecting, and recording information and behaviour is really just one big technical problem and all Google thinks it wants to do with this information is just make things better for the user, to make the search results and the advertising that each of us sees, more relevant. So the drive to overcome hurdles and to breach obstacles to the collection of user data is hardwired deep into Google's DNA.??

Google has to be able to watch enough of us enough of the time so that the adverts it places are accurately tailored to each of us. Then it has a product it can sell. If it cannot watch and record at the level of individuals Google has no business and nothing to sell. If it cannot access a high proportion of the users and activities on the internet then it's product is devalued.

Whether any of this bother one is a personal issue, some care some don't. But it is wrong to view episodes such as the Google Safari/IE privacy breach as somehow anomalous.??

Remember: if the product is free, You are the product.

RE: Judging the significance
By SkullOne on 2/22/2012 10:56:24 AM , Rating: 2
I love how you ignore the facts all the time Tony. Then again facts always make Apple look rotten.

How are they purposely circumventing? Is it Google's fault that Webkit purposely relaxed 3rd party cookie policies back in March 2010? Is it Google's fault that Webkit and Safari didn't implement the fix for this that was submitted in August, 2011 by Google developers? Please explain that too.

Firefox and Chrome both explicitly block 3rd party cookies no questions asked so this "loophole" doesn't exist. Why does IE and Safari not do the same?

RE: Judging the significance
By The Raven on 2/22/2012 11:32:54 AM , Rating: 2
Actually they ask you by default if I am not mistaken. Better than default block IMHO

RE: Judging the significance
By Tony Swash on 2/22/2012 12:18:02 PM , Rating: 2
I believe that Google also exploited a loop hole in IE which doesn't use webkit.

Who is more guilty, the person who leaves their window open or the burglar who climbs in?

Obviously a tough call for some:)

RE: Judging the significance
By SkullOne on 2/22/2012 12:48:14 PM , Rating: 2
You still ignore the facts that were posted earlier in the thread so I'll post the URL again and pay attention to the date. IE has had this known issue since well...forever and they chose to ignore it. So it's Microsoft's fault.

You also (conveniently) didn't answer my question though. If Firefox and Chrome explicitly block 3rd party cookies no questions asked why do IE and Safari not do the same? That takes the issue and points is squarely at the web browsers, not at Google or the other websites out there that use this "loophole".

RE: Judging the significance
By Tony Swash on 2/22/2012 3:13:37 PM , Rating: 2
So I guess your answer is that the burglar is less guilty than the guy who leaves his window open.

Odd call in my opinion.

RE: Judging the significance
By SkullOne on 2/22/2012 3:40:49 PM , Rating: 2

I love how you can never answer a simple question when the answer makes your precious Apple look rotten. Especially when Webkit did this to themselves by relaxing the policies in March 2010 and didn't bother implementing the fix submitted by Google developers back in August 2011.

RE: Judging the significance
By Tony Swash on 2/22/2012 5:11:25 PM , Rating: 2
Especially when Webkit did this to themselves by relaxing the policies in March 2010 and didn't bother implementing the fix submitted by Google developers back in August 2011.

So Googles response was to exploit the hole. Nice. I blame the burglar not the victim no matter how careless they are. You obviously do the opposite.

RE: Judging the significance
By SkullOne on 2/23/2012 9:17:15 AM , Rating: 2
What about the fact that Microsoft's own support page recommended people do exactly what Google is doing? Which is also what Microsoft's site does, as does Facebook.

The only reason Microsoft came out with this information was to jump on the "I hate Google" bandwagon and make Google look bad. Instead all it's done is show that IE is still outdated and insecure as is Safari.

Why can't you ever lay blame where it belongs?

RE: Judging the significance
By sprockkets on 2/22/2012 12:05:24 PM , Rating: 2
I am not generally a conspiracy theorist...


"Game reviewers fought each other to write the most glowing coverage possible for the powerhouse Sony, MS systems. Reviewers flipped coins to see who would review the Nintendo Wii. The losers got stuck with the job." -- Andy Marken

Most Popular ArticlesAre you ready for this ? HyperDrive Aircraft
September 24, 2016, 9:29 AM
Leaked – Samsung S8 is a Dream and a Dream 2
September 25, 2016, 8:00 AM
Yahoo Hacked - Change Your Passwords and Security Info ASAP!
September 23, 2016, 5:45 AM
A is for Apples
September 23, 2016, 5:32 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki