Interview With Stanford Student Who Caught Google Spying on Safari Users

Status
Not open for further replies.
For those of you who don't know, the Wall Street Journal this week posted a story about Google and three smaller companies secretly circumventing Safari's default setting to block cookies that track users' online activity.

Safari (the most popular OS X and iOS web browser) does allow advertisers to place a cookie if the user actually makes a choice and decides to click on the ad. This is the default setting for Safari.

Google used a technique that fooled Safari into thinking a user clicked on an ad when the user never did, and then placed a tracking cookie into Safari without the user's input.

This cookie could then be used to send encoded information to Google if the user used Google+ services. If the user had no Google+ info, the cookie would still be there, and if any other Google ads were "seen" by the browser in that session, other Google cookies, including Google's "Double-Click" tracking cookies, could be added, again, totally without input from the user.

Wall Street Journal said:
Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.'s Web browser on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked.

The companies used special computer code that tricks Apple's Safari Web-browsing software into letting them monitor many users. Safari, the most widely used browser on mobile devices, is designed to block such tracking by default.

Google disabled its code after being contacted by The Wall Street Journal.


The Google code was spotted by Stanford researcher Jonathan Mayer and independently confirmed by a technical adviser to the Journal, Ashkan Soltani, who found that ads on 22 of the top 100 websites installed the Google tracking code on a test computer, and ads on 23 sites installed it on an iPhone browser.

http://online.wsj.com/article/SB10001424052970204880404577225380456599176.html


Google did this despite language on Google's own privacy site that stated they wouldn't do anything of the kind (that language has now disappeared from Google's site), and a pledge from Google to the Federal Trade Commission that they would tell users the whole truth about tracking, following them being called onto the carpet by the federal government after Google Buzz was exposed to have gaping privacy issues.

Here are some excerpts from an interview with the Stanford student (working on a PhD in CS and a law degree) who caught Google and the others with their hands in the "cookie jar." (Sorry for the miserable pun.):

Joshua Johnson

How did you discover this particular cookie from Google?

Jonathan Mayer

We started by running ads of our own. We knew that this loophole existed, and to see which advertising networks had set cookies in Safari browsers we ran ads targeted to that browser's users. Then we had some code that reported back whether the user had a cookie from each of a number of advertising networks.

In the overwhelming majority of some 200,000 Safari browsers in our measurement sample, Google had set cookies on its DoubleClick domain -- that's its advertising domain. Around half of the users had cookies from a company called Vibrant Media. We also saw a number of cookies from a company called Media Innovation Group. These companies aren't nearly the size of Google.

Joshua Johnson

What was your reaction to these results?

Jonathan Mayer

I was a little bit skeptical at first; I ran it by several colleagues to get it verified. I also made sure to test with a bunch of different browsers to see if it was a Safari-specific thing. And we found that it was.

Joshua Johnson

What are the potential implications of these cookies?

Jonathan Mayer

They make it really easy for Google to have a copy of your web-browsing history sitting on their server. One cookie is linked to your specific Google account. They use that to do social personalization of advertising. Google's response is that there's no personal information at play, which seems odd to me because we have this design document that Google sent us indicating this social-targeting cookie is supposed to have the user's Google account ID on it.

Google claims we mischaracterized what they're doing. When they're talking about mischaracterization, they've left the world of computer science and entered the world of spin. I've tried not to put too much stock in that statement.

And I certainly disagree with a few claims they made. They suggest what they did is okay because this was related to a social feature. [Note: Google said they began using the cookies to "enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to “+1” things that interest them."]

I don't think that's quite right. This was not a social feature purely for the user's benefit. It was a social feature on online ads for Google's benefit.
It's not much of a stretch to imagine this was the tip of the iceberg in the social personalization of ads Google wanted to do. In fact the design document on this personal socialization feature has a couple of suggestions that the button on ads was just the starting point.

...

Joshua Johnson

Are there still some open questions around this issue?

Jonathan Mayer

I think the No. 1 question is how many users were caught up in this. It's quite possible we're talking about millions or even over 10 million people. Google hasn't suggested this was some sort of limited trial. It's quite possible we're talking about most iPhone owners in America who had their privacy undermined by Google.

Joshua Johnson

How can users get rid of this cookie on their iPhones, iPads or desktops?

Jonathan Mayer

Google has said they're trying to go back and delete these cookies. And if you go into your Safari settings, you can clear out your DoubleClick cookies if you have them. And Google has stopped the practice and so have other companies.

