Google Circumvents Safari Privacy Protections


(I'm using this thumbnail a lot. What can I say, it is deserved.)

Google Circumvents Safari Privacy Protections - This is Why We Need Do Not Track

Earlier today, the Wall Street Journal published evidence that Google has been circumventing the privacy settings of Safari and iPhone users, tracking them on non-Google sites despite Apple's default settings, which were intended to prevent such tracking. [...]

As Google engineers were building the system for passing facts like "your friend Suzy +1'ed this ad" from google.com to doubleclick.net, they would have likely realized that Safari was stopping them from linking this data using third-party DoubleClick cookies. So it appears they added special JavaScript code that tricked Safari into thinking the user was interacting with DoubleClick [...]

Unfortunately, that had the side effect of completely undoing all of Safari's protections against doubleclick.net. It caused Safari to allow other DoubleClick cookies, and especially the main "id" tracking cookie that Safari normally blocked. Like a balloon popped with a pinprick, all of Safari's protections against DoubleClick were gone.


6 Responses:

  1. Pavel says:

    Isn't this going to seriously fuck them in Europe?

  2. antabakayt says:

    Fun fact: If this were about IE, the headline would focus on a glaring security hole in IE, instead of the company that managed to circumvent it.

    • Lun Esex says:

      Fun fact: The headline is always about "the bigger guy." Better name recognition = more page views.

      Google is "the big guy" in online ads and services. Apple is "the little guy" in browsers and accessing online services. If it was some little advertisers instead of Google that were doing this then the headlines all would be about a security hole in Safari. The story would also barely be carried anywhere, though, because Safari's browser share is relatively small. Most likely the headlines would be something like "iPhone Browser Privacy Hole" and a lot of iPhone owners who read it would shrug and go back to playing with Angry Birds and the other apps that people spend more time in than the phone's browser now.

      Also news organizations like to try to take down the high and mighty and show that the emperor has no clothes. If Google had never come up with their "Don't be evil" mantra then a lot of the stories lately about them being evil would've been responded to with a lot more shrugs of shoulders and thoughts/comments of "Eh, that's business" (because everyone knows big businesses are self-centered and tend to put their own interests first).

      Microsoft got a lot of passes this way, at the height of their domination.

      • antabakayt says:

        If by "little guy" you mean the company that is worth more than Google and Microsoft combined... yeah, I can see that.

        Admittedly, I grok the media's satisfactory part about prodding Google about the "Do no evil" part.

  3. jwb says:

    The most interesting facet of this story (to me) was that Google engineers found and fixed this bug in WebKit, last August. Apparently it takes more than 6 months for WebKit fixes to arrive in released Safari binaries. http://trac.webkit.org/changeset/92142 and https://bugs.webkit.org/show_bug.cgi?id=61809 (irritatingly secret. I guess WebKit didn't learn anything from Mozilla's mistakes in that regard.)