Friday, February 17, 2012

Google bypasses privacy settings, hides cookies in Safari for iPhone



Google is caught up in what has the potential to be a rather large privacy scandal. The company has acknowledged using a hack in ads served by its Google Ads/DoubleClick service that allowed it to bypass a privacy setting in the iPhone and iPad's Safari browser. This hack allowed Google to place a cookie, a small piece of data that can be used for tracking, in Safari when it normally wouldn't have been allowed.


The issue is that the hack allowed Google's ad servers, as a "third party site," to set the cookie. It is normal behavior for sites that a user visits directly to set cookies. We do it here on MobileBurn.com. It allows sites to keep you logged in, to use your preferred settings, or just to ensure that traffic statistics are accurate. But Google was setting the cookie without the user visiting Google's website directly.

Google's intent in doing this was not to track users for advertising purposes, though. Rather, it was a work-around that would allow Google+ users to press the +1 button that appears on ads served by its network. There's nothing particularly nefarious about what Google was trying to do here, and the cookies it placed in Safari were set to expire after no more than 24 hours.

When Google detected that a user was logged into Google+, it set a cookie that would allow the user to hit the ad's +1 button. When the user was not an active Google+ user, it also created the cookie - but left it blank. Google said that this was done to effectively anonymize the data - making all users look alike.

This technical two-step had a side effect that Google admits to not having anticipated.

That side effect is that advertisements that use Google's ad network now had a foot in the door. This is because once a site has a cookie set on a browser, it is generally allowed to set additional cookies - no matter which site is being visited when they are set. This allows for features like Facebook's 'like' button to operate on non-Facebook sites. But now Google advertisements were setting their own cookies that would have been prohibited before, and they could be set with their own expiration dates that could keep this door open indefinitely.
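The foot-in-the-door effect described above, modelled as an added example (not code from Google, Apple, or this article). The domain names, the `exempt` flag standing in for the bypass, and the audit helper are assumptions made for illustration.

```javascript
// Simplified model of the cookie rule as the article describes it; not Safari's code.
// Domain names and cookie names are constructed placeholders.
const DAY_MS = 24 * 60 * 60 * 1000;

function createJar() {
  return new Map(); // domain -> array of { name, expiresAt }
}

// Decide whether `domain` may set a cookie while the user is on `topSite`.
// `exempt` (hypothetical) stands in for the bypass; its mechanics are not modelled.
function setCookie(jar, topSite, domain, cookie, exempt = false) {
  const existing = jar.get(domain) || [];
  const firstParty = domain === topSite;
  const alreadyKnown = existing.length > 0;
  if (!firstParty && !alreadyKnown && !exempt) {
    return { accepted: false, reason: "third-party-blocked" };
  }
  jar.set(domain, [...existing, cookie]);
  const reason = firstParty ? "first-party" : alreadyKnown ? "existing-cookie" : "exempt";
  return { accepted: true, reason };
}

// Audit: list cookies held by domains the user never visited directly, and
// mark those that outlive the 24-hour lifetime the article cites.
function auditJar(jar, visitedSites, now) {
  const findings = [];
  for (const [domain, cookies] of jar) {
    if (visitedSites.has(domain)) continue;
    for (const c of cookies) {
      findings.push({ domain, name: c.name, longLived: c.expiresAt - now > DAY_MS });
    }
  }
  return findings;
}

function demo() {
  const now = 0;
  const jar = createJar();
  const visited = new Set(["news.example"]);
  const results = [
    setCookie(jar, "news.example", "news.example", { name: "session", expiresAt: now + DAY_MS }),
    setCookie(jar, "news.example", "ads.example", { name: "track", expiresAt: now + 365 * DAY_MS }),
    setCookie(jar, "news.example", "ads.example", { name: "plus1", expiresAt: now + DAY_MS }, true),
    setCookie(jar, "news.example", "ads.example", { name: "track", expiresAt: now + 365 * DAY_MS }),
  ];
  return { results, findings: auditJar(jar, visited, now) };
}
console.log(JSON.stringify(demo(), null, 2));
```

The same long-lived cookie is refused on the second call and accepted on the fourth, and the audit flags it because the user never visited its domain directly.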

Google's Rachel Whetstone gave The Wall Street Journal the following statement about this side-effect:

"We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It's important to stress that, just as on other browsers, these advertising cookies do not collect personal information."

The Journal reported that other advertising networks were using the same Safari hack to set cookies, and that ads containing the hack were appearing on major websites across the country, including its own.

An Apple spokesperson told the Journal that the company was looking to put a stop to this security hole in its Safari browser.