That said, Google gave users the idea that if you were a Safari user, you didn't need to do anything. The default setting was enough. We know that was clearly not the case. They've since pulled that language; I think it's quite possible they're going to have a problem with the FTC for that possibly being a deceptive business practice.

Second, because they signed a deal with the FTC after the Google Buzz debacle, where they promised under possible sanction of money damages that they wouldn’t misrepresent the extent to which users can control the information they're sharing with Google, I think this pretty plainly falls within that language they agreed to.

In my view, this is just another reason why it's time to build a technology that actually puts users in control over third-party web tracking. For a number of years there's been this phrasing among people who work on third-party web-tracking issues that there's an arms race or a cat-and-mouse game going on. And I think these research findings really reify that, quite possibly for millions of users.


So it's time to start thinking about how Google and other players in the online ad industry can work to provide users with a real choice. We've been working on a technology policy proposal called Do Not Track, intended to give users that choice. The World Wide Web Consortium has moved ahead and is trying to standardize it.

The Electronic Frontier Foundation has suggested that one way Google can try to make things right with its users would be to take the lead on Do Not Track, to go ahead and get it implemented in its Chrome browser. That's the only major browser that does not implement Do Not Track.

Full interview, and more background info, here:

http://blogs.kqed.org/newsfix/2012/02/17/google-safari-spying/
 
Fun fact: Out of the four ad networks caught abusing the loophole in Safari cookie controls to track users, only Google claims it was unintentional.
 
The whole thing will likely blow up into another Federal Trade Commission hearing on Google, and possible fines.

Violations of a settlement with the FTC can lead to fines of $16,000 per violation, per day. It's unclear how many times Google may have circumvented do-not-track protections on the Safari browser, distributed with iPhones, iPads, some iPods and Macintosh computers.

Google was "incredibly stupid" to slip tracking cookies into Safari, given that the company is under scrutiny by the FTC and privacy advocates, said Justin Brookman, director of consumer privacy at the Center for Democracy and Technology. "I'd be very surprised if there was not some type of FTC action."

An FTC spokeswoman said the agency was aware of the allegations, but could not comment beyond that.
http://www.pcworld.com/businesscent...ri_users_could_lead_to_ftc_investigation.html

Also, since Google's own website said this:

While we don't have a Safari version of the Google advertising cookie opt-out plugin, Safari is set to block all third-party cookies. If you have not changed those settings, this option effectively accomplishes the same thing as setting the opt-out cookie.

...it seems like a class-action lawsuit should have a good chance of happening as well.

Typing "We're not going to make Safari users an opt-out plugin, but you don't need one" with one hand, while typing code to bypass the user settings in Safari is stupendously evil, IMO.
 
Fun fact: Out of the four ad networks caught abusing the loophole in Safari cookie controls to track users, only Google claims it was unintentional.
Unintentionally created code to see if the browser is Safari and, if it is, insert some code that just happens to ignore the user's tracking preferences. A quite fantastic coincidence.
 
They're not really tracking Safari users--just don't visit sites that have Google ads and it won't be a problem.
 
I'm not surprised. Facebook does a similar cookie stunt (but not exact) even if you don't have an account with them but visit a page on their site. It's crazy.
 
all corporations are after one thing from people, their money. why bother being fans of them or "trusting" them...

Actually, this is where Google is somewhat unique. Apple wants your money. Microsoft wants your money. Google doesn't. I, for one, have never paid them one cent directly that I can remember. They want the money of other companies, which sounds great until you realize that they get it by selling YOU.
 
I'm gonna go out on a limb and say 90% of all of the major commercial sites use google ads. Your logic is flawed.



Then use Chromium, which is the exact same browser without any kind of Google branding/account/corporation stuff.

Thanks for the link, I'm definitely going to transition over. If Google are this subversive with other browsers I can only imagine how loosey goosey they can be here.
 
I'm not surprised. Facebook does a similar cookie stunt (but not exact) even if you don't have an account with them but visit a page on their site. It's crazy.

all of those 'like' buttons also track you, and better yet, unless they changed the default settings would allow a friend to share information about you when a friend hit a site with those on there.
 
Reminds me of those UberSoft comics where they always portray Google as one of the most evil companies on Earth. (Don't worry, they portray Steve Jobs' ego as being a danger to Earth and the entire concept of the comic is portraying Microsoft as evil; so it is not solely Google bashing)
 
all of those 'like' buttons also track you, and better yet, unless they changed the default settings would allow a friend to share information about you when a friend hit a site with those on there.

