Secret ad code allows Google to bypass Safari’s “no tracking” settings
Once again, Google has been caught doing something that it shouldn’t be doing: using code in their ads to intentionally bypass the privacy settings of Safari users in order to track their browsing behavior.
Given the popularity of Apple’s mobile devices, Safari’s mobile version is used by a considerable chunk of mobile users. But Safari – both the computer and mobile version – blocks most tracking by default by preventing the installation of cookies. So Google and other online advertising companies had to find a solution that would allow them to keep doing it.
Google’s code was discovered by Stanford researcher Jonathan Mayer. The code is inserted in Google’s ads, and makes the browser believe that the users has completed and submitted a form to Google.
As Safari allows sites with which the user interacts in some way to install cookies, it permits Google to do so following the bogus form submission. And even though this one cookie expires after 24 hours, Safari also allows companies that have installed one cookie to continue to do so.
According to an investigation into the matter by the WSJ, the code in question was disabled as soon as the news outlet contacted Google about it.
Google has immediately issued a statement saying that the Journal mischaracterized what happened and why, and claiming that they used a known Safari functionality to provide features that signed-in Google users had enabled. It has also removed text from one of its sites claiming that Safari users could rely on Safari’s privacy settings to prevent tracking by Google.
According to the WSJ’s independent technical advisor Ashkan Soltani, Google is not the only ad company doing this. Vibrant Media, WPP PLC’s Media Innovation Group and Gannett Co.’s PointRoll have also been using similar techniques to get around Safari’s default privacy settings.
Soltani checked all the websites on the top 100 list of most popular Web sites in search for Google’s sneaky code in the ads, and found it on 22. PointRoll’s code was present on 10 of them.
The code in question is a variation of the code devised two years ago by Indian Web developer Anant Garg, who at the time was concerned only with ensuring a consistent experience for users of a chat system.
Apple has piped out to say that they are working on a solution that would prevent Safari’s privacy settings being bypassed in such a way, but I’m sure I’m not the only one to find Google’s tendency to secretly doing things like this until it gets caught in the act both predictable and annoying.