Interview: Stanford Student Who Caught Google in Breach of Privacy on Apple Browser
From the Journal:
Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.’s Web browser on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked.
The companies used special computer code that tricks Apple’s Safari Web-browsing software into letting them monitor many users. Safari, the most widely used browser on mobile devices, is designed to block such tracking by default.
Google disabled its code after being contacted by The Wall Street Journal.
The Google code was spotted by Stanford researcher Jonathan Mayer and independently confirmed by a technical adviser to the Journal, Ashkan Soltani, who found that ads on 22 of the top 100 websites installed the Google tracking code on a test computer, and ads on 23 sites installed it on an iPhone browser.
The aforementioned Jonathan Mayer, who caught Google with its hand in the cookie jar, and who is working toward both a PhD in computer science and a law degree at Stanford, explains more in this blog post:
Every popular web browser, save Opera Mini and the Android built-in browser, includes a “third-party cookie blocking” privacy feature… These options share a common high-level purpose: impose limits on cookies from “third-party domains,” that is, domains that differ from the “first-party domain” in the browser’s URL bar…
Unlike every other browser vendor, Apple enables cookie blocking [on Safari] by default. Every iPhone, iPad, iPod Touch, and Mac ships with the privacy feature turned on…
We discovered four advertising companies that surreptitiously submit a form in an invisible iframe and place trackable cookies in Safari: Google, Vibrant Media, Media Innovation Group, and PointRoll.
Apple, for its part, issued this statement today:
“We are aware that some third parties are circumventing Safari’s privacy features, and we are working to put a stop to it.”
KQED’s Joshua Johnson today got a hold of Jonathan Mayer. Here’s an edited transcript of their conversation about what he characterizes as Google’s cookie shenanigans:
First off, explain what a cookie is.
A cookie is code that stores information that a web site sends to a user’s browser. Legitimate uses include saving your preferences, saving your login, and saving your shopping cart. They’re actually great; they’re what makes the web what it is today.
So your research shows that this cookie does something similar but in a way that users have not consented to…
Right. Some cookies are set by other web sites, like advertising networks, for example. These so-called third-party cookies can give rise to privacy concerns because they can let a company figure out what you do on the web sites you visit.
And what is the problem with that?
Well, do you trust a company with your web browsing history? I think the problem is that some company you’ve never heard of has a copy of what you’ve looked at online sitting on its server.
How did you discover this particular cookie from Google?
We started by running ads of our own. We knew that this loophole existed, and to see which advertising networks had set cookies in Safari browsers we ran ads targeted to that browser’s users. Then we had some code that reported back whether the user had a cookie from each of a number of advertising networks.
On the overwhelming majority of some 200,000 Safari browsers in our measurement sample, Google had set cookies on its DoubleClick domain — that’s its advertising domain. Around half of the users had cookies from a company called Vibrant Media. We also saw a number of cookies from a company called Media Innovation Group. These companies aren’t nearly the size of Google.
What was your reaction to these results?
I was a little bit skeptical at first; I ran it by several colleagues to get it verified. I also made sure to test with a bunch of different browsers to see if it was a Safari-specific thing. And we found that it was.
What are the potential implications of these cookies?
They make it really easy for Google to have a copy of your web-browsing history sitting on their server. One cookie is linked to your specific Google account. They use that to do social personalization of advertising. Google’s response is that there’s no personal information at play, which seems odd to me because we have this design document that Google sent us indicating this social-targeting cookie is supposed to have the user’s Google account ID on it.
Google claims we mischaracterized what they’re doing. When they’re talking about mischaracterization, they’ve left the world of computer science and entered the world of spin. I’ve tried not to put too much stock in that statement.
And I certainly disagree with a few claims they made. They suggest what they did is okay because this was related to a social feature. [Note: Google said they began using the cookies to "enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to “+1” things that interest them."]