Yep, I read about it in USA Today back in November IIRC. Very crazy and shady.
 
This is not a big deal. Facebook even documented it as part of their Best Practices. But it's good that there is now going to be some kind of consensus on how these advertising cookies or Like/+1 cookies should work, and good support for disabling that functionality if you want.
 
I like how Google finally changes its way once it's caught doing something, as if it's surprised that people don't like the things that it does, and then people give credit to Google for "leading the way." Like fucking clockwork.

I can't believe we were once worried about Microsoft. Google is everything we once imagined Microsoft to be.
 
I want to abandon Chrome. I can't seem to find a download link on that Chromium website, so I guess does anyone know of a good browser that's as fast and lightweight as Chrome, that I can import my Chrome information into? I don't think Firefox lets you import Chrome passwords/bookmarks/etc.
 
What do people expect from Google? This is not a defense, btw. Their "users" or "clients" are not you, it's the ad buyers. Google is an ad company, first and foremost, and users are the currency here. That's how they make their money.

With that presupposition, how do you think Google is going to treat the privacy of the end user?
 
this is the bug that was talked about since early 2010 right? the one that there have been coding examples of on various websites since then for workarounds for cross domain tracking? sounds like an unintentional feature that was left in by Apple for 2 years...
 
this is the bug that was talked about since early 2010 right? the one that there have been coding examples of on various websites since then for workarounds for cross domain tracking? sounds like an unintentional feature that was left in by Apple for 2 years...

Ahh, the "door was unlocked so it's not breaking and entering" defense. That should work well for Google in court.
 
Why is every news story about this focused on Google, when Facebook and other companies were doing the same? Why is there such paranoia in the news media? Is it a backlash for helping to derail SOPA/PIPA?
 
My take away is that Apple needs to give their users a choice of default web browsers on their devices because clearly safari isn't cutting it. :P

Which they do:

Open Safari->http://mozilla.org->Download Firefox->Drag Firefox.app out of .zip->????->PROFIT!

Same shit as IE on Windows. Or you can use the terminal to get it without opening Safari.
 
This is why I don't use Google Chrome. I want to, but when Google tracks your shit, for whatever reason, it's a bit of a dealbreaker for me.
 
seriously
What are they going to do...? Track me on the web? Whoopdedoo
you're tracked every goddamn where you go.
As long as google ain't taking my bank details I care not a damn.

Stop throwing ads at me Google...... I........I......I just can't handle it
 
Which they do:

Open Safari->http://mozilla.org->Download Firefox->Drag Firefox.app out of .zip->????->PROFIT!

Same shit as IE on Windows. Or you can use the terminal to get it without opening Safari.

that only works on some of their devices.



Ahh, the "door was unlocked so it's not breaking and entering" defense. That should work well for Google in court.

web coders use browser quirks all the time, and seeing as this was known for years, how can they be sure this was an actual bug and not just an unintended feature? why wasn't it fixed by Apple if it was a known bug?
 
Why is every news story about this focused on Google, when Facebook and other companies were doing the same? Why is there such paranoia in the news media? Is it a backlash for helping to derail SOPA/PIPA?

Facebook isn't doing the same thing. And they aren't lying to users in their privacy policy saying:

"While we don't have a Safari version of the Google advertising cookie opt-out plugin, Safari is set to block all third-party cookies. If you have not changed those settings, this option effectively accomplishes the same thing as setting the opt-out cookie."​

Google, however, certainly did.

As for why Google is taking the lion's share of blame in the story, Mayer answers that question himself, in the interview:

In the overwhelming majority of some 200,000 Safari browsers in our measurement sample, Google had set cookies on its DoubleClick domain -- that's its advertising domain. Around half of the users had cookies from a company called Vibrant Media. We also saw a number of cookies from a company called Media Innovation Group. These companies aren't nearly the size of Google.

So Google was clearly the worst abuser in this case, with their exploit appearing on "the overwhelming majority" of browsers, while the other smaller companies' exploits were found less often.

Faceless Master said:
why wasn't it fixed by Apple if it was a known bug?

It never was a "known bug." It wasn't a bug at all.

Where do you come up with this shit?

Can you imagine the shitstorm people would have given Apple if Apple locked advertisers out from installing all cookies on all ads, even if the user clicked on the ad? They would have accused Apple of using its position to give iAds an unfair competitive advantage. They would have sued the shit out of Apple.

Tobor's analogy is exactly right, even if you are too stubborn to accept the facts. It's not Apple's fault if Google cheats. It's Google's.
 