February 17, 2012
WSJ: Google Used Illicit Code To Track iPhone Activity
According to a report by the Wall Street Journal, Google along with a handful of advertising companies has been using a piece of clandestine code to get around security settings in Apple’s Safari web browser in order to track iPhone users’ online activities.
The investigation stated that Google and ad networks Vibrant Media, Media Innovation Group and Gannett PointRoll had circumvented Safari’s privacy settings by using code that falsely represents its advertisements as being a user-initiated form submission.
Researcher Jonathan Mayer of Stanford University discovered the loophole after noting that ads on 23 of the top 100 websites installed a tracking code on an iPhone browser, compared to 22 on a test desktop computer. Once the websites had activated the code, they could then follow the user’s activity across the Internet.
Internet advertisers typically save cookies on users’ web browsers, allowing them to track and record what kind of sites they visit for more targeted advertising. Safari’s default settings are designed to block the device’s cookies from use by third parties and advertisers. This setting is intended to permit only those sites with which the user has directly interacted to save a cookie.
The article stated that “Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.”
According to the report, the Google-engineered code essentially tricked Safari into letting it put a tracking cookie on the device by making it appear as though the user had submitted an online form to Google.
While the illicit cookies were designed to expire within 12 to 24 hours, the report stated that they “could sometimes result in extensive tracking of Safari users...because of a technical quirk in Safari that allows companies to easily add more cookies to a user’s computer once the company has installed at least one cookie.”
Google subsequently disabled the security-evading code after being contacted by the Journal for the report.
One particularly damaging segment of the exposé pointed to a Google website on which it specifically reassured users that Safari’s security settings did not allow it to track their web activities.
The web giant was quick to respond to the newspaper’s report, releasing a press statement just hours after the Friday paper hit newsstands.
“The Journal mischaracterizes what happened and why,” wrote a Google spokesman.
“We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”
Vibrant Media, which also used similar pieces of code, told the Journal that it had simply made use of a legitimate “workaround” code that does not collect personally identifiable data like names or account numbers.
The Journal reported that the web advertising firm WPP declined to comment, while Gannett PointRoll stated the code was part of a “limited test” to determine how often Safari users went to an advertiser’s site after exposure to an ad.
The investigation revealed that the dubious code was also found on numerous major websites like AOL.com, Match.com, YellowPages.com and even the Journal’s own WSJ.com. There was no evidence to suspect, however, that these sites had any knowledge of the code, the Journal said.
The paper also talked with a representative from Apple who said that the company was hard at work closing up the privacy loophole in Safari.
It remains to be seen what the public relations fallout will look like for Google in the coming days and weeks. The web juggernaut has in recent years developed an increasingly ambivalent relationship with its users, who love its services but are growing increasingly wary of its privacy practices.
In the latest in a long row of legal battles, Google has recently run afoul of European Union legislators, who are petitioning the U.S. Federal Trade Commission to overturn a decision that would give the Internet giant explicit rights to “combine personal information” across multiple products and services.