I don’t think that’s quite right. This was not a social feature purely for the user’s benefit. It was a social feature on online ads for Google’s benefit. It’s not much of a stretch to imagine this was the tip of the iceberg in the social personalization of ads Google wanted to do. In fact the design document on this personal socialization feature has a couple of suggestions that the button on ads was just the starting point.
How did your research make it to the Wall Street Journal?
My team worked with the Wall Street Journal last summer on a story related to super cookies. It turns out there are lots of alternatives to cookies you can use to track the users. The Journal has several reporters who work nearly full-time on these issues, and it has a top-notch collaborating technologist.
Are there still some open questions around this issue?
I think the No. 1 question is how many users were caught up in this. It’s quite possible we’re talking about millions or even over 10 million people. Google hasn’t suggested this was some sort of limited trial. It’s quite possible we’re talking about most iPhone owners in America who had their privacy undermined by Google.
How can users get rid of this cookie on their iPhones, iPads or desktops?
Google has said they’re trying to go back and delete these cookies. And if you go into your Safari settings, you can clear out your DoubleClick cookies if you have them. And Google has stopped the practice and so have other companies.
That said, Google gave users the idea that if you were a Safari user, you didn’t need to do anything. The default setting was enough. We know that was clearly not the case. They’ve since pulled that language; I think it’s quite possible they’re going to have a problem with the FTC for that possibly being a deceptive business practice.
Second, because they signed a deal with the FTC after the Google Buzz debacle, where they promised under possible sanction of money damages that they wouldn’t misrepresent the extent to which users can control the information they’re sharing with Google, I think this pretty plainly falls within that language they agreed to.
In my view, this is just another reason why it’s time to build a technology that actually puts users in control over third-party web tracking. For a number of years there’s been this phrasing among people who work on third-party web-tracking issues that there’s an arms race or a cat-and-mouse game going on. And I think these research findings really reify that, quite possibly for millions of users.
So it’s time to start thinking about how Google and other players in the online ad industry can work to provide users with a real choice. We’ve been working on a technology policy proposal called Do Not Track, intended to give users that choice. The World Wide Web Consortium has moved ahead and is trying to standardize it.
The Electronic Frontier Foundation has suggested that one way Google can try to make things right with its users would be to take the lead on Do Not Track, to go ahead and get it implemented in its Chrome browser. That’s the only major browser that does not implement Do Not Track.
The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.
Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content–such as the ability to “+1” things that interest them.
To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous–effectively creating a barrier between their personal information and the web content they browse.
However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.
Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager.
To read a defense of Google, here’s a post from John Battelle’s Search Blog asserting that it is actually Apple that is the outlier here because it has deviated from standard web practice in making the cookie opt-out the default setting in Safari.
Google circumvented Safari’s default settings by using some trickery…
[But] in short, Apple’s mobile version of Safari broke with common web practice, and as a result, it broke Google’s normal approach to engaging with consumers. Was Google’s “normal approach” wrong? Well, I suppose that’s a debate worth having – it’s currently standard practice and the backbone of the entire web advertising ecosystem – but the Journal doesn’t bother to go into those details. One can debate whether setting cookies should happen by default – but the fact is, that’s how it’s done on the open web.
The Journal article does later acknowledge, though not in a way that a reasonable reader would interpret as meaningful, that the mobile version of Safari has “default” (i.e., not user activated) settings that prevent Google and others (like ad giant WPP) from tracking user behavior the way they do on the “normal” Web. That’s a far cry from the Journal’s lead paragraph, which again, states Google bypassed “the privacy settings of millions of people.” So when is a privacy setting really a privacy setting, I wonder? When Apple makes it so?….
But let’s step back a second here and ask: why do you think Apple has made it impossible for advertising-driven companies like Google to execute what are industry standard practices on the open web (dropping cookies and tracking behavior so as to provide relevant services and advertising)? Do you think it’s because Apple cares deeply about your privacy?
Or perhaps it’s because Apple considers anyone using iOS, even if they’re browsing the web, as “Apple’s customer,” and wants to throttle potential competitors, ensuring that it’s impossible to access “Apple’s” audiences using iOS in any sophisticated fashion?