The Wall Street Journal reports that Google has been bypassing privacy settings in Safari intended to block websites from tracking user activity across the Internet. Stanford researcher Jonathan Mayer discovered that Google had been implementing code that bypasses Safari's user-determined privacy settings, and the Journal's own researcher independently confirmed Mayer's findings. This code affected both Safari on the Mac and its mobile counterpart on iOS devices.
According to the Journal, Google's code "exploited a loophole in [Safari's] privacy settings." By default, both Safari and Mobile Safari block cookies designed to track user activity unless that user specifically interacts with a website by filling out a form or performing some other activity. This default setting blocks most advertising networks from tracking users' activity unless the user purposefully interacts with an online ad.
The Journal reports that Google's code "tricked" Safari into believing that users were submitting "an invisible form" to Google. This allowed Google to install cookies on the Mac or iOS device and subsequently track user activity. Such tracking allows ad networks to target specific ads to users based on their browsing habits -- and with the overwhelming majority of Google's revenue coming from advertising, the discovery of this code raises very serious questions about Google's motivations for bypassing user-defined privacy settings.
The Wall Street Journal's testing found that 22 of the top 100 visited sites in the US were affected by the code bypassing Safari's default security settings; the iPhone's mobile version of Safari fared slightly worse, with 23 of the top 100 sites affected by the bypass code. The Journal reports there is "no indication" any of these sites knew about Google's code; indeed, even the Wall Street Journal itself found that its own ads were affected.
The code implementation involves the same iframe HTML code used, for example, to embed YouTube videos on external websites -- we use iframe codes all the time to deliver videos from YouTube, Vimeo, and other sources to TUAW readers. However, it appears that Google has been using the same iframe snippet to inject content from doubleclick.net, which the Journal calls "the primary tracking cookie for Google's ad network."
The iframe window was able to detect the current browser agent, and if Safari or Mobile Safari was being used, Google inserted "an invisible form" into the iframe container. This "form" was automatically filled out by the injected code, making Safari act as though the user had intentionally filled out a form. This then allowed Google to store a cookie on the user's device, effectively bypassing the user's privacy settings.
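A site owner auditing the third-party frames on their own pages can look for the pattern described above: a form the user never sees that is submitted by script to another host. The following is an added example, not code from the Journal's report, Mayer's research or Google; the heuristics (hidden styling or no visible fields, plus a script-driven `.submit(` call) and the `.example` hostnames are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
AUTO_SUBMIT = re.compile(r"\.submit\s*\(")   # script-driven submission
VISIBLE_FIELDS = {"textarea", "select", "button"}

class FormAuditor(HTMLParser):
    """Records each <form>, whether it is hidden, and inline script text."""
    def __init__(self):
        super().__init__()
        self.forms, self.scripts = [], []
        self._form, self._in_script = None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "visible_fields": 0,
                          "hidden": bool(HIDDEN_STYLE.search(a.get("style") or ""))}
            self.forms.append(self._form)
        elif tag == "script":
            self._in_script = True
        elif self._form is not None and (tag in VISIBLE_FIELDS or (
                tag == "input" and (a.get("type") or "text").lower() != "hidden")):
            self._form["visible_fields"] += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def audit_frame(html, page_host):
    """Hosts other than page_host that receive a script-submitted, unseen form."""
    p = FormAuditor()
    p.feed(html)
    if not any(AUTO_SUBMIT.search(s) for s in p.scripts):
        return []          # nothing submits without a user action
    hosts = [(urlparse(f["action"]).hostname, f) for f in p.forms]
    return [h for h, f in hosts if h not in (None, page_host)
            and (f["hidden"] or f["visible_fields"] == 0)]

# Constructed samples; the .example hosts are placeholders.
FRAME_HIDDEN = ('<form style="display:none" action="https://ads.tracker.example/c">'
                '<input type="hidden" name="x"></form>'
                '<script>document.forms[0].submit()</script>')
FRAME_VISIBLE = ('<form action="https://search.example/q"><input name="q">'
                 '<button>Go</button></form>')
```

Hidden auto-submitted forms also have legitimate uses, so a hit is a prompt to review which host receives the submission and what cookies it sets, not proof of tracking.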
Google+ users have an added "benefit" from this code in the form of encoded information about their account, the Journal reports. Anyone not using Google+ or not logged into their account would instead have a blank cookie.
The cookie installed by Google's workaround code was temporary, according to the Journal, with an expiration between 12 and 24 hours. However, a "technical quirk" in Safari meant Google's code essentially acted as a Trojan horse for more cookies to be added after the installation of the first cookie. Any user who saw another Google ad before the initial cookie expired would have further cookies added on top of the first one.
The Wall Street Journal characterizes this as Google tracking user activity across the Internet regardless of what user privacy settings may have been set to; in effect, Google was tracking even those users who specifically set up their browsers to disable such tracking.
For its part, Google says that "The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information." That having been said, as soon as the Journal contacted Google regarding the matter, Google disabled its bypass code.
Apple responded to the Journal on the matter and said it is "working to put a stop" to Google's apparent workaround of Safari's privacy settings.
Google has already been under fire for privacy concerns in several parts of the world and for many different reasons. If the Journal's investigation into this alleged practice is true, it has widespread implications for the search giant that may come to haunt it later, regardless of whether or not Google has subsequently disabled this code. Google has reported in the past that iOS browsers deliver a majority of its mobile ads; if it turns out that the company has been intentionally bypassing user privacy settings on those browsers, Google will find itself at the center of a well-deserved controversy.