Yes, Google may well have been looking over your shoulder every time you surf on your iPhone, iPad or MacBook, or on anything using Safari for that matter.
The infraction was first discovered by Jonathan Mayer, a grad student at Stanford, who reported it to the Wall St. Journal. In addition to Google, Mayer identified Vibrant Media, Media Innovation Group, and PointRoll as companies that secretly circumvented Safari’s blocking of cookies. Unlike other web browsers, Safari blocks tracking cookies by default, and only accepts cookies temporarily from the current domain.
Normally, a plain HTTP request to put a cookie on a device is either accepted (for example, when Amazon wants to track your position on its site) or rejected (for example, when a third party like Google or Vibrant Media wants to track the websites you visit). Google needed to get beyond this coding wall for its Google+ feature that works similarly to Facebook’s Like button, and installed a cookie to check if Safari users were logged into Google. It then circumvented Safari’s default setting excluding tracking by adding code to some ads that made the browser think the user was filling out a form. Safari allows tracking in instances where the user interacts in some way, and Google fooled it with its own cookie survey.
Google closed that web loophole seven months ago, but somehow the tourniquet wasn’t tied properly around Safari. Each cookie installed was supposed to be temporary, but a technical quirk in Safari could sometimes result in an extensive collection of cookies that could survey the Safari user.
“However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser,” Google said in defense of its snafu in a statement. “We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers.”
How devious Google was with its hand caught in the cookie jar remains to be seen. It could be looked at as a mere technical glitch, or a secret conspiracy to detect what you eat for breakfast. Either way, it’s a terrible PR blunder, as the move comes just as the company has come under heated scrutiny for changing its privacy policies.
Microsoft also tried to hitch a ride on the Google-hating bandwagon, contending that Internet Explorer users were subject to the same cookie raid. However, their argument breaks apart like crumbs in milk when you take a good dunk.
“When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too?” Microsoft’s VP Dean Hachamovitch asked on a blog.
Yet it’s a question he already knew the answer to, clearly explained by the New York Times two years ago in a study that showed more than a third of sites visited by Explorer have a technical glitch that allows cookies to be installed. It’s done by violating the P3P protocol, a rather outdated 2002 technology that even Facebook, in which Microsoft has invested, declines to follow because it’s as relevant as 8-track tape.
“The organization that established P3P, the World Wide Web Consortium, suspended its work on this standard several years ago because most modern web browsers do not fully support P3P,” states Facebook’s Policy on P3P. “As a result, the P3P standard is now out of date and does not reflect technologies that are currently in use on the web, so most websites currently do not have P3P policies.”
Google’s tracking of Safari, however, is certain to be its own jungle. It’s a long walk through the woods, and the lion’s in heat.